pulumi-community #aws

orange-lunch-7899

01/23/2020, 4:42 PM

rhythmic-camera-25993

01/24/2020, 8:18 PM

I'm running into something interesting here with my two fargate services that I wanted to see if anyone else was seeing. I'm building two http services from a single multi-stage dockerfile, but with different targets. I have created two `awsx.ecs.Image`s from docker builds that specify each target individually. I have created two

FargateServices

, one using each image. Sometimes, when I run

pulumi up

to build and deploy the images both services end up using the image for the 'later' of the two docker image targets, ie. the one that is further down the Dockerfile. Does anyone else have a similar problem? I'd like to not have to split up the build stages in the Dockerfile because they both build off of a shared 'fetch dependencies and prereqs' stage. I've worked around it in the meantime by managing the images and their backing ECR repositories manually, pushing those before I do the

pulumi up

operation, but it was nice to let pulumi manage that for me :D

flat-insurance-25294

01/25/2020, 3:52 AM

Hmm, is there a way to use STS or assume role instead of a pretty permissive Role with access token for CI? It would be cool to support https://github.com/99designs/aws-vault

worried-painting-67291

01/29/2020, 9:04 PM

Hey all, I'm trying to figure out why my private hosted zone was created with a suffix.

worried-painting-67291

01/29/2020, 9:05 PM

I have a public zone:

<http://foo.com|foo.com>

, and I wanted to create a private zone:

<http://i.foo.com|i.foo.com>

but it created

i.foo.com--b24be8c

worried-painting-67291

01/29/2020, 9:07 PM

I supplied the name to the function call, and supplied only the

vpcs

to the ZoneArgs.. I'll try it again, explicitly setting

name

in the ZoneArgs

calm-parrot-72437

01/31/2020, 10:36 PM

anyone figure out how to generate your cluster oidc provider url with the pulumi sdk? i..e, the equivalent of this command

aws eks describe-cluster --name cluster_name --query "cluster.identity.oidc.issuer" --output text

Trying to enable iam roles for service accounts on my cluster..

shy-greece-98380

02/01/2020, 3:00 AM

Hey all, is there a way to remove object if it already exists? for example I have subnets with tags. I want to change tag but I'm getting the following error:

Copy code

Diagnostics:
  pulumi:pulumi:Stack (pulumi-sandbox-dev):
    error: update failed
 
  aws:ec2:Subnet (Subnet_0):
    error: Error creating subnet: InvalidSubnet.Conflict: The CIDR '10.0.0.0/20' conflicts with another subnet
    	status code: 400, request id: 089dfb4e-16db-4edf-87a8-f63a599ae4e9
 
  aws:ec2:Subnet (Subnet_1):
    error: Error creating subnet: InvalidSubnet.Conflict: The CIDR '10.0.16.0/20' conflicts with another subnet
    	status code: 400, request id: 91e98039-a031-4b54-b9ff-79ea16c00d2e

hundreds-portugal-17080

02/01/2020, 8:04 AM

Hi, Maybe it is a very basic question, I have a input map and can vary with any number of key value inside map. I am trying to pass the map as tags input. I am not able to see the aws tags. can you please help.

Untitled

many-garden-84306

02/02/2020, 1:49 AM

I have encountered what seems like a bug in aws.rds.Cluster, at least with Aurora and in Python. If you specify an engine_version of, say '5.7' it will happily create the cluster for you. But from that point on, on any update it thinks that the cluster version has changed and tries to update it, and the update fails because the resource says that you cannot change to the same version. It seems to only work properly if a fully qualified version string is supplied; e.g., '5.7.mysql_aurora.2.07.1'

calm-parrot-72437

02/04/2020, 12:47 AM

is there a way to specify the trust relationship when creating an iam role? or is there another way to go about it? trying to link an iam role with a eks serviceaccount..

big-caravan-87850

02/06/2020, 6:06 AM

the msk module doesn't provide an api to get the full list of the broker in a cluster. only the bootstrap servers property is available, which only returns 3 brokers. it would be nice to have all the brokers that belong to a cluster as it's possible that the 3 bootstrap servers may not be available in a large cluster.

billions-scientist-31826

02/06/2020, 9:35 PM

I was looking through the docs this morning and I couldn't find an option to enable root drive encryption for my nodegroups. What am I missing?

victorious-hydrogen-52050

02/07/2020, 10:43 AM

Is there anyone has tried

aws-ts-airflow

example? https://github.com/pulumi/examples/tree/master/aws-ts-airflow I tried it, but it couldn't work well because the

airflowcontroller

task exit with a error.

airflowcontroller

task's log ended with this message.

Copy code

ERROR - No response from gunicorn master within 120 seconds

Anyone has ideas? Thanks.

incalculable-dream-27508

02/09/2020, 10:50 AM

I'll forward it here as well, since I'm not sure which place is the correct one for discussion about that

incalculable-dream-27508

02/09/2020, 4:16 PM

Huh, I can't really find any examples on how to add to

awsx.lb.ApplicationLoadBalancer

any health checks

incalculable-dream-27508

02/09/2020, 4:17 PM

Right now mostly trying to extend https://github.com/pulumi/infrastructure-as-code-workshop/blob/master/labs/02-app-arch/code/01-provisioning-vms/step4.ts

incalculable-dream-27508

02/09/2020, 4:18 PM

Already had to make some changes, since security groups as defined there apparently allow port 80 to instances, not only to LB

melodic-byte-32771

02/09/2020, 4:42 PM

Hey guys, I stucked with custom domain registration in aws. Somehow pulumi just reaches a point where it waits but nothing happens. I used the example https://github.com/pulumi/examples/blob/master/aws-ts-static-website/index.ts This is my output:

Copy code

Previewing update (production):

 +  pulumi:pulumi:Stack aws-project-production create 
 +  pulumi:providers:aws east create 
 +  aws:s3:Bucket aws-project-requestLogs create 
 +  aws:s3:Bucket aws-project-contentBucket create 
@ previewing update....

and here it just hang off

incalculable-dream-27508

02/09/2020, 4:55 PM

you could try adding something like

-d -v=5

to get some debug output, maybe see what's going on

refined-vegetable-66224

02/10/2020, 2:58 PM

Hi all I'm new to Pulumi, so I apologize in advance if this is a basic question... I'm trying to launch an ECS cluster on AWS of a dockerized express.js app. I can't seem to figure out how to appropriately set the load balancer to default to HTTPS traffic. Here is a snippet from my index.ts file.

const alb = new awsx.elasticloadbalancingv2.ApplicationLoadBalancer(

``net-lb-${envName}`, { external: true, securityGroups: cluster.securityGroups });` `const web = alb.createListener(

web-${envName}

, {`

port: 80,

external: true,

defaultAction: {

type: "redirect",

redirect: {

protocol: "HTTPS",

port: "443",

statusCode: "HTTP_301",

},

},

});

But, when trying to "pulumi up" I'm getting the following error :

Error: [Listener] was not connected to a [defaultAction] that can provide [portMapping]s

I couldn't find anything in the Pulumi docs: https://www.pulumi.com/docs/reference/pkg/python/pulumi_aws/elasticloadbalancingv2/ Any help would be appreciated

rhythmic-camera-25993

02/10/2020, 3:16 PM

you'll also need another listener that listens on https/443 and forwards to a target group

rhythmic-camera-25993

02/10/2020, 3:18 PM

Copy code

alb.createListener("blah", { 
  port: 443, 
  protocol: "HTTPS", 
  external: true, 
  defaultAction: { 
    type: "forward", 
    targetGroupArn: "your target group arn here" 
  }, 
  certificateArn: "your certificate arn here"
});

refined-vegetable-66224

02/10/2020, 3:24 PM

Ah I see, thank you. And when I define my service, do I reference both listeners in the portMappings? i.e. `const httpPort = alb.createListener(

web-${envName}

, {`

port: 80,

external: true,

protocol: "HTTP",

defaultAction: {

type: "redirect",

redirect: {

protocol: "HTTPS",

port: "443",

statusCode: "HTTP_301",

},

},

});

Copy code

const httpsPort = alb.createListener("blah", { 
  port: 443, 
  protocol: "HTTPS", 
  external: true, 
  defaultAction: { 
    type: "forward", 
    targetGroupArn: "your target group arn here" 
  }, 
  certificateArn: "your certificate arn here"
});

`const appService = new awsx.ecs.FargateService(

express-svc-${envName}

, {`

cluster,

taskDefinitionArgs: {

container: {

image: img,

cpu: 102 /*10% of 1024*/,

memory: 1000 /*MB*/,

portMappings: [ httpPort, httpsPort ],

},

},

desiredCount: 5,

});

rhythmic-camera-25993

02/10/2020, 3:28 PM

no, I only did the https one for my fargate services

rhythmic-camera-25993

02/10/2020, 3:28 PM

well, here's the actual deal

rhythmic-camera-25993

02/10/2020, 3:28 PM

my listeners terminate SSL, so the listener itself needs to be configured for ssl, but then it forwards traffic to a backend service that only listens on http/80

rhythmic-camera-25993

02/10/2020, 3:29 PM

my services use the

targetGroup

they belong to as the source of the portMappings rather than the listener

rhythmic-camera-25993

02/10/2020, 3:29 PM

but if yours are configured to accept ssl with the same cert as the listener, I believe that you could just use the listener directly

refined-vegetable-66224

02/10/2020, 3:30 PM

Any way you can provide me with a snapshot of your config?