does aws.s3.AccessPoint (https://www.pulumi.com/registry/packages/aws/api-docs/s3/accesspoint/) support Object Lambda access points?

oh it's not in terraform yet https://github.com/hashicorp/terraform-provider-aws/issues/18206

Hello - is it possible to setup an app sync cache? I see the configuration per resolver, but I can't find where to specify the instance type

Having trouble running

pulumi import

for a

aws:ec2/routeTableAssociation

Any advice? Log below:

❯ pulumi import aws:ec2/routeTableAssociation:RouteTableAssociation private-us-west-2a subnet-xxx/rtb-xxx -d
Previewing import (xxx/xxx)

View Live: <https://app.pulumi.com/xxx>

     Type                              Name                        Plan       Info
     pulumi:pulumi:Stack               my-project             1 error; 10 debugs
 =   └─ aws:ec2:RouteTableAssociation  private-us-west-2a          import     3 errors
 
Diagnostics:
  pulumi:pulumi:Stack (my-project):
    debug: Attempting to use session-derived credentials
    debug: Successfully derived credentials from session
    debug: AWS Auth provider used: "SSOProvider"
    debug: Truncating attribute path of 0 diagnostics for TypeSet
    debug: Attempting to use session-derived credentials
    debug: Successfully derived credentials from session
    debug: AWS Auth provider used: "SSOProvider"
    debug: Trying to get account information via iam:GetUser
    debug: Trying to get account information via sts:GetCallerIdentity
    debug: Importing route table association, target: subnet-xxx, route table: rtb-xxx
    error: preview failed
 
  aws:ec2:RouteTableAssociation (private-us-west-2a):
    error: aws:ec2/routeTableAssociation:RouteTableAssociation resource 'private-us-west-2a' has a problem: Invalid combination of arguments: "gateway_id": one of `gateway_id,subnet_id` must be specified. Examine values at 'RouteTableAssociation.GatewayId'.
    error: aws:ec2/routeTableAssociation:RouteTableAssociation resource 'private-us-west-2a' has a problem: Invalid combination of arguments: "subnet_id": one of `gateway_id,subnet_id` must be specified. Examine values at 'RouteTableAssociation.SubnetId'.
    error: Preview failed: one or more inputs failed to validate

Is it possible to programmatically get the underlying ASG associated with an EKS node group? I need to modify it to install https://github.com/aws/aws-node-termination-handler

Is there a way to use AWS SSO credentials with Pulumi? I authenticate with

aws sso login --profile

then I can reuse those credentials by passing the same profile to AWS CLI commands. Unless I did some mistake, we cannot use those profiles with Pulumi. Did someone achieve it?

🤔 This has always "just worked" for me. Is

AWS_PROFILE

set in your environment?

hrm. aws.lambda.CallbackFunction calling a awsx.ecs.FargateTaskDefinition with overrides. I can override name and command but not image within the FargateTaskDefinition.run? yeahhh and that looks like it's a limitation in aws-sdk . I don't want to have to create a custom task def just to run a one-off ECS task

For those who used it early, how do you like the native aws provider? Specifically, have you hit any issues with rate limiting?

I'm just trying to create an s3 bucket with aws_native. And getting the error "missing required property region", but I don't see that in the input args. What am I missing?

How can you block public access with the S3 native, this is for classic but doesn't work

const bucket = new aws_native.s3.Bucket("<http://dev-assets.mydomain.com|dev-assets.mydomain.com>", {
	bucketName: "<http://dev-assets.mydomain.com|dev-assets.mydomain.com>",
	blockPublicAcls: true
});

does anybody have a recipe for using apiKeyRequired on a route with an aws websocket api-gateway? i dont see any way to setup a usage plan or specify the key

Anyone using elastic beanstalk with pulumi? I’m curious about how you would add certain configuration settings. Some of them are documented, but there are quite a few that escape me. For example, the ‘Capacity’ section in EB where you specify instance size.

Any ideas how to turn off aws cloudwatch alarms at specific hours?

I upgraded

@pulumi/aws

to

4.26.0

today and this seemingly broke `aws.mq.Broker`:

Missing required argument: The argument "broker_name" is required, but no definition was found.. Examine values at 'Broker.BrokerName'.
Invalid or unknown key. Examine values at 'Broker.BrokerName'.

Has anyone noticed an issue where an

aws.ec2.VpcDhcpOptionsAssociation()

is not having any effect? Pulumi deploys the resource and I can see the DHCP Options present in the AWS console, but looking at my VPC, it is not associated with the DHCP Option Set

Hello all.

I am trying to use the new native provider in typescript and getting an error for unknown field statement. I am just trying to create an IAM role here:

const lambdaRole = new aws_native.iam.Role(`${resourcePrefix}-myrole`, {
    assumeRolePolicyDocument: { 
        version: '2012-10-17',
        statement: [{
                effect: 'Allow',
                principal: {
                    service: '<http://lambda.amazonaws.com|lambda.amazonaws.com>'
                },
                action: [
                    'sts:AssumeRole'
                ]
        }]
    },
    path: '/'
});

it looks correct per docs here so I am a bit confused https://www.pulumi.com/registry/packages/aws-native/api-docs/iam/role/

Same error just running this from their example:

const automationExecutionRole = new aws_native.iam.Role("automationExecutionRole", {
    assumeRolePolicyDocument: {
        version: "2012-10-17",
        statement: [{
            effect: "Allow",
            principal: {
                service: "<http://ssm.amazonaws.com|ssm.amazonaws.com>",
            },
            action: ["sts:AssumeRole"],
        }],
    },
    path: "/",
    managedPolicyArns: [`arn:${awsPartition}:iam::aws:policy/AmazonEC2FullAccess`],
});

I’m experiencing some issues with

aws-sdk-go

where when running Pulumi in a container on an EC2 instance, it’s unable to use the instance profile attached to the instance. this is the error I get:

Exception: invoke of aws:index/getCallerIdentity:getCallerIdentity failed: invocation of aws:index/getCallerIdentity:getCallerIdentity returned an error: 1 error occurred:
    	* error configuring Terraform AWS Provider: no valid credential sources for Terraform AWS Provider found.

    Please see <https://registry.terraform.io/providers/hashicorp/aws>
    for more information about providing credentials.

    Error: NoCredentialProviders: no valid providers in chain
    caused by: EnvAccessKeyNotFound: failed to find credentials in the environment.
    SharedCredsLoad: failed to load profile, .
    EC2RoleRequestError: no EC2 instance role found
    caused by: RequestCanceled: EC2 IMDS access disabled via AWS_EC2_METADATA_DISABLED env var
    error: an unhandled error occurred: Program exited with non-zero exit code: 1

• I can curl the IMDSv1 endpoint within the container • the container does not have any

AWS_*

env vars set • the container does not mount

~/.aws

• there is a valid IAM role attached to the instance that is in use with Terraform runs anyone know what’s up here?

getting this on the EC2 instance as well

Hello, I have this issue when I import a DynamoDB table : https://github.com/pulumi/pulumi/issues/6690 All my attributes are used as key or in GSI. Does anyone know of a workaround to import the table ?

Is there a clean way to destroy a CloudFront distro that uses a Lambda@Edge function in a single pass? Seems like I have to do it 2 passes since the func cant be deleted while in use by the CF distro.

I am having issues with the DynamoDB TableItem resource. I have tried to create one Item with what appears to me to be valid JSON. It also seems to have created the actual Item in the table, but the pulumi up still failed with the following message:

error: 1 error occurred:
        * updating urn:pulumi:dev::ThreeShape.Olympus.Auth.Infrastructure::aws:dynamodb/tableItem:TableItem::IntegrationTestAccessKey: 1 error occurred:
        * Error retrieving DynamoDB table item: SerializationException:
        status code: 400, request id: 1AE7FL7RD378QAOE1745B5TCDVVV4KQNSO5AEMVJF66Q9ASUAAJG

I have tried the example code here, and that works fine. Have anyone else experienced this?

HI, I am trying create wafv2 webacl, I configured all rules and executed pulumi up, everything ok but after I execute pulumi up it is always showing changes... but I didn't change anything in the code. Additional if I comment the rules in the code and then execute pulumi up there are not changes. Any idea?

hey 👋 I am using Pulumi to set up a VPC in aws like so:

const vpc = new awsx.ec2.Vpc("eks-vpc", {
        cidrBlock: "10.21.0.0/16",
        numberOfAvailabilityZones: "all",
    });

I believe this makes a public and private subnet per AZ, so in my case that's 3 of each. I'd like to change my cidr block to be

10.21.0.0/24

- when i do this and run the changes, it seems that it fails because the internet gateway can't be detached from the VPC - which I have narrowed down to the fact that each NAT gateway has a public IP associated to them that should probably be removed first:

Diagnostics:
  pulumi:pulumi:Stack (bravissimo-platform-ec2-vpc):
    error: update failed
 
  aws:ec2:InternetGateway (eks-vpc):
    error: 1 error occurred:
        * updating urn:pulumi:vpc::bravissimo-platform-ec2::awsx:x:ec2:Vpc$awsx:x:ec2:InternetGateway$aws:ec2/internetGateway:InternetGateway::eks-vpc: 1 error occurred:
        * Error waiting for internet gateway (igw-03ec74c6df2e8bd83) to detach: timeout while waiting for state to become 'detached' (last state: 'detaching', timeout: 15m0s)

Am I missing something here?

Hello, I've a question regarding aws api gateway v2 and route53 domains. On the docs (https://www.pulumi.com/registry/packages/aws/api-docs/apigatewayv2/domainname/#associated-route-53-resource-record) I see:

import * as pulumi from "@pulumi/pulumi";
import * as aws from "@pulumi/aws";

const exampleDomainName = new aws.apigatewayv2.DomainName("exampleDomainName", {
    domainName: "<http://http-api.example.com|http-api.example.com>",
    domainNameConfiguration: {
        certificateArn: aws_acm_certificate.example.arn,
        endpointType: "REGIONAL",
        securityPolicy: "TLS_1_2",
    },
});
const exampleRecord = new aws.route53.Record("exampleRecord", {
    name: exampleDomainName.domainName,
    type: "A",
    zoneId: aws_route53_zone.example.zone_id,
    aliases: [{
        name: exampleDomainName.domainNameConfiguration.apply(domainNameConfiguration => domainNameConfiguration.targetDomainName),
        zoneId: exampleDomainName.domainNameConfiguration.apply(domainNameConfiguration => domainNameConfiguration.hostedZoneId),
        evaluateTargetHealth: false,
    }],
});

Which I've followed as-is basically. My route53 record though, seems to point to something different to endpoint I used to call the api with (id-here.execute-api.us-east-1.amazonaws.com works; while this now points to something like different-id-here.execute-api.us-east-1.amazonaws.com) does my api call need to change or am I missing something? I would expect the route53 to point to the 'working endpoint' nothing else

I'm coming across some AWS resources that appear to be managed by pulumi. I don't see them in my organization. I think an employee that has since left the company created the project in their personal account. Is there a way for me to transfer that project to our organization?

Hi, lovely people. right now I’m deploying a pulumi stack with a CertificateValidation resource. But it seems stuck on creation. I can’t find anything helpful in the documentation or google. It looks like that for 15 Minutes already. Is this normal or is something wrong there? Oh, as sidenote. This is the 5th time already that I’m trying that. Other times I just canceled the process which lead to corrupted state. Solved: Yeah, it was completely my fault. Destroyed and rebuilt the hosted zones without considering the NS entries for my domains. Hence AWS assigned some random NS Servers for those domains. DNS settings weren’t right so pulumi was stuck on the validation step. It could not reach the domains to validate the cert. Add in some aws region confusion on my side and you have the problem. Thanks @miniature-king-36473 for your help 😄