Powered by Linen
aws
  • p

    purple-megabyte-83002

    02/19/2022, 5:50 PM
    Hello! How to invalidate Cloudfront cache depending on S3 Bucket files changes?
  • p

    purple-megabyte-83002

    02/19/2022, 5:51 PM
    found this https://github.com/pulumi/pulumi-aws/issues/916 tried impl dynamic providers but I really don’t get how it's going to help me on this
  • c

    crooked-pillow-11944

    02/20/2022, 9:25 PM
    Is it possible to use AutoTag (https://github.com/joeduffy/aws-tags-example) with custom `Name` tags without causing Pulumi to treat the tags as changes?
  • c

    cool-glass-63014

    02/21/2022, 12:28 PM
    For some reason I can't update my AWS stack at the moment as I just keep getting:
    aws:ecs:Service (backend):
      error: unable to discover AWS AccessKeyID and/or SecretAccessKey - see <https://pulumi.io/install/aws.html> for details on configuration
    even though I have several profiles, and for the stack I have the proper AWS profile configured in the yaml file. And it seems like it can build and push the docker image but it cannot edit the Fargate task definition or something? I am not savvy with either AWS or Pulumi and this is something I've inherited, but I can't wrap my head around this. I also followed the linked and repeated the setup and yet nothing. EDIT: I can't seem to restore the state of whatever it is I've managed to bork up at all? I haven't changed any credentials or keys to begin with so this feels like such a weird curve ball? 🤔 Any ideas?
  • r

    rough-intern-34947

    02/21/2022, 2:52 PM
    The `aws.secretsmanager.getSecret()` works, but `aws.secretsmanager.getSecretVersion()` doesn’t for some reason, it throws the following error:
    error: Error: Invoke of 'aws:secretsmanager/getSecretVersion:getSecretVersion' failed: Missing required argument: The argument "secret_id" is required, but no definition was found. ()
        at deserializeResponse (./node_modules/@pulumi/runtime/invoke.ts:227:15)
        at ./node_modules/@pulumi/runtime/invoke.ts:169:16
        at Generator.next (<anonymous>)
        at fulfilled (./node_modules/@pulumi/pulumi/runtime/invoke.js:18:58)
        at processTicksAndRejections (node:internal/process/task_queues:96:5)
    There is no `secret_id` specified in the TypeScript definitions - only `secretId` which is used on the example page as well. This is the code:
    const credentials = aws.secretsmanager.getSecretVersion({
      secretId: mySecret.id,
    })
    https://www.pulumi.com/registry/packages/aws/api-docs/secretsmanager/getsecretversion/ https://www.pulumi.com/registry/packages/aws/api-docs/secretsmanager/getsecret/
  • c

    cool-glass-63014

    02/21/2022, 3:10 PM
    Is there anything I can do to fix a `pulumi up` just spinning for 16 minutes? I feel like every other time when there's a bunch of updates to do, it just gets stuck? This is AWS
  • i

    incalculable-midnight-8291

    02/21/2022, 8:04 PM
    Has anyone managed to set `kubeletExtraArgs` on a managed nodegroup for eks? I see it in the docs, but I can't add it https://www.pulumi.com/registry/packages/eks/api-docs/managednodegroup/#clusternodegroupoptions
  • b

    bumpy-laptop-30846

    02/22/2022, 10:19 AM
    Hello, I have an issue with eks autoscaling. I create the cluster with default auto scaling like so:
    return new eks.Cluster(
      getClusterName(),
      {
        name: getClusterName(),
        vpcId: vpc.id,
        publicSubnetIds: vpc.publicSubnetIds,
        privateSubnetIds: vpc.privateSubnetIds,
        nodeAssociatePublicIpAddress: false,
        instanceType: 'c5.xlarge',
        nodeRootVolumeSize: 50,
        desiredCapacity: 3,
        minSize: 2,
        maxSize: 8,
    but when I add a deployment it does not increase the number of nodes. Is there something to do to have autoscaling working when using the cluster default nodegroup?
  • f

    fancy-lighter-60600

    02/22/2022, 12:37 PM
    We all know AWS regions have disparity in service hosting. As of today, us-east-1 (N. Virginia) hosts a max of 306 services while ap-northeast-3 (Osaka) has only 127 services hosted. I needed to answer, for any given AWS service which regions host the service, what services are hosted in a given region. Found a few ways. https://www.cloudyali.io/blogs/how-to-find-all-regions-an-aws-service-is-available
  • s

    stocky-petabyte-29883

    02/23/2022, 1:53 PM
    Hey If I am using awsguard for policies and if I have all the available awsguard policies enabled, does this mean this includes all policies in the vanilla policies pack in crossguard that applies to aws?
  • h

    high-grass-3103

    02/23/2022, 3:28 PM
    How do I login to public.ecr.aws with docker provider to pull a public image?
  • c

    crooked-pillow-11944

    02/24/2022, 2:35 AM
    I'm trying to get the hostname for an ingress created on EKS. I'm getting
    AttributeError: 'ServiceStatus' object has no attribute 'loadBalancer'
  • i

    incalculable-midnight-8291

    02/24/2022, 2:41 PM
    Pulumi eks seems to create three security groups:
    • eksClusterSecurityGroup with 443 between the nodes, available as `cluster.clusterSecurityGroup`
    • nodeSecurityGroup with who knows, available as `cluster.nodeSecurityGroup`
    • and eks-cluster-sg-cluster-name, where I actually need to add rules to expose for example nodeports.
    Anyone got any idea how I can get the id of the third one through pulumi? Is it hidden in some object?
  • s

    strong-printer-79519

    02/25/2022, 12:41 PM
    AWS lambda now supports .NET 6 as managed runtime. I tried to change runtime like this in `runtime: 'dotnet6',`, but I get an error because it seems Pulumi checks against a static list:
    expected runtime to be one of [nodejs nodejs4.3 nodejs6.10 nodejs8.10 nodejs10.x nodejs12.x nodejs14.x java8 java8.al2 java11 python2.7 python3.6 python3.7 python3.8 python3.9 dotnetcore1.0 dotnetcore2.0 dotnetcore2.1 dotnetcore3.1 nodejs4.3-edge go1.x ruby2.5 ruby2.7 provided provided.al2]
    When will you update the supported list? Is there a workaround?
  • b

    bored-table-20691

    02/25/2022, 9:35 PM
    We’re hitting a behavior that I wasn’t sure is expected or not. We use the AWS provider with assume-role, like this:
    awsProvider, err := aws.NewProvider(ctx, "aws-provider", &aws.ProviderArgs{
    		AssumeRole: &aws.ProviderAssumeRoleArgs{
    			RoleArn:     awsAssumeRoleArn,
    			SessionName: pulumi.Sprintf("%s-tenant-%s", awsAssumeRoleSessionName, tenant.name),
    		},
    		SkipMetadataApiCheck: pulumi.Bool(false),
    	})
    When the session name is longer than 64 characters (which is invalid for the AWS API), the error we get from Pulumi is:
    error: an unhandled error occurred: 1 error occurred:
        	* rpc error: code = Unknown desc = invocation of aws:index/getCallerIdentity:getCallerIdentity returned an error: 1 error occurred:
        	* error configuring Terraform AWS Provider: IAM Role (arn:aws:iam::xxxxxxx:role/CI) cannot be assumed.
        
        There are a number of possible causes of this - the most common are:
          * The credentials used in order to assume the role are invalid
          * The credentials do not have appropriate permission to assume the role
          * The role ARN is not valid
        
        Error: NoCredentialProviders: no valid providers in chain. Deprecated.
        	For verbose messaging see aws.Config.CredentialsChainVerboseErrors
    If I run this manually via the AWS CLI, I get a proper error:
    > aws sts assume-role --role-arn arn:aws:iam::xxxxxxx:role/CI --role-session-name abcd-xvy-asdjh-adfdfsdfsdfdfdfAda-sdfhsfbhbdfjsdjjajdadasdsadada-asdhajdhjashdjhajfhjahf
    
    An error occurred (ValidationError) when calling the AssumeRole operation: 1 validation error detected: Value 'abcd-xvy-asdjh-adfdfsdfsdfdfdfAda-sdfhsfbhbdfjsdjjajdadasdsadada-asdhajdhjashdjhajfhjahf' at 'roleSessionName' failed to satisfy constraint: Member must have length less than or equal to 64
    Is this a Terraform issue that we don’t get a proper error, or is this fixable? This led us down a wild goose chase on whether our pod IAM role was wrong so we couldn’t assume, etc, but we eventually narrowed it down to the length. We’ll fix that issue on our end, but it would be nice if this returned a better error.
  • b

    big-potato-91793

    02/28/2022, 9:22 PM
    what is the best way to get the aws iam role policy from a file?
  • b

    big-potato-91793

    02/28/2022, 9:22 PM
    const gitRunnerAllowFile = new pulumi.asset.StringAsset("file.json");
  • b

    big-potato-91793

    02/28/2022, 9:23 PM
    i’m trying that but always getting this error
    error: aws:iam/rolePolicy:RolePolicy resource 'Gitrunner-Allow-Access' has a problem: "policy" contains an invalid JSON policy. Examine values at 'RolePolicy.Policy'.
  • s

    strong-printer-79519

    03/02/2022, 6:50 AM
    So I have been waiting for this fix to be released. It adds support for dotnet6 managed lambdas: https://github.com/pulumi/pulumi-aws/pull/1840 It seems to be a part of pulumi-aws 4.38.0 (https://github.com/pulumi/pulumi-aws/releases/tag/v4.38.0), but when I upgraded to this version I still get the same error that I reported in the first place. I can see that the package contains the fix, but I have a hard time debugging to figure out exactly where the error message originates. The error message:
    aws:lambda/function:Function resource ’name-of-lambda has a problem: expected runtime to be one of [nodejs nodejs4.3 nodejs6.10 nodejs8.10 nodejs10.x nodejs12.x nodejs14.x java8 java8.al2 java11 python2.7 python3.6 python3.7 python3.8 python3.9 dotnetcore1.0 dotnetcore2.0 dotnetcore2.1 dotnetcore3.1 nodejs4.3-edge go1.x ruby2.5 ruby2.7 provided provided.al2], got dotnet6. Examine values at ‘Function.Runtime’.
    Version 4.38.0 does contain dotnet 6:
    export declare const Runtime: {
      readonly DotnetCore2d1: "dotnetcore2.1";
      readonly DotnetCore3d1: "dotnetcore3.1";
      readonly Dotnet6: "dotnet6";            // <-- HERE
      readonly Go1dx: "go1.x";
      readonly Java8: "java8";
      readonly Java8AL2: "java8.al2";
      readonly Java11: "java11";
      readonly Ruby2d5: "ruby2.5";
      readonly Ruby2d7: "ruby2.7";
      readonly NodeJS10dX: "nodejs10.x";
      readonly NodeJS12dX: "nodejs12.x";
      readonly NodeJS14dX: "nodejs14.x";
      readonly Python2d7: "python2.7";
      readonly Python3d6: "python3.6";
      readonly Python3d7: "python3.7";
      readonly Python3d8: "python3.8";
      readonly Custom: "provided";
      readonly CustomAL2: "provided.al2";
    };
    Can anyone help for a quick fix?
  • s

    salmon-musician-20405

    03/02/2022, 5:38 PM
    Need some help. I have installed new pulumi version pulumi 3.25.0. But have problem with providers.
    In the middle of building stack the provider assumes a different role (or provider is switched to different account), e.g. below code:
    
    provider = Provider(
        resource_name="different_account",
        region="eu-west-1",
        assume_role=ProviderAssumeRoleArgs(role_arn=role_arn),
    )
    BucketObject(
        resource_name=f"{name}-glue-job-script",
        opts=ResourceOptions(depends_on=[self._rolePolicy], provider=provider),
        bucket=destination_bucket.name,
        key=f"glue-job-scripts/{glue_script.split('/')[-1]}",
        source=FileAsset(glue_script),
    )
    Fails while doing above operation and following error occurs - Access denied error
    
    aws:s3:BucketObject test-ab40dc-glue-job-script creating failed '
    'Diagnostics:'
    Error uploading object to S3 bucket (test-ab40dc-curated): '
    'AccessDenied: Access Denied'
    The same code works at 3.22.1. Provider assume role doesn't seem to work for latest code.
  • b

    busy-lion-51883

    03/02/2022, 7:18 PM
    Hi there - I am looking for some help with unexpected behavior from the `awsx.ec2.Vpc.fromExistingIds()` method:
    const vpc = awsx.ec2.Vpc.fromExistingIds("vpcFromId", {
            vpcId: configData.vpcId,
        },{provider: provider})
    When I run this code against one aws provider, it executes as expected. Against another aws provider, connected to a different account profile, I get the following error:
    error: Error: invocation of aws:ec2/getVpc:getVpc returned an error: invoking aws:ec2/getVpc:getVpc: 1 error occurred:
            * no matching EC2 VPC found
    This is very strange because I can verify that the vpc does exist for this provider (both from the aws console and also from the aws cli) What would cause this behavior?
  • p

    polite-tailor-82854

    03/03/2022, 2:58 PM
    Hello! Is there any documentation on attaching a lambda to an existing vpc via `CallbackFunction`?
  • w

    wonderful-twilight-70958

    03/03/2022, 11:02 PM
    Attaching a custom LaunchTemplate to an EKS ManagedNodeGroup doesn't seem to work? For example, following this: https://github.com/pulumi/pulumi-eks/tree/master/examples/managed-nodegroups. I create a new LaunchTemplate with some metadata options and a key pair, refer to it in the `eks.createManagedNodeGroup()` args:
    launchTemplate: {
      id: pulumi.interpolate`${myLaunchTemplate.id}`,
      version: "1",
    },
    When the node group comes up, it says on the EKS page that it's using mine, but on the instances themselves in the ASG, it's using an auto-created one. Is this a bug? Or am I missing something fundamental?
  • b

    busy-lion-51883

    03/04/2022, 1:23 PM
    I created the following bug ticket for an issue with using pulumi.interpolate within an iam policy document: https://github.com/pulumi/pulumi/issues/9114 Has anyone seen anything similar?
  • m

    mammoth-art-6111

    03/04/2022, 5:29 PM
    getting a strange error when trying to import a Pipeline via the ImportOptions path:
    * error reading CodePipeline: ValidationException: 1 validation error detected: Value at 'name' failed to satisfy constraint: Member must satisfy regular expression pattern: [A-Za-z0-9.@\-_]+
  • m

    magnificent-lifeguard-15082

    03/04/2022, 5:41 PM
    message has been deleted
  • b

    busy-lion-51883

    03/04/2022, 8:06 PM
    Is there a way to force the output of the `pulumi.Config("aws").require("region")` to conform to type Region. For example:
    const region = new pulumi.Config("aws").require('region');
    
    const codepipelinesProvider = new aws.Provider("codepipelinesProvider", {
      profile: CODEPIPELINES_PROFILE_ID,
      region: region,
    });
    in this case I get a type mismatch error:
    Type string is not assignable to Type Input
  • h

    happy-window-22449

    03/05/2022, 11:46 AM
    I’m deploying an application via ECS, and whenever I deploy a new version of the task def, the old task is being marked INACTIVE but the task itself doesn’t change from RUNNING, so suddenly there are two tasks running with different versions. Pulumi reports 1 updated, 1 replaced, with `aws:ecs/taskDefinition:TaskDefinition: (replace)` and `aws:ecs/service:Service: (update)`
    I can see the task definition in the service change, but why doesn’t Pulumi also delete/stop the old task?
  • r

    ripe-lifeguard-34041

    03/06/2022, 1:07 PM
    Hi Team, I am looking for sample code - working on selfservice-platform application folder structure
    1. vpc.py - creates vpc, route tables, subnets, security groups, nat gateway, Internetgateway. (this created as it is one time setup)
    2. ec2.py - Team creates ec2 instances whenever required from UI
    challenge - how can i get VPC id in ec2.py file
  • b

    billowy-horse-79629

    03/07/2022, 1:21 PM
    Hey Guys, I’m trying to create an aws eks cluster and I’m running into IAM authorizations error about “AssumeRole”, this is the output:
    arn:aws:iam::111111111:user/pulumi-dev is not authorized to perform: sts:AssumeRole on resource: arn:aws:iam::111111111:user/pulumi-dev
    I created a group for this user, gave it the sufficient permissions, also created a role that has this as the trust relationship:
    {
      "Version": "2012-10-17",
      "Statement": [
        {
          "Effect": "Allow",
          "Principal": {
            "AWS": "arn:aws:iam::076477451822:user/pulumi-dev"
          },
          "Action": "sts:AssumeRole"
        }
      ]
    }
    Can you guys refer me to the right way to do this? Thanks, Raz.
Solved by better understanding of roles and trust relationship. thanks anyway 🙂
q

quiet-wolf-18467

03/07/2022, 4:32 PM
How did you solve it? Someone else may find this question in the future 🙂
l

little-cartoon-10569

03/07/2022, 6:17 PM
Was it that the assuming was being done by a group, but the assumption was trusting a user?
b

billowy-horse-79629

03/08/2022, 10:45 AM
Reading about aws roles and role-assuming made it easier for me 🙂