My IAM policy is listed as 'delete' with no replacement even though I still have it defined. Is that just a UI quirk?

If starting a new Python-based AWS project from scratch, can/should I be using only the AWS Native provider and not the older one?

Is it ok to seek a pulumi developer for a simple paid task here?

Hello, with the aws-native provider, I get the message "AWS::EC2::Subnet is not yet supported via Cloud Control API", but on the page https://docs.aws.amazon.com/cloudcontrolapi/latest/userguide/supported-resources.html it says it is a supported resource. Is Subnet supposed to be working with the native aws provider?

How can I declare a KMS Key with a policy that references the ID of the declared key? e.g.

// KMS
  // <https://docs.aws.amazon.com/awscloudtrail/latest/userguide/encrypting-cloudtrail-log-files-with-aws-kms.html>
  const cloudTrailKmsKey: aws.kms.Key = new aws.kms.Key(`${appName}-kms-trail-key`, {
    deletionWindowInDays: 7,
    description: "CloudTrail Trail key",
    policy: accountId.apply(awsAccountId => {
      return JSON.stringify({
        Version: "2012-10-17",
        Statement: [
          {
            Sid: "AllowRootForKms",
            Effect: "Allow",
            Principal: { AWS: `arn:aws:iam::${awsAccountId}:root` },
            Action: "kms:*",
            Resource: "*",
          },
          {
            Sid: "AllowCloudTrailDecryptLogs",
            Effect: "Allow",
            Principal: { Service: "<http://cloudtrail.amazonaws.com|cloudtrail.amazonaws.com>" },
            Action: "kms:Decrypt",
            Resource: "${cloudTrailKmsKey.arn} GOES HERE",
            Condition: {
              Null: { "kms:EncryptionContext:aws:cloudtrail:arn": "false" },
            },
          },
        ],
      });
    }),
  });

Hello. I'm trying to create a cloudwatch EventTarget and am getting this less-than-helpful error message:

Creating EventBridge Target failed: ValidationException: Parameter(s) EcsParameters not supported for target

Here's the resource code. Is there an error in the code? Or a way to get more information about the failure? Thank you.

const eventTarget = pulumi.all([subnetIds.ids, taskDefinition.taskDefinition.arn, deadLetterQueue.arn])
    .apply(([subnetIds, taskDefinitionArn, deadLetterQueueArn]) => new aws.cloudwatch.EventTarget("event-target", {
        arn: deadLetterQueueArn,
        name: `${pulumi.getProject()}-event-target`,
        description: genericDescription,
        ecsTarget: {
            taskDefinitionArn: taskDefinitionArn,
            enableEcsManagedTags: true,
            enableExecuteCommand: true,
            group: pulumi.getProject(),
            launchType: "FARGATE",
            networkConfiguration: {
                assignPublicIp: false,
                securityGroups: [securityGroupId],
                subnets: subnetIds,
            },
            platformVersion: "1.4.0",
            taskCount: 1,
        },
        eventBusName: "default",
        retryPolicy: {
            maximumEventAgeInSeconds: 60,
            maximumRetryAttempts: 1,
        },
        rule: eventRule.name,
    }, {provider: targetAwsProvider}));

Hi all, I’m trying to use the new local Command provider to create an AWS profile which I can then consume in the aws provider. However, I keep getting errors…

Hi all, I’m working to create a lambda function in js from an image I push to ECR. I’m noticing 2 issues: 1. If I make any changes to the lambda handler code that the

Dockerfile

is pulling in, the changes are not reflected in the Image in ECR. 2. The lambda does not seem to be getting created and it fails when my code tries to attach my permissions to the lambda, I get a

Error adding new Lambda Permission for donor-score-lambda-dev: ResourceNotFoundException: Function not found

. The code is in the thread below. Thank you!

Hello everyone, My situation: I built a CodePipeline project in my DEV environment that on a push to a specific branch in my source code repo is kicked off, it immediately launches a CodeBuild environment that downloads Go and Pulumi, runs unit tests, builds my source code into a zip file then deploys my now built code and all of my Pulumi infrastructure to my dev environment, modifying dev resources on that DEV account. I have given that CodeBuild a specific IAM role with access to the s3 bucket that Pulumi uses for state, my bucket with my source code and all other resources Pulumi modifies during deployment. So far all works great. My Problem: Next, after a manual approval step I attempt to deploy my Pulumi infrastructure in my prod environment. This environment is in a PROD account, and I am trying to modify those resources from my CodeBuild in my DEV account where the CodePipeline runs. To try and accomplish this I have attempted to create an IAM role in my PROD account that I can assume in my DEV account. Prod account:

CodeBuildProdRole:
    Type: AWS::IAM::Role
    Properties:
      RoleName: !Sub ${ProjectName}-codepipeline-deploy-prod-role
      Description: CodePipeline role to deploy dev artifacts and infrastructure changes to production
      AssumeRolePolicyDocument:
        Version: "2012-10-17"
        Statement:
          - Effect: Allow
            Principal:
              AWS: !Sub arn:aws:iam::${DevAccountId}:role/${ProjectName}-codepipeline-deploy-prod-role
            Action: sts:AssumeRole
      Path: /
      Policies:
        - PolicyName: !Sub ${ProjectName}-codepipeline-deploy-prod-role-policy
          PolicyDocument:
            Version: "2012-10-17"
            Statement:
            - Effect: Allow
              Resource: !Sub arn:aws:iam::${DevAccountId}:role/${ProjectName}-codepipeline-deploy-prod-role
              Action: sts:AssumeRole
            - Effect: Allow
              Action:
              - s3:*
              Resource:
              - arn:aws:s3:::PROD s3 bucket for Pulumi state
              - arn:aws:s3:::PROD s3 bucket for Pulumi state/*
            ...

DEV account:

CodeBuildProdRole:
    Type: AWS::IAM::Role
    Properties:
      RoleName: !Sub ${ProjectName}-codepipeline-deploy-prod-role
      Description: CodePipeline role to deploy dev artifacts and infrastructure changes to production
      AssumeRolePolicyDocument:
        Version: "2012-10-17"
        Statement:
          - Effect: Allow
            Principal:
              Service: <http://codebuild.amazonaws.com|codebuild.amazonaws.com>
            Action:
              - sts:AssumeRole
      Policies:
        - PolicyName: !Sub ${ProjectName}-codepipeline-deploy-prod-role-policy
          PolicyDocument:
            Version: "2012-10-17"
            Statement:
              - Effect: Allow
                Action: sts:AssumeRole
                # The role I want to assume from the PROD account
                Resource: !Sub arn:aws:iam::${ProdAccountId}:role/${ProjectName}-codepipeline-deploy-prod-role
            ...

When I run Pulumi login (PROD s3 bucket for Pulumi state) I get this access denied error

[Container] 2022/03/10 20:58:23 Running command pulumi login s3://(PROD s3 bucket for Pulumi state)
Logged in to (id) as root (s3://(PROD s3 bucket for Pulumi state))

[Container] 2022/03/10 20:58:23 Running command pulumi stack select prod
error: failed to load checkpoint: blob (key ".pulumi/stacks/prod.json") (code=Unknown): AccessDenied: Access Denied

I would imagine I need to do the equivalent of

export AWS_PROFILE="PROD"

which I do in my terminal to switch account for my user, but I would like to do this for a role. I would rather not start generating credentials on the fly and dynamically populate them as environment variables into CodeBuild. So is there a way I can tell Pulumi to assume a certain role in another account if the role it is currently using is the Principal to the role I want it to use, also making sure it modifies resources in the PROD account although it is running in the DEV account? Any help is much appreciated. Thank you! Ado

Hey guys, I want to create an eks nodepool that will have spot ec2 instances for my development environment. This is what i’m trying to do, and for some reason failing to achieve my goal. This is how I fetch the spot price:

let spotPrice = aws.ec2.getSpotPriceOutput({instanceType: eksInstanceType}).get()

and this is the cluster node-pool options:

{
        instanceType: instanceType,
        desiredCapacity:desiredCapacity,
        minSize: minSize,
        maxSize: maxSize,
        ...(spotPrice) && {spotPrice: spotPrice},

    }

The error that I get is pretty clear, I need to add more filter to the getSpotPriceOutput function. I wonder whether there’s a better way to set the spot price instead of fetching the live spot price, can’t I just set the nodepool to be Spot, without configuring the price ? Thanks guys 🙂

hi folks... is there an AWS Sytems Manager Application Mmanager wrapper in pulumi ?

Hey all, I was wondering if anyone knows of a way to add cache behaviours and origins to an existing cloudfront.Distribution resource so that different stacks can add behaviours/origins to the same distribution? Ideally I was thinking of something analogous to apigatewayv2.Route which attaches a route to an existing gateway, but this doesn't seem to exist for CloudFront distribution behaviours/origins.

What is the "Pulumi native" way to handle getParameter when one does not exist? I can handle it with the SDK:

const ssmClient = new aws.sdk.SSM();
ssmClient.getParameter({ Name: "does-not-exist" }, function (err: any, data: any) {
  if (err) {
    new aws.ssm.Parameter("foo", {
      type: "String",
      value: "bar",
    });
  }
});

but it errors when I try to handle one not existing with getParameter:

pulumi.output(
    aws.ssm.getParameter({
      name: "does-not-exist",
    }),
  ) ||
  new aws.ssm.Parameter("foo", {
    type: "String",
    value: "bar",
  });

Error: invocation of aws:ssm/getParameter:getParameter returned an error: invoking aws:ssm/getParameter:getParameter: 1 error occurred:
        * Error describing SSM parameter (doesn-not-exist): ParameterNotFound:

Anyone has an example using cloudinit or userdata with managed node group? I'm struggling to create everything, and I need to modify

resolv.conf

on the worker nodes. I'm using Typescript. Launch template is killing me

tldr issue: stacks created via codebuild are not tagged with github/vcs tags _________________________ more detail: I am using the following pulumi cli commands in my codebuild buildspec:

- pulumi stack select -c -s <my fully qualified stack name>
- pulumi up -s <my fully qualified stack name> --skip-preview --yes

if the stack doesn’t exist yet, it is successfully created (due to the -c flag in the stack select). But the correct vcs and github tags are not created. In particular it looks I should expect the following to be set:

gitHub:owner
gitHub:repo
vcs:kind
vcs:owner
vcs:repo

I have found a work around by manually adding these tags after the

pulumi up

, but is there something I can do to have these tags auto generated?

hi all, we’re trying to switch to AWS SSO but when using Pulumi’s S3 backend, it keeps throwing

SharedConfigErr: only one credential type may be specified per profile: source profile, credential source, credential process, web identity token, or sso

we have to use

credential_process

for the SDK so I tried to create a separate profile for Pulumi:

[pulumi-tst]
region = us-east-1
sso_start_url = <https://d-XXXX.awsapps.com/start>
sso_region = us-east-1
sso_account_id = XXXXAccountId
sso_role_name = XXXRole

but the backend doesn’t seem to respect

aws:profile

config form the stack, it only works if I specify it as an env variable

AWS_PROFILE

which isn’t very ergonomic for developers to manage separate profiles for the appand Pulumi. would love any pointers you have may

using pulumi typescript and setting the attemptDurationSeconds on my batch job definition however job timeout does appear to be getting set in aws. anybody else experience / notice this?

I've recently upgraded to an M1 Mac, and my docker builds are ARM64 which doesn't work on default Fargate. Would this be considered a bug? If I'm targeting Fargate shouldn't my docker builds target the correct platform?

Is there a way to generate a signed url for an s3 object and provide as output that I'm missing?

I'm hitting an issue with https://github.com/pulumi/pulumi-aws/releases/tag/v5.0.0 with the change to eks cluster certificate authorities

Any good way of debugging this? (trying to create a pretty vanilla EKS cluster)

error: TypeError: Cannot read properties of undefined (reading 'data')
        at /home/john/projects/pulumi-quicktest/node_modules/@pulumi/cluster.ts:567:105
        at /home/john/projects/pulumi-quicktest/node_modules/@pulumi/output.ts:383:31
        at Generator.next (<anonymous>)
        at /home/john/projects/pulumi-quicktest/node_modules/@pulumi/pulumi/output.js:21:71
        at new Promise (<anonymous>)
        at __awaiter (/home/john/projects/pulumi-quicktest/node_modules/@pulumi/pulumi/output.js:17:12)
        at applyHelperAsync (/home/john/projects/pulumi-quicktest/node_modules/@pulumi/pulumi/output.js:229:12)
        at /home/john/projects/pulumi-quicktest/node_modules/@pulumi/output.ts:302:65
        at runMicrotasks (<anonymous>)
        at processTicksAndRejections (node:internal/process/task_queues:96:5)

That

cluster.ts

doesn't exist at that location, and the

cluster.js

in the

eks

directory doesn't have anything meaningful on line 567

Also

-v 10

doesn't seem to do anything 👀 (I get no additional debugging output)

Hi, I'm trying to switch to v5.1.0 of the Pulumi AWS provider, but I'm hitting a problem with RDS Instaces. The documentation says that

name

has been deprecated in favor of

db_name

. Indeed, this shows up when I run Pulumi:

├─ aws:rds:Instance         db1              [diff: +name-dbName]; 1 warning

warning: name is deprecated: Use db_name instead

But when I actually make the code change to

db_name

, Pulumi wants to replace all my databases:

+-  ├─ aws:rds:Instance           db1                 replace     [diff: +dbName]

I'm not sure how to progress from here, I've checked the state file and it mentions

dbName

, not

name

, so I wonder why it complains. Thank you.

Hi, I’m using EKS, and want to migrate from the default node group to a managed node group. How do I link the new nodes to the same security group as the old nodes? This was my previous code that generates the cluster and nodes:

// Create an EKS cluster with the default configuration.
export const cluster = new eks.Cluster(addPrefix("cluster"), {
  vpcId: stampVpc.id,
  privateSubnetIds: stampVpc.privateSubnetIds,
  publicSubnetIds: stampVpc.publicSubnetIds,
  nodeAssociatePublicIpAddress: false,
  encryptRootBlockDevice: true,
  version: config.require("eks.version"),

  desiredCapacity: config.requireNumber("eks.desiredCapacity"),
  minSize: config.requireNumber("eks.minSize"),
  maxSize: config.requireNumber("eks.maxSize"),
  instanceType: config.require<aws.ec2.InstanceType>("eks.instanceType"),
  nodeAmiId: config.get("eks.ami") ?? latestAmiId,

  enabledClusterLogTypes: ["api", "audit", "authenticator", "controllerManager", "scheduler"],
  endpointPublicAccess: true, // TODO: Change this...
  endpointPrivateAccess: true,
  createOidcProvider: true,

  roleMappings: [
    {
      groups: ["system:masters"],
      roleArn: deployerAdminRole.arn,
      username: "argocd-deployer"
    }
  ],

  publicAccessCidrs: CNC_IPS,
  encryptionConfigKeyArn: clusterEncryptionKey.arn,
  providerCredentialOpts: {
    profileName: AWS_PROFILE,
    roleArn: AWS_ROLE_ARN
  }
});

And this is the new code:

cluster = new eks.Cluster(addPrefix("cluster"), {
  skipDefaultNodeGroup: true,
  vpcId: stampVpc.id,
  privateSubnetIds: stampVpc.privateSubnetIds,
  publicSubnetIds: stampVpc.publicSubnetIds,
  nodeAssociatePublicIpAddress: false,
  encryptRootBlockDevice: true,
  instanceRole: instanceRole,
  version: config.require("eks.version"),

  enabledClusterLogTypes: ["api", "audit", "authenticator", "controllerManager", "scheduler"],
  endpointPublicAccess: true, // TODO: Change this...
  endpointPrivateAccess: true,
  createOidcProvider: true,

  roleMappings: [
    {
      groups: ["system:masters"],
      roleArn: deployerAdminRole.arn,
      username: "argocd-deployer"
    }
  ],

  publicAccessCidrs: CNC_IPS,
  encryptionConfigKeyArn: clusterEncryptionKey.arn,
  providerCredentialOpts: {
    profileName: AWS_PROFILE,
    roleArn: AWS_ROLE_ARN
  },
});

// Create a simple AWS managed node group using a cluster as input.
managedNodeGroup = eks.createManagedNodeGroup("my-cluster-ng", {
  cluster: cluster,
  nodeGroupName: "aws-managed-ng1",
  nodeRole: instanceRole,
  amiType: "AL2_x86_64",
  instanceTypes: [config.require<aws.ec2.InstanceType>("eks.instanceType")],
  // releaseVersion: config.get("eks.ami") ?? latestAmiId,
  // labels: { "ondemand": "true" },
  scalingConfig: {
    minSize: config.requireNumber("eks.minSize"),
    maxSize: config.requireNumber("eks.maxSize"),
    desiredSize: config.requireNumber("eks.desiredCapacity")
  },
}, cluster);

However the security group of the nodes changes and other resources that take the

cluster.nodeSecurityGroup.id

get messed up. How do I link the same security group with the new nodes? Thanks

Is there a way to prevent NodeGroup to create EC2 instances with public ip? I'm creating a new NodeGroup, and my EC2 instances have public ip and public dns. If I create ManagedNodeGroup, then EC2 are private

Has anyone been able to use an instance profile on an EC2 instance for authenticating with the default AWS provider? It seems like it defaults to disabling the EC2 metadata access and validating credentials. I was able to override those values and get things working on <5.0 but I'm hitting the same set of errors again after the update.

Hey Pulumi - got a question about AWS Security Groups. If I create a security group with an egress rule that doesn’t contain a

cidrBlock

(screenshot), Pulumi creates an empty security group in AWS without an egress rule. But, in Pulumi’s stack output, it says that the egress rule exists. Even after a refresh the state is not updated. Only when I create an egress (or ingress) rule with a

cidrBlock

does Pulumi function as expected. Any idea why this would be happening?

Hi everyone, im trying to get the folowing setup working with pulumi: • create a EventRule in EventBridge bus that matches certain events and forwards them to a sqs queue • the sqs then triggers a lambda function Whats working so far: • if I create an event in the sqs manually it trigges the lambda • the initial event reaches the eventbus (checked with another eventrule that prints to CloudWatch loggroup) Problem: • it seems the event is not being forwarded from EventBridge to sqs Additional: I managed to "resolve" the issue by running a clean pulumi up, then creating an additional target in the EventRule that matches exactly the already configured target (and therefore ioverwrites it in aws) in the aws console. Only then is the event forwarded from EventBridge to sqs. Interestingly if I run a pulumi up after doing the change in the console pulumi doesnt detect any changes its trying to overwrite. This obviously is no permanent solution. Any help would be great!

Hi Question around best practices. We are currently upscaling to multi region deployments and creating our stack from scratch. We created an AWS organisation and we will be creating different accounts here for different prod accounts. We have existing iam admin users in our management AWS account and they will be used for assuming a role for different test/prod accounts to interact with those accounts I am wondering what is the best practice with pulumi. How we are visualising our suite at present is to have projects with multiple stacks where each stack is pointing to an environment. However regarding the creds for the AWS account we are under a slight dilemma. We have considered two options, both we like and dislike at the same time. 1. Create iam users in the child AWS accounts aswell and use those credentials for pulumi. However with a growing number of regions this means a fair amount of creds to store and switch between each stack deployment. 2. Use the iam user in the management account, use the single set of credentials of the user for all resources and stacks by creating a provider which assumes the role and making the account id configurable, however this means we will need to pass in the provider across every resources we create and if someone misses using the provider it ll be devastating. I am wondering if there is any best practices that pulumi suggests in this scenario.