Hey everyone, How do you destroy a stack that has an imported AWS ACM certificate without deleting the certificate?

Is there a good way to share a tagging convention across component resources? I use the same AWS tags on resources that are built in the same stack.

Still trying to resolve the issue creating scheduled functions via the pulumi example: https://github.com/pulumi/examples/issues/1098 . Can someone take 5 minutes and try to reproduce on the latest pulumi to help determine if it's an issue with my local install / config or a bug?

Do we have any flag similar to the CDK’s autoDeleteObjects in the aws-native plugin?

I'm declaring CloudWatch Metrics which contain units, the metrics are correct, the unit is set... however when I create a widget with the metric using awsx LineGraphMetricWidget,

unit

is not in the returned JSON. If I edit the properties in the dashboard source, I can add

"unit": "Percent"

and the dashboard honors this. However, this feature is undocumented: https://docs.aws.amazon.com/AmazonCloudWatch/latest/APIReference/CloudWatch-Dashboard-Body-Structure.html#CloudWatch-Dashboar[…]dering-Object-Format So I'm confused about whose bug/feature this really is.

Can I easily package / execute a static binary along with pulumi's "magic function" serialization? For example can I easily package a static binary to execute from the aws.cloudwatch.EventRuleEventHandler block? https://www.pulumi.com/blog/scheduling-serverless/ . Should I package the static binary with a Lambda layer? Do I need to instead create a vanilla Lambda function to use along with the Lambda layer?

What’s the best way to switch credentials between dev/production accounts for the different env based stacks on the same project? Also, I use aws sso cli for logging into console.

fromDockerBuild

appears to hang if I pass a

aws.ecr.Repository

instead of a

string

for the first argument:

const containerRepository = new aws.ecr.Repository(`${appName}-image`, {
  imageScanningConfiguration: {
    scanOnPush: true,
  },
  imageTagMutability: "MUTABLE",
});

new awsx.ecs.FargateService(
  `${appName}-service`, {
    ...
    image: awsx.ecs.Image.fromDockerBuild(containerRepository, buildArgs);
    ...
}, { dependsOn: containerRepository });

Any idea what I'm doing wrong?

Is there a way to setup a rolling window of manual Aurora RDS snapshots? We use the built-in daily snapshots, but in addition to that, we also want to retain snapshots taken during the last ~10 deployments

Looking at pulumi's magic functions and spawn as referenced in https://aws.amazon.com/blogs/compute/running-executables-in-aws-lambda/ and getting

Diagnostics:
  pulumi:pulumi:Stack (quickstart-dev):
    error: Error serializing '(event) => __awaiter(void 0, void 0, .
    
    '(event) => __awaiter(void 0, void 0, ...': index.ts(20,19): cap
      'spawn', a function defined at
        function 'spawnWithSignal': child_process.js(900,24): which 
          'validateAbortSignal', a function defined at
            '(signal, name) => { if (signal !== u ...': which captur
              'ERR_INVALID_ARG_TYPE', a function defined at
                function 'NodeError': which referenced
                  function 'getMessage': which captured
                    variable 'messages' which indirectly referenced
                      function 'get': which could not be serialized 
                        it was a native code function.
    
    Function code:
      function get() { [native code] }

Pulumi still suggesting the change on RDS ParameterGroup. My engine is PostgreSQL from

"applyMethod": "pending-reboot"

to `"applyMethod": "immediate" The affected parameter is

timezone

which I create like this:

{"name": "timezone", "value": "UTC"},

And according to docs the default

applyMethod

value is set to

immediate

. So the questions are: 1) What did set

applyMethod

to

pending-reboot

? 2) Why does pulumi try to change the value every time? (I'd say it may be coming from the provider) 3) And where can I find which parameters require reboot?

I am creating a EC2ImageBuilder. We set UserData on image recipe using additional instance configuration. While AWS CDK supports it, Terraform and Pulumi are missing the

additionalInstanceConfiguration

property on aws.imagebuilder.ImageRecipe. See: https://www.pulumi.com/docs/reference/pkg/aws/imagebuilder/imagerecipe/

Hello - is this https://aws.amazon.com/blogs/mobile/appsync-lambda-auth/ already supported by pulumi? thanks

What's the coverage like for the aws native provider compared to the tf based provider? Good enough to switch?

Hi, we had massive issues with this https://github.com/DataDog/datadog-lambda-js/issues/237 this morning it's now solved with a workaround, however if you read the thread there are mentions with CDK and AWS team changing the way we interact with lambdas. I do wonder then if it can be an issue also with pulumi and if pulumi for lambdas uses native already. Thanks we are on these versions

@pulumi/aws ^4.22.1 → ^4.24.1

@pulumi/pulumi ^3.13.2 → ^3.14.0

Same for us, we had Node 14.x and the layer

49

. I switched to

64

just to make sure it wasn't the layer version, but it quickly became evident that the version didn't matter. Since there was no code change on our side before and after the errors started showing up, we believe it's infra related. The layer is still there, and you can't modify it AFAIK so this must be AWS. We opened a ticket with AWS. I think they're are doing some changes to Lambda and this might be related

You are receiving this message because we identified that your account created or updated or invoked Lambda functions on or after July 1, 2021.

AWS Lambda is extending the capability to track the current state of a function through its lifecycle to all functions [1]. With this change, you may need to update your CLI and/or SDK-based automation workflows around creating and updating functions by adding a check that the function became active before performing additional actions that operate on the function.

Previously, states have been used in two primary use-cases. Firstly, to move the blocking setup of VPC resources out of the path of function invocation. Secondly, to allow the Lambda service to optimize new or updated container images for container-image based functions, also before invocation. By moving this additional work out of the path of the invocation, customers see lower latency and better consistency in their function performance.
Infrastructure as code and deployment automation tools such as AWS CloudFormation, AWS Serverless Application Model (SAM), AWS Cloud Development Kit (CDK), Serverless Framework,Hashicorp Terraform, AWS Chalice and Cloud Custodian already support states.

If you are using these tools and are already on the latest Software Development Kit (SDK), you do not need to take any action, and can stop reading now. If you are using an earlier SDK version, please update to the latest one.

We are rolling out this change over multi-phase periods to allow you to update existing tooling for deploying and managing Lambda functions. You can delay this change for your functions until December 5, 2021. Starting December 6, 2021, the delay mechanism expires and all customers see the Lambda states lifecycle applied during function create or update. Read this blog post [2] to learn about this change, timelines for different phases and a reference example on how to check your function state.

and then the support also said

Furthermore,  Lambda team performed rollback to fix this issue but this may take some time to fully propagate. However, I am actively monitoring internal ticket and I will keep you updated on this case.

Anyone have any tips/tricks for mocking API calls in tests (python, specifically)? I’m using iam.get_policy_document a couple places in code I’m trying to test and writing a manual mock for it feels wrong

Hey y'all. I'm just wondering if it is possible to create resources in other accounts than the one all resources are created for the current stack? In my case, I have an account which manages general infrastructure (in this case, DNS) which is separate to the main dev account. When I spin up a new service, I want it to register a new record set in route 53. Is this possible?

Does the new

aws-native

provider have support for AWS CodeCommit and CodePipeline? At first glance, I couldn't find the corresponding module for these services in the docs. https://www.pulumi.com/docs/reference/pkg/aws-native/

if i have a pulumi stack “aws-providers” of just one aws provider for each region and I export each region_provider, should i be able to

providers = pulumi.StackReference('aws-providers')

and then

opts=pulumi.ResourceOptions(provider=providers.get_output('provider_aws_us-east-1'))

???

I am trying to create and s3 bucket using the aws-native package but its returning an error

Hi, I’m having some issues with the

StackReference

(trying to understand it). I’m using S3 as backend (everything in one bucket), ideally a folder for each project (micro services setup: infra, app, services, etc). With this I saw two options: 1. Every pulumi project in same folder -> each stack needs to have project name in it (eg,

infra.dev

), or they will collide (dev, in two different projects, in same folder in S3). 2. Every project in different folders -> stack can be named with just the environment (

dev

,

stg

,

prod

) In case 1, I did

new StackReference('infra.dev')

, and it ends with error:

aws:lambda:Function (lambda_name):
    error: 1 error occurred:
    	* error creating Lambda Function (1): ValidationException:
    	status code: 400, request id: 6dab7a4b-c6cc-4ebc-8a46-cb14060d50f2

Apparently it gets the stack_reference but it fails to deploy. My assumption is because it’s empty data or failing in some level with those refs. Also tried

new StackReference('project_name/infra.dev')

, but got the error:

error: Preview failed: unknown stack "project_name/infra.dev"

If I wanted to use the case 2, everything in different folders, how do you reference to the other stack? Any help is more than welcome.

Is there a way to update an existing vpc service endpoint (to add to the policy)?

I see https://www.pulumi.com/registry/packages/aws/api-docs/ec2/vpcendpointservice/ but seems to only support create and lookup

Looking at setting up GuardDuty for an organization. Any tips on this? Trying to understand if I can run under one script under one AWS profile or if I need to break this up into different scripts.

Is there any equivalent to DeletionPolicy and UpdateReplacePolicy in

Pulumi.Aws

(when not using a CloudFormation resource)? i.e. if I was to port from CF to non-CF using Pulumi, would it be possible to preserve this behaviour?

I’m getting a strange error with

new

aws.lambda.LayerVersion

. The error is this one.

Error creating lambda layer: ValidationException:
    	status code: 400, request id: 7e256205-6800-460e-ad82-91ba69f1ac8a

The issue is with the LayerName, options tried: • [FAIL] layerName:

my-layer-${env}

• [FAIL] layerName: myVarName -> where

const myVarName = `my-layer-${env}`.toString() // with or without toString()

• [OK] layerName: “my-layer” So only valid option is by sending a string in the

args

on

LayerVersion

. Any idea on what’s going on?

Are there any constraints on the naming?

Hey folks! Using a lambda running a docker image, we're having issues that pushing a new image with a

latest

tag isn't updating the lambda. How can we force the lambda to refetch the docker image? Or do we have to have well named version tags and that then forces the lambda to update?

I'm importing an AWS organization into Pulumi and it's showing

undefined

for a couple of service principals. Is that a bug?