aws
  • f

    fresh-notebook-40503

    06/21/2022, 4:47 PM
    I have an EKS question. Is there a way to use pulumi to edit the aws-auth ConfigMap to add mapUsers entries? I can definitely add mapRoles entries via the roleMappings argument in the eks.Cluster constructor, but it doesn't seem to be possible to edit mapUsers in the ConfigMap via pulumi
  • m

    most-lighter-95902

    06/23/2022, 3:37 AM
    Hi, is there a way to add multiple assumeRolePolicy in aws.iam?
    const saRole = new aws.iam.Role(saName, {
      assumeRolePolicy: saAssumeRolePolicy.json,
    });
  • m

    most-lighter-95902

    06/23/2022, 3:38 AM
    I’m new to this so I might be completely off-base here, but I’m trying to add both instance assume role policy and oidc assume role policy
  • m

    most-lighter-95902

    06/23/2022, 3:38 AM
    const instanceAssumeRolePolicyDocument = aws.iam.getPolicyDocument({
          statements: [
            {
              actions: ['sts:AssumeRole'],
              principals: [
                {
                  type: 'Service',
                  identifiers: ['ec2.amazonaws.com'],
                },
              ],
            },
          ],
        })
        const oidcAssumeRolePolicyDocument = pulumi
          .all([clusterOidcProviderUrl, clusterOidcProviderArn])
          .apply(([url, arn]) =>
            aws.iam.getPolicyDocument({
              statements: [
                {
                  effect: 'Allow',
                  actions: ['sts:AssumeRoleWithWebIdentity'],
                  principals: [
                    {
                      type: 'Federated',
                      identifiers: [arn],
                    },
                  ],
                  conditions: [
                    {
                      test: 'StringEquals',
                      variable: `${url.replace('https://', '')}:aud`,
                      values: [`sts.amazonaws.com`],
                    },
                  ],
                },
              ],
            })
          )
  • j

    jolly-alligator-19698

    06/23/2022, 8:25 PM
    panic: fatal: An assertion has failed: Expected string 'awsx:x:elasticloadbalancingv2:ApplicationLoadBalancer' to be a name (([A-Za-z0-9_.-][A-Za-z0-9_.-]*\/)*[A-Za-z0-9_.-][A-Za-z0-9_.-]*)
    Hey y'all, just here to share an issue I discovered with the latest awsx release and an invitation to 👍 the GitHub issue if you've had the same problem. Also: does anyone have a workaround? I'm seeing the same awsx error as far back as v1.0.0-beta.1
    https://github.com/pulumi/pulumi-awsx/issues/873
  • m

    most-lighter-95902

    06/25/2022, 9:36 PM
    I’m trying to create a namespace in my kubernetes cluster, and continue to get this error
  • m

    most-lighter-95902

    06/25/2022, 9:36 PM
    kubernetes:core/v1:Namespace (1989f0db-a509-433f-8223-2a463ead81c0):
        error: failed to initialize discovery client: exec plugin: invalid apiVersion "client.authentication.k8s.io/v1alpha1"
  • m

    most-lighter-95902

    06/25/2022, 9:37 PM
    I did some searching and updated all my packages as well as clis (kubectl and aws-cli) and also updated my kubeconfig to “client.authentication.k8s.io/v1beta1” version but it’s still throwing this error on pulumi up - has anyone run into this issue?
  • b

    bitter-france-47214

    06/26/2022, 11:00 AM
    Is there some way to define an apigateway.RestAPi using OpenAPI but do not rely on the x-amazon-apigateway-integration that is used within the OpenApi spec? Why I want this? Since the spec is JSON ARN and other has to be hardcoded, so I lose the advantage of referring to a lambda (const myLambda = aws.lambda.Function) defined with pulumi as code.
  • w

    witty-shampoo-9794

    06/26/2022, 2:58 PM
    Hey everyone, I’m new to Pulumi and also to aws. I want to create some lambda functions for handling the user authentication for the Twitter API (oauth1.0a). Now I wonder what’s the difference between awsx.apigateway.API and cloud.API
  • w

    witty-shampoo-9794

    06/26/2022, 3:00 PM
    As far as I understand cloud.API is a higher level abstraction, right?
  • m

    millions-furniture-75402

    06/27/2022, 2:35 PM
    Has anyone overcome the size limit of lambda layers by chunking dependencies across layers? It looks like I need to do either that, or succumb to using a container runtime.
  • p

    polite-window-12946

    06/27/2022, 8:09 PM
    Hello! it's been a while since I used pulumi and I'm just starting a new project. Is pulumi logs expected to work with Crosswalk (awsx) out of the box?
  • f

    famous-salesclerk-74711

    06/27/2022, 10:53 PM
    question - we recently had to upgrade to pulumi-aws@5.9.1. One thing we’re noticing is when executing pulumi from CI/CD, our runners didn’t need things like: ssm.get_parameter() to explicitly need the aws provider or role to assume to function — it used to fall back to the default profile in the stack and assume the default profile’s role. Now we’re seeing that the pulumi_aws methods are attempting (and failing) to run w/o assuming the default profile. Is there a graceful way for us to opt into that old functionality w/o going and passing the provider explicitly in all method calls?
  • f

    future-refrigerator-88869

    06/28/2022, 9:00 AM
    Not pulumi related, but maybe someone can still help me with an answer. Is it normal for sqs to replace + with (empty space) in header values? For example: if I pass the message attribute
    Foo: Some+header+value
    it will be transformed to ->
    Foo: Some header value
    I have an integration between api gateway and sqs and in the logs I can see that the message is sent correctly from the apigateway integration, but when I get to receive in sqs, it has the characters replaced.
  • h

    helpful-easter-62786

    06/28/2022, 2:59 PM
    Can anyone recommend a simple solution to generating a self signed cert and adding it and the private key to a Fargate ecs instance?
  • s

    sparse-spring-91820

    06/29/2022, 3:52 PM
    Hello community 👋 Is there any way to enable encryption, backup, and other options that are visible when using AWS console to create a Redis ElastiCache instance? https://www.pulumi.com/registry/packages/aws/api-docs/elasticache/cluster/ I can’t find options to enable encryption and backup for aws.elasticache.Cluster
  • a

    aloof-tailor-28919

    06/29/2022, 4:59 PM
    Hello! 👋 I am trying to use the ca_cert_identifier parameter when creating an aws.rds.ClusterInstance resource. When I pass in the Pulumi id value from an aws.acmpca.Certificate resource, I get an error that the id is too long. -- This is a showstopper for us. Since Terraform id values were shorter than Pulumi id values, I am concerned that the length restriction may be a holdover that should not exist. There is detailed information here: https://pulumi-community.slack.com/archives/CDE799L1M/p1656112753501619
  • b

    bulky-address-22596

    06/30/2022, 9:24 AM
    Hi. 👋 First time writer in Pulumi’s slack. ❔ I’m trying to use EKS Blueprints with Pulumi, however I’m not able to find the provider to install anywhere, not in NPM public registry. I’m using JS/TS. https://www.pulumi.com/blog/eks-blueprints-for-pulumi/ Also no installation instructions in the repo https://github.com/pulumi/eks-blueprint Hope someone can guide me here!
  • d

    damp-school-17708

    06/30/2022, 1:22 PM
    Hello I was trying to import an opensearch cluster, as per documentation, with the
    pulumi import aws:opensearch/domain:Domain example domain_name
    https://www.pulumi.com/registry/packages/aws/api-docs/opensearch/domain/
    Diagnostics: aws:opensearch:Domain (link-dev): error: Preview failed: unrecognized resource type (Read): aws:opensearch/domain:Domain
    Is there an error in the documentation or this is still not fully supported? thanks
  • m

    most-state-94104

    07/01/2022, 8:44 PM
    Any idea how to create an SMTP user using pulumi? https://www.pulumi.com/registry/packages/aws/api-docs/ses/ shows me how to create lots of different ses resources but not an SMTP user…
  • w

    wonderful-postman-42028

    07/01/2022, 10:57 PM
    Hi 👋🏻, I'm considering using pulumi with yaml as my iac tool instead of terraform. Can anybody here provide me an example of how to create an eks cluster and how I can install helm packages/releases with pulumi?
  • a

    adamant-honey-71910

    07/02/2022, 5:24 PM
    I joined a team already using Pulumi and am working to spin up a new resource. In spinning up an ec2 instance, it seems as though setting associatePublicIpAddress to false doesn't actually do anything and it assigns it anyway and tracks it as true. I'm new to Pulumi so I may be missing something, or maybe just be missing some odd default behavior in AWS. Code in thread.
  • s

    stale-iron-26898

    07/03/2022, 7:58 AM
    Hi! Was anyone able to resolve this issue https://github.com/pulumi/pulumi-aws/issues/751 ? I’m seeing the same issue using pulumi-aws 4.15.0 and pulumi 2.23.1: lambda environment variables don't get updated after a change
  • g

    glamorous-spring-30202

    07/04/2022, 7:14 AM
    Hi all, I am trying to create a Transfer server with pulumi and I want to register a custom domain for it. As per this guide, I need to add two tags to the pulumi component, aws:transfer:customHostname and aws:transfer:route53HostedZoneId. The problem is that those tags start with aws: which is a reserved prefix. It works if I add those tags through the command line, and the guide mentions it should work with CDK. So, I am wondering if there is a way I can create those tags with pulumi as well, or if anyone encountered this and has a workaround. Thank you
  • a

    acoustic-spring-42110

    07/04/2022, 5:08 PM
    anyone here work with the newrelic package, specifically the AwsLinkAccount resource?
  • q

    quaint-book-39362

    07/05/2022, 4:15 PM
    in https://www.pulumi.com/blog/simplify-kubernetes-rbac-in-amazon-eks-with-open-source-pulumi-packages/, what would arn:aws:iam::153052954103:root be referring to. what would i need to change that value to in my environment?
  • p

    polite-napkin-90098

    07/05/2022, 4:27 PM
    I built an EKS cluster using the EKS module v 0.37.1 with RBAC and efs-csi pvc support. I then launched fluent-bit and prometheus on it, all from helm charts. Between the fluent-bit and prometheus installs I upgraded all my pulumi modules, so upgraded eks to 0.41.0. Now whenever I try and run kubectl logs <pod> I get a long delay followed by an error
    Error from server (InternalError): Internal error occurred: Authorization error (user=kube-apiserver-kubelet-client, verb=get, resource=nodes, subresource=proxy)
    Reading on stackexchange etc. it seems that this means I have somehow hosed my RBAC. I'm considering taking off and nuking the whole site from orbit, as this cluster is not in production yet, but before I do I was hoping to understand how I have broken it. I have been comparing clusterRoles and clusterRoleBindings between this new broken cluster and the other one which I have built using the 0.37.1 code. I can't find any mention of kube-apiserver-kubelet-client in there but
    Name:         system:kubelet-api-admin
    Labels:       kubernetes.io/bootstrapping=rbac-defaults
    Annotations:  rbac.authorization.kubernetes.io/autoupdate: true
    PolicyRule:
      Resources      Non-Resource URLs  Resource Names  Verbs
      ---------      -----------------  --------------  -----
      nodes/log      []                 []              [*]
      nodes/metrics  []                 []              [*]
      nodes/proxy    []                 []              [*]
      nodes/spec     []                 []              [*]
      nodes/stats    []                 []              [*]
      nodes          []                 []              [get list watch proxy]
    Looks the same on both clusters. Does anyone have any pointers as to where I can look, or what causes this error?
  • p

    polite-window-12946

    07/05/2022, 7:58 PM
    I was trying to publish to ECR and I found the documentation did not match the code. Specifically https://github.com/pulumi/pulumi-hugo/commit/87c09bb1cc94f06ea5e98e537e73a8841f35f340#diff-cea23732bd3ad9f80e0bc092[…]9bd54741787556f5a0b84b08828R49 I do not see awsx.ecr.Image - is that something that maybe is in development / not released yet?
  • p

    polite-napkin-90098

    07/06/2022, 4:06 PM
    I upgraded the eks module from 0.37.1 to 0.41.0 and this resulted in updating the ami that the default node pool runs on. Updating that will roll all the nodes. I think that because it's a change to the cloudformation template i.e. ASG that k8s won't have a chance to ensure that all the stateful sets remain quorate etc. whilst that roll happens. To avoid this I could make a second node pool and then only update each node pool in isolation after having moved sufficient members of the stateful sets over to the safe pool. I think this means I need the node pool in a separate stack so I can update the modules in each stack independently to ensure I can do this. Is this right? Is there some other way to achieve this? Am I wrong about updates to the cloudformation template rolling the nodes without paying attention to the workloads, is there some setting I can make to the ASG to make it k8s aware?
b

billowy-army-68599

07/06/2022, 4:07 PM
you can ignoreChanges to the AMI
https://www.pulumi.com/docs/intro/concepts/resources/options/ignorechanges/
p

polite-napkin-90098

07/06/2022, 4:08 PM
So I guess I can use 1 stack with 2 node pools and when the update happens ignoreChanges on one pool, update the other and then stop ignoring them and updating the second
b

billowy-army-68599

07/06/2022, 4:12 PM
what are you ultimately trying to achieve?
p

polite-napkin-90098

07/07/2022, 5:00 PM
A resilient cluster which can survive updates to the cloudformation stack which include things like changing the ami- or the node types. i.e. something where I can update the pulumi/eks module for different node pools at different times. Thus ensuring I can make such updates without downtime for my essential services.