So I've made progress enabling GuardDuty for the organization with this code

import * as pulumi from "@pulumi/pulumi";
import * as aws from "@pulumi/aws";

// pulumi import aws:organizations/organization:Organization myOrg o-4pxk9chgfxyz

const myOrg = new aws.organizations.Organization(
	"myOrg",
	{
		awsServiceAccessPrincipals: [
			"<http://ram.amazonaws.com|ram.amazonaws.com>",
			"<http://sso.amazonaws.com|sso.amazonaws.com>",
			"<http://reporting.trustedadvisor.amazonaws.com|reporting.trustedadvisor.amazonaws.com>",
			"<http://cloudtrail.amazonaws.com|cloudtrail.amazonaws.com>",
			"<http://guardduty.amazonaws.com|guardduty.amazonaws.com>"
		],
		featureSet: "ALL"
	},
	{
		protect: true
	}
);


//Configure GuardDuty for the organization

//creating a detector in the master acct enables GuardDuty
const masterAcctDetector = new aws.guardduty.Detector("masterAcctDetector", {});

//delegate the GuardDuty admin account to the security account (<mailto:aws-security@my.com|aws-security@my.com>)
const securityAccountId = "405739590713";
const guardDutyOrganizationAdminAccount = new aws.guardduty.OrganizationAdminAccount("guardDutyOrganizationAdminAccount", {adminAccountId: securityAccountId}, {
	dependsOn: [myOrg],
});

But GD is only per region by the organization is not specific to a region. To create a GD master account, I need to run this for each region so I'll create a new stack for the region. Is it an issue the org is defined in this file and doesn't apply to a region?

I just ran

pulumi up

to create a bunch of GuardDuty members and it created them. But I immediatly ran

pulumi preview

with no code changes and it says it's going to replace a member. Why would that be?

anyone got any idea what might be going on here :- I set the region, i check the region , try to import a resource i know exists in the region i have set, the import fails because pulumi says the bucket is not in a different region to what i have set . . . 🤷

is there a way to export public IP's from instances created in a autoscaling group like you would just creating a normal ec2 instance, something like pulumi.export('public_ip', server.public_ip) but for ASG?

Hi! In Pulumi crosswalk for AWS, is it possible to get the complete

awsx.ec2.Vpc

object using

awsx.ec2.Vpc.fromExistingIds

? Eventhough I passed in

vpcId

,

publicSubnetIds

and

privateSubnetIds

, the output of

.getSubnets("public")

seems to be an empty list.

im trying to create instances with ASG, then register those as targets in my TargetGroup. What would be the best way to accomplish this?

Hi, I’m trying to use

new

aws.cloudformation.Stack

, but having a lot of issues when using the

templateBody

and adding data (ids or ips) from other resources created on same pulumi update run. I end up with this error on every output:

Calling [toJSON] on an [Output<T>] is not supported. To get the value of an Output as a JSON value or JSON string consider either: 1: o.apply(v => v.toJSON()) 2: o.apply(v => JSON.stringify(v)) See <https://pulumi.io/help/outputs> for more details. This function may throw in a future version of @pulumi/pulumi.

Thanks.

hey all, quick question regarding pulumi update/replace/delete events. When Pulumi will take one of these actions, does it wait for the replacement to actually be ready? For example, if I have an EC2 instance that needs to be replaced, will Pulumi just create the new instance and if all API calls succeed correctly destroy the old one, or will it wait for the new EC2 instance to actually be ready, i.e. monitoring checks etc all pass?

Hey, is there any recommended practice or way to make lambda to lambda calls (in different microservices)? I’m using the

aws-sdk

, with the

lambda.invoke

, my main doubt is with the naming for the other lambda, as Pulumi adds extra numbering to the name. Maybe something on the

pulumi up

process to add in the lambda’s env data or any other option?

Hi folks - I'm trying to map the default stage of my api gateway to a custom domain with a Path in the mapping, as per step 7 of the bottom of this instruction. In the AWS Classic provider for APIGatewayV2, I can only see something called ApiMapping, which doesn't include the path argument. Instead it includes an

api_mapping_key

but that links to the API gateway WS docs of all things. I'm assuming that's the path I want to provide (esp. given the CF example) but should the docs not link to the aforementioned page rather than WS docs?

I have an ACM Certificate using DNS validation, and I noticed the days to expiry was set to "45 days" and it auto-renewed. The problem is, the default is 60, how did this become 45? I can't find the property in AWS provider under ACM. https://docs.aws.amazon.com/acm/latest/userguide/dns-renewal-validation.html

Hi all, I am trying to add EC2 root volume encryption for EKS nodes created by eks.ManagedNodeGroup. The below does not work. Perhaps someone here knows the trick? https://www.pulumi.com/registry/packages/eks/api-doc Thanks for your help.

cluster:eks.Cluster = eks.Cluster(f"{cluster_name}-cluster",
        name=cluster_name,
        ....
        node_group_options=eks.ClusterNodeGroupOptionsArgs(
            cloud_formation_tags={
                "Name": "EKS Worker Node"
            },
            encrypt_root_block_device=True,
        ),
        ...
    )   

    eks.ManagedNodeGroup(f"{cluster_name}-node-group-" + str(i),
            cluster=cluster.core,
            node_group_name=f"{cluster_name}-managed-node-group-" + str(i),
            ....
        ))

Hi all, I'm trying to create a new role with the entity type of:

web-identity

. how can I do it via pulmi? thx!

So is there a way to "Unimport" a resource? Basically we have service roles that we don't want in the stack anymore because they're not something we manage, seeing as that they're automatically generated. So after having imported them into the Pulumi stack, we want to remove them from the stack but not have them removed from our actual AWS. We can do this manually currently, by removing the code and manually deleting the resources from the stack, but is there anything like an

"unimport"

feature that can simply remove things from the pulumi stack without changing anything in AWS?

Has anyone had success with getting EBS-CSI working with Pulimi in Python? https://docs.aws.amazon.com/eks/latest/userguide/ebs-csi.html ☝️ I'm having some difficulty translating these steps to Python.

Hi, there is a way to extract the

kubeconfig

of an EKS cluster? I want to pass it to the

k8s.Provider

object in order to deploy stuff on the cluster. thx!

What's the best way to get the first public subnet ID for a VPC network?

Hi, I’m trying to add a new Alias to a Lambda function.

new aws.lambda.Alias(
  `alias-${stageSanitized}-new`,
  {
    name: 'SER001',
    functionVersion: lambdaFN.version,
    functionName: lambdaFN.name,
    description: 'Alias for SER001 environment',
  },
  { parent: lambdaFN, protect: true },
);

I already have an alias created for a given version of the same Lambda. But when I make

pulumi update

, I get that the existing Alias will get deleted. What am I missing? So both Alias have different names: one for the

env

, like

dev

, and the other, simulating a feature (

SER001

). I even added the protected flag…

For folks who are using S3 state storage and deploying to multiple accounts, how are you dealing with permissions boundaries for the entities executing the stacks?

I am having some strange issues with my pulumi EKS stack. Apparently, for some reason, the stack state is out of sync with the actual aws resources it provisioned (not sure exactly what happened). When I try to resync the state with "pulumi refresh", it successfully completed, but obviously the problem is still there. So, when I try "pulumi up", it detects the difference, the update failed. Not sure exactly how to fix the issue. I'm trying to destroy the entire stack to restart from scratch, the pulumi destroy failed as well. How do I get out of this situation. Any help will be greatly appreciated.

BTW, do we have a force destroy option with pulumi?

That is the error from "pulumi up". It tried to update a group policy attachment: pulumipulumiStack infra-dev +- └─ awsiamGroupPolicyAttachment devtest-eks-admins-Policy-eks-read-attach replace [diff: ~policyArn]

Now I am trying to recreate the cluster and getting a bunch of this errors: pre-step event returned an error: failed to verify snapshot: resource urnpulumidev:infraeksindexCluster:devtest-eks dependency refers to missing resource

Has anyone had problems with API Gateway and getting the correct value for a CNAME record to point to the gateway? The API Gateway has an ID as well as a gateway domain name. When using a custom domain name, the Route 53 record seems to need to be a CNAME that points to the gateway domain name (and not the ID) otherwise you get an SSL certificate bad domain error. However, the only output in Pulumi for Api Gateway seems to be the apiEndpoint which maps to the ID but there doesn't seem to be an output for gateway domain name. Any ideas? As an example, for my gateway, the ID is tl25su6oel.execute-api.eu-west-2.amazonaws.com but the API Gateway Domain Name is d-yt93fcyxyr.execute-api.eu-west-2.amazonaws.com. It's the api gateway domain output I need

Anyone got any idea how I can fix

Could not set VPC CNI options: kubectl is missing

with EKS?

Hey all, I'm trying to set a resource as "deleteBeforeReplace" but pulumi up doesn't seem to generate a diff. Anyone had this before? this.domainName = new aws.apigatewayv2.DomainName(

${_name_}-domain-name

, { domainName: args.customDomainName, domainNameConfiguration: { certificateArn: args.certifcateArn, endpointType: 'REGIONAL', securityPolicy: 'TLS_1_2' } }, { deleteBeforeReplace: true, parent: this });

Previously, deleteBeforeReplace is not there, then I add it, but no diff is generated. When I change the name, it still tries to create a replacement first 😞

Hey folks! very basic IAM/Pulumi question: In these docs - don't need to read it yet, just linking for context https://docs.aws.amazon.com/apigateway/latest/developerguide/grant-permissions-to-create-vpclink.html it basically says "<create the following IAM policy/role> and <*Assign the IAM role to you or a user in your account who is creating VPC links*>" In my situation, we're strictly provisioning stuff in Pulumi with the AWS root user. So, two questions: • Is it possible that this recommendation doesn't make sense for the AWS root user, who I'd assume has access to everything already? • How does one attach an IAM role to <the AWS root user>?

(Ah - nevermind - it turns out we are indeed assuming a role elsewhere!)