little-summer-88406
09/29/2021, 10:07 AM
little-summer-88406
09/29/2021, 10:10 AM
little-summer-88406
09/29/2021, 10:10 AM
green-intern-27665
09/29/2021, 1:18 PM
little-summer-88406
09/29/2021, 2:05 PM
little-summer-88406
09/29/2021, 2:07 PM
full-artist-27215
09/29/2021, 4:20 PM
`pulumi_vault.aws.SecretBackend` (https://www.pulumi.com/docs/reference/pkg/vault/aws/secretbackend/) along with a `pulumi_aws.iam.User` (https://www.pulumi.com/docs/reference/pkg/aws/iam/user/) and a `pulumi_aws.iam.AccessKey` (https://www.pulumi.com/docs/reference/pkg/aws/iam/accesskey/) to do the initial setup.
The wrinkle comes in where Vault allows you to automatically rotate the credentials with `vault write -f aws/config/rotate-root` (https://www.vaultproject.io/api-docs/secret/aws#rotate-root-iam-credentials). This changes what Pulumi thinks it knows about the state of the world. Things are fine as long as you continue to `pulumi up`, but once you run `pulumi refresh`, the difference is discovered, steps are taken to remediate the situation, and things get messy. Initially, I was thinking I could use Pulumi to do the initial setup, then remove the `pulumi_aws.iam.AccessKey` resource (after I had Vault rotate it the first time), and add an `ignore_changes` (https://www.pulumi.com/docs/intro/concepts/resources/#ignorechanges) option on the `pulumi_vault.aws.SecretBackend`. However, when I run `pulumi refresh` after having Vault rotate the key, it still shows that an update needs to happen. The diff doesn't show anything, but if I compare the stack outputs before and after (using `pulumi stack export`) I see a bunch of ciphertext changes that I'm having trouble making heads or tails of.
I'm curious if anyone else has had any success with a similar setup in Pulumi. Is there a better way to do this using Pulumi? Or would it be better to manually create these things outside of Pulumi, and then perhaps adopt the resources into Pulumi? Thanks.
fast-river-57630
09/30/2021, 2:47 AM
fast-river-57630
09/30/2021, 2:52 AM
flat-appointment-12338
09/30/2021, 2:21 PM
`portMappings` field but it only associates the task with one of the target groups.
freezing-van-87649
10/01/2021, 1:42 AM
ambitious-father-68746
10/01/2021, 8:50 AM
ripe-shampoo-80285
10/01/2021, 5:18 PM
proud-pizza-80589
10/03/2021, 10:56 AM
`aws.kms.Key`? The UI has it and via the aws-sdk, but I can’t seem to find the field. (not using the native provider yet)
crooked-pillow-11944
10/04/2021, 5:41 PM
crooked-pillow-11944
10/04/2021, 8:23 PM
`id` is returning the arn of the secret which is not working with codebuild environment variables
quaint-portugal-34880
10/05/2021, 11:16 AM
/tmp/pulumi % pulumi up
error: failed to load checkpoint: blob (key ".pulumi/stacks/test-stack.json") (code=Unknown): ExpiredToken: The provided token has expired.
status code: 400, request id: WD9TGHZYT1S0D2DA, host id: LG3ktEVsZRP1DTG47uiEWrC+ez4t4X0COr65CqkGxTTMiKhpygCnWbQKUhBI3TSMIYf6nqSTdNo=
I have logged in with pulumi login s3://my-state-bucket
And cmds like aws s3 --profile my-profile ls s3://my-state-bucket works fine
The only AWS env variable is
AWS_PROFILE=my-profile
I get the same error with all my stacks and it started suddenly
Running latest version of Pulumi
crooked-pillow-11944
10/05/2021, 12:13 PM
* Error creating CodeBuild project: InvalidInputException: Invalid project source: location must be a valid S3 source
The bucket is created and I've added the root prefix `/` after the id. I've confirmed that I can set this in the UI
loud-nest-15724
10/06/2021, 3:27 PM
fast-river-57630
10/06/2021, 6:27 PM
brainy-helmet-80249
10/06/2021, 8:33 PM
`panic: interface conversion: interface {} is []interface {}, not *schema.Set` while deploying with GitHub actions?
Full diagnostics:
Diagnostics:
aws:lambda:Function (****-handler-lambda-function-dev):
error: transport is closing
aws:s3:BucketObject (****-handler-deployment-dev.zip):
error: transport is closing
pulumi:pulumi:Stack (****-dev):
error: update failed
panic: interface conversion: interface {} is []interface {}, not *schema.Set
goroutine 438 [running]:
github.com/terraform-providers/terraform-provider-aws/aws.resourceAwsLambdaFunctionUpdate(0xc001bf6480, 0x6d569e0, 0xc0015f6c00, 0x0, 0x0)
/home/runner/go/pkg/mod/github.com/pulumi/terraform-provider-aws@v1.38.1-0.20211004122636-8966d24576a0/aws/resource_aws_lambda_function.go:1199 +0x522d
github.com/hashicorp/terraform-plugin-sdk/v2/helper/schema.(*Resource).update(0xc000717110, 0x8963f18, 0xc00012c018, 0xc001bf6480, 0x6d569e0, 0xc0015f6c00, 0x0, 0x0, 0x0)
/home/runner/go/pkg/mod/github.com/pulumi/terraform-plugin-sdk/v2@v2.0.0-20210629210550-59d24255d71f/helper/schema/resource.go:342 +0x1ee
github.com/hashicorp/terraform-plugin-sdk/v2/helper/schema.(*Resource).Apply(0xc000717110, 0x8963f18, 0xc00012c018, 0xc0023278f0, 0xc00139a4c0, 0x6d569e0, 0xc0015f6c00, 0x8, 0x10, 0x7fa1682565b8, ...)
/home/runner/go/pkg/mod/github.com/pulumi/terraform-plugin-sdk/v2@v2.0.0-20210629210550-59d24255d71f/helper/schema/resource.go:454 +0x390
github.com/pulumi/pulumi-terraform-bridge/v3/pkg/tfshim/sdk-v2.v2Provider.Apply(0xc00107a1e0, 0x7cc8d72, 0x13, 0x8964e68, 0xc002251340, 0x898b330, 0xc00139a4c0, 0x0, 0x898b330, 0xc00139a4c0, ...)
/home/runner/go/pkg/mod/github.com/pulumi/pulumi-terraform-bridge/v3@v3.8.2-0.20210930033847-5bba386a0e79/pkg/tfshim/sdk-v2/provider.go:112 +0x210
github.com/pulumi/pulumi-terraform-bridge/v3/pkg/tfbridge.(*Provider).Update(0xc00000a3c0, 0x8963f88, 0xc001bc2630, 0xc001b0d380, 0xc00000a3c0, 0x6ca9101, 0xc002243080)
/home/runner/go/pkg/mod/github.com/pulumi/pulumi-terraform-bridge/v3@v3.8.2-0.20210930033847-5bba386a0e79/pkg/tfbridge/provider.go:1038 +0x9a3
github.com/pulumi/pulumi/sdk/v3/proto/go._ResourceProvider_Update_Handler.func1(0x8963f88, 0xc001bc2630, 0x7a70020, 0xc001b0d380, 0x7a24600, 0xd580058, 0x8963f88, 0xc001bc2630)
/home/runner/go/pkg/mod/github.com/pulumi/pulumi/sdk/v3@v3.13.2/proto/go/provider.pb.go:2638 +0x8b
github.com/grpc-ecosystem/grpc-opentracing/go/otgrpc.OpenTracingServerInterceptor.func1(0x8963f88, 0xc001bc20c0, 0x7a70020, 0xc001b0d380, 0xc00132f1a0, 0xc001562c00, 0x0, 0x0, 0x8876e20, 0xc000400a70)
/home/runner/go/pkg/mod/github.com/grpc-ecosystem/grpc-opentracing@v0.0.0-20180507213350-8e809c8a8645/go/otgrpc/server.go:57 +0x30a
github.com/pulumi/pulumi/sdk/v3/proto/go._ResourceProvider_Update_Handler(0x7b63f20, 0xc00000a3c0, 0x8963f88, 0xc001bc20c0, 0xc0010555c0, 0xc00145b800, 0x8963f88, 0xc001bc20c0, 0xc0009b4c00, 0xadc)
/home/runner/go/pkg/mod/github.com/pulumi/pulumi/sdk/v3@v3.13.2/proto/go/provider.pb.go:2640 +0x150
google.golang.org/grpc.(*Server).processUnaryRPC(0xc0003cb6c0, 0x898bcf8, 0xc0015a6180, 0xc0024af440, 0xc0015316b0, 0xd53aa30, 0x0, 0x0, 0x0)
/home/runner/go/pkg/mod/google.golang.org/grpc@v1.37.0/server.go:1217 +0x52b
google.golang.org/grpc.(*Server).handleStream(0xc0003cb6c0, 0x898bcf8, 0xc0015a6180, 0xc0024af440, 0x0)
/home/runner/go/pkg/mod/google.golang.org/grpc@v1.37.0/server.go:1540 +0xd0c
google.golang.org/grpc.(*Server).serveStreams.func1.2(0xc000ea8050, 0xc0003cb6c0, 0x898bcf8, 0xc0015a6180, 0xc0024af440)
/home/runner/go/pkg/mod/google.golang.org/grpc@v1.37.0/server.go:878 +0xab
created by google.golang.org/grpc.(*Server).serveStreams.func1
/home/runner/go/pkg/mod/google.golang.org/grpc@v1.37.0/server.go:876 +0x1fd
late-lock-17022
10/07/2021, 7:56 PM
data_volume = ebs.Volume("Ghost Data",
    availability_zone=default_az,
    size=10,
    type="gp3",
    tags={
        "Name": "Ghost data"
    }
)
ghost_instance = ec2.Instance("Ghost",
    instance_type="t4g.small",
    ami=default_ami.id,
    root_block_device=ec2.InstanceRootBlockDeviceArgs(
        delete_on_termination=True,
        volume_type="gp3",
        tags={
            "Name": "Ghost root device"
        }
    ),
    availability_zone=default_az,
    vpc_security_group_ids=[
        security_groups.sg_web_access.id,
        security_groups.sg_ssh_access.id,
        security_groups.sg_all_outbound.id
    ],
    key_name="chipnibbles-aws-keys",
    tags={
        "Name": "Ghost Instance"
    }
)
second_disk = ec2.VolumeAttachment("Second Disk",
    device_name="/dev/sdh",
    volume_id=data_volume.id,
    instance_id=ghost_instance.id,
    force_detach=True
)
The problem I’m facing right now is when I’m trying to update the `ghost_instance` pulumi fails on the Volume Attachment replacement.
View Live: <https://app.pulumi.com/Regrau/chipnibbles-infrastructure/dev/updates/26>
Type Name Status Info
pulumi:pulumi:Stack infrastructure-dev **failed** 1 error
+- └─ aws:ec2:VolumeAttachment Second Disk **replacing failed** [diff: ~instanceId]; 1 error
Diagnostics:
aws:ec2:VolumeAttachment (Second Disk):
error: 1 error occurred:
* Error attaching volume (vol-07e61ae7f6062403f) to instance (i-002f5a8d58c0bb000), message: "vol-07e61ae7f6062403f is already attached to an instance", code: "VolumeInUse"
I’m still not quite sure if the problem is with pulumi or AWS itself. I get the error code, but it seems wrong that pulumi does not detach the volume before changing the attached instance id. Why is that a limitation and are there any workarounds?
Can anybody help me out here please?
It is worth mentioning that I want to mount the second ebs volume for database storage. I’d use EFS but it would be too slow for that purpose.
prehistoric-kite-30979
10/07/2021, 10:40 PM
hallowed-tomato-78073
10/08/2021, 4:14 AM
`aws-native` package in typescript to create an Amazon Managed Prometheus workspace, and running into the following error when running `pulumi up`:
error: could not get AWS account ID: operation error STS: GetCallerIdentity, exceeded maximum number of attempts, 3, failed to sign request: failed to retrieve credentials: no EC2 IMDS role found, operation error ec2imds: GetMetadata, exceeded maximum number of attempts, 3, request send failed, Get "<http://X/latest/meta-data/iam/security-credentials/>": dial tcp X:80: connect: host is down
In the Pulumi.yaml file, `aws:profile: Y` and `aws-native:profile: Y` are both set.
If I remove the code that uses `aws-native`, keeping only the `aws` code, the error does not appear and the update works as expected.
Any advice/tips/etc… appreciated!
swift-planet-53281
10/08/2021, 12:44 PM
error creating ELBv2 Listener (arn:aws:elasticloadbalancing:eu-west-1:###########:loadbalancer/net/Pulumi-LB-f7b33b7/53038cb254ec917f): TargetGroupAssociationLimit: The following target groups cannot be associated with more than one load balancer: arn:aws:elasticloadbalancing:eu-west-1:############:targetgroup/datahub-tg-8e3c646/06da054467749336
This seems to be caused by the fact that a new listener is created first (before the old one is removed), leading to a temporary invalid situation. How should I go about this?
NB: Relevant part of source code is in thread below.
swift-planet-53281
10/08/2021, 1:16 PM
bumpy-laptop-30846
10/08/2021, 2:19 PM
brainy-helmet-80249
10/08/2021, 8:38 PM
new aws.ec2.VpcEndpoint(`s3-vpc-endpoint-${stack}`, {
    serviceName: `com.amazonaws.${region}.s3`,
    vpcId: vpc.id
});
broad-dog-22463
10/08/2021, 9:50 PM
broad-dog-22463
10/08/2021, 10:06 PM