aws
  • f

    fast-river-57630

    11/01/2021, 9:42 PM
    does aws.s3.AccessPoint (https://www.pulumi.com/registry/packages/aws/api-docs/s3/accesspoint/) support Object Lambda access points?
  • f

    fast-river-57630

    11/01/2021, 9:44 PM
    oh it's not in terraform yet https://github.com/hashicorp/terraform-provider-aws/issues/18206
  • d

    damp-school-17708

    11/02/2021, 4:17 PM
    Hello - is it possible to setup an app sync cache? I see the configuration per resolver, but I can't find where to specify the instance type
  • n

    nice-father-44210

    11/02/2021, 6:09 PM
    Having trouble running `pulumi import` for a `aws:ec2/routeTableAssociation`. Any advice? Log below:
    ❯ pulumi import aws:ec2/routeTableAssociation:RouteTableAssociation private-us-west-2a subnet-xxx/rtb-xxx -d
    Previewing import (xxx/xxx)
    
    View Live: <https://app.pulumi.com/xxx>
    
         Type                              Name                        Plan       Info
         pulumi:pulumi:Stack               my-project             1 error; 10 debugs
     =   └─ aws:ec2:RouteTableAssociation  private-us-west-2a          import     3 errors
     
    Diagnostics:
      pulumi:pulumi:Stack (my-project):
        debug: Attempting to use session-derived credentials
        debug: Successfully derived credentials from session
        debug: AWS Auth provider used: "SSOProvider"
        debug: Truncating attribute path of 0 diagnostics for TypeSet
        debug: Attempting to use session-derived credentials
        debug: Successfully derived credentials from session
        debug: AWS Auth provider used: "SSOProvider"
        debug: Trying to get account information via iam:GetUser
        debug: Trying to get account information via sts:GetCallerIdentity
        debug: Importing route table association, target: subnet-xxx, route table: rtb-xxx
        error: preview failed
     
      aws:ec2:RouteTableAssociation (private-us-west-2a):
        error: aws:ec2/routeTableAssociation:RouteTableAssociation resource 'private-us-west-2a' has a problem: Invalid combination of arguments: "gateway_id": one of `gateway_id,subnet_id` must be specified. Examine values at 'RouteTableAssociation.GatewayId'.
        error: aws:ec2/routeTableAssociation:RouteTableAssociation resource 'private-us-west-2a' has a problem: Invalid combination of arguments: "subnet_id": one of `gateway_id,subnet_id` must be specified. Examine values at 'RouteTableAssociation.SubnetId'.
        error: Preview failed: one or more inputs failed to validate
  • m

    microscopic-animal-41955

    11/02/2021, 9:31 PM
    Is it possible to programmatically get the underlying ASG associated with an EKS node group? I need to modify it to install https://github.com/aws/aws-node-termination-handler
  • c

    clever-painter-96148

    11/03/2021, 1:06 PM
    Is there a way to use AWS SSO credentials with Pulumi? I authenticate with `aws sso login --profile` then I can reuse those credentials by passing the same profile to AWS CLI commands. Unless I did some mistake, we cannot use those profiles with Pulumi. Did someone achieve it?
  • f

    full-artist-27215

    11/03/2021, 1:27 PM
    🤔 This has always "just worked" for me. Is `AWS_PROFILE` set in your environment?
  • f

    fast-river-57630

    11/03/2021, 1:28 PM
    hrm. aws.lambda.CallbackFunction calling a awsx.ecs.FargateTaskDefinition with overrides. I can override name and command but not image within the FargateTaskDefinition.run? yeahhh and that looks like it's a limitation in aws-sdk . I don't want to have to create a custom task def just to run a one-off ECS task
  • r

    rapid-raincoat-36492

    11/03/2021, 5:58 PM
    For those who used it early, how do you like the native aws provider? Specifically, have you hit any issues with rate limiting?
  • m

    millions-umbrella-34765

    11/04/2021, 4:38 PM
    I'm just trying to create an s3 bucket with aws_native. And getting the error "missing required property region", but I don't see that in the input args. What am I missing?
  • m

    millions-umbrella-34765

    11/04/2021, 5:20 PM
    How can you block public access with the S3 native, this is for classic but doesn't work
    const bucket = new aws_native.s3.Bucket("dev-assets.mydomain.com", {
    	bucketName: "dev-assets.mydomain.com",
    	blockPublicAcls: true
    });
  • e

    echoing-actor-55539

    11/04/2021, 10:22 PM
    does anybody have a recipe for using apiKeyRequired on a route with an aws websocket api-gateway? I don't see any way to set up a usage plan or specify the key
  • h

    high-holiday-63390

    11/05/2021, 10:35 AM
    Anyone using elastic beanstalk with pulumi? I’m curious about how you would add certain configuration settings. Some of them are documented, but there are quite a few that escape me. For example, the ‘Capacity’ section in EB where you specify instance size.
  • o

    orange-belgium-53818

    11/05/2021, 12:04 PM
    Any ideas how to turn off aws cloudwatch alarms at specific hours?
  • f

    flat-appointment-12338

    11/05/2021, 4:38 PM
    I upgraded `@pulumi/aws` to `4.26.0` today and this seemingly broke `aws.mq.Broker`:
    Missing required argument: The argument "broker_name" is required, but no definition was found.. Examine values at 'Broker.BrokerName'.
    Invalid or unknown key. Examine values at 'Broker.BrokerName'.
  • f

    fancy-eve-82724

    11/05/2021, 4:39 PM
    Has anyone noticed an issue where an `aws.ec2.VpcDhcpOptionsAssociation()` is not having any effect? Pulumi deploys the resource and I can see the DHCP Options present in the AWS console, but looking at my VPC, it is not associated with the DHCP Option Set
  • b

    bulky-policeman-29913

    11/05/2021, 5:06 PM
    Hello all.
  • b

    bulky-policeman-29913

    11/05/2021, 5:07 PM
    I am trying to use the new native provider in typescript and getting an error for unknown field statement. I am just trying to create an IAM role here:
    const lambdaRole = new aws_native.iam.Role(`${resourcePrefix}-myrole`, {
        assumeRolePolicyDocument: { 
            version: '2012-10-17',
            statement: [{
                    effect: 'Allow',
                    principal: {
                        service: 'lambda.amazonaws.com'
                    },
                    action: [
                        'sts:AssumeRole'
                    ]
            }]
        },
        path: '/'
    });
  • b

    bulky-policeman-29913

    11/05/2021, 5:07 PM
    it looks correct per docs here so I am a bit confused https://www.pulumi.com/registry/packages/aws-native/api-docs/iam/role/
  • b

    bulky-policeman-29913

    11/05/2021, 5:11 PM
    Same error just running this from their example:
    const automationExecutionRole = new aws_native.iam.Role("automationExecutionRole", {
        assumeRolePolicyDocument: {
            version: "2012-10-17",
            statement: [{
                effect: "Allow",
                principal: {
                    service: "ssm.amazonaws.com",
                },
                action: ["sts:AssumeRole"],
            }],
        },
        path: "/",
        managedPolicyArns: [`arn:${awsPartition}:iam::aws:policy/AmazonEC2FullAccess`],
    });
  • s

    sparse-state-34229

    11/07/2021, 12:21 AM
    I’m experiencing some issues with `aws-sdk-go` where when running Pulumi in a container on an EC2 instance, it’s unable to use the instance profile attached to the instance. this is the error I get:
    Exception: invoke of aws:index/getCallerIdentity:getCallerIdentity failed: invocation of aws:index/getCallerIdentity:getCallerIdentity returned an error: 1 error occurred:
        	* error configuring Terraform AWS Provider: no valid credential sources for Terraform AWS Provider found.
    
        Please see <https://registry.terraform.io/providers/hashicorp/aws>
        for more information about providing credentials.
    
        Error: NoCredentialProviders: no valid providers in chain
        caused by: EnvAccessKeyNotFound: failed to find credentials in the environment.
        SharedCredsLoad: failed to load profile, .
        EC2RoleRequestError: no EC2 instance role found
        caused by: RequestCanceled: EC2 IMDS access disabled via AWS_EC2_METADATA_DISABLED env var
        error: an unhandled error occurred: Program exited with non-zero exit code: 1
    • I can curl the IMDSv1 endpoint within the container
    • the container does not have any `AWS_*` env vars set
    • the container does not mount `~/.aws`
    • there is a valid IAM role attached to the instance that is in use with Terraform runs
    anyone know what’s up here?
  • s

    sparse-state-34229

    11/07/2021, 2:23 AM
    getting this on the EC2 instance as well
  • s

    steep-soccer-65561

    11/08/2021, 9:47 AM
    Hello, I have this issue when I import a DynamoDB table : https://github.com/pulumi/pulumi/issues/6690 All my attributes are used as key or in GSI. Does anyone know of a workaround to import the table ?
  • e

    echoing-actor-55539

    11/08/2021, 6:54 PM
    Is there a clean way to destroy a CloudFront distro that uses a Lambda@Edge function in a single pass? Seems like I have to do it in 2 passes since the func can't be deleted while in use by the CF distro.
  • g

    great-postman-59271

    11/09/2021, 1:51 PM
    I am having issues with the DynamoDB TableItem resource. I have tried to create one Item with what appears to me to be valid JSON. It also seems to have created the actual Item in the table, but the pulumi up still failed with the following message:
    error: 1 error occurred:
            * updating urn:pulumi:dev::ThreeShape.Olympus.Auth.Infrastructure::aws:dynamodb/tableItem:TableItem::IntegrationTestAccessKey: 1 error occurred:
            * Error retrieving DynamoDB table item: SerializationException:
            status code: 400, request id: 1AE7FL7RD378QAOE1745B5TCDVVV4KQNSO5AEMVJF66Q9ASUAAJG
    I have tried the example code here, and that works fine. Has anyone else experienced this?
  • c

    curved-translator-40788

    11/09/2021, 6:04 PM
    Hi, I am trying to create a wafv2 webacl, I configured all rules and executed pulumi up, everything ok but after I execute pulumi up it is always showing changes... but I didn't change anything in the code. Additionally, if I comment the rules in the code and then execute pulumi up there are no changes. Any idea?
  • g

    gray-hamburger-90102

    11/10/2021, 1:47 PM
    hey 👋 I am using Pulumi to set up a VPC in aws like so:
    const vpc = new awsx.ec2.Vpc("eks-vpc", {
            cidrBlock: "10.21.0.0/16",
            numberOfAvailabilityZones: "all",
        });
    I believe this makes a public and private subnet per AZ, so in my case that's 3 of each. I'd like to change my cidr block to be `10.21.0.0/24` - when i do this and run the changes, it seems that it fails because the internet gateway can't be detached from the VPC - which I have narrowed down to the fact that each NAT gateway has a public IP associated to them that should probably be removed first:
    Diagnostics:
      pulumi:pulumi:Stack (bravissimo-platform-ec2-vpc):
        error: update failed
     
      aws:ec2:InternetGateway (eks-vpc):
        error: 1 error occurred:
            * updating urn:pulumi:vpc::bravissimo-platform-ec2::awsx:x:ec2:Vpc$awsx:x:ec2:InternetGateway$aws:ec2/internetGateway:InternetGateway::eks-vpc: 1 error occurred:
            * Error waiting for internet gateway (igw-03ec74c6df2e8bd83) to detach: timeout while waiting for state to become 'detached' (last state: 'detaching', timeout: 15m0s)
    Am I missing something here?
  • d

    damp-school-17708

    11/10/2021, 3:36 PM
    Hello, I've a question regarding aws api gateway v2 and route53 domains. On the docs (https://www.pulumi.com/registry/packages/aws/api-docs/apigatewayv2/domainname/#associated-route-53-resource-record) I see:
    import * as pulumi from "@pulumi/pulumi";
    import * as aws from "@pulumi/aws";
    
    const exampleDomainName = new aws.apigatewayv2.DomainName("exampleDomainName", {
        domainName: "http-api.example.com",
        domainNameConfiguration: {
            certificateArn: aws_acm_certificate.example.arn,
            endpointType: "REGIONAL",
            securityPolicy: "TLS_1_2",
        },
    });
    const exampleRecord = new aws.route53.Record("exampleRecord", {
        name: exampleDomainName.domainName,
        type: "A",
        zoneId: aws_route53_zone.example.zone_id,
        aliases: [{
            name: exampleDomainName.domainNameConfiguration.apply(domainNameConfiguration => domainNameConfiguration.targetDomainName),
            zoneId: exampleDomainName.domainNameConfiguration.apply(domainNameConfiguration => domainNameConfiguration.hostedZoneId),
            evaluateTargetHealth: false,
        }],
    });
    Which I've followed as-is basically. My route53 record though, seems to point to something different to endpoint I used to call the api with (id-here.execute-api.us-east-1.amazonaws.com works; while this now points to something like different-id-here.execute-api.us-east-1.amazonaws.com) does my api call need to change or am I missing something? I would expect the route53 to point to the 'working endpoint' nothing else
  • m

    millions-umbrella-34765

    11/10/2021, 5:12 PM
    I'm coming across some AWS resources that appear to be managed by pulumi. I don't see them in my organization. I think an employee that has since left the company created the project in their personal account. Is there a way for me to transfer that project to our organization?
  • l

    late-lock-17022

    11/11/2021, 11:53 AM
    Hi, lovely people. right now I’m deploying a pulumi stack with a CertificateValidation resource. But it seems stuck on creation. I can’t find anything helpful in the documentation or google. It looks like that for 15 Minutes already. Is this normal or is something wrong there? Oh, as sidenote. This is the 5th time already that I’m trying that. Other times I just canceled the process which led to corrupted state. Solved: Yeah, it was completely my fault. Destroyed and rebuilt the hosted zones without considering the NS entries for my domains. Hence AWS assigned some random NS Servers for those domains. DNS settings weren’t right so pulumi was stuck on the validation step. It could not reach the domains to validate the cert. Add in some aws region confusion on my side and you have the problem. Thanks @miniature-king-36473 for your help 😄
m

miniature-king-36473

11/11/2021, 12:06 PM
It can take a while. Perhaps a silly question, have you performed the validation steps that are required for the certificate (usually creating DNS records, but may be email)?
l

late-lock-17022

11/11/2021, 12:14 PM
Yeah, I did. A DNS Record as well as the cert itself are created beforehand by the same script. The AWS Console lists the certificate as issued and validated. At least as far as I can see.
Pulumi lists the validation as still creating though.
m

miniature-king-36473

11/11/2021, 12:17 PM
hmm - I don't suppose you are creating the cert in a different AWS Region (us-east-1 is required for Cloudfront for example)?
l

late-lock-17022

11/11/2021, 12:18 PM
Everything is the same region. It comes from the stack config. I do not switch regions within the resources. Don’t even know if that is actually possible 🙂
m

miniature-king-36473

11/11/2021, 12:20 PM
Just to double check, you have created the DNS records for certificate validation (not just the domain - example is here - https://www.pulumi.com/registry/packages/aws/api-docs/acm/certificatevalidation/#dns-validation-with-route-53
l

late-lock-17022

11/11/2021, 12:21 PM
Python code.
chipnibbles_com_certificate = aws.acm.Certificate(
    "chipnibbles.com", domain_name="chipnibbles.com", validation_method="DNS"
)

validation_option = chipnibbles_com_certificate.domain_validation_options[0]
chipnibbles_validation_record = ChipnibblesRecord(
    "validation_record",
    name=validation_option.resource_record_name,
    type=validation_option.resource_record_type,
    records=[
        validation_option.resource_record_value,
    ],
)

chipnibbles_cert_validation = aws.acm.CertificateValidation(
    "chipnibbles-validation",
    certificate_arn=chipnibbles_com_certificate.arn,
    validation_record_fqdns=[chipnibbles_validation_record.fqdn],
)
Should be the same. Just without the smarts that are in the example.
Now I got an error. After about 45 Minutes.
aws:acm:CertificateValidation (chipnibbles-validation):
    error: 1 error occurred:
        * Error describing created certificate: Expected certificate to be issued but was in state PENDING_VALIDATION
m

miniature-king-36473

11/11/2021, 12:27 PM
ChipnibblesRecord is your own Resource type? Does this have access to the correct DNS Zone? Can you check to see if the record has been created in your DNS?
l

late-lock-17022

11/11/2021, 12:28 PM
Oh yeah, forgot to mention that. Yes it’s just a subclass of Route53Record with some defaults applied which are overridable. And yes the record is there.
m

miniature-king-36473

11/11/2021, 12:28 PM
worth checking the values match what ACM is showing as required for the certificate?
and is your domain "live"?
looks like the nameservers may not be correct - https://intodns.com/chipnibbles.com
l

late-lock-17022

11/11/2021, 12:32 PM
I checked again right now. I had another Certificate in us-east-1. From runs before. That’s the validated one. AWS Console somehow changed my region so I sent the wrong picture. The one I created with the script shows pending validation. The records are correct and there though.
So to reiterate. Cert is created > right DNS Entries are there in route53. Cert validation fails. I’ll look into the DNS errors. Thanks for your time! 😄
m

miniature-king-36473

11/11/2021, 12:33 PM
np
l

late-lock-17022

11/11/2021, 12:38 PM
That's interesting. I use the default NS and SOA entries which were created by AWS for my hosted zones. Perhaps when I destroyed some of the old hosted zones some values are still cached? Hence DNS Fails completely. It’s always DNS isn’t it. 🤔