aws
  • m

    millions-umbrella-34765

    10/20/2021, 8:28 PM
    So I've made progress enabling GuardDuty for the organization with this code
    import * as pulumi from "@pulumi/pulumi";
    import * as aws from "@pulumi/aws";
    
    // pulumi import aws:organizations/organization:Organization myOrg o-4pxk9chgfxyz
    
    const myOrg = new aws.organizations.Organization(
    	"myOrg",
    	{
    		awsServiceAccessPrincipals: [
    			"ram.amazonaws.com",
    			"sso.amazonaws.com",
    			"reporting.trustedadvisor.amazonaws.com",
    			"cloudtrail.amazonaws.com",
    			"guardduty.amazonaws.com"
    		],
    		featureSet: "ALL"
    	},
    	{
    		protect: true
    	}
    );
    
    
    //Configure GuardDuty for the organization
    
    //creating a detector in the master acct enables GuardDuty
    const masterAcctDetector = new aws.guardduty.Detector("masterAcctDetector", {});
    
    //delegate the GuardDuty admin account to the security account (aws-security@my.com)
    const securityAccountId = "405739590713";
    const guardDutyOrganizationAdminAccount = new aws.guardduty.OrganizationAdminAccount("guardDutyOrganizationAdminAccount", {adminAccountId: securityAccountId}, {
    	dependsOn: [myOrg],
    });
    But GD is only per region, but the organization is not specific to a region. To create a GD master account, I need to run this for each region, so I'll create a new stack for the region. Is it an issue that the org is defined in this file and doesn't apply to a region?
  • m

    millions-umbrella-34765

    10/20/2021, 9:19 PM
    I just ran pulumi up to create a bunch of GuardDuty members and it created them. But I immediately ran pulumi preview with no code changes and it says it's going to replace a member. Why would that be?
  • p

    purple-plumber-90981

    10/21/2021, 4:47 AM
    Anyone got any idea what might be going on here: I set the region, I check the region, try to import a resource I know exists in the region I have set, the import fails because Pulumi says the bucket is not in a different region to what I have set... 🤷
  • m

    mysterious-piano-98161

    10/21/2021, 5:07 AM
    Is there a way to export public IPs from instances created in an autoscaling group like you would when just creating a normal EC2 instance, something like pulumi.export('public_ip', server.public_ip) but for ASG?
  • v

    victorious-fountain-7689

    10/21/2021, 5:23 AM
    Hi! In Pulumi Crosswalk for AWS, is it possible to get the complete awsx.ec2.Vpc object using awsx.ec2.Vpc.fromExistingIds? Even though I passed in vpcId, publicSubnetIds and privateSubnetIds, the output of .getSubnets("public") seems to be an empty list.
  • m

    mysterious-piano-98161

    10/21/2021, 6:16 AM
    I'm trying to create instances with ASG, then register those as targets in my TargetGroup. What would be the best way to accomplish this?
  • e

    early-keyboard-41388

    10/21/2021, 6:30 AM
    Hi, I’m trying to use new aws.cloudformation.Stack, but having a lot of issues when using the templateBody and adding data (ids or ips) from other resources created on same pulumi update run. I end up with this error on every output:
    Calling [toJSON] on an [Output<T>] is not supported. To get the value of an Output as a JSON value or JSON string consider either: 1: o.apply(v => v.toJSON()) 2: o.apply(v => JSON.stringify(v)) See https://pulumi.io/help/outputs for more details. This function may throw in a future version of @pulumi/pulumi.
    Thanks.
  • b

    brave-nightfall-19158

    10/21/2021, 8:10 AM
    hey all, quick question regarding pulumi update/replace/delete events. When Pulumi will take one of these actions, does it wait for the replacement to actually be ready? For example, if I have an EC2 instance that needs to be replaced, will Pulumi just create the new instance and if all API calls succeed correctly destroy the old one, or will it wait for the new EC2 instance to actually be ready, i.e. monitoring checks etc all pass?
  • e

    early-keyboard-41388

    10/21/2021, 11:58 AM
    Hey, is there any recommended practice or way to make lambda to lambda calls (in different microservices)? I’m using the aws-sdk, with the lambda.invoke, my main doubt is with the naming for the other lambda, as Pulumi adds extra numbering to the name. Maybe something on the pulumi up process to add in the lambda’s env data or any other option?
  • e

    enough-leather-70274

    10/22/2021, 10:03 AM
    Hi folks - I'm trying to map the default stage of my api gateway to a custom domain with a Path in the mapping, as per step 7 of the bottom of this instruction. In the AWS Classic provider for APIGatewayV2, I can only see something called ApiMapping, which doesn't include the path argument. Instead it includes an api_mapping_key but that links to the API gateway WS docs of all things. I'm assuming that's the path I want to provide (esp. given the CF example) but should the docs not link to the aforementioned page rather than WS docs?
  • m

    millions-furniture-75402

    10/22/2021, 2:46 PM
    I have an ACM Certificate using DNS validation, and I noticed the days to expiry was set to "45 days" and it auto-renewed. The problem is, the default is 60, how did this become 45? I can't find the property in AWS provider under ACM. https://docs.aws.amazon.com/acm/latest/userguide/dns-renewal-validation.html
  • g

    green-park-28305

    10/25/2021, 3:00 PM
    Hi all, I am trying to add EC2 root volume encryption for EKS nodes created by eks.ManagedNodeGroup. The below does not work. Perhaps someone here knows the trick? https://www.pulumi.com/registry/packages/eks/api-doc Thanks for your help.
    cluster:eks.Cluster = eks.Cluster(f"{cluster_name}-cluster",
            name=cluster_name,
            ....
            node_group_options=eks.ClusterNodeGroupOptionsArgs(
                cloud_formation_tags={
                    "Name": "EKS Worker Node"
                },
                encrypt_root_block_device=True,
            ),
            ...
        )   
    
        eks.ManagedNodeGroup(f"{cluster_name}-node-group-" + str(i),
                cluster=cluster.core,
                node_group_name=f"{cluster_name}-managed-node-group-" + str(i),
                ....
            ))
  • w

    witty-belgium-75866

    10/25/2021, 3:52 PM
    Hi all, I'm trying to create a new role with the entity type of: web-identity. How can I do it via Pulumi? Thx!
  • m

    mysterious-wolf-74677

    10/25/2021, 6:06 PM
    So is there a way to "Unimport" a resource? Basically we have service roles that we don't want in the stack anymore because they're not something we manage, seeing as that they're automatically generated. So after having imported them into the Pulumi stack, we want to remove them from the stack but not have them removed from our actual AWS. We can do this manually currently, by removing the code and manually deleting the resources from the stack, but is there anything like an "unimport" feature that can simply remove things from the pulumi stack without changing anything in AWS?
  • b

    bitter-policeman-94135

    10/26/2021, 12:07 AM
    Has anyone had success with getting EBS-CSI working with Pulumi in Python? https://docs.aws.amazon.com/eks/latest/userguide/ebs-csi.html ☝️ I'm having some difficulty translating these steps to Python.
  • w

    witty-belgium-75866

    10/26/2021, 9:18 AM
    Hi, is there a way to extract the kubeconfig of an EKS cluster? I want to pass it to the k8s.Provider object in order to deploy stuff on the cluster. Thx!
  • t

    tall-beard-99429

    10/26/2021, 4:08 PM
    What's the best way to get the first public subnet ID for a VPC network?
  • e

    early-keyboard-41388

    10/27/2021, 10:34 AM
    Hi, I’m trying to add a new Alias to a Lambda function.
    new aws.lambda.Alias(
      `alias-${stageSanitized}-new`,
      {
        name: 'SER001',
        functionVersion: lambdaFN.version,
        functionName: lambdaFN.name,
        description: 'Alias for SER001 environment',
      },
      { parent: lambdaFN, protect: true },
    );
    I already have an alias created for a given version of the same Lambda. But when I make pulumi update, I get that the existing Alias will get deleted. What am I missing? So both Alias have different names: one for the env, like dev, and the other, simulating a feature (SER001). I even added the protected flag…
  • a

    astonishing-quill-88807

    10/27/2021, 8:30 PM
    For folks who are using S3 state storage and deploying to multiple accounts, how are you dealing with permissions boundaries for the entities executing the stacks?
  • r

    ripe-shampoo-80285

    10/28/2021, 2:30 PM
    I am having some strange issues with my pulumi EKS stack. Apparently, for some reason, the stack state is out of sync with the actual aws resources it provisioned (not sure exactly what happened). When I try to resync the state with "pulumi refresh", it successfully completed, but obviously the problem is still there. So, when I try "pulumi up", it detects the difference, the update failed. Not sure exactly how to fix the issue. I'm trying to destroy the entire stack to restart from scratch, the pulumi destroy failed as well. How do I get out of this situation? Any help will be greatly appreciated.
  • r

    ripe-shampoo-80285

    10/28/2021, 2:31 PM
    BTW, do we have a force destroy option with pulumi?
  • r

    ripe-shampoo-80285

    10/28/2021, 2:37 PM
    Untitled.txt
  • r

    ripe-shampoo-80285

    10/28/2021, 2:38 PM
    That is the error from "pulumi up". It tried to update a group policy attachment: pulumi:pulumi:Stack infra-dev +- └─ aws:iam:GroupPolicyAttachment devtest-eks-admins-Policy-eks-read-attach replace [diff: ~policyArn]
  • r

    ripe-shampoo-80285

    10/28/2021, 7:06 PM
    Now I am trying to recreate the cluster and getting a bunch of these errors: pre-step event returned an error: failed to verify snapshot: resource urn:pulumi:dev::infra::eks:index:Cluster::devtest-eks dependency refers to missing resource
  • b

    brave-nightfall-19158

    10/29/2021, 3:35 PM
    Has anyone had problems with API Gateway and getting the correct value for a CNAME record to point to the gateway? The API Gateway has an ID as well as a gateway domain name. When using a custom domain name, the Route 53 record seems to need to be a CNAME that points to the gateway domain name (and not the ID) otherwise you get an SSL certificate bad domain error. However, the only output in Pulumi for Api Gateway seems to be the apiEndpoint which maps to the ID but there doesn't seem to be an output for gateway domain name. Any ideas? As an example, for my gateway, the ID is tl25su6oel.execute-api.eu-west-2.amazonaws.com but the API Gateway Domain Name is d-yt93fcyxyr.execute-api.eu-west-2.amazonaws.com. It's the api gateway domain output I need
  • t

    tall-beard-99429

    10/29/2021, 3:43 PM
    Anyone got any idea how I can fix "Could not set VPC CNI options: kubectl is missing" with EKS?
  • b

    brave-nightfall-19158

    10/30/2021, 3:13 PM
    Hey all, I'm trying to set a resource as "deleteBeforeReplace" but pulumi up doesn't seem to generate a diff. Anyone had this before?
    this.domainName = new aws.apigatewayv2.DomainName(`${_name_}-domain-name`, {
      domainName: args.customDomainName,
      domainNameConfiguration: {
        certificateArn: args.certifcateArn,
        endpointType: 'REGIONAL',
        securityPolicy: 'TLS_1_2'
      }
    }, { deleteBeforeReplace: true, parent: this });
  • b

    brave-nightfall-19158

    10/30/2021, 3:14 PM
    Previously, deleteBeforeReplace is not there, then I add it, but no diff is generated. When I change the name, it still tries to create a replacement first 😞
  • s

    sparse-tomato-5980

    11/01/2021, 7:35 PM
    Hey folks! Very basic IAM/Pulumi question: In these docs - don't need to read it yet, just linking for context https://docs.aws.amazon.com/apigateway/latest/developerguide/grant-permissions-to-create-vpclink.html it basically says "<create the following IAM policy/role> and <Assign the IAM role to you or a user in your account who is creating VPC links>". In my situation, we're strictly provisioning stuff in Pulumi with the AWS root user. So, two questions:
    • Is it possible that this recommendation doesn't make sense for the AWS root user, who I'd assume has access to everything already?
    • How does one attach an IAM role to <the AWS root user>?
  • s

    sparse-tomato-5980

    11/01/2021, 7:39 PM
    (Ah - never mind - it turns out we are indeed assuming a role elsewhere!)