pulumi-community #aws

purple-megabyte-83002

02/19/2022, 5:50 PM

Hello ! How to invalidate Cloudfront cache depending on S3 Bucket files changes ?

purple-megabyte-83002

02/19/2022, 5:51 PM

found this https://github.com/pulumi/pulumi-aws/issues/916 tried impl dynamic providers but I really don’t get how its going to help me on this

crooked-pillow-11944

02/20/2022, 9:25 PM

Is it possible to use AutoTag (https://github.com/joeduffy/aws-tags-example) with custom

Name

tags without causing Pulumi to treat the tags as changes?

cool-glass-63014

02/21/2022, 12:28 PM

For some reason I can't update my AWS stack at the moment as I just keep getting:

Copy code

aws:ecs:Service (backend):
  error: unable to discover AWS AccessKeyID and/or SecretAccessKey - see <https://pulumi.io/install/aws.html> for details on configuration

even though I have several profiles, and for the stack I have the proper AWS profile configured in the yaml file. And it seems like it can build and push the docker image but it cannot edit the Fargate task definition or something? I am not savvy with either AWS or Pulumi and this is something I've inherited, but I can't wrap my head around this. I also followed the linked and repeated the setup and yet nothing. EDIT: I can't seem to restore the state of whatever it is I've managed to bork up at all? I haven't changed any credentials or keys to begin with so this feels like such a weird curve ball? 🤔 Any ideas?

rough-intern-34947

02/21/2022, 2:52 PM

The

aws.secretsmanager.getSecret()

works, but

aws.secretsmanager.getSecretVersion()

doesn’t for some reason, it throws the following error:

Copy code

error: Error: Invoke of 'aws:secretsmanager/getSecretVersion:getSecretVersion' failed: Missing required argument: The argument "secret_id" is required, but no definition was found. ()
    at deserializeResponse (./node_modules/@pulumi/runtime/invoke.ts:227:15)
    at ./node_modules/@pulumi/runtime/invoke.ts:169:16
    at Generator.next (<anonymous>)
    at fulfilled (./node_modules/@pulumi/pulumi/runtime/invoke.js:18:58)
    at processTicksAndRejections (node:internal/process/task_queues:96:5)

There is no

secret_id

specified in the TypeScript defintions - only

secretId

which is used on the example page as well. This is the code:

Copy code

const credentials = aws.secretsmanager.getSecretVersion({
  secretId: mySecret.id,
})

https://www.pulumi.com/registry/packages/aws/api-docs/secretsmanager/getsecretversion/ https://www.pulumi.com/registry/packages/aws/api-docs/secretsmanager/getsecret/

✅ 1

cool-glass-63014

02/21/2022, 3:10 PM

Is there anything I can do to fix a

pulumi up

just spinning for 16 minutes? I feel like every other time when there's a bunch of updates to do, it just gets stuck? This is AWS

incalculable-midnight-8291

02/21/2022, 8:04 PM

Has anyone managed to set

kubeletExtraArgs

on a managed nodegroup for eks? I see it in the docs, but I cant add it https://www.pulumi.com/registry/packages/eks/api-docs/managednodegroup/#clusternodegroupoptions

bumpy-laptop-30846

02/22/2022, 10:19 AM

Hello, I have an issue with eks autoscaling. I create the cluster with default auto scaling like so:

Copy code

return new eks.Cluster(
  getClusterName(),
  {
    name: getClusterName(),
    vpcId: vpc.id,
    publicSubnetIds: vpc.publicSubnetIds,
    privateSubnetIds: vpc.privateSubnetIds,
    nodeAssociatePublicIpAddress: false,
    instanceType: 'c5.xlarge',
    nodeRootVolumeSize: 50,
    desiredCapacity: 3,
    minSize: 2,
    maxSize: 8,

but when I add a deployment it does not increase the number of nodes. Is there something to do to have autoscaling working when using the cluster default nodegroup?

fancy-lighter-60600

02/22/2022, 12:37 PM

We all know AWS regions have disparity in service hosting. As of today, us-east-1 (N. Virginia) hosts a max of 306 services while ap-northeast-3 (Osaka) has only 127 services hosted. I needed to answer, for any given AWS service which regions host the service, what services are hosted in a given region. Found a few ways. https://www.cloudyali.io/blogs/how-to-find-all-regions-an-aws-service-is-available

stocky-petabyte-29883

02/23/2022, 1:53 PM

Hey If I am using awsguard for policies and if I have all the available awsguard policies enabled, does this mean this includes all policies in the vanilla policies pack in crossguard that applies to aws?

high-grass-3103

02/23/2022, 3:28 PM

How do I login to public.ecr.aws with docker provider to pull a public image?

crooked-pillow-11944

02/24/2022, 2:35 AM

I'm trying to get the hostname for an ingress created on EKS. I'm getting

AttributeError: 'ServiceStatus' object has no attribute 'loadBalancer'

incalculable-midnight-8291

02/24/2022, 2:41 PM

Pulumi eks seems to create three security groups: • eksClusterSecurityGroup with 443 between the nodes, available as

cluster.clusterSecurityGroup

• nodeSecurityGroup with who knows, available as

cluster.nodeSecurityGroup

• and eks-cluster-sg-cluster-name, where I actually need to add rules to expose for example nodeports. Anyone got any idea how I can get the id of the third one through pulumi? Is it hidden in some object?

strong-printer-79519

02/25/2022, 12:41 PM

AWS lambda now supports ,net 6 as managed runtime. I tried to change runtime like this in “runtime: ‘dotnet6’,“, But I get an error because it seems Pulumi checks against a static list:

expected runtime to be one of [nodejs nodejs4.3 nodejs6.10 nodejs8.10 nodejs10.x nodejs12.x nodejs14.x java8 java8.al2 java11 python2.7 python3.6 python3.7 python3.8 python3.9 dotnetcore1.0 dotnetcore2.0 dotnetcore2.1 dotnetcore3.1 nodejs4.3-edge go1.x ruby2.5 ruby2.7 provided provided.al2]

When will you update the supported list? Is there a workaround?

bored-table-20691

02/25/2022, 9:35 PM

We’re hitting a behavior that I wasn’t sure is expected or not. We use the AWS provider with assume-role, like this:

Copy code

awsProvider, err := aws.NewProvider(ctx, "aws-provider", &aws.ProviderArgs{
		AssumeRole: &aws.ProviderAssumeRoleArgs{
			RoleArn:     awsAssumeRoleArn,
			SessionName: pulumi.Sprintf("%s-tenant-%s", awsAssumeRoleSessionName, tenant.name),
		},
		SkipMetadataApiCheck: pulumi.Bool(false),
	})

When the session name is longer than 64 characters (which is invalid for the AWS API), the error we get from Pulumi is:

Copy code

error: an unhandled error occurred: 1 error occurred:
    	* rpc error: code = Unknown desc = invocation of aws:index/getCallerIdentity:getCallerIdentity returned an error: 1 error occurred:
    	* error configuring Terraform AWS Provider: IAM Role (arn:aws:iam::xxxxxxx:role/CI) cannot be assumed.
    
    There are a number of possible causes of this - the most common are:
      * The credentials used in order to assume the role are invalid
      * The credentials do not have appropriate permission to assume the role
      * The role ARN is not valid
    
    Error: NoCredentialProviders: no valid providers in chain. Deprecated.
    	For verbose messaging see aws.Config.CredentialsChainVerboseErrors

If I run this manually via the AWS CLI, I get a proper error:

Copy code

> aws sts assume-role --role-arn arn:aws:iam::xxxxxxx:role/CI --role-session-name abcd-xvy-asdjh-adfdfsdfsdfdfdfAda-sdfhsfbhbdfjsdjjajdadasdsadada-asdhajdhjashdjhajfhjahf

An error occurred (ValidationError) when calling the AssumeRole operation: 1 validation error detected: Value 'abcd-xvy-asdjh-adfdfsdfsdfdfdfAda-sdfhsfbhbdfjsdjjajdadasdsadada-asdhajdhjashdjhajfhjahf' at 'roleSessionName' failed to satisfy constraint: Member must have length less than or equal to 64

Is this a Terraform issue that we don’t get a proper error, or is this fixable? This led us down a wild goose chase on whether our pod IAM role was wrong so we couldn’t assume, etc, but we eventually narrowed it down to the length. We’ll fix that issue on our end, but it would be nice if this returned a better error.

big-potato-91793

02/28/2022, 9:22 PM

what is the best way to get the aws iam role policy from a file?

big-potato-91793

02/28/2022, 9:22 PM

Copy code

const gitRunnerAllowFile = new pulumi.asset.StringAsset("file.json");

big-potato-91793

02/28/2022, 9:23 PM

i’m trying that but always getting this error

Copy code

error: aws:iam/rolePolicy:RolePolicy resource 'Gitrunner-Allow-Access' has a problem: "policy" contains an invalid JSON policy. Examine values at 'RolePolicy.Policy'.

strong-printer-79519

03/02/2022, 6:50 AM

So i have been waiting for this fix to be released. It adds support for dotnet6 managed lambdas: https://github.com/pulumi/pulumi-aws/pull/1840 It seems to be a part of pulumi-aws 4.38.0 (https://github.com/pulumi/pulumi-aws/releases/tag/v4.38.0), but when i upgraded to this version I still get the same error that I reported in the first place. I can see that the package contains the fix, but I have hard time debugging to figure out exactly where the error message origins: The error message:

aws:lambda/function:Function resource ’name-of-lambda has a problem: expected runtime to be one of [nodejs nodejs4.3 nodejs6.10 nodejs8.10 nodejs10.x nodejs12.x nodejs14.x java8 java8.al2 java11 python2.7 python3.6 python3.7 python3.8 python3.9 dotnetcore1.0 dotnetcore2.0 dotnetcore2.1 dotnetcore3.1 nodejs4.3-edge go1.x ruby2.5 ruby2.7 provided provided.al2], got dotnet6. Examine values at ‘Function.Runtime’.

Version 4.38.0 does contain dotnet 6:

Copy code

export declare const Runtime: {
  readonly DotnetCore2d1: “dotnetcore2.1”;
  readonly DotnetCore3d1: “dotnetcore3.1";
  readonly Dotnet6: “dotnet6”;            <————— HERE
  readonly Go1dx: “go1.x”;
  readonly Java8: “java8”;
  readonly Java8AL2: “java8.al2";
  readonly Java11: “java11”;
  readonly Ruby2d5: “ruby2.5";
  readonly Ruby2d7: “ruby2.7”;
  readonly NodeJS10dX: “nodejs10.x”;
  readonly NodeJS12dX: “nodejs12.x”;
  readonly NodeJS14dX: “nodejs14.x”;
  readonly Python2d7: “python2.7”;
  readonly Python3d6: “python3.6";
  readonly Python3d7: “python3.7”;
  readonly Python3d8: “python3.8";
  readonly Custom: “provided”;
  readonly CustomAL2: “provided.al2";
};

Can anyone help for a quick fix?

salmon-musician-20405

03/02/2022, 5:38 PM

Need some help . I have installed new pulumi version pulumi 3.25.0. But have problem with providers.

Copy code

In the middle of building stack the provider assumes a different role ( or provider is switched to different account, Eg: below code

provider = Provider(
        resource_name="different_account",
        region="eu-west-1",
        assume_role=ProviderAssumeRoleArgs(role_arn=role_arn),
    )
 BucketObject( resource_name=f"{name}-glue-job-script",
            opts=ResourceOptions(depends_on=[self._rolePolicy], provider=provider),
            bucket=destination_bucket.name,
            key=f"glue-job-scripts/{glue_script.split('/')[-1]}",
            source=FileAsset(glue_script))
Fails while doing above operation and following error occurs - Access denied error

aws:s3:BucketObject test-ab40dc-glue-job-script creating failed '
'Diagnostics:'
Error uploading object to S3 bucket (test-ab40dc-curated): '
'AccessDenied: Access Denied'

The same code works at 3.22.1 Provider assume role doesnt seem to work for latest code

busy-lion-51883

03/02/2022, 7:18 PM

Hi there - I am looking for some help with unexpected behavior from the

awsx.ec2.Vpc.fromExistingIds()

method:

Copy code

const vpc = awsx.ec2.Vpc.fromExistingIds("vpcFromId", {
        vpcId: configData.vpcId,
    },{provider: provider})

When I run this code against one aws provider, it executes as expected. Against another aws provider, connected to a different account profile, I get the following error:

Copy code

error: Error: invocation of aws:ec2/getVpc:getVpc returned an error: invoking aws:ec2/getVpc:getVpc: 1 error occurred:
        * no matching EC2 VPC found

This is very strange because I can verify that the vpc does exist for this provider (both from the aws console and also from the aws cli) What would cause this behavior?

polite-tailor-82854

03/03/2022, 2:58 PM

Hello! Is there any documentation on attaching a lambda to an existing vpc via

CallbackFunction

wonderful-twilight-70958

03/03/2022, 11:02 PM

Attaching a custom LaunchTemplate to an EKS ManagedNodeGroup doesn't seem to work? For example, following this: https://github.com/pulumi/pulumi-eks/tree/master/examples/managed-nodegroups. I create a new LaunchTemplate with some metadata options and a key pair, refer to it in the

eks.createManagedNodeGroup()

args:

Copy code

launchTemplate: {
  id: pulumi.interpolate`${myLaunchTemplate.id}`,
  version: "1",
},

When the node group comes up, it says on the EKS page that it's using mine, but on the instances themselves in the ASG, it's using an auto-created one. Is this a bug? Or am I missing something fundamental?

busy-lion-51883

03/04/2022, 1:23 PM

I created the following bug ticket for an issue with using pulumi.interpolate within an iam policy document: https://github.com/pulumi/pulumi/issues/9114 Has anyone seen anything similar?

mammoth-art-6111

03/04/2022, 5:29 PM

getting a strange error when trying to import a Pipeline via the ImportOptions path:

Copy code

* error reading CodePipeline: ValidationException: 1 validation error detected: Value at 'name' failed to satisfy constraint: Member must satisfy regular expression pattern: [A-Za-z0-9.@\-_]+

broad-gold-44713

03/04/2022, 6:05 PM

Definitely a problem for SSM parameters as well.

busy-lion-51883

03/04/2022, 8:06 PM

Is there a way to force the output of the

pulumi.Config("aws").require("region")

to confrom to type Region. For example:

Copy code

const region = new pulumi.Config("aws").require('region');

const codepipelinesProvider = new aws.Provider("codepipelinesProvider", {
  profile: CODEPIPELINES_PROFILE_ID,
  region: region,
});

in this case I get a type mismatch error:

Type string is not assignable to Type Input

happy-window-22449

03/05/2022, 11:46 AM

I’m deploying an appliation via ECS, and whenever I deploy a new version of the task def, the old task is being marked INACTIVE but the task itself doesn’t change from RUNNING, so suddenly there are two tasks running with different versions. Pulumi reports 1 updated, 1 replaced, with

aws:ecs/taskDefinition:TaskDefinition: (replace)

and

aws:ecs/service:Service: (update)

I can see the task definition in the service change, but why doesn’t Pulumi also delete/stop the old task?

ripe-lifeguard-34041

03/06/2022, 1:07 PM

Hi Team, I am looking for sample code - working on selfservice-flatform application folder structure 1. vpc.py - creates vpc, route tables, subnets, security groups, nat gateway, Internetgateway. (this created as it is one time setup) 2. ec2.py. - Team creates ec2 instances when ever required from UI, challenge - how can i get VPC id in ec2.py file

billowy-horse-79629

03/07/2022, 1:21 PM

Hey Guys, I’m trying to create an aws eks cluster and i’m running into IAM authorizations error about “AssumeRole”, this is the output :

arn:aws:iam::111111111:user/pulumi-dev is not authorized to perform: sts:AssumeRole on resource: arn:aws:iam::111111111:user/pulumi-dev

I created a group for this user, gave it the sufficient permissions, also created a role that have this as the trust relationship :

Copy code

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": {
        "AWS": "arn:aws:iam::076477451822:user/pulumi-dev"
      },
      "Action": "sts:AssumeRole"
    }
  ]
}

can you guys refer me to the right way to do this ? Thanks, Raz.