Is it better to set the AWS IAM Assumed Role as a configuration option or as a new provider inside the program to deploy my resources?

Any ideas why when I pass a name to

aws.lambda.Function()

that name gets used exactly when the lambda is spun up, but when I pass a name to

aws.lambda.CallbackFunction()

a hash is appended to the end of the name? For example if I pass

test-callback

to the callback function, the lambda spun up from the callback function will be something like

test-callback-9283a32

Hello everyone, I have created an EKS cluster and installed ALB controller in it. I have defined an ingress of class

alb

which brings up a loadbalancer in AWS with dns name something like

<http://k8s-kubesyst-octestal-f8d469242e-698581751.ap-south-1.elb.amazonaws.com|k8s-kubesyst-octestal-f8d469242e-698581751.ap-south-1.elb.amazonaws.com>

const albIngress = new k8s.networking.v1beta1.Ingress(`${projectName}-alb-ingress`, {
    metadata: {
        name: `${projectName}-alb-ingress`,
        namespace: 'kube-system',
        annotations: {
            '<http://kubernetes.io/ingress.class|kubernetes.io/ingress.class>': 'alb',
            '<http://alb.ingress.kubernetes.io/scheme|alb.ingress.kubernetes.io/scheme>': 'internet-facing',
            '<http://alb.ingress.kubernetes.io/target-type|alb.ingress.kubernetes.io/target-type>': 'ip',
        },
    },
    spec: {
        rules: [
            {
                http: {
                    paths: [
                        {
                            path: '/*',
                            backend: { serviceName: ingressNginxService.metadata.name, servicePort: 80 }
                        }
                    ]
                }
            }
        ]
    },
}, { provider: cluster.provider });

const www = new aws.route53.Record("www", {
    zoneId: '<Redacted>',
    name: 'dev-server',
    type: 'A',
    aliases: [{
        name: albIngress.status.loadBalancer.ingress[0].hostname, // <http://k8s-kubesyst-octestal-f8d469242e-698581751.ap-south-1.elb.amazonaws.com|k8s-kubesyst-octestal-f8d469242e-698581751.ap-south-1.elb.amazonaws.com>
        zoneId: exampleZone.zoneId, // <---------------------------------- how do i get the zone id?
        evaluateTargetHealth: true,
    }],
});

The problem is when creating a route53 record for this loadbalancer, i need a

zoneId

, where do i get it from? Any help is appreciated

Is there any way to signal to pulumi that all resources of a certain type, or with a shared parent, should be deleted before others created? Wonder if this is non computable in terms of dependencies. The problem I have is re-naming an ApiGateway Route, where the newly named resource clashes because the old one is not yet deleted. Naming ofc doesn't change too often but it's a nice problem to solve at the platform level if possible for more "throw away and change things quickly" dev environments.

Is it possible to specify a

serial-number

and

token-code

when assuming a role in the AWS Classic provider? It does not appear so from the Pulumi AWS installation-configuration and provider documentation. This is to allow using YubiKey MFA to assume more privileged role as described in this AWS tutorial.

Has anyone had any issues with

sourceHash

on

s3.BucketObject

? Is pulumi overriding it with the

FileArchive

source

reference? The path (ie. the .zip) I pass is not deterministic so this is a little bit of an issue.

Trying to add the default tags to my IAC here, but its not applying tags and I am not sure what I am missing here.

Fighting to adapt an existing aws.ec2.Vpc to awsx.ecs.Cluster. I built the compatible object via

new awsx.ec2.Vpc('...', {vpc})

. (ExistingVpcArgs) but the cluster won't provision because the subnets I've configured arent part of the compatible vpc (awsx) object. Oh I can probably use ExistingVpcIdArgs and pass it my existing privateSubnetIds/publicSubnetIds.

Anybody knows how can I disable s3 ACL? I'm using Golang. There is a func s3.NewBucketOwnershipControls that I can use to change ownership control: &s3.BucketOwnershipControlsArgs{ Bucket: bucket.ID(), Rule: &s3.BucketOwnershipControlsRuleArgs{ ObjectOwnership: pulumi.String("BucketOwnerPreferred"), }, } But there doesn't like there is a way that I can disable ACL with this function. By default, the ACL is enabled when Bucket is created.

Thanks for any help.

Looks like setting the ObjectOwnership to BucketOwnerEnforced will do the trick, but Pulumi doesn't seem to support that.

I created a ticket for the issue: https://github.com/pulumi/pulumi/issues/8763

Kinda curious what others are doing but I am wondering how much you guys are using the conf file for your environments? I have a bunch of stuff in my conf file for each environment and I am thinking about pulling some of it back into the main.py (Python) file instead. Still playing with options but curious what others are doing? I come from a heavy Terraform (tfvars) world so putting a lot of the environment-specific info in the conf file makes sense.

Hello, I'm very new to Pulumi and I'm trying to implement this https://www.pulumi.com/registry/packages/aws/how-to-guides/video-thumbnailer however I run into the following issue when running `pulumi up`:

#5 29.97 Collecting pip
    #5 30.17   Downloading <https://files.pythonhosted.org/packages/da/f6/c83229dcc3635cdeb51874184241a9508ada15d8baa337a41093fab58011/pip-21.3.1.tar.gz> (1.7MB)
    #5 30.79     Complete output from command python setup.py egg_info:
    #5 30.79     Traceback (most recent call last):
    #5 30.79       File "<string>", line 1, in <module>
    #5 30.79       File "/tmp/pip-build-hQd70M/pip/setup.py", line 7
    #5 30.79         def read(rel_path: str) -> str:
    #5 30.79                          ^
    #5 30.79     SyntaxError: invalid syntax
    #5 30.79
    #5 30.79     ----------------------------------------
    #5 30.82 Command "python setup.py egg_info" failed with error code 1 in /tmp/pip-build-hQd70M/pip/
    #5 31.38 You are using pip version 8.1.1, however version 21.3.1 is available.
    #5 31.38 You should consider upgrading via the 'pip install --upgrade pip' command.
    #5 ERROR: executor failed running [/bin/sh -c apt-get update &&     apt-get install python-dev python-pip -y &&     apt-get clean && pip install --upgrade pip]: exit code: 1
    ------
     > [2/4] RUN apt-get update &&     apt-get install python-dev python-pip -y &&     apt-get clean && pip install --upgrade pip:
    ------
    executor failed running [/bin/sh -c apt-get update &&     apt-get install python-dev python-pip -y &&     apt-get clean && pip install --upgrade pip]: exit code: 1

My code is identical to the one in the article, Docker is running, I'm on MacOS 12.1.

I'm working on a project that uses (as far as I can tell) only the default AWS provider, configured in the default manner. When I use env vars AWS_ACCESS_KEY_ID, AWS_SECRET_ACCESS_KEY and AWS_SESSION_TOKEN, things work. But when I unset those vars and use only AWS_PROFILE (correctly set it), Pulumi complains with

Error: invocation of aws:index/getRegion:getRegion returned an error: unable to discover AWS AccessKeyID and/or SecretAccessKey - see <https://pulumi.io/install/aws.html> for details on configuration

Hello everyone, I have run into a weird issue. I am creating a EKS cluster which works fine, but on destroy pulumi tries to delete the security groups created for the node groups which fails because there is a network interface attached to it. I am guessing this network interface is attached by AWS/EKS when I bring up a loadbalancer and hence pulumi does not know about it which cause the destroy to fail. I have to manually go and delete the network interface, so the the destroy can proceed with deleting the security group and everything after that. Does anyone know about this?

Hello! Question about Pulumi and AWS Parameter Store values. Can one create a param store resource with Pulumi and only have it create it if it does not exist, but we manually set its values? So no subsequent deploy affects the value we manually set.

Given I have a known cidr space (/18) and know how that is partitioned across subnets (using awsx logic), how can I use getIPV4Address(value) to create some private fixed addresses in my network? Unsure what

value: number

is here.

do we have any examples of how to update eks kubernetes version or how to trigger ami upgrade on managed nodegroup?

Question about awsx/ec2/vpc. There are 3 subnet types: public, private, isolated. If I use isolated, can I still setup the instances inside this subnet to be reachable via a bastion and custom egress/ingress rules?

I installed AWS Load Balancer Controller via Helm chart. Since initial installation, whenever I do

pulumi up

, the certs in

Secrets kube-system/aws-load-balancer-tls

get replaced. I even tried "keepTLSSecret: true," but no-go. I see that

kubernetes:<http://admissionregistration.k8s.io/v1:MutatingWebhookConfiguration|admissionregistration.k8s.io/v1:MutatingWebhookConfiguration>

and

kubernetes:<http://admissionregistration.k8s.io/v1:ValidatingWebhookConfiguration|admissionregistration.k8s.io/v1:ValidatingWebhookConfiguration>

gets updated too. Is there a way to mitigate this? This is the code

// Install AWS Load Balancer Controller via Helm chart
const awslbcontroller = new k8s.helm.v3.Chart("aws-load-balancer-controller", {
  chart: "aws-load-balancer-controller",
  version: "1.3.3",
  namespace: "kube-system",
  fetchOpts:{
      repo: "<https://aws.github.io/eks-charts>",
  },
  values: {
    clusterName: clusterName,
    keepTLSSecret: true,
  }
}, {provider: cluster.provider});

I'm struggling to find how to get pulumi python to list AWS resources, specifically I want to list R53 hosted zones associated with a specific vpc?

Sorry to bring this up again but I can't resolve this issue, if someone has an idea: https://pulumi-community.slack.com/archives/CRH5ENVDX/p1642354916102400

I'm trying to create a bastion host:EC2 instance with two subnets - one public and one private. My public subnet is:

export const infra_public = new awsn.ec2.Subnet('infra_public', {
    tags: nativeTags({ ...tags, Name: `infra_pub` }),
    cidrBlock: '10.0.0.16/28',
    vpcId,
    availabilityZone,
    mapPublicIpOnLaunch: true,
});

But when I launch an instance:

const nic0 = new aws.ec2.NetworkInterface('nic0', {
    subnetId: infra_public.id,
    tags,
    securityGroups: [sg_ssh.id],
});

const nic1 = new aws.ec2.NetworkInterface('nic1', {
    subnetId: infra_private.id,
    tags,
    securityGroups: [sg_priv.id],
});


const bastion_node = new aws.ec2.Instance('bastion', {
    keyName,
    tags: { ...tags, Name: `${pulumi.getStack()}-bastion` },
    instanceType: aws.ec2.InstanceType.T4g_Nano,
    ami: ami.id,
    networkInterfaces: [
        {
            deviceIndex: 0,
            networkInterfaceId: nic0.id,
        }, {
            deviceIndex: 1,
            networkInterfaceId: nic1.id,
        }
    ],
    creditSpecification: { cpuCredits: 'standard' },
    monitoring: true,
    availabilityZone,
});

the AWS console reports NO public IPv4 address. Am I missing something?

Hello Everyone! I am facing an issue on deploying a sample Nginx application on AWS that whenever I tried to expose service with type "LoadBalancer" It provision Classic LoadBalancer with no Targets. So It doesn't know where to route traffic. that's why the service is not accessible on the browser even with the Right Security Group setting. I need assistance on this issue.

To solve this issue I am trying to create alb controller, followed this https://github.com/jaxxstorm/pulumi-awsloadbalancercontroller but the installation is giving the following error

is there a way to tell pulumi to not way on the resource modifcation? I’m deploying an opensearch resources and the updates take time because of the rollout procedure and make my ci pipeline to nuts. If yes, does it’s a bad practice?

I am trying to combine eks cluster securitygroup and node securitygroup in to an array with the following Golang pulumi code, but I am getting the error below. What am I doing wrong?