most-lighter-95902
06/23/2022, 3:37 AM
const saRole = new aws.iam.Role(saName, {
  assumeRolePolicy: saAssumeRolePolicy.json,
});
most-lighter-95902
06/23/2022, 3:38 AM
most-lighter-95902
06/23/2022, 3:38 AM
const instanceAssumeRolePolicyDocument = aws.iam.getPolicyDocument({
  statements: [
    {
      actions: ['sts:AssumeRole'],
      principals: [
        {
          type: 'Service',
          identifiers: ['ec2.amazonaws.com'],
        },
      ],
    },
  ],
})
const oidcAssumeRolePolicyDocument = pulumi
  .all([clusterOidcProviderUrl, clusterOidcProviderArn])
  .apply(([url, arn]) =>
    aws.iam.getPolicyDocument({
      statements: [
        {
          effect: 'Allow',
          actions: ['sts:AssumeRoleWithWebIdentity'],
          principals: [
            {
              type: 'Federated',
              identifiers: [arn],
            },
          ],
          conditions: [
            {
              test: 'StringEquals',
              variable: `${url.replace('https://', '')}:aud`,
              values: [`sts.amazonaws.com`],
            },
          ],
        },
      ],
    })
  )
jolly-alligator-19698
06/23/2022, 8:25 PM
panic: fatal: An assertion has failed: Expected string 'awsx:x:elasticloadbalancingv2:ApplicationLoadBalancer' to be a name (([A-Za-z0-9_.-][A-Za-z0-9_.-]*\/)*[A-Za-z0-9_.-][A-Za-z0-9_.-]*)
Hey y'all, just here to share an issue I discovered with the latest awsx release and an invitation to 👍 the GitHub issue if you've had the same problem.
Also: does anyone have a workaround? I'm seeing the same awsx error as far back as v1.0.0-beta.1
https://github.com/pulumi/pulumi-awsx/issues/873
most-lighter-95902
06/25/2022, 9:36 PM
most-lighter-95902
06/25/2022, 9:36 PM
kubernetes:core/v1:Namespace (1989f0db-a509-433f-8223-2a463ead81c0):
error: failed to initialize discovery client: exec plugin: invalid apiVersion "client.authentication.k8s.io/v1alpha1"
most-lighter-95902
06/25/2022, 9:37 PM
pulumi up - has anyone run into this issue?
bitter-france-47214
06/26/2022, 11:00 AM
apigateway.RestAPi using OpenAPI but do not rely on the x-amazon-apigateway-integration that is used within the OpenApi spec?
Why do I want this?
Since the spec is JSON, the ARN and others have to be hardcoded, so I lose the advantage of referring to a lambda (const myLambda = aws.lambda.Function) defined with pulumi as code.
witty-shampoo-9794
06/26/2022, 2:58 PM
awsx.apigateway.API and cloud.API
witty-shampoo-9794
06/26/2022, 3:00 PM
millions-furniture-75402
06/27/2022, 2:35 PM
polite-window-12946
06/27/2022, 8:09 PM
pulumi logs expected to work with Crosswalk (awsx) out of the box?
famous-salesclerk-74711
06/27/2022, 10:53 PM
pulumi-aws@5.9.1
One thing we’re noticing is when executing pulumi from CI/CD, our runners didn’t need things like: ssm.get_parameter() to explicitly need the aws provider or role to assume to function — it used to fall back to the default profile in the stack and assume the default profile’s role.
Now we’re seeing that the pulumi_aws methods are attempting (and failing) to run w/o assuming the default profile. Is there a graceful way for us to opt into that old functionality w/o going and passing the provider explicitly in all method calls?
future-refrigerator-88869
06/28/2022, 9:00 AM
+ with (empty space) in header values?
For example: If I pass the message attribute Foo: Some+header+value it will be transformed to -> Foo: Some header value
I have an integration between API Gateway and SQS, and in the logs I can see that the message is sent correctly from the API Gateway integration, but when I get to receive it in SQS, it has the characters replaced.
helpful-easter-62786
06/28/2022, 2:59 PM
sparse-spring-91820
06/29/2022, 3:52 PM
Redis Elasticache instance?
https://www.pulumi.com/registry/packages/aws/api-docs/elasticache/cluster/ I can’t find options to enable encryption and backup for aws.elasticache.Cluster
aloof-tailor-28919
06/29/2022, 4:59 PM
bulky-address-22596
06/30/2022, 9:24 AM
damp-school-17708
06/30/2022, 1:22 PM
pulumi import aws:opensearch/domain:Domain example domain_name
https://www.pulumi.com/registry/packages/aws/api-docs/opensearch/domain/
Diagnostics:
aws:opensearch:Domain (link-dev):
error: Preview failed: unrecognized resource type (Read): aws:opensearch/domain:Domain
Is there an error in the documentation, or is this still not fully supported?
Thanks
most-state-94104
07/01/2022, 8:44 PM
wonderful-postman-42028
07/01/2022, 10:57 PM
adamant-honey-71910
07/02/2022, 5:24 PM
associatePublicIpAddress to false doesn't actually do anything and it assigns it anyway and tracks it as true. I'm new to Pulumi so I may be missing something, or maybe just be missing some odd default behavior in AWS. Code in thread.
stale-iron-26898
07/03/2022, 7:58 AM
glamorous-spring-30202
07/04/2022, 7:14 AM
aws:transfer:customHostname and aws:transfer:route53HostedZoneId. The problem is that those tags start with aws: which is a reserved prefix. It works if I add those tags through the command line, and the guide mentions it should work with CDK. So, I am wondering if there is a way I can create those tags with pulumi as well, or if anyone encountered this and has a workaround. Thank you
acoustic-spring-42110
07/04/2022, 5:08 PM
quaint-book-39362
07/05/2022, 4:15 PM
arn:aws:iam::153052954103:root be referring to. What would I need to change that value to in my environment?
polite-napkin-90098
07/05/2022, 4:27 PM
kubectl logs <pod> I get a long delay followed by an error
Error from server (InternalError): Internal error occurred: Authorization error (user=kube-apiserver-kubelet-client, verb=get, resource=nodes, subresource=proxy)
Reading on stackexchange etc. it seems that this means I have somehow hosed my RBAC.
I'm considering taking off and nuking the whole site from orbit, as this cluster is not in production yet, but before I do I was hoping to understand how I have broken it.
I have been comparing clusterRoles and clusterRoleBindings between this new broken cluster and the other one which I have built using the 0.37.1 code.
I can't find any mention of kube-apiserver-kubelet-client in there but
Name:         system:kubelet-api-admin
Labels:       kubernetes.io/bootstrapping=rbac-defaults
Annotations:  rbac.authorization.kubernetes.io/autoupdate: true
PolicyRule:
  Resources      Non-Resource URLs  Resource Names  Verbs
  ---------      -----------------  --------------  -----
  nodes/log      []                 []              [*]
  nodes/metrics  []                 []              [*]
  nodes/proxy    []                 []              [*]
  nodes/spec     []                 []              [*]
  nodes/stats    []                 []              [*]
  nodes          []                 []              [get list watch proxy]
Looks the same on both clusters.
Does anyone have any pointers as to where I can look, or what causes this error?
polite-window-12946
07/05/2022, 7:58 PM
polite-napkin-90098
07/06/2022, 4:06 PM
quick-stone-19389
07/06/2022, 4:21 PM
cluster_security_group in a pulumi_eks.eks.cluster object doesn’t seem to have the desired effect.
The same is roughly true for the “additional security group” (as it appears on the control panel, and there doesn’t seem to be a kwarg for that) and the node too.
tl;dr: 4 security groups are getting made when creating eks clusters, and we’d like to have more control over them but not sure how