Hi I am trying to export outputs from resources created inside a loop using typescript. However the accountOutput is always empty. I am wondering whats the right approach to do this.

let accountDetails = [
    {name: 'test', email: '<mailto:testt@example.io|testt@example.io>', environment: 'test', billingInfoAccess: 'ALLOW'}
];

var accountOutput: { accountName: string, accountId: string }[] = [];

for (const accountDetail of accountDetails) {
    const account = new aws.organizations.Account(accountDetail.name, {
        email: accountDetail.email,
        iamUserAccessToBilling: accountDetail.billingInfoAccess,
        name: accountDetail.name,
        tags: {
            Environment: accountDetail.environment
        },
    });

    account.arn.apply(arn => {
        console.log(arn);
        accountOutput.push({accountName: accountDetail.name, accountId: arn})
    })
};


export const outputs = {
    accountInfo: accountOutput,
}

Hi, I was wondering about some unexpected behavior I'm seeing from

pulumi stack output

inside of Github actions. When I run

pulumi stack output website_url

on my local, it prints the bucket URL with the AWS region

us-west-2

included (

<http://s3-website-bucket-1234567.s3-website-us-west-2.amazonaws.com|s3-website-bucket-1234567.s3-website-us-west-2.amazonaws.com>

) while my Github action sets the region as `***`:

s3-website-bucket-1234567.s3-website-***.<http://amazonaws.com|amazonaws.com>

. My Github action uses

steps.<id>.outputs.website_url

to access the value (

run: echo ${{ steps.publish_website.outputs.website_url }}

, but I don't know why it would be different. I thought this was worth mentioning because the preceding

curl

test succeeds with the same value, almost as if it's using a different URL than what I'm seeing in the Github web console logs. The test reads

curl -I s3-website-bucket-4ac29a1.s3-website-***.<http://amazonaws.com|amazonaws.com>

. For reference, the project is the S3 static website on AWS Python tutorial and the Github Action is the push workflow for Python.

Is there any way to update

ephemeralStorage

for a

FargateTaskDefinition

? https://docs.aws.amazon.com/AmazonECS/latest/developerguide/fargate-task-storage.html

Hey yall - running into an issue after refactoring a deployment to use it's own VPC - now I'm running into a problem when trying to update the environment.

error: 1 error occurred:
	* updating urn:pulumi:STAGE::rms-strata::aws:lb:ApplicationLoadBalancer$aws:lb/loadBalancer:LoadBalancer::strata-lb-stage: 1 error occurred:
	* failure Setting LB Security Groups: InvalidConfigurationRequest: Security group 'sg-08d526aacc421c6e8' does not belong to VPC 'vpc-ee8dcb97'
	status code: 400, request id: a925e681-199d-48a8-bd0d-31ce8344a40e

Hoping to find a way around this since there is data in this environment that can't be lost. I don't want to tear down the entire thing. What options do I have to get around this?

Hi guys! I’m new to pulumi, but with help of docs I’ve managed to build infrastructure as I wanted. Now I try to move it to Github Actions and in preview I get this error after docker image is successfully built. This doesn’t happen locally. I’ve been googling for few hours now and I don’t have a clue of what is going on. I’ve created a dedicated AWS user for Pulumi with full access and I’m using this users access key id and secret access key in my GH Actions. It looks like Pulumi can’t push an image to ECR. Here is my job setup:

preview_iaac:
    name: Preview IaaC
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v2
      - uses: actions/setup-python@v2
        with:
          python-version: 3.8
      - name: Configure AWS Credentials
        uses: aws-actions/configure-aws-credentials@v1
        with:
          aws-access-key-id: ${{ secrets.PULUMI_AWS_ACCESS_KEY_ID }}
          aws-secret-access-key: ${{ secrets.PULUMI_AWS_SECRET_ACCESS_KEY }}
          aws-region: ${{ secrets.STAGING_AWS_DEFAULT_REGION }}
      - run: pip install pipenv && pipenv lock -r > requirements.txt && pip install -r requirements.txt
      - uses: pulumi/actions@v3
        with:
          command: preview
          stack-name: ***/dev
        env:
          PULUMI_ACCESS_TOKEN: ${{ secrets.PULUMI_ACCESS_TOKEN }}

Here is an output that I get:

docker:image:Image ***-api-dev-django-dockerimage  Successfully built 481a2e057dd2
      docker:image:Image ***-api-dev-django-dockerimage  Successfully tagged ***.dkr.ecr.***.<http://amazonaws.com/***-api-dev-ecr-repo-5b4a376:latest|amazonaws.com/***-api-dev-ecr-repo-5b4a376:latest>
      pulumi:pulumi:Stack ***-dev running error: Program failed with an unhandled exception:
      pulumi:pulumi:Stack ***-dev running error: Traceback (most recent call last):
      pulumi:pulumi:Stack ***-dev running error: an unhandled error occurred: Program exited with non-zero exit code: 1
      pulumi:pulumi:Stack ***-dev  3 errors
   
  Diagnostics:
    pulumi:pulumi:Stack (***-dev):
      error: Program failed with an unhandled exception:
      error: Traceback (most recent call last):
        File "/opt/hostedtoolcache/pulumi/3.28.0/x64/pulumi-language-python-exec", line 107, in <module>
          loop.run_until_complete(coro)
        File "/opt/hostedtoolcache/Python/3.8.12/x64/lib/python3.8/asyncio/base_events.py", line 616, in run_until_complete
          return future.result()
        File "/opt/hostedtoolcache/Python/3.8.12/x64/lib/python3.8/site-packages/pulumi/runtime/stack.py", line 126, in run_in_stack
          await run_pulumi_func(lambda: Stack(func))
        File "/opt/hostedtoolcache/Python/3.8.12/x64/lib/python3.8/site-packages/pulumi/runtime/stack.py", line 51, in run_pulumi_func
          await wait_for_rpcs()
        File "/opt/hostedtoolcache/Python/3.8.12/x64/lib/python3.8/site-packages/pulumi/runtime/stack.py", line 110, in wait_for_rpcs
          raise exception
        File "/opt/hostedtoolcache/Python/3.8.12/x64/lib/python3.8/site-packages/pulumi/output.py", line 98, in is_value_known
          return await is_known and not contains_unknowns(await future)
        File "/opt/hostedtoolcache/Python/3.8.12/x64/lib/python3.8/site-packages/pulumi/output.py", line 214, in run
          return await cast(Awaitable[U], transformed)
        File "/opt/hostedtoolcache/Python/3.8.12/x64/lib/python3.8/site-packages/pulumi_docker/docker.py", line 243, in build_and_push_image
          build_result = await build_image(base_image_name, path_or_build, log_resource, cache_from)
        File "/opt/hostedtoolcache/Python/3.8.12/x64/lib/python3.8/site-packages/pulumi_docker/docker.py", line 444, in build_image
          raise ResourceError(
      pulumi_docker.docker.ResourceError: No digest available for image ***.dkr.ecr.***.<http://amazonaws.com/***-api-dev-ecr-repo-5b4a376|amazonaws.com/***-api-dev-ecr-repo-5b4a376>
      error: an unhandled error occurred: Program exited with non-zero exit code: 1
   
  
  
   stderr: 
   err?: 
  
  (node:1766) UnhandledPromiseRejectionWarning: Error: ENOENT: no such file or directory, stat '/tmp/automation-logs-preview-pp2jEL/eventlog.txt'
  (node:1766) UnhandledPromiseRejectionWarning: Unhandled promise rejection. This error originated either by throwing inside of an async function without a catch block, or by rejecting a promise which was not handled with .catch(). To terminate the node process on unhandled promise rejection, use the CLI flag `--unhandled-rejections=strict` (see <https://nodejs.org/api/cli.html#cli_unhandled_rejections_mode>). (rejection id: 2)
  (node:1766) [DEP0018] DeprecationWarning: Unhandled promise rejections are deprecated. In the future, promise rejections that are not handled will terminate the Node.js process with a non-zero exit code.

ive noticed that pulumi will import AWS managed policies without issue; this raised a couple of questions in my mind. 1) isn't that problematic? you can't really change them 2) how would you normally refer to an aws-managed resource in pulumi? are there helper libs for that?

whats the recommended way of deleting a aws certificate? im removing a elasticbeanstalk application and moving it to EKS, while trying to delete the existing stack it fails to delete the certificate created

saying it’s in use

Hey y'all question for Pulumi for RDS. Documentation states the following.

snapshotIdentifier
string

Specifies whether or not to create this database from a snapshot. This correlates to the snapshot ID you'd find in the RDS console, e.g: rds:production-2015-06-26-06-05.

Is this the

snapshot name

? There is nothing in aws RDS specifically called

snapshot ID

.. there is

ARN

curious if this documentation should be updated?

Hi Guys -

Hi Guys - i really need your help here - i opened an issue https://github.com/pulumi/pulumi-aws/issues/1893 deployment runs fail on timeout. Can someone help me out on this? i truly don't know what else to do

running pulumi up, and theres a change

├─ aws:acm:Certificate               frontend-dev-cert                                                                                      [diff: +__defaults]

while actually running this, this tries to delete the certificate, and after waiting like half a hr, it gives me an error saying

certificates in use

i didnt actually make any changes to this cert, but i added more things into the hosted zone.

is there a way to get around this?

Using

cloud-aws

: • What is the best way to get a secret into a

RouteHandler

? • Is there authentication for

API

?

Additionally, with Pulumi Cloud, is there a way (or future plans for a way) to access the underlying generated infrastructure? Like at some point could you easily "eject" from Pulumi Cloud?

Hey guys, Quick question, i'm trying to deploy a Glue data catalog table with pulumi (using python deployment). I'm creating a glue schema, and i cant figure out how to base my table on the schema inside pulumi. how can i use the supporting types that are seen in the documenation?

glue_schema_for_affected_entities = aws.glue.Schema("schema-for-glue-ent",

schema_name="affected_entities",

registry_arn=f"arn:aws:glue:{aws_region.id}:{user_id.id}:registry/default-registry",

data_format="JSON",

compatibility="NONE",

schema_definition=entities_data

)

aws_glue_catalog_table = aws.glue.CatalogTable("glue-table",

database_name="glue-for-xm-database",

name="glue-table",

opts=pulumi.ResourceOptions(depends_on=[aws_glue_catalog_database])

)

This is the pulumi python code for the schema and table

Hello guys. I need to create an aws.acm.Certificate after creating self signed certificate with new pvk.SelfSignedCert call. At the first pulumi up, the aws.acm.Certificate call fails with the following error: "* error importing ACM Certificate: ValidationException: The certificate is valid in the future. You can Import a certificate only during its validity period." If I retry the with 'pulumi update' after a few seconds, everything goes fine and the acm certificate is correctly created. Any suggestion..?....thanks so much.

Hi! Hoping the Pulumi hive mind can help me here. A while back I created a stack using a KMS key as the secrets manager. I removed all the stack resources, but didn’t delete the stack itself. Fast forward a few months and I replaced the KMS key that I’d used, but reused the same alias. Now, when I try to remove the stack created with the old KMS key (but same alias), I get:

error: constructing secrets manager of type "cloud": secrets (code=Unknown): AccessDeniedException: The ciphertext refers to a customer master key that does not exist, does not exist in this region, or you are not allowed to access.
	status code: 400, request id: bda7408f-f87b-43a1-86bd-bf0671c0346d

I have no issues creating/removing a new stack with the same KMS alias as the backing key still exists. Any idea how I can remove that stack? I can just nuke it from the state bucket, but I’m wondering if there’s a more idiomatic way.

I have gotten into a situation where I cannot destroy my stack due to an ALB being in use by a listener or a rule and a security group being in use. Should I manually delete these objects or will I get into an even worse state?

How can I make it so Pulumi creates a new WebACL and associates it with resources (a CloudFront Distribution) before deleting the old one?

Error deleting WAFv2 WebACL: WAFAssociatedItemException: AWS WAF couldn't perform the operation because your resource is being used by another resource or it's associated with another resource.

Hi I am using pulumi/eks to create a cluster and nodegroup. We use aws sso to switch between profiles. We logged with sso to the corresponding account and fetched our credentials. We then set the profile using

export AWS_PROFILE=XXXX

to set our profile. When we run pulumi up we are getting an error.

Error: It looks like you're using AWS profiles. Please specify this profile in providerCredentialOpts

I think this issue only happens when using crossrails EKS and not aws-classic(could be wrong here). I know there is a profile key in providerCredentialOpts I can add, but we can't ensure everyone who uses pulumi uses the same naming for their aws profiles. Am I missing something here?

I'm looking at provisioning a WAF/Web ACL, I'm not clear how you can refer to managed rule groups like "Core rule set" to add to the web acl. Any examples?

UnsupportedActionException: The resource AWS::S3::Bucket is not yet supported via Cloud Control API

- is it true or I'm doing something completely wrong?

The pulumi article on Lambda Function URL doesn’t contain a working example. I can’t call the URL that is created because the Lambda is lacking a critical permission (

lambda:InvokeFunctionUrl

) and I don’t know how to add it because I don’t know how to add the necessary condition using the classic

aws.lambda.Permission

resource. Any help?

Hi we are using ECS Service deployed via pulumi https://www.pulumi.com/registry/packages/aws/api-docs/ecs/service/ with enabled the circuit breaker and roll back but it never kicks in It looks like the root cause is this issue: https://github.com/aws/containers-roadmap/issues/1206#issuecomment-840124853 Are there any workarounds you'd suggest?

Is there support for this feature yet by chance? https://aws.amazon.com/blogs/aws/new-additional-checksum-algorithms-for-amazon-s3/

Has anyone used SSM sessions manager to ssh tunnel to private instances from a pulumi program? I'm thinking about creating a dynamic provider and I'm curious if anyone else has ever tried something like that