nvm found how.

Hi!!! one question. I want to add autoscalling to my ECS fargate tasks. I have trying to dig into the documentation and all the examples that I have seen are related to EC2 instances but I haven’t found information about Fargate tasks. Any idea or resource to check?

https://aws.amazon.com/premiumsupport/knowledge-center/ecs-fargate-service-auto-scaling/ ? seems you just need to tie into a cloudwatch metric, either one you get out the box, our make your own cloudwatch metric from log output parsing

Id be tempted to ignore the out the box metrics and find something more symbolic - ttfb for each request over 5 minutes exceeding 0.5seconds or something

I'm automating the setup of a Hashicorp Vault server, and setting up an AWS secrets backend (https://www.vaultproject.io/docs/secrets/aws) Part of that entails passing the secret key and access key of an IAM user to allow Vault to interact with AWS. I can use a

pulumi_vault.aws.SecretBackend

(https://www.pulumi.com/docs/reference/pkg/vault/aws/secretbackend/) along with a

pulumi_aws.iam.User

(https://www.pulumi.com/docs/reference/pkg/aws/iam/user/) and a

pulumi_aws.iam.AccessKey

(https://www.pulumi.com/docs/reference/pkg/aws/iam/accesskey/) to do the initial setup. The wrinkle comes in where Vault allows you to automatically rotate the credentials with

vault write -f aws/config/rotate-root

(https://www.vaultproject.io/api-docs/secret/aws#rotate-root-iam-credentials). This changes what Pulumi thinks it knows about the state of the world. Things are fine as long as you continue to

pulumi up

, but once you run

pulumi refresh

, the difference is discovered, steps are taken to remediate the situation, and things get messy. Initially, I was thinking I could use Pulumi to do the initial setup, then remove the

pulumi_aws.iam.AccessKey

resource (after I had Vault rotate it the first time), and add an

ignore_changes

(https://www.pulumi.com/docs/intro/concepts/resources/#ignorechanges) option on the

pulumi_vault.aws.SecretBackend

. However, when I run

pulumi refresh

after having Vault rotate the key, it still shows that an update needs to happen. The diff doesn't show anything, but if I compare the stack outputs before and after (using

pulumi stack export

) I see a bunch of ciphertext changes that I'm having trouble making heads or tails of. I'm curious if anyone else has had any success with a similar setup in Pulumi. Is there a better way to do this using Pulumi? Or would it be better to manually create these things outside of Pulumi, and then perhaps adopt the resources into Pulumi? Thanks.

Hrm. just renaming a awsec2SecurityGroupRule seems to hit "A duplicate Security Group rule was found on" / https://github.com/hashicorp/terraform/pull/2376 / "Error message: the specified rule ... already exists". The actual terraform github link seems like a red herring. Of course... wow. just nuked all the rules sitting in front of my db

"At this time you cannot use a Security Group with in-line rules in conjunction with any Security Group Rule resources. Doing so will cause a conflict of rule settings and will overwrite rules.". I hit that when trying to work around it, ofc

Does anyone know how to register multiple target groups with a Fargate definition? Ive tried passing an array of target groups into the container definitions'

portMappings

field but it only associates the task with one of the target groups.

Has anyone used Pulumi with the python step function sdk? I’m jealous of the CDK step function user experience

Pulumi team, great work on the new Pulumi AWS Native provider. Kudos to you!

With recent announcement of aws native provider, do we need to migrate from current aws provider to this new native provider? what exactly needs to be done? What are main benefits of doing this? https://www.pulumi.com/blog/announcing-aws-native/

Is there a way to get the public key out of a KMS key created via

aws.kms.Key

? The UI has it and via the aws-sdk, but i can’t seem to find the field. (not using the native provider yet)

Can I hardcode the contents of the buildspec.yml into a CodeBuild project in the resource?

How can I get just the secret name of a Secrets Manager secret from the secret resource?

id

is returning the arn of the secret which is not working with codebuild environment variables

I suddenly start to get a very strange error with my s3 state bucket

/tmp/pulumi % pulumi up

error: failed to load checkpoint: blob (key ".pulumi/stacks/test-stack.json") (code=Unknown): ExpiredToken: The provided token has expired.

status code: 400, request id: WD9TGHZYT1S0D2DA, host id: LG3ktEVsZRP1DTG47uiEWrC+ez4t4X0COr65CqkGxTTMiKhpygCnWbQKUhBI3TSMIYf6nqSTdNo=

I have logged in with pulumi login s3://my-state-bucket And cmds like aws s3 --profile my-profile ls s3://my-state-bucket works fine The only AWS env variable is AWS_PROFILE=my-profile I get the same error with all my stacks and it started suddenly Running latest version of Pulumi

CodeBuild project is failing to update with

* Error creating CodeBuild project: InvalidInputException: Invalid project source: location must be a valid S3 source

The bucket is created and I've added the root prefix

/

after the id. I've confirmed that I can set this in the UI

Hi all, has anyone used Pulumi to setup an AWS account vending machine? i.e. an automated way for teams to create and manage AWS accounts themselves for the components they own I've had a quick look at AWS Control Tower, and org-formation, but I'd prefer to do this with Pulumi

ECS attached to EventBridge cron? Is it just aws.cloudwatch.EventTarget with a task definition arn?

Has anyone run into this error:

panic: interface conversion: interface {} is []interface {}, not *schema.Set

while deploying with GitHub actions? Full diagnostics:

Diagnostics:
    aws:lambda:Function (****-handler-lambda-function-dev):
      error: transport is closing
   
    aws:s3:BucketObject (****-handler-deployment-dev.zip):
      error: transport is closing
   
    pulumi:pulumi:Stack (****-dev):
      error: update failed
   
      panic: interface conversion: interface {} is []interface {}, not *schema.Set
      goroutine 438 [running]:
      <http://github.com/terraform-providers/terraform-provider-aws/aws.resourceAwsLambdaFunctionUpdate(0xc001bf6480|github.com/terraform-providers/terraform-provider-aws/aws.resourceAwsLambdaFunctionUpdate(0xc001bf6480>, 0x6d569e0, 0xc0015f6c00, 0x0, 0x0)
      	/home/runner/go/pkg/mod/github.com/pulumi/terraform-provider-aws@v1.38.1-0.20211004122636-8966d24576a0/aws/resource_aws_lambda_function.go:1199 +0x522d
      <http://github.com/hashicorp/terraform-plugin-sdk/v2/helper/schema.(*Resource).update(0xc000717110|github.com/hashicorp/terraform-plugin-sdk/v2/helper/schema.(*Resource).update(0xc000717110>, 0x8963f18, 0xc00012c018, 0xc001bf6480, 0x6d569e0, 0xc0015f6c00, 0x0, 0x0, 0x0)
      	/home/runner/go/pkg/mod/github.com/pulumi/terraform-plugin-sdk/v2@v2.0.0-20210629210550-59d24255d71f/helper/schema/resource.go:342 +0x1ee
      <http://github.com/hashicorp/terraform-plugin-sdk/v2/helper/schema.(*Resource).Apply(0xc000717110|github.com/hashicorp/terraform-plugin-sdk/v2/helper/schema.(*Resource).Apply(0xc000717110>, 0x8963f18, 0xc00012c018, 0xc0023278f0, 0xc00139a4c0, 0x6d569e0, 0xc0015f6c00, 0x8, 0x10, 0x7fa1682565b8, ...)
      	/home/runner/go/pkg/mod/github.com/pulumi/terraform-plugin-sdk/v2@v2.0.0-20210629210550-59d24255d71f/helper/schema/resource.go:454 +0x390
      <http://github.com/pulumi/pulumi-terraform-bridge/v3/pkg/tfshim/sdk-v2.v2Provider.Apply(0xc00107a1e0|github.com/pulumi/pulumi-terraform-bridge/v3/pkg/tfshim/sdk-v2.v2Provider.Apply(0xc00107a1e0>, 0x7cc8d72, 0x13, 0x8964e68, 0xc002251340, 0x898b330, 0xc00139a4c0, 0x0, 0x898b330, 0xc00139a4c0, ...)
      	/home/runner/go/pkg/mod/github.com/pulumi/pulumi-terraform-bridge/v3@v3.8.2-0.20210930033847-5bba386a0e79/pkg/tfshim/sdk-v2/provider.go:112 +0x210
      <http://github.com/pulumi/pulumi-terraform-bridge/v3/pkg/tfbridge.(*Provider).Update(0xc00000a3c0|github.com/pulumi/pulumi-terraform-bridge/v3/pkg/tfbridge.(*Provider).Update(0xc00000a3c0>, 0x8963f88, 0xc001bc2630, 0xc001b0d380, 0xc00000a3c0, 0x6ca9101, 0xc002243080)
      	/home/runner/go/pkg/mod/github.com/pulumi/pulumi-terraform-bridge/v3@v3.8.2-0.20210930033847-5bba386a0e79/pkg/tfbridge/provider.go:1038 +0x9a3
      <http://github.com/pulumi/pulumi/sdk/v3/proto/go._ResourceProvider_Update_Handler.func1(0x8963f88|github.com/pulumi/pulumi/sdk/v3/proto/go._ResourceProvider_Update_Handler.func1(0x8963f88>, 0xc001bc2630, 0x7a70020, 0xc001b0d380, 0x7a24600, 0xd580058, 0x8963f88, 0xc001bc2630)
      	/home/runner/go/pkg/mod/github.com/pulumi/pulumi/sdk/v3@v3.13.2/proto/go/provider.pb.go:2638 +0x8b
      <http://github.com/grpc-ecosystem/grpc-opentracing/go/otgrpc.OpenTracingServerInterceptor.func1(0x8963f88|github.com/grpc-ecosystem/grpc-opentracing/go/otgrpc.OpenTracingServerInterceptor.func1(0x8963f88>, 0xc001bc20c0, 0x7a70020, 0xc001b0d380, 0xc00132f1a0, 0xc001562c00, 0x0, 0x0, 0x8876e20, 0xc000400a70)
      	/home/runner/go/pkg/mod/github.com/grpc-ecosystem/grpc-opentracing@v0.0.0-20180507213350-8e809c8a8645/go/otgrpc/server.go:57 +0x30a
      <http://github.com/pulumi/pulumi/sdk/v3/proto/go._ResourceProvider_Update_Handler(0x7b63f20|github.com/pulumi/pulumi/sdk/v3/proto/go._ResourceProvider_Update_Handler(0x7b63f20>, 0xc00000a3c0, 0x8963f88, 0xc001bc20c0, 0xc0010555c0, 0xc00145b800, 0x8963f88, 0xc001bc20c0, 0xc0009b4c00, 0xadc)
      	/home/runner/go/pkg/mod/github.com/pulumi/pulumi/sdk/v3@v3.13.2/proto/go/provider.pb.go:2640 +0x150
      <http://google.golang.org/grpc.(*Server).processUnaryRPC(0xc0003cb6c0|google.golang.org/grpc.(*Server).processUnaryRPC(0xc0003cb6c0>, 0x898bcf8, 0xc0015a6180, 0xc0024af440, 0xc0015316b0, 0xd53aa30, 0x0, 0x0, 0x0)
      	/home/runner/go/pkg/mod/google.golang.org/grpc@v1.37.0/server.go:1217 +0x52b
      <http://google.golang.org/grpc.(*Server).handleStream(0xc0003cb6c0|google.golang.org/grpc.(*Server).handleStream(0xc0003cb6c0>, 0x898bcf8, 0xc0015a6180, 0xc0024af440, 0x0)
      	/home/runner/go/pkg/mod/google.golang.org/grpc@v1.37.0/server.go:1540 +0xd0c
      <http://google.golang.org/grpc.(*Server).serveStreams.func1.2(0xc000ea8050|google.golang.org/grpc.(*Server).serveStreams.func1.2(0xc000ea8050>, 0xc0003cb6c0, 0x898bcf8, 0xc0015a6180, 0xc0024af440)
      	/home/runner/go/pkg/mod/google.golang.org/grpc@v1.37.0/server.go:878 +0xab
      created by <http://google.golang.org/grpc.(*Server).serveStreams.func1|google.golang.org/grpc.(*Server).serveStreams.func1>
      	/home/runner/go/pkg/mod/google.golang.org/grpc@v1.37.0/server.go:876 +0x1fd

Hi just started out using pulumi and am playing around with pulumi. I want to use a second ebs volume as a persistent storage for an ec2 instance. So i’ve set it up like this.

data_volume = ebs.Volume("Ghost Data",
                         availability_zone=default_az,
                         size=10,
                         type="gp3",
                         tags={
                             "Name": "Ghost data"
                         }
                         )

ghost_instance = ec2.Instance("Ghost",
                              instance_type="t4g.small",
                              ami=default_ami.id,
                              root_block_device=ec2.InstanceRootBlockDeviceArgs(
                                  delete_on_termination=True,
                                  volume_type="gp3",
                                  tags={
                                      "Name": "Ghost root device"
                                  }
                              ),
                              availability_zone=default_az,
                              vpc_security_group_ids=[
                                  security_groups.sg_web_access.id,
                                  security_groups.sg_ssh_access.id,
                                  security_groups.sg_all_outbound.id
                              ],
                              key_name="chipnibbles-aws-keys",
                              tags={
                                  "Name": "Ghost Instance"
                              }
                              )

second_disk = ec2.VolumeAttachment("Second Disk",
                                   device_name="/dev/sdh",
                                   volume_id=data_volume.id,
                                   instance_id=ghost_instance.id,
                                   force_detach=True
                                   )

The problem I’m facing right now is when I’m trying to update the

ghost_instance

pulumi fails on the Volume Attachment replacement.

View Live: <https://app.pulumi.com/Regrau/chipnibbles-infrastructure/dev/updates/26>

     Type                         Name                            Status                   Info
     pulumi:pulumi:Stack          infrastructure-dev  **failed**               1 error
 +-  └─ aws:ec2:VolumeAttachment  Second Disk                     **replacing failed**     [diff: ~instanceId]; 1 error
 
Diagnostics:
  aws:ec2:VolumeAttachment (Second Disk):
    error: 1 error occurred:
        * Error attaching volume (vol-07e61ae7f6062403f) to instance (i-002f5a8d58c0bb000), message: "vol-07e61ae7f6062403f is already attached to an instance", code: "VolumeInUse"

I’m still not quite sure if the problem is with pulumi or AWS itself. I get the error code, but it seems wrong that pulumi does not detach the volume before changing the attached instance id. Why is that a limitation and are there any workarounds? Can anybody help me out here please? It is worth mentioning that I want to mount the second ebs volume for database storage. I’d use EFS but it would be to slow for that purpose.

Could someone point me in the direction of the magic lambda function code implementation, I’ve been looking the the pulumi-aws repo but cant find it 😅. I’m trying to build a workaround for https://github.com/pulumi/pulumi/issues/2661

Hi! I’m trying to use the new

aws-native

package in typescript to create an Amazon Managed Prometheus workspace, and running into the following error when running `pulumi up`:

error: could not get AWS account ID: operation error STS: GetCallerIdentity, exceeded maximum number of attempts, 3, failed to sign request: failed to retrieve credentials: no EC2 IMDS role found, operation error ec2imds: GetMetadata, exceeded maximum number of attempts, 3, request send failed, Get "<http://X/latest/meta-data/iam/security-credentials/>": dial tcp X:80: connect: host is down

In the Pulumi.yaml file,

aws:profile: Y

and

aws-native:profile: Y

are both set. If I remove the code that uses

aws-native

, keeping only the

aws

code, the error does not appear and the update works as expected. Any advice/tips/etc… appreciated!

I'm having a problem when updating loadbalancer data. Situation before: • 1 loadbalancer • 1 target group • 1 listener for the loadbalancer, forwarding to the target group. Problematic actions: 1. I updated something in the loadbalancer (added EIPs), such that it needed to be replaced 2. The pulumi tries to replace the listener as well 3. Then I get the following error:

error creating ELBv2 Listener (arn:aws:elasticloadbalancing:eu-west-1:###########:loadbalancer/net/Pulumi-LB-f7b33b7/53038cb254ec917f): TargetGroupAssociationLimit: The following target groups cannot be associated with more than one load balancer: arn:aws:elasticloadbalancing:eu-west-1:############:targetgroup/datahub-tg-8e3c646/06da054467749336

This seems to be caused by the fact that a new listener is created first (before the old one is removed), leading to a temporary invalid situation. How should I go about this? NB: Relevant part of source code is in thread below.

Ah I just found out about deleteBeforeReplace...

Hi! Is there a way to wait for aws.route53.Record to be actually served ? Or, is there a generic ‘wait for an http endpoint to be present’ and pass it as dependsOn for another ressource?

I have a AWS Fargate service behind a simple VPC, and that service needs to access S3 (not behind VPC). Is the following enough to expose s3?

new aws.ec2.VpcEndpoint(`s3-vpc-endpoint-${stack}`, {
    serviceName: `com.amazonaws.${region}.s3`,
    vpcId: vpc.id
  });

There's a slight regression in v4.24.0 of pulumi-aws for ALB TargetGroup - I am preparing a PR to fix it now and hope to have it patched this evening

The issue is being tracked here - https://github.com/pulumi/pulumi-aws/issues/1660