fast-river-57630
03/07/2022, 8:48 PM
bumpy-restaurant-1466
03/08/2022, 12:47 AM
adorable-waitress-13708
03/08/2022, 4:21 AM
mysterious-dusk-52695
03/08/2022, 10:07 AM
millions-furniture-75402
03/08/2022, 3:58 PM
// KMS
// https://docs.aws.amazon.com/awscloudtrail/latest/userguide/encrypting-cloudtrail-log-files-with-aws-kms.html
const cloudTrailKmsKey: aws.kms.Key = new aws.kms.Key(`${appName}-kms-trail-key`, {
    deletionWindowInDays: 7,
    description: "CloudTrail Trail key",
    // accountId is an Output<string>; the key policy is rendered once it resolves
    policy: accountId.apply(awsAccountId => {
        return JSON.stringify({
            Version: "2012-10-17",
            Statement: [
                {
                    // Keep the account root as key administrator so the key never becomes unmanageable
                    Sid: "AllowRootForKms",
                    Effect: "Allow",
                    Principal: { AWS: `arn:aws:iam::${awsAccountId}:root` },
                    Action: "kms:*",
                    Resource: "*",
                },
                {
                    Sid: "AllowCloudTrailDecryptLogs",
                    Effect: "Allow",
                    Principal: { Service: "cloudtrail.amazonaws.com" },
                    Action: "kms:Decrypt",
                    Resource: "${cloudTrailKmsKey.arn} GOES HERE",
                    // Only ciphertext whose encryption context carries a CloudTrail trail ARN may be decrypted
                    Condition: {
                        Null: { "kms:EncryptionContext:aws:cloudtrail:arn": "false" },
                    },
                },
            ],
        });
    }),
});
jolly-alligator-19698
03/08/2022, 4:25 PM
Creating EventBridge Target failed: ValidationException: Parameter(s) EcsParameters not supported for target
Here's the resource code. Is there an error in the code? Or a way to get more information about the failure? Thank you.
const eventTarget = pulumi.all([subnetIds.ids, taskDefinition.taskDefinition.arn, deadLetterQueue.arn])
    .apply(([subnetIds, taskDefinitionArn, deadLetterQueueArn]) => new aws.cloudwatch.EventTarget("event-target", {
        // For an ECS task target, `arn` has to be the ECS *cluster* ARN. Pointing it at the
        // SQS queue is what makes EventBridge reject EcsParameters for this target.
        // `ecsCluster` is assumed here to be the aws.ecs.Cluster the task should run on.
        arn: ecsCluster.arn,
        // The SQS queue is the dead-letter queue, so it belongs in deadLetterConfig instead.
        deadLetterConfig: { arn: deadLetterQueueArn },
        // Role that EventBridge assumes to call ecs:RunTask (assumed to exist as `eventsRole`).
        roleArn: eventsRole.arn,
        name: `${pulumi.getProject()}-event-target`,
        description: genericDescription,
        ecsTarget: {
            taskDefinitionArn: taskDefinitionArn,
            enableEcsManagedTags: true,
            enableExecuteCommand: true,
            group: pulumi.getProject(),
            launchType: "FARGATE",
            networkConfiguration: {
                assignPublicIp: false,
                securityGroups: [securityGroupId],
                subnets: subnetIds,
            },
            platformVersion: "1.4.0",
            taskCount: 1,
        },
        eventBusName: "default",
        retryPolicy: {
            maximumEventAgeInSeconds: 60,
            maximumRetryAttempts: 1,
        },
        rule: eventRule.name,
    }, {provider: targetAwsProvider}));
prehistoric-kite-30979
03/08/2022, 5:43 PM
happy-grass-868
03/09/2022, 9:02 PM
Dockerfile is pulling in, the changes are not reflected in the Image in ECR.
2. The lambda does not seem to be getting created and it fails when my code tries to attach my permissions to the lambda, I get an Error adding new Lambda Permission for donor-score-lambda-dev: ResourceNotFoundException: Function not found. The code is in the thread below.
Thank you!
brainy-furniture-43093
03/10/2022, 10:46 PM
CodeBuildProdRole:
  Type: AWS::IAM::Role
  Properties:
    RoleName: !Sub ${ProjectName}-codepipeline-deploy-prod-role
    Description: CodePipeline role to deploy dev artifacts and infrastructure changes to production
    AssumeRolePolicyDocument:
      Version: "2012-10-17"
      Statement:
        - Effect: Allow
          Principal:
            AWS: !Sub arn:aws:iam::${DevAccountId}:role/${ProjectName}-codepipeline-deploy-prod-role
          Action: sts:AssumeRole
    Path: /
    Policies:
      - PolicyName: !Sub ${ProjectName}-codepipeline-deploy-prod-role-policy
        PolicyDocument:
          Version: "2012-10-17"
          Statement:
            - Effect: Allow
              Resource: !Sub arn:aws:iam::${DevAccountId}:role/${ProjectName}-codepipeline-deploy-prod-role
              Action: sts:AssumeRole
            - Effect: Allow
              Action:
                - s3:*
              Resource:
                - arn:aws:s3:::PROD s3 bucket for Pulumi state
                - arn:aws:s3:::PROD s3 bucket for Pulumi state/*
...
DEV account:
CodeBuildProdRole:
  Type: AWS::IAM::Role
  Properties:
    RoleName: !Sub ${ProjectName}-codepipeline-deploy-prod-role
    Description: CodePipeline role to deploy dev artifacts and infrastructure changes to production
    AssumeRolePolicyDocument:
      Version: "2012-10-17"
      Statement:
        - Effect: Allow
          Principal:
            Service: codebuild.amazonaws.com
          Action:
            - sts:AssumeRole
    Policies:
      - PolicyName: !Sub ${ProjectName}-codepipeline-deploy-prod-role-policy
        PolicyDocument:
          Version: "2012-10-17"
          Statement:
            - Effect: Allow
              Action: sts:AssumeRole
              # The role I want to assume from the PROD account
              Resource: !Sub arn:aws:iam::${ProdAccountId}:role/${ProjectName}-codepipeline-deploy-prod-role
...
When I run Pulumi login (PROD s3 bucket for Pulumi state) I get this access denied error
[Container] 2022/03/10 20:58:23 Running command pulumi login s3://(PROD s3 bucket for Pulumi state)
Logged in to (id) as root (s3://(PROD s3 bucket for Pulumi state))
[Container] 2022/03/10 20:58:23 Running command pulumi stack select prod
error: failed to load checkpoint: blob (key ".pulumi/stacks/prod.json") (code=Unknown): AccessDenied: Access Denied
I would imagine I need to do the equivalent of export AWS_PROFILE="PROD" which I do in my terminal to switch account for my user, but I would like to do this for a role. I would rather not start generating credentials on the fly and dynamically populate them as environment variables into CodeBuild. So is there a way I can tell Pulumi to assume a certain role in another account if the role it is currently using is the Principal to the role I want it to use, also making sure it modifies resources in the PROD account although it is running in the DEV account?
Any help is much appreciated.
Thank you!
Adobi
billowy-horse-79629
03/13/2022, 1:59 PM
// getSpotPriceOutput returns an Output; read the lifted .spotPrice property instead of
// calling .get(), which cannot be called while a deployment or preview is running
let spotPrice = aws.ec2.getSpotPriceOutput({instanceType: eksInstanceType}).spotPrice
and this is the cluster node-pool options:
{
    instanceType: instanceType,
    desiredCapacity: desiredCapacity,
    minSize: minSize,
    maxSize: maxSize,
    ...(spotPrice) && {spotPrice: spotPrice},
}
The error that I get is pretty clear, I need to add more filters to the getSpotPriceOutput function.
I wonder whether there’s a better way to set the spot price instead of fetching the live spot price, can’t I just set the nodepool to be Spot, without configuring the price?
Thanks guys 🙂
purple-plumber-90981
03/15/2022, 9:27 PM
helpful-book-29233
03/16/2022, 12:21 AM
millions-furniture-75402
03/16/2022, 9:06 PM
const ssmClient = new aws.sdk.SSM();
ssmClient.getParameter({ Name: "does-not-exist" }, function (err: any, data: any) {
    if (err) {
        new aws.ssm.Parameter("foo", {
            type: "String",
            value: "bar",
        });
    }
});
but it errors when I try to handle one not existing with getParameter:
pulumi.output(
    aws.ssm.getParameter({
        name: "does-not-exist",
    }),
) ||
new aws.ssm.Parameter("foo", {
    type: "String",
    value: "bar",
});
Error: invocation of aws:ssm/getParameter:getParameter returned an error: invoking aws:ssm/getParameter:getParameter: 1 error occurred:
* Error describing SSM parameter (doesn-not-exist): ParameterNotFound:
rhythmic-whale-48997
03/17/2022, 9:19 AM
resolv.conf on the worker nodes. I'm using Typescript. Launch template is killing me
busy-lion-51883
03/18/2022, 12:45 PM
- pulumi stack select -c -s <my fully qualified stack name>
- pulumi up -s <my fully qualified stack name> --skip-preview --yes
if the stack doesn’t exist yet, it is successfully created (due to the -c flag in the stack select). But the correct vcs and github tags are not created. In particular it looks like I should expect the following to be set:
gitHub:owner
gitHub:repo
vcs:kind
vcs:owner
vcs:repo
I have found a workaround by manually adding these tags after the pulumi up, but is there something I can do to have these tags auto generated?
quiet-gold-81036
03/21/2022, 11:00 AM
SharedConfigErr: only one credential type may be specified per profile: source profile, credential source, credential process, web identity token, or sso
we have to use credential_process for the SDK so I tried to create a separate profile for Pulumi:
[pulumi-tst]
region = us-east-1
sso_start_url = https://d-XXXX.awsapps.com/start
sso_region = us-east-1
sso_account_id = XXXXAccountId
sso_role_name = XXXRole
but the backend doesn’t seem to respect aws:profile config from the stack, it only works if I specify it as an env variable AWS_PROFILE which isn’t very ergonomic for developers to manage separate profiles for the app and Pulumi.
would love any pointers you have may
echoing-actor-55539
03/22/2022, 7:48 PM
quaint-guitar-13446
03/23/2022, 11:31 PM
clever-dog-35937
03/24/2022, 4:04 PM
worried-city-86458
03/25/2022, 10:58 PM
wonderful-twilight-70958
03/28/2022, 5:41 PM
error: TypeError: Cannot read properties of undefined (reading 'data')
at /home/john/projects/pulumi-quicktest/node_modules/@pulumi/cluster.ts:567:105
at /home/john/projects/pulumi-quicktest/node_modules/@pulumi/output.ts:383:31
at Generator.next (<anonymous>)
at /home/john/projects/pulumi-quicktest/node_modules/@pulumi/pulumi/output.js:21:71
at new Promise (<anonymous>)
at __awaiter (/home/john/projects/pulumi-quicktest/node_modules/@pulumi/pulumi/output.js:17:12)
at applyHelperAsync (/home/john/projects/pulumi-quicktest/node_modules/@pulumi/pulumi/output.js:229:12)
at /home/john/projects/pulumi-quicktest/node_modules/@pulumi/output.ts:302:65
at runMicrotasks (<anonymous>)
at processTicksAndRejections (node:internal/process/task_queues:96:5)
That cluster.ts doesn't exist at that location, and the cluster.js in the eks directory doesn't have anything meaningful on line 567
wonderful-twilight-70958
03/28/2022, 5:41 PM
-v 10 doesn't seem to do anything 👀 (I get no additional debugging output)
ambitious-father-68746
03/28/2022, 5:44 PM
name has been deprecated in favor of db_name. Indeed, this shows up when I run Pulumi:
├─ aws:rds:Instance db1 [diff: +name-dbName]; 1 warning
warning: name is deprecated: Use db_name instead
But when I actually make the code change to db_name, Pulumi wants to replace all my databases:
+- ├─ aws:rds:Instance db1 replace [diff: +dbName]
I'm not sure how to progress from here, I've checked the state file and it mentions dbName, not name, so I wonder why it complains. Thank you.
breezy-diamond-32138
03/29/2022, 9:35 AM
// Create an EKS cluster with the default configuration.
export const cluster = new eks.Cluster(addPrefix("cluster"), {
    vpcId: stampVpc.id,
    privateSubnetIds: stampVpc.privateSubnetIds,
    publicSubnetIds: stampVpc.publicSubnetIds,
    nodeAssociatePublicIpAddress: false,
    encryptRootBlockDevice: true,
    version: config.require("eks.version"),
    desiredCapacity: config.requireNumber("eks.desiredCapacity"),
    minSize: config.requireNumber("eks.minSize"),
    maxSize: config.requireNumber("eks.maxSize"),
    instanceType: config.require<aws.ec2.InstanceType>("eks.instanceType"),
    nodeAmiId: config.get("eks.ami") ?? latestAmiId,
    enabledClusterLogTypes: ["api", "audit", "authenticator", "controllerManager", "scheduler"],
    endpointPublicAccess: true, // TODO: Change this...
    endpointPrivateAccess: true,
    createOidcProvider: true,
    roleMappings: [
        {
            groups: ["system:masters"],
            roleArn: deployerAdminRole.arn,
            username: "argocd-deployer"
        }
    ],
    publicAccessCidrs: CNC_IPS,
    encryptionConfigKeyArn: clusterEncryptionKey.arn,
    providerCredentialOpts: {
        profileName: AWS_PROFILE,
        roleArn: AWS_ROLE_ARN
    }
});
And this is the new code:
cluster = new eks.Cluster(addPrefix("cluster"), {
    skipDefaultNodeGroup: true,
    vpcId: stampVpc.id,
    privateSubnetIds: stampVpc.privateSubnetIds,
    publicSubnetIds: stampVpc.publicSubnetIds,
    nodeAssociatePublicIpAddress: false,
    encryptRootBlockDevice: true,
    instanceRole: instanceRole,
    version: config.require("eks.version"),
    enabledClusterLogTypes: ["api", "audit", "authenticator", "controllerManager", "scheduler"],
    endpointPublicAccess: true, // TODO: Change this...
    endpointPrivateAccess: true,
    createOidcProvider: true,
    roleMappings: [
        {
            groups: ["system:masters"],
            roleArn: deployerAdminRole.arn,
            username: "argocd-deployer"
        }
    ],
    publicAccessCidrs: CNC_IPS,
    encryptionConfigKeyArn: clusterEncryptionKey.arn,
    providerCredentialOpts: {
        profileName: AWS_PROFILE,
        roleArn: AWS_ROLE_ARN
    },
});
// Create a simple AWS managed node group using a cluster as input.
managedNodeGroup = eks.createManagedNodeGroup("my-cluster-ng", {
    cluster: cluster,
    nodeGroupName: "aws-managed-ng1",
    nodeRole: instanceRole,
    amiType: "AL2_x86_64",
    instanceTypes: [config.require<aws.ec2.InstanceType>("eks.instanceType")],
    // releaseVersion: config.get("eks.ami") ?? latestAmiId,
    // labels: { "ondemand": "true" },
    scalingConfig: {
        minSize: config.requireNumber("eks.minSize"),
        maxSize: config.requireNumber("eks.maxSize"),
        desiredSize: config.requireNumber("eks.desiredCapacity")
    },
}, cluster);
However the security group of the nodes changes and other resources that take the cluster.nodeSecurityGroup.id get messed up.
How do I link the same security group with the new nodes?
Thanks
rhythmic-whale-48997
03/29/2022, 1:46 PM
astonishing-quill-88807
03/29/2022, 2:28 PM
quaint-air-36266
03/30/2022, 3:49 AM
cidrBlock (screenshot), Pulumi creates an empty security group in AWS without an egress rule. But, in Pulumi’s stack output, it says that the egress rule exists. Even after a refresh the state is not updated.
Only when I create an egress (or ingress) rule with a cidrBlock does Pulumi function as expected.
Any idea why this would be happening?
quiet-architect-91246
03/30/2022, 10:20 AM
stocky-petabyte-29883
03/30/2022, 2:40 PM
best-train-86003
03/30/2022, 2:50 PM
best-train-86003
03/30/2022, 2:50 PM
billowy-army-68599
03/30/2022, 3:26 PM
best-train-86003
04/03/2022, 4:52 PM
customTimeouts property but it didn't help. The timeouts remain on 2m. What else can I do?
pulumi state delete
However, it failed again on creation and not update. The timeout there is still "2m"
billowy-army-68599
04/04/2022, 3:23 PM
best-train-86003
04/05/2022, 10:28 AM
import * as aws from "@pulumi/aws";
const q = new aws.sqs.Queue('Experts-CS-dev-Experts-CSLambda20220404121254156400000016', {
    kmsDataKeyReusePeriodSeconds: 300,
    maxMessageSize: 10240,
    messageRetentionSeconds: 604800,
    namePrefix: 'Experts-CS-dev-Experts-CSLambda',
    // Queue policy: only the named SNS topic (matched on aws:SourceArn) may send messages here
    policy: '{"Statement":[{"Action":["sqs:SendMessage"],"Condition":{"ArnEquals":{"aws:SourceArn":"arn:aws:sns:eu-west-1:225051786593:Experts-CS-dev-f8eba3f"}},"Effect":"Allow","Principal":{"Service":"sns.amazonaws.com"},"Resource":"*"}]}',
    // Messages received more than maxReceiveCount times are moved to the dead-letter queue
    redrivePolicy: '{"deadLetterTargetArn":"arn:aws:sqs:eu-west-1:225051786593:Experts-CS-dev-Experts-CSLambda-dlq-8672972","maxReceiveCount":10}',
    tags: {
        costCenter: 'operations',
        org: 'cliotechweb',
        project: 'backend-stacks',
        stack: 'dev'
    },
    visibilityTimeoutSeconds: 30
});
// The file uses ES module `import`, so export the stack output the same way instead of via CommonJS `exports.`
export const queueName = q.id;