pulumi-community #aws

most-lighter-95902

06/23/2022, 3:37 AM

Hi, is there a way to add multiple assumeRolePolicy in aws.iam?

Copy code

const saRole = new aws.iam.Role(saName, {
  assumeRolePolicy: saAssumeRolePolicy.json,
});

most-lighter-95902

06/23/2022, 3:38 AM

I’m new to this so I might be completely off-base here, but I’m trying to add both instance assume role policy and oidc assume role policy

most-lighter-95902

06/23/2022, 3:38 AM

Copy code

const instanceAssumeRolePolicyDocument = aws.iam.getPolicyDocument({
      statements: [
        {
          actions: ['sts:AssumeRole'],
          principals: [
            {
              type: 'Service',
              identifiers: ['<http://ec2.amazonaws.com|ec2.amazonaws.com>'],
            },
          ],
        },
      ],
    })
    const oidcAssumeRolePolicyDocument = pulumi
      .all([clusterOidcProviderUrl, clusterOidcProviderArn])
      .apply(([url, arn]) =>
        aws.iam.getPolicyDocument({
          statements: [
            {
              effect: 'Allow',
              actions: ['sts:AssumeRoleWithWebIdentity'],
              principals: [
                {
                  type: 'Federated',
                  identifiers: [arn],
                },
              ],
              conditions: [
                {
                  test: 'StringEquals',
                  variable: `${url.replace('https://', '')}:aud`,
                  values: [`<http://sts.amazonaws.com|sts.amazonaws.com>`],
                },
              ],
            },
          ],
        })
      )

jolly-alligator-19698

06/23/2022, 8:25 PM

Copy code

panic: fatal: An assertion has failed: Expected string 'awsx:x:elasticloadbalancingv2:ApplicationLoadBalancer' to be a name (([A-Za-z0-9_.-][A-Za-z0-9_.-]*\/)*[A-Za-z0-9_.-][A-Za-z0-9_.-]*)

Hey y'all, just here to share an issue I discovered with the latest awsx release and an invitation to 👍 the GitHub issue if you've had the same problem. Also: does anyone have a workaround? I'm seeing the same

awsx

error as far back as

v1.0.0-beta.1

https://github.com/pulumi/pulumi-awsx/issues/873

⬆️ 1

most-lighter-95902

06/25/2022, 9:36 PM

I’m trying to create a namespace in my kubernetes cluster, and continue to get this error

most-lighter-95902

06/25/2022, 9:36 PM

Copy code

kubernetes:core/v1:Namespace (1989f0db-a509-433f-8223-2a463ead81c0):
    error: failed to initialize discovery client: exec plugin: invalid apiVersion "<http://client.authentication.k8s.io/v1alpha1|client.authentication.k8s.io/v1alpha1>"

most-lighter-95902

06/25/2022, 9:37 PM

I did some searching and updated all my packages as well as clis (kubectl and aws-cli) and also updated my kubeconfig to “client.authentication.k8s.io/v1beta1” version but it’s still throwing this error on

pulumi up

- has anyone run into this issue?

bitter-france-47214

06/26/2022, 11:00 AM

Is there some way to define a

apigateway.RestAPi

using OpenAPI but do not rely on the

x-amazon-apigateway-integration

that is used within the OpenApi spec? Why I want this? Since the spec is JSON ARN and other has to be hardcoded, so I loose the advantage of referring to a lambda (

const myLambda = aws.lambda.Function

) defined with pulumi as code.

witty-shampoo-9794

06/26/2022, 2:58 PM

Hey everyone, I’m new to Pulumi and also to aws. I want to create some lambda functions for handling the user authentication for the Twitter API (oauth1.0a) Now I wonder what’s the difference between

Copy code

awsx.apigateway.API

and

Copy code

cloud.API

witty-shampoo-9794

06/26/2022, 3:00 PM

As far as I understand cloud.API is a higher level abstraction, right?

millions-furniture-75402

06/27/2022, 2:35 PM

Has anyone overcome the size limit of lambda layers by chunking dependencies across layers? It looks like I need to do either that, or succumb to using a container runtime.

polite-window-12946

06/27/2022, 8:09 PM

Hello! it's been a while since I used pulumi and I'm just starting a new project. Is

pulumi logs

expected to work with Crosswalk (awsx) out of the box?

famous-salesclerk-74711

06/27/2022, 10:53 PM

question - we recently had to upgrade to

pulumi-aws@5.9.1

one thing we’re noticing is when executing pulumi from CI/CD, our runners didn’t need things like:

Copy code

ssm.get_parameter()

to explicitly need the aws provider or role to assume to function — it used to fall back to the default profile in the stack and assume the default profile’s role. Now we’re seeing that the pulumi_aws methods are attempting (and failing) to run w/o assuming the default profile. is there a graceful way for us to opt into that old functionality w/o going and passing the provider explicitly in all method calls?

future-refrigerator-88869

06/28/2022, 9:00 AM

Not pulumi related, but I maybe someone can still help me with an answer. Is it normal for sqs to replace

with (empty space) in header values? For example: If i pass the message attribute

Foo: Some+header+value

it will be transformed to ->

Foo: Some header value

I have an integration between api gateway and sqs and In the logs I can see that the message is sent correctly from apigateway integration but when i get to receive in sqs, it has the characters replaced.

helpful-easter-62786

06/28/2022, 2:59 PM

Can anyone recommend a simple solution to generating a self signed cert and adding it and the private key to a Fargate ecs instance?

sparse-spring-91820

06/29/2022, 3:52 PM

Hello community 👋 Is there any way to enable encryption, backup, and other options that are visible when using AWS console to create

Redis Elasticeche instance

? https://www.pulumi.com/registry/packages/aws/api-docs/elasticache/cluster/ I can’t find options to enable encryption and backup for

aws.elasticache.Cluster

✅ 1

aloof-tailor-28919

06/29/2022, 4:59 PM

Hello! 👋 I am trying to use the ca_cert_identifier parameter when creating an aws.rds.ClusterInstance resource. When I pass in the Pulumi id value from an aws.acmpca.Certificate resource, I get an error that the id is too long. -- This is a showstopper for us. Since Terraform id values were shorter than Pulumi id values, I am concerned that the length restriction may be a holdover that should not exist. There is detailed information here: https://pulumi-community.slack.com/archives/CDE799L1M/p1656112753501619

bulky-address-22596

06/30/2022, 9:24 AM

Hi. 👋 First time writer in Pulumi’s slack. ❔ I’m trying to use EKS Blueprints with Pulumi, however I’m not able to find the provider to install anywhere, not in NPM public registry. I’m using JS/TS. https://www.pulumi.com/blog/eks-blueprints-for-pulumi/ Also no installation instructions in the repo https://github.com/pulumi/eks-blueprint Hope someone can guide me here!

damp-school-17708

06/30/2022, 1:22 PM

Hello I was trying to import an opensearch cluster, as per documentation, with the

Copy code

pulumi import aws:opensearch/domain:Domain example domain_name

https://www.pulumi.com/registry/packages/aws/api-docs/opensearch/domain/ Diagnostics: awsopensearchDomain (link-dev): error: Preview failed: unrecognized resource type (Read): awsopensearch/domainDomain Is there an error in the documentation or this is still not fully supported? thanks

most-state-94104

07/01/2022, 8:44 PM

Any idea how to create an SMTP user using pulumi? https://www.pulumi.com/registry/packages/aws/api-docs/ses/ shows me how to create lots of different ses resources but not an SMTP user…

wonderful-postman-42028

07/01/2022, 10:57 PM

Hi 👋🏻, I'm considering use pulumi with yaml as my iac tool instead terraform. Anybody here can provide me an example of how to create an eks cluster and how can I install helm packages/releases with pulumi ?

adamant-honey-71910

07/02/2022, 5:24 PM

I joined a team already using Pulumi and am working to spin up a new resource. In spinning up an ec2 instance, it seems as though setting

associatePublicIpAddress

to false doesn't actually do anything and it assigns it anyway and tracks it as true. I'm new to Pulumi so I may be missing something, or maybe just be missing some odd default behavior in AWS. Code in thread.

stale-iron-26898

07/03/2022, 7:58 AM

Hi! does anyone able to resolve this issue https://github.com/pulumi/pulumi-aws/issues/751 I’m seeing the same issue using pulumi-aws 4.15.0 and pulumi 2.23.1 lambda environment variables doesn’t updated after a change

glamorous-spring-30202

07/04/2022, 7:14 AM

Hi all, I am trying to create a Transfer server with pulumi and I want to register a custom domain for it. As per this guide, I need to add two tags to the pulumi component,

aws:transfer:customHostname

and

aws:transfer:route53HostedZoneId

. The problem is that those tags start with

aws:

which is a reserved prefix. It works if I add those tags through the command line, and the guide mentions it should work with CDK. So, I am wondering if there is a way I can create those tags with pulumi as well, or if anyone encountered this and has a workaround. Thank you

acoustic-spring-42110

07/04/2022, 5:08 PM

anyone here work with the newrelic package, specifically the AwsLinkAccount resource?

quaint-book-39362

07/05/2022, 4:15 PM

in https://www.pulumi.com/blog/simplify-kubernetes-rbac-in-amazon-eks-with-open-source-pulumi-packages/, what would

arn:aws:iam::153052954103:root

be referring to. what would i need to change that value to in my environment?

polite-napkin-90098

07/05/2022, 4:27 PM

I built an EKS cluster using the EKS module v 0.37.1 with RBAC and efs-csi pvc support I then launched fluent-bit and prometheus on it all from helm charts. Between the fleunt-bit and prometheus installs I upgraded all my pulumi modules so upgraded eks to 0.41.0 Now whenever I try and run

kubectl logs <pod>

I get a long delay followed by an error

Copy code

Error from server (InternalError): Internal error occurred: Authorization error (user=kube-apiserver-kubelet-client, verb=get, resource=nodes, subresource=proxy)

Reading on stackexchange etc. it seems that this means I have somehow hosed my RBAC. I'm considering taking off and nuking the whole site from orbit, as this cluster is not in production yet, but before I do I was hoping to understand how I have broken it. I have been comparing clusterRoles and clusterRoleBindings between this new broken cluster and the other one which I have built using the 0.37.1 code. I can't find any mention of

kube-apiserver-kubelet-client

in there but

Copy code

Name:         system:kubelet-api-admin
Labels:       <http://kubernetes.io/bootstrapping=rbac-defaults|kubernetes.io/bootstrapping=rbac-defaults>
Annotations:  <http://rbac.authorization.kubernetes.io/autoupdate|rbac.authorization.kubernetes.io/autoupdate>: true
PolicyRule:
  Resources      Non-Resource URLs  Resource Names  Verbs
  ---------      -----------------  --------------  -----
  nodes/log      []                 []              [*]
  nodes/metrics  []                 []              [*]
  nodes/proxy    []                 []              [*]
  nodes/spec     []                 []              [*]
  nodes/stats    []                 []              [*]
  nodes          []                 []              [get list watch proxy]

Looks the same on both clusters. Does anyone have any pointers as to where I can look, or what causes this error?

polite-window-12946

07/05/2022, 7:58 PM

I was trying to publish to ECR and I found the documentation did not match the code. Specifically https://github.com/pulumi/pulumi-hugo/commit/87c09bb1cc94f06ea5e98e537e73a8841f35f340#diff-cea23732bd3ad9f80e0bc092[…]9bd54741787556f5a0b84b08828R49 I do not see awsx.ecr.Image - is that something that maybe is in development / not released yet?

polite-napkin-90098

07/06/2022, 4:06 PM

I upgraded the eks module from 0.37.1 to 0.41.0 and this resulted in updating the ami that the default node pool runs on. Updating that will roll all the nodes. I think that because it's a change to the cloudformation template i.e. ASG that k8s won't have a chance to ensure that all the stateful sets remain quorate etc. whilst that roll happens. To avoid this I could make a second node pool and then only update each node pool in isolation after having moved sufficient members of the stateful sets over to the safe pool. I think this means I need the node pool in a separate stack so I can update the modules in each stack independently to ensure I can do this. Is this right? Is there some other way to achieve this? Am I wrong about updates to the cloudformation template rolling the nodes without paying attention to the workloads, is there some setting I can make to the ASG to make it k8s aware?

quick-stone-19389

07/06/2022, 4:21 PM

Hey - we’re trying to explicitly create the security groups for an eks cluster (+ nodes) but I’m struggling to see how to define then in code. the first one I’ve tried is creating the security group that appears as “cluster security group” on the control panel for EKS, but placing a security group in the argument

cluster_security_group

in a

pulumi_eks.eks.cluster

object doesn’t seem to have the desired effect. The same is roughly true for the “additional security group” (as it appears on the control panel, and there doesn’t seem to be a kwarg for that) and the node too. tl;dr: 4 security groups are getting made when creating eks clusters, and we’d like to have more control over them but not sure how