pulumi-community #aws

broad-dog-22463

04/19/2022, 10:54 PM

Hi all, We are looking to find a few of our community users to help give us some feedback on the new changes we are adding the pulumi-awsx. If we have some users of AWSX or some people waiting to use AWSX then please do let us know and we can talk

glamorous-camera-26392

04/20/2022, 6:39 AM

i’ve been running in to an issue with awsx.ecs. initial deployments work fine, but when we try to push new versions the task definition is being marked as

inactive

, but the task is not stopped, so the new definition is never used to create new tasks. relevant ecs code looks like

Copy code

const cluster = new awsx.ecs.Cluster('mycluster', { vpc });
const myecs = new awsx.ecs.EC2Service('myservice', {
  cluster,
  securityGroups,
  taskDefinitionArgs: {
    containers: {
      flyway: {
        image: 'my/flyway:latest',
        entryPoint: ['/bin/sh'],
        command: ['-c', 'flyway -url=${JDBC_URL} -user=${POSTGRES_USER} -password=${POSTGRES_PASSWORD} migrate'],
        cpu: 1,
        memory: 1024,
        essential: false,
        environment: [
          { 'name': 'POSTGRES_PASSWORD', 'value': dbPassword },
          { 'name': 'JDBC_URL', 'value': jdbcUrl },
          { 'name': 'POSTGRES_USER', 'value': dbUsername },
        ],
      },
      myservice: {
        image: 'my/service:latest',
        cpu: 2,
        memory: 2750,
        environment: [
          { 'name': 'JDBC_PASSWORD', 'value': dbPassword },
          { 'name': 'JDBC_URL', 'value': jdbcUrl },
          { 'name': 'JDBC_USER', 'value': dbUsername },
        ],
        portMappings: [web],
        essential: true,
        dependsOn: [{
          containerName: 'flyway',
          condition: 'SUCCESS'
        }],
      },
    },
  },
});

billowy-horse-79629

04/20/2022, 8:41 AM

Hey guys, Does someone have an idea how to activate MFA on AWS account for pulumi ? Also using github actions, so if someone know about good Action to use it could be great. Thanks 🙂

fancy-eve-82724

04/20/2022, 8:48 PM

I've upgraded to the pulumi-aws 5.1.3 provider from an older 4.26.0 version I was using previously. I'm now encountering a few deprecation warnings re S3 Buckets and BucketObjects:

Copy code

warning: bucket is deprecated: Use the aws_s3_object resource instead

➕ 1

fancy-eve-82724

04/20/2022, 8:49 PM

Any recommendations on how to migrate my Pulumi config forward without having to recreate my buckets and objects therin?

miniature-oxygen-33318

04/21/2022, 3:46 PM

Hi I’m using python and aws and need to unit test some functions which use

pulumi_aws.apigateqway.RestApi

I have a class which has an input arg `api`type

pulumi_aws.apigateway

(`api:

pulumi_aws.apigateway

)and I need to test the values of

api.id

and `api.id.apply`but I’m struggling to work out how to mock this up. I found this https://www.pulumi.com/docs/guides/testing/unit/ but I can’t work out how to apply it to my case - is there more documentation; or preferably more complex examples to follow? Thanks!

acoustic-truck-53557

04/21/2022, 7:15 PM

I'm trying to enable AWS Inspector using Pulumi, but I can't get it working. AWS Classic provider seems to have only the classic Inspector, while AWS Native Provider seems incomplete, with only the Filter class https://www.pulumi.com/registry/packages/aws-native/api-docs/inspectorv2/ Does anyone know how to enable AWS Inspector using Pulumi?

fierce-manchester-32400

04/21/2022, 7:16 PM

hi, new to pulumi, how can I do an import over my whole aws deployment vs individual resources?

stocky-petabyte-29883

04/22/2022, 10:01 AM

Hi Do you guys have any general examples of creating aws aurora cluster and instances via pulumi aws classic? Thanks

magnificent-church-42829

04/22/2022, 5:55 PM

Hi, I am a relatively new user of Pulumi and IaC in general, but i’m loving the experience. I have a question about pulumi destroy and the order of steps when deleting resources. I create an internet gateway and map 2 public subnets to it via routetableassociation but when i execute pulumi destroy i get an error about not being able to detach the internet gateway from the VPC because there are still public subnet addresses mapped to it. Here is the error message:

magnificent-church-42829

04/22/2022, 5:58 PM

the same problem with a security group. That security group is the source for another security group so presumably there is an issue with the ordering of destroy steps

icy-controller-6092

04/24/2022, 12:59 AM

when creating customer api keys for api gateway, would I do that through Pulumi or does it make more sense to use the AWS Console

worried-terabyte-60325

04/24/2022, 7:50 AM

Hi folks, I met an issue on creating aws serviceRole with pulumi, some code example needs to be updated. In pulumi's doc, rolePolicy string is

Copy code

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "AllowAssumeRole",
      "Effect": "Allow",
      "Principal": "<http://ec2.amazonaws.com|ec2.amazonaws.com>",
      "Action": "sts:AssumeRole"
    }
  ]
}

Which is different from AWS' doc

Copy code

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": {
        "Service": "<http://ec2.amazonaws.com|ec2.amazonaws.com>"
      },
      "Action": "sts:AssumeRole"
    }
  ]
}

Different schema on

Principal

field. And that will cause error like:

Error creating IAM Role xxx-role-53da5df: MalformedPolicyDocument: Syntax error at position (6,41)

worried-terabyte-60325

04/24/2022, 10:42 AM

Is there a solution to attach

ExtraNodeSecurityGroups

to a NodeGroup? I met the same issue as https://github.com/pulumi/pulumi-eks/issues/616, have got any luck to solve it by my own😢

quaint-book-39362

04/25/2022, 10:37 PM

is there an example of using a aws*.lambda.*Function with crosswalk apigateway? i want to invoke a container image lambda function with aws_proxy integration mode so that the lambda function can be a rest api with routing

quaint-book-39362

04/25/2022, 10:38 PM

i believe i do need aws_proxy for this, but https://www.pulumi.com/docs/guides/crosswalk/aws/api-gateway/ has no examples of it

average-school-38756

04/26/2022, 7:11 PM

i created an EventTarget for an event bus with a CloudWatch LogGroup as the ARN, but there are no logs being written to it. This pattern works when the target is defined from the console. i thought at first that the console might have transparently made some IAM changes, but that's not so - there are no new roles or policies created. Is it possible to write this implementation with Pulumi?

thousands-area-40147

04/26/2022, 9:01 PM

Heyo, any timeline on when Aurora Serverless v2 will be supported by the AWS Classic provider? Cheers!

magnificent-church-42829

04/26/2022, 10:41 PM

i have a postgres hosted in an ec2 instance on a private subnet. I need to copy over and run some intialization scripts to open connections, create a database and user, etc. How would i go about copying over files and running commands for an instance in a private subnet? i know of the

command.remote.ConnectionArgs

command.remote.CopyFile

, and

command.remote.Command

but this wouldn’t work if the instance is in a private subnet.

green-daybreak-91402

04/28/2022, 10:40 AM

Hello! Using the

@pulumi/awsx

package for API Gateway, how are subroutes setup? Im trying to setup a route like this:

/test/{proxy+}

but get this error:

Copy code

Unable to create resource at path '/{proxy+}/{proxy+}': Cannot create a child of a resource with a greedy path variable: {proxy+}

I cant find an example of how to setup subroutes, this is how Ive setup my routes:

Copy code

{
            path: '/test/{proxy+}',
            apiKeyRequired: false,
            method: 'ANY',
            eventHandler: functions.testFunction,
          },
          {
            path: '/{proxy+}',
            method: 'ANY',
            apiKeyRequired: true,
            target: apiServerTarget,
          },

green-daybreak-91402

04/28/2022, 11:55 AM

I think I know the issue.

awsx.apigateway

is appending a

{proxy+}

route to all created paths, so it is duplicating paths. I see this happening no matter the integration type i select for my path/route. Any way to specify a route and match exactly the path without creating a

{proxy+}

sub-resource?

delightful-monkey-90700

04/28/2022, 5:38 PM

Howdy. I'm migrating some code from CDK to Pulumi. It's a simple application using Lambda and DynamoDB. In the CDK, I grant access to the DynamoDB tables using "`<tableObject>.grantReadWrite(<lambdaObject>)`" -- but I'm having a hard time finding an equivalent in Pulumi. Any insights ?

polite-napkin-90098

04/28/2022, 6:17 PM

I'm trying to get an EKS cluster to work with the efs csi driver. https://www.pulumi.com/blog/persisting-kubernetes-workloads-with-amazon-efscsi-volumes-using-pulumi-sdks/ this suggests using the helm chart as the other advice there is out of date. But when I tried that I ran into an issue where the driver is already in the cluster and thus pulumi fails to install it, which I wrote up here: https://github.com/kubernetes-sigs/aws-efs-csi-driver/issues/685 but I closed that issue as the helm chart works fine if I use helm to install it and not pulumi, and pulumi gives the hooks warning so I assume the hooks are what is deleting the already existing driver from the cluster so the chart can install a new one (and it does as the timestamp on the driver updated when I installed the chart with helm. So, how can I fake up what the helm hooks are doing? Is there a way in pulumi for me to delete the csidriver which it seems EKS installs by default? I could obviously do it using kubectl, but it would be nicer if I could capture that in the pulumi code so future me can follow the breadcrumbs

quaint-guitar-13446

04/29/2022, 4:54 AM

I'm having a weird issue with multiple

portMappings

on a

awsx.ecs.FargateService

container. I want both port 80 and 443 forwarded to the fargate service. For some reason, only the first target group gets a registered target

quaint-guitar-13446

04/29/2022, 4:55 AM

Copy code

const service = new awsx.ecs.FargateService(n('caddy-service'), {
  cluster,
  taskDefinitionArgs: {
    container: {
      image: caddyImage,
      environment: getCaddyEnvironment(),
      portMappings: targetGroups,
    },
    volumes: [
      {
        name: 'certificates',
        efsVolumeConfiguration: {
          fileSystemId: certificatesEfs.efs.id,
          authorizationConfig: {
            accessPointId: certificatesEfs.ap.id,
            iam: 'ENABLED',
          },
          transitEncryption: 'ENABLED',
        },
      },
    ],
    executionRole: ecsExecutionRole,
    taskRole: createFargateTaskRole('caddy', [certificatesEfs.mountPolicy]),
  },
  waitForSteadyState: false,
});

quaint-guitar-13446

04/29/2022, 4:56 AM

Copy code

const httpListener = loadBalancer.createListener(n('http'), {
    vpc,
    port: 80,
    protocol: 'TCP',
    loadBalancer,
    targetGroup: {
      vpc,
      port: 80,
      protocol: 'TCP',
      targetType: 'ip',
      loadBalancer,
    }
  });

  const httpsListener = loadBalancer.createListener(n('https'), {
    vpc,
    port: 443,
    protocol: 'TCP',
    loadBalancer,
    targetGroup: {
      vpc,
      port: 443,
      protocol: 'TCP',
      targetType: 'ip',
      loadBalancer,
    },

quaint-guitar-13446

04/29/2022, 4:57 AM

I originally was passing the listeners directly to

portMappings

. I also tried creating the target groups separately. In this code I'm passing

listener.defaultTargetGroup

quaint-guitar-13446

04/29/2022, 6:00 AM

To follow up, the task definition looks correct.

Copy code

"portMappings": [
                {
                    "containerPort": 80,
                    "hostPort": 80,
                    "protocol": "tcp"
                },
                {
                    "containerPort": 443,
                    "hostPort": 443,
                    "protocol": "tcp"
                }
            ],

It's just that it does not register both entries into a target group

kind-keyboard-17263

04/29/2022, 4:59 PM

Hi folks ! I am starting now with Pulumi on AWS, and I am trying to execute this, straight from https://www.pulumi.com/docs/guides/crosswalk/aws/lambda/:

Copy code

const pulumi = require("@pulumi/pulumi");
const aws = require("@pulumi/aws");
const awsx = require("@pulumi/awsx");

// Create a public HTTP endpoint (using AWS APIGateway)
const endpoint = new awsx.apigateway.API("hello", {
    routes: [
        // Serve a simple REST API on `GET /name` (using AWS Lambda)
        {
            path: "/source",
            method: "GET",
            eventHandler: (req: any, ctx: any, cb: any) => {
                cb(undefined, {
                    statusCode: 200,
                    body: Buffer.from(JSON.stringify({ name: "AWS" }), "utf8").toString("base64"),
                    isBase64Encoded: true,
                    headers: { "content-type": "application/json" },
                })
            }
        }
    ]
});

// Export the public URL for the HTTP service
exports.url = endpoint.url;

but I am having the following error:

Copy code

Type                             Name             Status                  Info
     pulumi:pulumi:Stack              store_event-dev  **failed**              1 error; 2 warnings            └─ aws:apigateway:x:API          hello
 ~      ├─ aws:apigateway:RestApi     hello            updated
 +      └─ aws:apigateway:Deployment  hello            **creating failed**     1 error

Diagnostics:
  aws:apigateway:Deployment (hello):
    error: 1 error occurred:
        * Error creating API Gateway Deployment: BadRequestException: The REST API doesn't contain any methods

  pulumi:pulumi:Stack (store_event-dev):
    warning: resource plugin aws is expected to have version >=5.3.0, but has 5.2.0; the wrong version may be on your path, or this may be a bug in the plugin
    warning: resource plugin aws is expected to have version >=5.3.0, but has 5.2.0; the wrong version may be on your path, or this may be a bug in the plugin
    error: update failed

Resources:
    ~ 1 updated
    13 unchanged

Duration: 4s

Which I am not able to find much about 😕

green-crowd-42127

04/29/2022, 8:37 PM

Hey all. Quick question on aws crosswalk load balancers and target groups. When creating an ApplicationLoadBalancer and a subsequent

ApplicationLoadBalancerTargetGroup

, it looks like I don't have the ability to set the

loadBalancingAlgorithmType

even though is only a setting available to

ApplicationLoadBalancerTargetGroups

. Example Code:

Copy code

const loadBalancer = new awsx.lb.ApplicationLoadBalancer(`${resourcePrefix}ALB`, { securityGroups: [ sg ] }, { replaceOnChanges: ['*'] });

    const targetGroup = loadBalancer.createTargetGroup(
        `${resourcePrefix}Group`, { 
            targetType: "instance", 
            healthCheck: { ... },
            // Would expect loadBalancingAlgorithmType to be set here
            //     but it is not a property of type: ApplicationTargetGroupArgs
        }, { replaceOnChanges: ['*']  });

It's creating each target group as a

round_robin

which isn't ideal for what I'm building. Any work arounds besides going into the console and editing it?