aws
  • r

    rhythmic-camera-25993

    01/13/2020, 10:01 PM
    I've done env variables and secrets, yes, but not yet dns-based service discovery
  • r

    rhythmic-camera-25993

    01/13/2020, 10:03 PM
    env variables were very easy (just name/value pairs in the container definition), but to get secrets I had to:
    * create the secret
    * give it a value (via secretVersion)
    * add access to the secret to the fargate services' execution role
    then the service could actually access and use the secret
  • r

    rhythmic-camera-25993

    01/13/2020, 10:04 PM
    once you've got the `Secret` with a value, you can use the secret in your taskDefinition's container definition, eg:
    // secrets can be passed in as env variables too!
                secrets: dbPassword.arn.apply(arn =>[
                    { name: "PGPASSWORD", valueFrom: arn }
                ]),
    where `dbPassword` is a `SecretValue` resource that I used to set a password on a `dbPassword` `Secret`
  • c

    colossal-tent-75408

    01/14/2020, 5:36 PM
    I have a cost requirement to use a single ALB for multiple instances (currently behind Elastic Beanstalk). This works effectively, but I would like to move to ECS or even EKS, using Pulumi to manage it all. It's possible to do it programmatically with a single config, but I'd like to separate the core config (ALB) from ECS deployments. Here's the single config with hints on where I'd like separation:
    import * as aws from "@pulumi/aws";
    import * as awsx from "@pulumi/awsx";
    
    // CORE CONFIGURATION
    const cluster = new awsx.ecs.Cluster("stack-cluster");
    const lb = new awsx.lb.ApplicationLoadBalancer("loadbalancer", { external: true });
    
    const web = lb.createListener("web", { protocol: "HTTP", defaultAction: {
        type: "fixed-response",
        fixedResponse: {
            statusCode: "503",
            contentType: "application/json"
        }
    } })
    
    const defaultCertificateArn = "";
    
    const webHttps = lb.createListener("web-https", { protocol: "HTTPS", certificateArn: defaultCertificateArn, defaultAction: {
        type: "fixed-response",
        fixedResponse: {
            statusCode: "503",
            contentType: "application/json"
        }
    } })
    
    const repo = new awsx.ecr.Repository("my-repo");
    
    // FIRST SERVICE (GitHub repo 2)
    const targetgroup1 = lb.createTargetGroup("targetgroup1", { protocol: "HTTP", port: 80 });
    
    const app1Certificate = new aws.alb.ListenerCertificate("app1", {
        certificateArn: "",
        listenerArn: webHttps.listener.arn,
    });
    
    const rule1 = new awsx.lb.ListenerRule("http-app1", web, { conditions: [{ field: "host-header", values: "app1.domain.com" }], actions: [{type: "forward", targetGroupArn: targetgroup1.targetGroup.arn }]})
    const ruleHttps1 = new awsx.lb.ListenerRule("https-app1", webHttps, { conditions: [{ field: "host-header", values: "app1.domain.com" }], actions: [{type: "forward", targetGroupArn: targetgroup1.targetGroup.arn }]})
    
    const app1 = repo.buildAndPushImage("./app1");
    
    const app1Service = new awsx.ecs.FargateService("app1", {
        cluster,
        taskDefinitionArgs: {
            containers: {
                app1: {
                    image: app1,
                    portMappings: [targetgroup1],
                },
            },
        },
        desiredCount: 2,
    });
    
    
    // SECOND SERVICE (GitHub repo 3)
    const targetgroup2 = lb.createTargetGroup("targetgroup2", { protocol: "HTTP", port: 80 });
    
    const app2Certificate = new aws.alb.ListenerCertificate("app2", {
        certificateArn: "",
        listenerArn: webHttps.listener.arn,
    });
    
    const rule2 = new awsx.lb.ListenerRule("http-app2", web, {  conditions: [{ field: "host-header", values: "app2.domain.com" }], actions: [{type: "forward", targetGroupArn: targetgroup2.targetGroup.arn }]})
    const ruleHttps2 = new awsx.lb.ListenerRule("https-app2", webHttps, {  conditions: [{ field: "host-header", values: "app2.domain.com" }], actions: [{type: "forward", targetGroupArn: targetgroup2.targetGroup.arn }]})
    
    const app2 = repo.buildAndPushImage("./app2");
    
    let app2Service = new awsx.ecs.FargateService("app2", {
        cluster,
        desiredCount: 2,
        taskDefinitionArgs: {
            containers: {
                app2: {
                    image: app2,  
                    portMappings: [ targetgroup2 ],
                },
            },
        },
    });
  • f

    flat-insurance-25294

    01/14/2020, 6:54 PM
    `deletionProtection` on RDS should be default true, and not default false because that is what AWS has for default. Is this considered a bug technically?
  • f

    flat-insurance-25294

    01/14/2020, 6:55 PM
    @rhythmic-camera-25993 We’re trying to avoid secrets as env variables and use filesystem for that. We use env variables for configs though.
  • b

    big-article-88775

    01/15/2020, 7:45 AM
    is there an example of setting up an api gateway private endpoint using pulumi? https://aws.amazon.com/blogs/compute/introducing-amazon-api-gateway-private-endpoints/
  • f

    flat-insurance-25294

    01/15/2020, 10:35 AM
    Found another bug;
    masterPassword?: pulumi.Input<string>;
    masterUsername?: pulumi.Input<string>;
    are marked as optional, but are required by AWS for RDS.
    👍 1
  • n

    nice-cat-91582

    01/15/2020, 12:15 PM
    My `pulumi up`s seem to be hanging on API Gateway updates, but for the life of me I can't figure out why. It's a `diff: ~body`, and is running for hours before silently failing. Frustratingly, I'm not getting any extra context via `-v=3` or by setting a `--tracing` file. Is there any way for me to see what specifically is hanging in these deploys?
  • n

    nice-cat-91582

    01/15/2020, 12:24 PM
    Interesting - it seems to somehow be related to having too many routes, or something. I'm trying to add a new route, which is the only change in the hanging update. If I comment out an old completely unrelated route, the deploy works and the new route is available. Uncommenting the old route and deploying then hangs (on the previously successfully deployed route)
  • n

    nice-cat-91582

    01/15/2020, 12:24 PM
    Still not sure how to see what exactly is hanging, though.
  • n

    nice-cat-91582

    01/15/2020, 12:38 PM
    Ah, I think I see the issue. `APIGateway.getCognitoAuthorizer` is creating a new authorizer for every endpoint, and there is a limit of 10 authorizers per stage. There doesn't seem to be any docs on that function, but it would be nice if it reused existing authorizers when they are from the same pool.
  • n

    nice-cat-91582

    01/15/2020, 12:46 PM
    seems that `awsx.apigateway` doesn't support `authorizationScopes`, which means it has to create a fresh authorizer for each Cognito scope. Solution will be to use `aws.apigateway`, although I much preferred the `awsx` interface.
  • n

    nice-cat-91582

    01/15/2020, 12:46 PM
    I should probably create a github issue for this.
  • f

    flat-insurance-25294

    01/15/2020, 3:12 PM
    Since pulumi isn’t automatically setting the password, is there a way to generate a UUID with pulumi that is persisted so it doesn’t keep changing the password? Changing the password as a form of rotation isn’t a bad idea, but it does create a gap where the applications are either using the old password or the new password before RDS has changed.
  • f

    flat-insurance-25294

    01/15/2020, 5:09 PM
    It’s weird that I can store state using something like
    random.RandomPet("SamplePetz", {..})
    But can’t set my own config from runtime.
  • r

    rhythmic-camera-25993

    01/15/2020, 11:12 PM
    there's some interesting recalculation going on with the `containerDefinitions` property of a Fargate TaskDefinition. I've got updates on every `pulumi up`, even when I don't change anything about the container. I'm trying to fill in the deltas between the configurations that I see when doing `pulumi up --diff` to see if I can get the states to ever sync up and not require re-pushing, but there are definitely some default values that are represented in the 'deployed model' that aren't represented in the 'about to deploy' model
  • c

    clever-egg-36360

    01/16/2020, 4:00 AM
    Hello! I'm trying to make my first Pulumi app and I'm stymied right out of the gate. I can't work out how to define a websocket API.
  • c

    clever-egg-36360

    01/16/2020, 4:02 AM
    I'm assuming `new aws.apigateway.RestApi()` isn't what I'm after? Should I be using `new awsx.apigateway.API()` with some particular `APIArgs`?
  • c

    clever-egg-36360

    01/16/2020, 4:02 AM
    Or something else? Apologies for the dumb question.
  • h

    hundreds-monitor-95126

    01/17/2020, 10:40 PM
    Hey. I am very new to Pulumi and trying it for the 1st time. Really liked it though so far. I am trying to setup ‘aws secrets’ for my `pulumi typescript` project. But instead of exporting like below. I was hoping if i can manage aws key/secret in `.env` and provide it to pulumi config. I could not find any documentation for that.
    export AWS_ACCESS_KEY_ID=<YOUR_ACCESS_KEY_ID> && export AWS_SECRET_ACCESS_KEY=<YOUR_SECRET_ACCESS_KEY>
  • h

    hundreds-monitor-95126

    01/18/2020, 12:04 AM
    Hey. whenever i am trying to create a resource by `pulumi up` its creating resource in `pulumi cloud` instead of `aws cloud`?
  • m

    millions-tiger-3724

    01/18/2020, 10:41 PM
    Hi, I'm trying to create an autoscaling group for an EC2 instance with custom UserData. I see that it is possible to add userData through the (`awsx.autoscaling.AutoScalingUserData`) `extraRuncmdLines()` and the `extraBootcmdLines()` functions; but looking at the code, (https://github.com/pulumi/pulumi-awsx/blob/3c2cd20b945d9a5fa8cf5f76e399ff16961248d1/nodejs/awsx/autoscaling/launchConfiguration.ts#L164) these seem specifically made for containers. I'm having trouble sending userData that includes installing Ubuntu packages and files, is there a way to do this? Thanks. The specific problem I'm having is that once the instance is created it doesn't seem to be sending the `cfn-signal` (which aws uses to indicate that the cloudformation stack was successful)
  • f

    flat-insurance-25294

    01/21/2020, 6:49 AM
    Can I get some help with this?
    const endpoint = new awsx.apigateway.API("hello-world", {
        stageArgs: {
            accessLogSettings: {
                format: {
                    "httpMethod": "$context.httpMethod"
                }.toString(),
                destinationArn: "???"
            },
    I want to define the cloudwatch log formats for the APIGateway but I am not sure how to do that, the docs are quite sparse on that on the Pulumi end.
  • f

    flat-insurance-25294

    01/21/2020, 10:46 AM
    Found a bug: `bucketRegionalDomainName` does not return regional name, but the same value as `bucketDomainName`
  • b

    breezy-butcher-78604

    01/22/2020, 7:29 AM
    I’ve been building a CloudFront distribution today and noticed that whenever I’m making changes to the distribution, pulumi waits indefinitely for the updates to complete (even after the distribution status is back to “Deployed”). For example, I made a change that updated some custom error pages. Pulumi initiated the change, after a few minutes the change was complete and the distribution returned to the “Deployed” state and the new changes were visible in the console. However, the `pulumi up` command continued to wait for it to complete, right up until the AWS credentials it was using expired (~15 minutes after the change was complete). This has happened every time I’ve made an update to the distribution. Any ideas what might be causing this?
  • h

    hundreds-monitor-95126

    01/22/2020, 7:28 PM
    Hey. Is there any good example of setting up `elastic beanstalk` on a VPC and multi az env (not default)? I have setup my code but i am facing multiple issue with it.
    1. Whenever i am doing `pulumi destroy` some of the IAM roles are not getting deleted. (Image attached)
    2. Whenever i am changing the subnets from public to private, i am not able to access the default app.
    3. I have `2 public subnets` & `2 private subnets`. How to configure that my ec2's are created in private subnet and ELB in public subnet
    Also find the code attached. Any help would be highly appreciated.
    helper.ts, types.ts, eb.ts
  • f

    future-yak-43516

    01/22/2020, 8:57 PM
    What would I need to do to invalidate a specific cloudfront distribution with Typescript? Or maybe as an alternative, trigger the invalidation job automatically after syncing new files to an S3 bucket.
  • h

    handsome-truck-95168

    01/22/2020, 10:38 PM
    The `aws.apigateway.BasePathMapping` resource doesn't seem to update correctly when `basePath` is empty. Probably this is due to AWS having a terrible API. In any case, trying to update a stack w/ one of these gives the error "error: Error creating Gateway base path mapping: ConflictException: Only one base path mapping is allowed if the base path is empty." I changed the pulumi name of the resource (to force a delete & re-create), and added a basePath, but got the same error. Destroying the stack and re-deploying fixed the problem, and I learned to never use a 'blank' base path mapping again.
  • o

    orange-lunch-7899

    01/23/2020, 4:41 PM
    Hello guys! somebody knows why before install the plugin "resource aws v1.16.0" the error persist?
w

white-balloon-205

01/23/2020, 5:43 PM
That shouldn't ever happen in general - assuming you haven't touched your plugin cache. We've seen things like that when users move between machines (or CI machines) without maintaining their `~/.pulumi`. Can you provide any more details on the steps you took that ended up in that error?
👍🏽 1
o

orange-lunch-7899

01/23/2020, 7:39 PM
Hello Luke! thanks for your response, in fact was my mistake.
👍 1