fresh-notebook-40503
06/21/2022, 4:47 PM
aws-auth ConfigMap to add mapUsers entries? I can definitely add mapRoles entries via the roleMappings argument in the eks.Cluster constructor, but it doesn't seem to be possible to edit mapUsers in the ConfigMap via pulumi
most-lighter-95902
06/23/2022, 3:37 AM
const saRole = new aws.iam.Role(saName, {
  assumeRolePolicy: saAssumeRolePolicy.json,
});
most-lighter-95902
06/23/2022, 3:38 AM
most-lighter-95902
06/23/2022, 3:38 AM
// Trust policy that lets EC2 instances assume the role.
const instanceAssumeRolePolicyDocument = aws.iam.getPolicyDocument({
  statements: [
    {
      actions: ['sts:AssumeRole'],
      principals: [
        {
          type: 'Service',
          identifiers: ['ec2.amazonaws.com'],
        },
      ],
    },
  ],
})
// Trust policy for roles assumed through the cluster's OIDC provider.
const oidcAssumeRolePolicyDocument = pulumi
  .all([clusterOidcProviderUrl, clusterOidcProviderArn])
  .apply(([url, arn]) =>
    aws.iam.getPolicyDocument({
      statements: [
        {
          effect: 'Allow',
          actions: ['sts:AssumeRoleWithWebIdentity'],
          principals: [
            {
              type: 'Federated',
              identifiers: [arn],
            },
          ],
          // Only the token audience (aud) is checked here; there is no
          // condition on the sub claim, so the trust is not narrowed to a
          // specific namespace or service account.
          conditions: [
            {
              test: 'StringEquals',
              variable: `${url.replace('https://', '')}:aud`,
              values: [`sts.amazonaws.com`],
            },
          ],
        },
      ],
    })
  )
jolly-alligator-19698
06/23/2022, 8:25 PM
panic: fatal: An assertion has failed: Expected string 'awsx:x:elasticloadbalancingv2:ApplicationLoadBalancer' to be a name (([A-Za-z0-9_.-][A-Za-z0-9_.-]*\/)*[A-Za-z0-9_.-][A-Za-z0-9_.-]*)
Hey y'all, just here to share an issue I discovered with the latest awsx release and an invitation to 👍 the GitHub issue if you've had the same problem.
Also: does anyone have a workaround? I'm seeing the same awsx error as far back as v1.0.0-beta.1
https://github.com/pulumi/pulumi-awsx/issues/873
most-lighter-95902
06/25/2022, 9:36 PM
most-lighter-95902
06/25/2022, 9:36 PM
kubernetes:core/v1:Namespace (1989f0db-a509-433f-8223-2a463ead81c0):
error: failed to initialize discovery client: exec plugin: invalid apiVersion "client.authentication.k8s.io/v1alpha1"
most-lighter-95902
06/25/2022, 9:37 PM
pulumi up - has anyone run into this issue?
bitter-france-47214
06/26/2022, 11:00 AM
apigateway.RestAPi using OpenAPI but do not rely on the x-amazon-apigateway-integration that is used within the OpenApi spec?
Why I want this?
Since the spec is JSON ARN and other has to be hardcoded, so I lose the advantage of referring to a lambda (const myLambda = aws.lambda.Function) defined with pulumi as code.
witty-shampoo-9794
06/26/2022, 2:58 PM
awsx.apigateway.API and cloud.API
witty-shampoo-9794
06/26/2022, 3:00 PM
millions-furniture-75402
06/27/2022, 2:35 PM
polite-window-12946
06/27/2022, 8:09 PM
pulumi logs expected to work with Crosswalk (awsx) out of the box?
famous-salesclerk-74711
06/27/2022, 10:53 PM
pulumi-aws@5.9.1
one thing we’re noticing is when executing pulumi from CI/CD, our runners didn’t need things like: ssm.get_parameter() to explicitly need the aws provider or role to assume to function — it used to fall back to the default profile in the stack and assume the default profile’s role.
Now we’re seeing that the pulumi_aws methods are attempting (and failing) to run w/o assuming the default profile. is there a graceful way for us to opt into that old functionality w/o going and passing the provider explicitly in all method calls?
future-refrigerator-88869
06/28/2022, 9:00 AM
+ with (empty space) in header values?
For example: If I pass the message attribute Foo: Some+header+value it will be transformed to -> Foo: Some header value
I have an integration between api gateway and sqs and in the logs I can see that the message is sent correctly from apigateway integration but when I get to receive in sqs, it has the characters replaced.
helpful-easter-62786
06/28/2022, 2:59 PM
sparse-spring-91820
06/29/2022, 3:52 PM
Redis Elasticache instance?
https://www.pulumi.com/registry/packages/aws/api-docs/elasticache/cluster/ I can’t find options to enable encryption and backup for aws.elasticache.Cluster
aloof-tailor-28919
06/29/2022, 4:59 PM
bulky-address-22596
06/30/2022, 9:24 AM
damp-school-17708
06/30/2022, 1:22 PM
pulumi import aws:opensearch/domain:Domain example domain_name
https://www.pulumi.com/registry/packages/aws/api-docs/opensearch/domain/
Diagnostics:
aws:opensearch:Domain (link-dev):
error: Preview failed: unrecognized resource type (Read): aws:opensearch/domain:Domain
Is there an error in the documentation or this is still not fully supported?
thanks
most-state-94104
07/01/2022, 8:44 PM
wonderful-postman-42028
07/01/2022, 10:57 PM
adamant-honey-71910
07/02/2022, 5:24 PM
associatePublicIpAddress to false doesn't actually do anything and it assigns it anyway and tracks it as true. I'm new to Pulumi so I may be missing something, or maybe just be missing some odd default behavior in AWS. Code in thread.
stale-iron-26898
07/03/2022, 7:58 AM
glamorous-spring-30202
07/04/2022, 7:14 AM
aws:transfer:customHostname and aws:transfer:route53HostedZoneId. The problem is that those tags start with aws: which is a reserved prefix. It works if I add those tags through the command line, and the guide mentions it should work with CDK. So, I am wondering if there is a way I can create those tags with pulumi as well, or if anyone encountered this and has a workaround. Thank you
acoustic-spring-42110
07/04/2022, 5:08 PM
quaint-book-39362
07/05/2022, 4:15 PM
arn:aws:iam::153052954103:root be referring to. What would I need to change that value to in my environment?
polite-napkin-90098
07/05/2022, 4:27 PM
kubectl logs <pod> I get a long delay followed by an error
Error from server (InternalError): Internal error occurred: Authorization error (user=kube-apiserver-kubelet-client, verb=get, resource=nodes, subresource=proxy)
Reading on stackexchange etc. it seems that this means I have somehow hosed my RBAC.
I'm considering taking off and nuking the whole site from orbit, as this cluster is not in production yet, but before I do I was hoping to understand how I have broken it.
I have been comparing clusterRoles and clusterRoleBindings between this new broken cluster and the other one which I have built using the 0.37.1 code.
I can't find any mention of kube-apiserver-kubelet-client in there but
Name:         system:kubelet-api-admin
Labels:       kubernetes.io/bootstrapping=rbac-defaults
Annotations:  rbac.authorization.kubernetes.io/autoupdate: true
PolicyRule:
  Resources      Non-Resource URLs  Resource Names  Verbs
  ---------      -----------------  --------------  -----
  nodes/log      []                 []              [*]
  nodes/metrics  []                 []              [*]
  nodes/proxy    []                 []              [*]
  nodes/spec     []                 []              [*]
  nodes/stats    []                 []              [*]
  nodes          []                 []              [get list watch proxy]
Looks the same on both clusters.
Does anyone have any pointers as to where I can look, or what causes this error?
polite-window-12946
07/05/2022, 7:58 PM
polite-napkin-90098
07/06/2022, 4:06 PM
polite-napkin-90098
07/06/2022, 4:06 PM
billowy-army-68599
07/06/2022, 4:07 PM
ignoreChanges to the AMI
polite-napkin-90098
07/06/2022, 4:08 PM
billowy-army-68599
07/06/2022, 4:12 PM
polite-napkin-90098
07/07/2022, 5:00 PM