pulumi-community #aws

aws

fast-river-57630

11/01/2021, 9:42 PM

does aws.s3.AccessPoint (https://www.pulumi.com/registry/packages/aws/api-docs/s3/accesspoint/) support Object Lambda access points?

fast-river-57630

11/01/2021, 9:44 PM

oh it's not in terraform yet https://github.com/hashicorp/terraform-provider-aws/issues/18206

damp-school-17708

11/02/2021, 4:17 PM

Hello - is it possible to setup an app sync cache? I see the configuration per resolver, but I can't find where to specify the instance type

nice-father-44210

11/02/2021, 6:09 PM

Having trouble running

pulumi import

for a

aws:ec2/routeTableAssociation

Any advice? Log below:

❯ pulumi import aws:ec2/routeTableAssociation:RouteTableAssociation private-us-west-2a subnet-xxx/rtb-xxx -d
Previewing import (xxx/xxx)

View Live: <https://app.pulumi.com/xxx>

     Type                              Name                        Plan       Info
     pulumi:pulumi:Stack               my-project             1 error; 10 debugs
 =   └─ aws:ec2:RouteTableAssociation  private-us-west-2a          import     3 errors
 
Diagnostics:
  pulumi:pulumi:Stack (my-project):
    debug: Attempting to use session-derived credentials
    debug: Successfully derived credentials from session
    debug: AWS Auth provider used: "SSOProvider"
    debug: Truncating attribute path of 0 diagnostics for TypeSet
    debug: Attempting to use session-derived credentials
    debug: Successfully derived credentials from session
    debug: AWS Auth provider used: "SSOProvider"
    debug: Trying to get account information via iam:GetUser
    debug: Trying to get account information via sts:GetCallerIdentity
    debug: Importing route table association, target: subnet-xxx, route table: rtb-xxx
    error: preview failed
 
  aws:ec2:RouteTableAssociation (private-us-west-2a):
    error: aws:ec2/routeTableAssociation:RouteTableAssociation resource 'private-us-west-2a' has a problem: Invalid combination of arguments: "gateway_id": one of `gateway_id,subnet_id` must be specified. Examine values at 'RouteTableAssociation.GatewayId'.
    error: aws:ec2/routeTableAssociation:RouteTableAssociation resource 'private-us-west-2a' has a problem: Invalid combination of arguments: "subnet_id": one of `gateway_id,subnet_id` must be specified. Examine values at 'RouteTableAssociation.SubnetId'.
    error: Preview failed: one or more inputs failed to validate

microscopic-animal-41955

11/02/2021, 9:31 PM

Is it possible to programmatically get the underlying ASG associated with an EKS node group? I need to modify it to install https://github.com/aws/aws-node-termination-handler

clever-painter-96148

11/03/2021, 1:06 PM

Is there a way to use AWS SSO credentials with Pulumi? I authenticate with

aws sso login --profile

then I can reuse those credentials by passing the same profile to AWS CLI commands. Unless I did some mistake, we cannot use those profiles with Pulumi. Did someone achieve it?

full-artist-27215

11/03/2021, 1:27 PM

🤔 This has always "just worked" for me. Is

AWS_PROFILE

set in your environment?

fast-river-57630

11/03/2021, 1:28 PM

hrm. aws.lambda.CallbackFunction calling a awsx.ecs.FargateTaskDefinition with overrides. I can override name and command but not image within the FargateTaskDefinition.run? yeahhh and that looks like it's a limitation in aws-sdk . I don't want to have to create a custom task def just to run a one-off ECS task

rapid-raincoat-36492

11/03/2021, 5:58 PM

For those who used it early, how do you like the native aws provider? Specifically, have you hit any issues with rate limiting?

millions-umbrella-34765

11/04/2021, 4:38 PM

I'm just trying to create an s3 bucket with aws_native. And getting the error "missing required property region", but I don't see that in the input args. What am I missing?

millions-umbrella-34765

11/04/2021, 5:20 PM

How can you block public access with the S3 native, this is for classic but doesn't work

const bucket = new aws_native.s3.Bucket("<http://dev-assets.mydomain.com|dev-assets.mydomain.com>", {
	bucketName: "<http://dev-assets.mydomain.com|dev-assets.mydomain.com>",
	blockPublicAcls: true
});

echoing-actor-55539

11/04/2021, 10:22 PM

does anybody have a recipe for using apiKeyRequired on a route with an aws websocket api-gateway? i dont see any way to setup a usage plan or specify the key

high-holiday-63390

11/05/2021, 10:35 AM

Anyone using elastic beanstalk with pulumi? I’m curious about how you would add certain configuration settings. Some of them are documented, but there are quite a few that escape me. For example, the ‘Capacity’ section in EB where you specify instance size.

orange-belgium-53818

11/05/2021, 12:04 PM

Any ideas how to turn off aws cloudwatch alarms at specific hours?

flat-appointment-12338

11/05/2021, 4:38 PM

I upgraded

@pulumi/aws

4.26.0

today and this seemingly broke `aws.mq.Broker`:

Missing required argument: The argument "broker_name" is required, but no definition was found.. Examine values at 'Broker.BrokerName'.
Invalid or unknown key. Examine values at 'Broker.BrokerName'.

fancy-eve-82724

11/05/2021, 4:39 PM

Has anyone noticed an issue where an

aws.ec2.VpcDhcpOptionsAssociation()

is not having any effect? Pulumi deploys the resource and I can see the DHCP Options present in the AWS console, but looking at my VPC, it is not associated with the DHCP Option Set

bulky-policeman-29913

11/05/2021, 5:06 PM

Hello all.

bulky-policeman-29913

11/05/2021, 5:07 PM

I am trying to use the new native provider in typescript and getting an error for unknown field statement. I am just trying to create an IAM role here:

const lambdaRole = new aws_native.iam.Role(`${resourcePrefix}-myrole`, {
    assumeRolePolicyDocument: { 
        version: '2012-10-17',
        statement: [{
                effect: 'Allow',
                principal: {
                    service: '<http://lambda.amazonaws.com|lambda.amazonaws.com>'
                },
                action: [
                    'sts:AssumeRole'
                ]
        }]
    },
    path: '/'
});

bulky-policeman-29913

11/05/2021, 5:07 PM

it looks correct per docs here so I am a bit confused https://www.pulumi.com/registry/packages/aws-native/api-docs/iam/role/

bulky-policeman-29913

11/05/2021, 5:11 PM

Same error just running this from their example:

const automationExecutionRole = new aws_native.iam.Role("automationExecutionRole", {
    assumeRolePolicyDocument: {
        version: "2012-10-17",
        statement: [{
            effect: "Allow",
            principal: {
                service: "<http://ssm.amazonaws.com|ssm.amazonaws.com>",
            },
            action: ["sts:AssumeRole"],
        }],
    },
    path: "/",
    managedPolicyArns: [`arn:${awsPartition}:iam::aws:policy/AmazonEC2FullAccess`],
});

sparse-state-34229

11/07/2021, 12:21 AM

I’m experiencing some issues with

aws-sdk-go

where when running Pulumi in a container on an EC2 instance, it’s unable to use the instance profile attached to the instance. this is the error I get:

Exception: invoke of aws:index/getCallerIdentity:getCallerIdentity failed: invocation of aws:index/getCallerIdentity:getCallerIdentity returned an error: 1 error occurred:
    	* error configuring Terraform AWS Provider: no valid credential sources for Terraform AWS Provider found.

    Please see <https://registry.terraform.io/providers/hashicorp/aws>
    for more information about providing credentials.

    Error: NoCredentialProviders: no valid providers in chain
    caused by: EnvAccessKeyNotFound: failed to find credentials in the environment.
    SharedCredsLoad: failed to load profile, .
    EC2RoleRequestError: no EC2 instance role found
    caused by: RequestCanceled: EC2 IMDS access disabled via AWS_EC2_METADATA_DISABLED env var
    error: an unhandled error occurred: Program exited with non-zero exit code: 1

• I can curl the IMDSv1 endpoint within the container • the container does not have any

AWS_*

env vars set • the container does not mount

~/.aws

• there is a valid IAM role attached to the instance that is in use with Terraform runs anyone know what’s up here?

sparse-state-34229

11/07/2021, 2:23 AM

getting this on the EC2 instance as well

steep-soccer-65561

11/08/2021, 9:47 AM

Hello, I have this issue when I import a DynamoDB table : https://github.com/pulumi/pulumi/issues/6690 All my attributes are used as key or in GSI. Does anyone know of a workaround to import the table ?

echoing-actor-55539

11/08/2021, 6:54 PM

Is there a clean way to destroy a CloudFront distro that uses a Lambda@Edge function in a single pass? Seems like I have to do it 2 passes since the func cant be deleted while in use by the CF distro.

great-postman-59271

11/09/2021, 1:51 PM

I am having issues with the DynamoDB TableItem resource. I have tried to create one Item with what appears to me to be valid JSON. It also seems to have created the actual Item in the table, but the pulumi up still failed with the following message:

error: 1 error occurred:
        * updating urn:pulumi:dev::ThreeShape.Olympus.Auth.Infrastructure::aws:dynamodb/tableItem:TableItem::IntegrationTestAccessKey: 1 error occurred:
        * Error retrieving DynamoDB table item: SerializationException:
        status code: 400, request id: 1AE7FL7RD378QAOE1745B5TCDVVV4KQNSO5AEMVJF66Q9ASUAAJG

I have tried the example code here, and that works fine. Have anyone else experienced this?

📣 1

curved-translator-40788

11/09/2021, 6:04 PM

HI, I am trying create wafv2 webacl, I configured all rules and executed pulumi up, everything ok but after I execute pulumi up it is always showing changes... but I didn't change anything in the code. Additional if I comment the rules in the code and then execute pulumi up there are not changes. Any idea?

gray-hamburger-90102

11/10/2021, 1:47 PM

hey 👋 I am using Pulumi to set up a VPC in aws like so:

const vpc = new awsx.ec2.Vpc("eks-vpc", {
        cidrBlock: "10.21.0.0/16",
        numberOfAvailabilityZones: "all",
    });

I believe this makes a public and private subnet per AZ, so in my case that's 3 of each. I'd like to change my cidr block to be

10.21.0.0/24

- when i do this and run the changes, it seems that it fails because the internet gateway can't be detached from the VPC - which I have narrowed down to the fact that each NAT gateway has a public IP associated to them that should probably be removed first:

Diagnostics:
  pulumi:pulumi:Stack (bravissimo-platform-ec2-vpc):
    error: update failed
 
  aws:ec2:InternetGateway (eks-vpc):
    error: 1 error occurred:
        * updating urn:pulumi:vpc::bravissimo-platform-ec2::awsx:x:ec2:Vpc$awsx:x:ec2:InternetGateway$aws:ec2/internetGateway:InternetGateway::eks-vpc: 1 error occurred:
        * Error waiting for internet gateway (igw-03ec74c6df2e8bd83) to detach: timeout while waiting for state to become 'detached' (last state: 'detaching', timeout: 15m0s)

Am I missing something here?

damp-school-17708

11/10/2021, 3:36 PM

Hello, I've a question regarding aws api gateway v2 and route53 domains. On the docs (https://www.pulumi.com/registry/packages/aws/api-docs/apigatewayv2/domainname/#associated-route-53-resource-record) I see:

import * as pulumi from "@pulumi/pulumi";
import * as aws from "@pulumi/aws";

const exampleDomainName = new aws.apigatewayv2.DomainName("exampleDomainName", {
    domainName: "<http://http-api.example.com|http-api.example.com>",
    domainNameConfiguration: {
        certificateArn: aws_acm_certificate.example.arn,
        endpointType: "REGIONAL",
        securityPolicy: "TLS_1_2",
    },
});
const exampleRecord = new aws.route53.Record("exampleRecord", {
    name: exampleDomainName.domainName,
    type: "A",
    zoneId: aws_route53_zone.example.zone_id,
    aliases: [{
        name: exampleDomainName.domainNameConfiguration.apply(domainNameConfiguration => domainNameConfiguration.targetDomainName),
        zoneId: exampleDomainName.domainNameConfiguration.apply(domainNameConfiguration => domainNameConfiguration.hostedZoneId),
        evaluateTargetHealth: false,
    }],
});

Which I've followed as-is basically. My route53 record though, seems to point to something different to endpoint I used to call the api with (id-here.execute-api.us-east-1.amazonaws.com works; while this now points to something like different-id-here.execute-api.us-east-1.amazonaws.com) does my api call need to change or am I missing something? I would expect the route53 to point to the 'working endpoint' nothing else

millions-umbrella-34765

11/10/2021, 5:12 PM

I'm coming across some AWS resources that appear to be managed by pulumi. I don't see them in my organization. I think an employee that has since left the company created the project in their personal account. Is there a way for me to transfer that project to our organization?

late-lock-17022

11/11/2021, 11:53 AM

Hi, lovely people. right now I’m deploying a pulumi stack with a CertificateValidation resource. But it seems stuck on creation. I can’t find anything helpful in the documentation or google. It looks like that for 15 Minutes already. Is this normal or is something wrong there? Oh, as sidenote. This is the 5th time already that I’m trying that. Other times I just canceled the process which lead to corrupted state. Solved: Yeah, it was completely my fault. Destroyed and rebuilt the hosted zones without considering the NS entries for my domains. Hence AWS assigned some random NS Servers for those domains. DNS settings weren’t right so pulumi was stuck on the validation step. It could not reach the domains to validate the cert. Add in some aws region confusion on my side and you have the problem. Thanks @miniature-king-36473 for your help 😄

Title

late-lock-17022

11/11/2021, 11:53 AM

miniature-king-36473

11/11/2021, 12:06 PM

It can take a while. Perhaps a silly question, have you performed the validation steps that are required for the certificate (usually creating DNS records, but may be email)?

late-lock-17022

11/11/2021, 12:14 PM

Yeah, I did. A DNS Record as well as the cert itself are created beforehand by the same script. The AWS Console lists the certificate as issued and validated. At least as far as I can see.

Pulumi lists the validation as still creating though.

miniature-king-36473

11/11/2021, 12:17 PM

hmm - I don't suppose you are creating the cert in a different AWS Region (us-east-1 is required for Cloudfront for example)?

late-lock-17022

11/11/2021, 12:18 PM

Everything is the same region. It comes from the stack config. I do not switch regions within the resources. Don’t even know if that is actually possible 🙂

miniature-king-36473

11/11/2021, 12:20 PM

Just to double check, you have created the DNS records for certificate validation (not just the domain - example is here - https://www.pulumi.com/registry/packages/aws/api-docs/acm/certificatevalidation/#dns-validation-with-route-53

late-lock-17022

11/11/2021, 12:21 PM

Python code.

chipnibbles_com_certificate = aws.acm.Certificate(
    "<http://chipnibbles.com|chipnibbles.com>", domain_name="<http://chipnibbles.com|chipnibbles.com>", validation_method="DNS"
)

validation_option = chipnibbles_com_certificate.domain_validation_options[0]
chipnibbles_validation_record = ChipnibblesRecord(
    "validation_record",
    name=validation_option.resource_record_name,
    type=validation_option.resource_record_type,
    records=[
        validation_option.resource_record_value,
    ],
)

chipnibbles_cert_validation = aws.acm.CertificateValidation(
    "chipnibbles-validation",
    certificate_arn=chipnibbles_com_certificate.arn,
    validation_record_fqdns=[chipnibbles_validation_record.fqdn],
)

Should be the same. Just without the smarts that are in the example.

Now I got an error. After about 45 Minutes.

aws:acm:CertificateValidation (chipnibbles-validation):
    error: 1 error occurred:
        * Error describing created certificate: Expected certificate to be issued but was in state PENDING_VALIDATION

miniature-king-36473

11/11/2021, 12:27 PM

ChipnibblesRecord is you own Resource type? Does this have access to the correct DNS Zone? Can you check to see if the record has been created in your DNS?

late-lock-17022

11/11/2021, 12:28 PM

Oh yeah, forgot to mention that. Yes it’s just a subclass of Route53Record with some defaults applied which are overridable. And yes the record is there.

miniature-king-36473

11/11/2021, 12:28 PM

worth checking the values match what ACM is showing as required for the certificate?

and is your domain "live"?

looks like the nameservers may not be correct - https://intodns.com/chipnibbles.com

late-lock-17022

11/11/2021, 12:32 PM

I checked again right now. I had another Certificate in us-east-1. From runs before. That’s the validated one. AWS Console somehow changed my region so I sent the wrong picture. The one I created with the script shows pending validation. The records are correct and there though.

So to reitarate. Cert is created > right DNS Entries are there in route53. Cert validation fails. I’ll look into the DNS errors. Thanks for your time! 😄

miniature-king-36473

11/11/2021, 12:33 PM

late-lock-17022

11/11/2021, 12:38 PM

Thats interesting. I use the default NS and SOA entries which were created by AWS for my hosted zones. Perhaps when I destroyed some of the old hosted zones some values are still cached? Hence DNS Fails completely. It’s always DNS isn’t it. 🤔

View count: 6