pulumi-community #aws

Channels

aws

mammoth-art-6111

02/04/2022, 6:01 PM

hey all, i've been enjoying pulumi crosswalk for aws so far, and i've been having a pretty productive morning, but for some reason (i'm not sure why), pulumi has stopped detecting updates in my lambda function whenever i call

pulumi up

mammoth-art-6111

02/04/2022, 6:48 PM

this is coming out when i do

pulumi up -r

, seems like it notices there's a code change, but doesn't actually update

mammoth-art-6111

02/04/2022, 6:48 PM

aws:lambda:Function           github-release-webhook                              [diff: ~code]

mammoth-art-6111

02/04/2022, 7:07 PM

is there a way to force pulumi to refresh the lambda?

mammoth-art-6111

02/04/2022, 7:28 PM

honestly, really confused. was working seamlessly for a while.

mammoth-art-6111

02/04/2022, 8:04 PM

ah, ok

mammoth-art-6111

02/04/2022, 8:04 PM

i accidentally created an index.js file by running

typescript

better-activity-84090

02/07/2022, 8:20 AM

Since the WAFv2 is not idempotent (see https://github.com/pulumi/pulumi-aws/issues/1423), is there any workaround to this so every

pulumi up

doesn’t update the resource ?

polite-pillow-78450

02/07/2022, 11:01 PM

I am having issues with the Native provider and StackSet resource from a delegated administrator account for CloudFormation. Creation (if everything is valid) works. However, I believe that Pulumi is not recording the

call_as

property with the resource, and many subsequent operations fail because the StackSet is not able to be described when

call_as

is not DELEGATED_ADMIN in this scenario. Has anyone else encountered this?

sparse-apartment-71989

02/08/2022, 4:09 PM

In the docs at https://www.pulumi.com/registry/packages/aws/installation-configuration/ it says if multiple profiles are configured,

In this case, you will need to set the AWS_PROFILE environment variable to the name of the profile to use.

However, later in the docs, an alternative method is offered:

After creating your project, run pulumi config set aws:profile <profilename>

If these differ, which takes precedence, the env var or the config setting? In general will this order of precedence always be true for configuration in Pulumi?

ripe-shampoo-80285

02/09/2022, 3:16 AM

I am trying to get VPC defautl securitygroup with the following code, but I am getting this error. What am I doing wrong? sgNames := vpc.Vpc.DefaultSecurityGroupId.ApplyT(func(sg string) pulumi.StringArray { return goStringArrayToPulumiStringArray([]string{sg}) }).(pulumi.StringArrayOutput) panic: applier must have 1 input parameter assignable from interface {}

ripe-shampoo-80285

02/09/2022, 3:28 AM

Change the above code to this, I got different error: sgNames := vpc.Vpc.DefaultSecurityGroupId.ApplyT(func(sg interface{}) pulumi.StringArray { return goStringArrayToPulumiStringArray([]string{sg.(string)}) }).(pulumi.StringArrayOutput) panic: runtime error: invalid memory address or nil pointer dereference

numerous-spoon-56858

02/09/2022, 10:26 AM

after importing an existing image pipline. im trying to update it and getting

The value supplied for parameter 'distributions[0]' is not valid.

any idea why?

prehistoric-beach-79855

02/09/2022, 8:19 PM

Hello all, I am trying to import a key pair resource with: key=pulumi_aws.ec2.KeyPair.get(“myKeyPairs”, id=‘key-00789edf16bef11xx’) but pulumi up is giving: “error: Preview failed: resource ‘key-00789edf16bef11xx’ does not exist”. While I can see this Key pair in console > EC2 > Key pairs, under ID column. Am I missing something?

acceptable-oil-81004

02/10/2022, 3:47 AM

Hey there, can some one explain me what does that button actually do? My EPs only work after hitting it (without any changes) and deploying. I'm getting 500, and lambdas are not being invoked. I'm not sure what I'm missing pulumi-side. But before posting my whole scenario, a simple tip may just do the trick. Thanks!

victorious-fountain-7689

02/10/2022, 5:27 AM

Hello! I observed that I can not update

maintenanceWindowStartTime

aws.mq.Broker

. After doing a

pulumi up

with the updated value, the AWS Console still shows the old value. Doing a

pulumi refresh

afterwards will restore the stack to the old value. The weird thing is that changing it from the AWS Console works. I did that that to manually sync Pulumi code and the MQ broker. Is this a known issue? I see in the Terraform Docs (https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/mq_broker#maintenance_window_start_time) that updating is not supported. Could this be related to this?

clever-dog-35937

02/11/2022, 6:32 PM

When pulumi updates a route53 record does it do so intelligently (convert to set > create additional record > delete old > revert set), or should I expect a dns outage while it's modifying/updating?

clever-dog-35937

02/11/2022, 6:32 PM

maybe not even in that manner, but without interruption

purple-megabyte-83002

02/11/2022, 6:42 PM

hello how to invalidate Cloudfront distribution cache after updating S3 files ?

little-soccer-5693

02/11/2022, 7:29 PM

i'm struggling getting pulumi to leverage the iam role attached to my ec2 instance for credentials. i am getting this error:

Diagnostics:

aws:acm:Certificate (Bopmatic-wwwcert):

error: 1 error occurred:

* error configuring Terraform AWS Provider: no valid credential sources for Terraform AWS Provider found.

Please see <https://registry.terraform.io/providers/hashicorp/aws>

for more information about providing credentials.

Error: NoCredentialProviders: no valid providers in chain

caused by: EnvAccessKeyNotFound: failed to find credentials in the environment.

SharedCredsLoad: failed to load profile, .

EC2RoleRequestError: no EC2 instance role found

caused by: RequestCanceled: EC2 IMDS access disabled via AWS_EC2_METADATA_DISABLED env var

I have aws😒kipMetadataApiCheck: "false" in my Pulumi.dev.yaml and when i create a non-default provider I have:

aws.NewProvider(ctx, "us-east-1-provider", &aws.ProviderArgs{

Region: pulumi.String("us-east-1"),

SkipMetadataApiCheck:      pulumi.Bool(false),

})

any idea what else i need to do to fix this?

curved-pharmacist-41509

02/12/2022, 11:29 AM

Is there a plan to upgrade

@pulumi/aws

for nodejs to use v3 of the aws-sdk?

worried-xylophone-86184

02/12/2022, 7:53 PM

Hi all ! I am trying to setup a simple EKS cluster using the

pulumi-eks

with a NodeGroup. Whenever I am trying to launch it throws this error:

Exception: Setting nodeGroupOptions, and any set of singular node group option(s) on the cluster, is mutually exclusive. Choose a single approach.

I looked at a few threads in this channel to figure out what the issue would possibly be and reached this code snippet where the check happens: link. I want to restrict the configurations to the NodeGroup as I have to create multiple NodeGroups for our usecase. Can anyone guide me as to what am I missing here? Adding code in thread.

little-soccer-5693

02/13/2022, 6:21 PM

anyone else running into problems with iam.NewPolicyAttachment() during an update? i'm seeing an initial deployment with 'pulumi up' work fine but then a subsequent update will detach the policy from the role despite not changing the resource.

worried-xylophone-86184

02/14/2022, 5:08 AM

x-posting incase anyone has any thoughts about this https://pulumi-community.slack.com/archives/C84L4E3N1/p1644810760786549

nice-father-44210

02/14/2022, 4:43 PM

Hello! When creating a

aws.route53.ResolverEndpoint

, if I pass a

subnet_id

into the

ResolverEndpointIpAddressArgs

constructor, is there a way for me to obtain an

Output

that represents the IP address that AWS assigned to the endpoint? Thanks in advance.

gentle-piano-19726

02/14/2022, 8:49 PM

Anyone have an example setting up public RDS with vpc? I'm using Node

cool-glass-63014

02/15/2022, 9:18 AM

Hello! Does anybody here have any resources on how to migrate a database? And by that I mean from one VM to another, keeping the data itself. For example when updating postgres versions or upgrading the size of the VM instance and so on

thousands-area-40147

02/15/2022, 2:17 PM

Heyo, on destroying a stack that had Lambda functions created as described in the Crosswalk for AWS section, how can I make it so the implicitly generated Cloudwatch log groups for these Lambdas are destroyed as well?

bored-barista-23480

02/15/2022, 3:09 PM

Hi folks! I'm trying to deploy a setup to an EKS cluster. A service is made public via an Application Load Balancer set up by the Load Balancer Controller in my setup. But

pulumi destroy

never works, it always hangs on the Ingress resource. Manually deleting the finalizer set on the Ingress by the LBC while

destroy

is ongoing works. But even when I explicitly make the Ingress depend on the Helm chart of the LBC the LBC pods get destroyed before the Ingress, and most important: before the finalizer was removed from the Ingress by the LBC. So the destroy-operation always needs manual intervention. Does anyone have an idea what causes this behavior or even how to solve it?

boundless-telephone-75738

02/17/2022, 4:34 PM

Hi folks, I'm deploying a eks cluster, and trying to use a custom node group with only private ip's. I've set the api endpoint to be available in both private and public subnets, but the nodes still don't register with the cluster. Any hints as to what I'm doing wrong, or which log I need to look at to see why it fails to register, it worked with the default node group as long as I kept nodeAssociatePublicIpAddress to true, but setting that to false (a requirement from our security team) the nodes fails to register. I've been banging my head against this for a while now, and I'm sure I'm missing something stupid

export const cluster = new eks.Cluster(clusterName, {
    storageClasses: {
        'gp2-encrypted': { type: 'gp2', encrypted: true },
    },
    instanceRoles: [stdNodegroupIamRole, spotNodegroupIamRole],
    name: clusterName,
    vpcId: vpcId,
    privateSubnetIds: privateSubnetIds,
    publicSubnetIds: publicSubnetIds,
    userMappings: createUserMapping(),
    useDefaultVpcCni: true,
    createOidcProvider: true,
    nodeAssociatePublicIpAddress: false,
    encryptionConfigKeyArn: keyAlias.then((k) => k.targetKeyArn),
    vpcCniOptions: {
        enablePrefixDelegation: true,
    },
    clusterTags: {
        Pulumi: 'true',
    },
    skipDefaultNodeGroup: true,
    clusterSecurityGroupTags: { ClusterSecurityGroupTag: 'true' },
    nodeSecurityGroupTags: { NodeSecurityGroupTag: 'true' },
    endpointPublicAccess: true,
    endpointPrivateAccess: true,
});

cluster.createNodeGroup('standard-ng', {
    nodeAssociatePublicIpAddress: false,
    minSize: 1,
    maxSize: 6,
    desiredCapacity: 2,
    instanceType: standardInstance,
    bootstrapExtraArgs:
        "--use-max-pods false --kubelet-extra-args '--max-pods=110'",
    instanceProfile: new aws.iam.InstanceProfile('ng-standard', {
        role: stdNodegroupIamRole.name,
    }),
    nodeSubnetIds: privateSubnetIds,
    labels: {
        ondemand: 'true',
    },
});

Title

boundless-telephone-75738

02/17/2022, 4:34 PM

export const cluster = new eks.Cluster(clusterName, {
    storageClasses: {
        'gp2-encrypted': { type: 'gp2', encrypted: true },
    },
    instanceRoles: [stdNodegroupIamRole, spotNodegroupIamRole],
    name: clusterName,
    vpcId: vpcId,
    privateSubnetIds: privateSubnetIds,
    publicSubnetIds: publicSubnetIds,
    userMappings: createUserMapping(),
    useDefaultVpcCni: true,
    createOidcProvider: true,
    nodeAssociatePublicIpAddress: false,
    encryptionConfigKeyArn: keyAlias.then((k) => k.targetKeyArn),
    vpcCniOptions: {
        enablePrefixDelegation: true,
    },
    clusterTags: {
        Pulumi: 'true',
    },
    skipDefaultNodeGroup: true,
    clusterSecurityGroupTags: { ClusterSecurityGroupTag: 'true' },
    nodeSecurityGroupTags: { NodeSecurityGroupTag: 'true' },
    endpointPublicAccess: true,
    endpointPrivateAccess: true,
});

cluster.createNodeGroup('standard-ng', {
    nodeAssociatePublicIpAddress: false,
    minSize: 1,
    maxSize: 6,
    desiredCapacity: 2,
    instanceType: standardInstance,
    bootstrapExtraArgs:
        "--use-max-pods false --kubelet-extra-args '--max-pods=110'",
    instanceProfile: new aws.iam.InstanceProfile('ng-standard', {
        role: stdNodegroupIamRole.name,
    }),
    nodeSubnetIds: privateSubnetIds,
    labels: {
        ondemand: 'true',
    },
});

worried-xylophone-86184

04/09/2022, 4:57 PM

Hi Christoper ! Did you manage to fix this by any chance?

I am facing a similar issue 😅

I am making use of a managed node group to get

eks_cluster = eks.Cluster(
    cluster_name,
    name=cluster_name,
    public_subnet_ids=list(public_subnets.values()),
    private_subnet_ids=list(private_subnets.values()),
    tags={"Name": cluster_name, "Stack": stack_name},
    vpc_id=vpc_id,
    version="1.21",
    instance_role=eks_ec2_role,
    skip_default_node_group=True,
)


node_group = eks.ManagedNodeGroup(
    node_group_name,
    cluster=eks_cluster.core,
    capacity_type="SPOT",
    instance_types=["t3a.medium"],
    node_group_name=node_group_name,
    node_role=eks_ec2_role,
    tags={"Name": cluster_name, "Stack": stack_name},
    subnet_ids=list(private_subnets.values()),
    scaling_config=pulumi_aws.eks.NodeGroupScalingConfigArgs(
        desired_size=1,
        min_size=1,
        max_size=3,
    ),
)

boundless-telephone-75738

04/19/2022, 9:06 AM

Hi Sushant, sorry, I've had my slack notifications on mute for a long Easter holiday. I ended up having to allocate a public ip to my nodes for now, we've added an exception to our security rules for the one port that's being exposed by traefik for terminating https traffic. So no good solution found I'm afraid

View count: 11