pulumi-community #aws

aws

quick-stone-19389

07/06/2022, 4:21 PM

Hey - we’re trying to explicitly create the security groups for an eks cluster (+ nodes) but I’m struggling to see how to define then in code. the first one I’ve tried is creating the security group that appears as “cluster security group” on the control panel for EKS, but placing a security group in the argument

cluster_security_group

in a

pulumi_eks.eks.cluster

object doesn’t seem to have the desired effect. The same is roughly true for the “additional security group” (as it appears on the control panel, and there doesn’t seem to be a kwarg for that) and the node too. tl;dr: 4 security groups are getting made when creating eks clusters, and we’d like to have more control over them but not sure how

limited-rain-96205

07/06/2022, 7:39 PM

What’s the equivalent of this for Pulumi? (From https://docs.aws.amazon.com/eks/latest/userguide/create-service-account-iam-policy-and-role.html)

eksctl create iamserviceaccount \
    --name my-service-account \
    --namespace my-namespace \
    --cluster my-cluster \
    --role-name "my-role-name" \
    --attach-policy-arn arn:aws:iam::111122223333:policy/my-iam-policy \
    --approve \
    --override-existing-serviceaccounts

fresh-notebook-40503

07/07/2022, 6:59 PM

Having an issue with

eks.Cluster

. The EC2 instances are being created, but they are not being associated with the EKS cluster. Specifically, the default node group is not being created. Also, the OIDC provider is created, but it is not associated with the EKS cluster. Everything was working earlier, but then I created a new AWS account and started using AWS profiles to stand up infrastructure in the new account. All other components are being created properly in the new AWS account

const eksCluster = new eks.Cluster("eks-cluster", {
    vpcId: vpc.id,
    publicSubnetIds: vpc.publicSubnetIds,
    privateSubnetIds: vpc.privateSubnetIds,
    nodeAssociatePublicIpAddress: false,
    instanceType: "m5.large",
    desiredCapacity: 2,
    minSize: 2,
    maxSize: 4,
    createOidcProvider: true,
    roleMappings: [
      {
        groups: ["system:masters"],
        roleArn: clusterAdminRole.arn,
        username: "pulumi:admin-user",
      }
    ],
    providerCredentialOpts: {
      profileName: aws.config.profile,
    }
  });

Has anyone run into this problem before?

sticky-match-71841

07/08/2022, 11:12 AM

We recently upgraded the aws provider from 5.9.1 to 5.9.2 and got this problem: https://github.com/pulumi/pulumi-aws/issues/2043. How does pulumi exactly behave in this situation? I believe that

output<string>

in this case will eventually resolve to the same value as is stored in the state, but does that mean pulumi will then not execute the update? When is the decision to execute a replace made? Is it during the initial preview phase or does it also happen after outputs are resolved?

bitter-france-47214

07/10/2022, 10:03 PM

Problem:

Could not include required dependency '@aws-sdk/client-cognito-identity-provider'

This causes

new CognitoIdentityProviderClient()

to be undefined (see screenshot from lambda) Situation: I am defining a lambda function with

new aws.lambda.CallbackFunction()

. Within that I am using a module from the

@aws-sdk/client-cognito-identity-provider

. I expect this function to build and include dependecies used that I defined in the

callback

. This does not happen. Instead I get a warning (see Problem). Question What do I have to do so that dependencies are included?

bitter-france-47214

07/10/2022, 10:04 PM

stocky-petabyte-29883

07/11/2022, 9:39 AM

Hi Guys I want to read a remote file(possibly using remoteasset) and then use the file contents for creating an iam policy.

const albPolicy = new aws.iam.Policy("alb-policy", {
    name: "AWSLoadBalancerControllerIAMPolicy",
    policy: new pulumi.asset.RemoteAsset("<https://raw.githubusercontent.com/kubernetes-sigs/aws-load-balancer-controller/v2.4.0/docs/install/iam_policy.json>"),
    tags: {
        Environment: stack,
    },
});

The code I sent doesn't work, but is there any way to achieve this?

future-refrigerator-88869

07/11/2022, 10:41 PM

I am having a problem with the pulumi spot fleet request, maybe someone can help. Everything works as expected, except when i try to destroy the stack. Because pulumi doesn't wait for the ec2 instances of the spot request to be deleted, it starts romoving the VPC which removes the internet gateway and all other associated resources. It then waits until the subnet can be deleted which happens after the actual instance is terminated. Becuase of this behaviour, the ec2 instance cannot trigger an http call that I have configured on termination. (no internet gateway, no security group to allow any traffic). Anyone has any ideas how to tell pulumi to basically remove spot fleet request, then maybe wait 2 minutes, then continue to remove the vpc and its resources?

gorgeous-insurance-82079

07/12/2022, 6:39 PM

Hey guys, I wonder if there is a more easy way to check what are the whole package of AWS Policy Permissions I need to add to my CI user in order to do both preview+deploy resources with Pulumi. The current situation causes me to do multiple cycles of permissions update -> run ci -> ci fails -> permissions update (and go on). If there is a solution/tools for that I’d be happy to try Thanks!

rhythmic-branch-12845

07/13/2022, 9:20 AM

Is anybody using

aws-native

here? do you know if you need to consult different documentation from

aws

? I’ve been using https://www.pulumi.com/registry/packages/aws/api-docs/, and I assume that that’s the right place to look at for

aws

clean-tomato-15613

07/13/2022, 11:02 AM

Hi all, 2 Questions about Lambdas. 1. How do I change the retention of the log group a lambda generates for its logs? In the docs I found https://www.pulumi.com/registry/packages/aws/api-docs/lambda/function/#cloudwatch-logging-and-permissions, but when I do the same it does not work - the log group for the lambda created has a

never expire

retention policy - to be more specific, the log group I create manually does get a retention policy, but the logs for the lambda are being registered into the default log group the lambda generates which is marked as

never expire

2. How to I disable tracing/xray for Lambdas? In the tracing options (https://www.pulumi.com/registry/packages/aws/api-docs/lambda/function/#functiontracingconfig), mode can only be

Pass Through

Active

and there’s no mentioning what is the default. When I try to set it to

Disabled

I get an error from Pulumi. Truly appreciate assistance with these Thanks!

polite-napkin-90098

07/13/2022, 8:49 PM

I'm having fun trying to make my EKS cluster work with ALB. There's some docs here https://docs.aws.amazon.com/eks/latest/userguide/aws-load-balancer-controller.html I'm adding in the roles I need for that and installing the controller from the helm chart in the same pulumi typescript script which creates the EKS cluster. When I try to get the name of the cluster to pass into the helm chart using

cluster.name

I get a compile error saying:

TSError: ⨯ Unable to compile TypeScript:
    index.ts(427,24): error TS2339: Property 'name' does not exist on type 'Cluster'.

but looking in the docs https://www.pulumi.com/registry/packages/eks/api-docs/cluster/#name_nodejs it has name as an input and all inputs are outputs, so why doesn't that work. To prove it wasn't some other issue, like the cluster var being the wrong type of object or something I tried

cluster.core.vpcId

and then the TS compiles fine but obviously the ClusterName is set wrong in the helm chart.

ripe-shampoo-80285

07/14/2022, 1:03 AM

I’m trying to upgrade golang plumi-aws/sdk from v4 to v5. Anybody know why I am getting the following errors: # infra ./main.go:193:19: cannot use iam.RoleArray{…} (value of type “github.com/pulumi/pulumi-aws/sdk/v5/go/aws/iam”.RoleArray) as type “github.com/pulumi/pulumi-aws/sdk/v4/go/aws/iam”.RoleArrayInput in struct literal: “github.com/pulumi/pulumi-aws/sdk/v5/go/aws/iam”.RoleArray does not implement “github.com/pulumi/pulumi-aws/sdk/v4/go/aws/iam”.RoleArrayInput (wrong type for ToRoleArrayOutput method) have ToRoleArrayOutput() “github.com/pulumi/pulumi-aws/sdk/v5/go/aws/iam”.RoleArrayOutput want ToRoleArrayOutput() “github.com/pulumi/pulumi-aws/sdk/v4/go/aws/iam”.RoleArrayOutput ./main.go:238:19: cannot use &awseks.NodeGroupScalingConfigArgs{…} (value of type *“github.com/pulumi/pulumi-aws/sdk/v5/go/aws/eks”.NodeGroupScalingConfigArgs) as type “github.com/pulumi/pulumi-aws/sdk/v4/go/aws/eks”.NodeGroupScalingConfigPtrInput in struct literal: *“github.com/pulumi/pulumi-aws/sdk/v5/go/aws/eks”.NodeGroupScalingConfigArgs does not implement “github.com/pulumi/pulumi-aws/sdk/v4/go/aws/eks”.NodeGroupScalingConfigPtrInput (wrong type for ToNodeGroupScalingConfigPtrOutput method) have ToNodeGroupScalingConfigPtrOutput() “github.com/pulumi/pulumi-aws/sdk/v5/go/aws/eks”.NodeGroupScalingConfigPtrOutput want ToNodeGroupScalingConfigPtrOutput() “github.com/pulumi/pulumi-aws/sdk/v4/go/aws/eks”.NodeGroupScalingConfigPtrOutput ./main.go:244:19: cannot use nodeRole (variable of type *“github.com/pulumi/pulumi-aws/sdk/v5/go/aws/iam”.Role) as type “github.com/pulumi/pulumi-aws/sdk/v4/go/aws/iam”.RoleInput in struct literal: *“github.com/pulumi/pulumi-aws/sdk/v5/go/aws/iam”.Role does not implement “github.com/pulumi/pulumi-aws/sdk/v4/go/aws/iam”.RoleInput (wrong type for ToRoleOutput method) have ToRoleOutput() “github.com/pulumi/pulumi-aws/sdk/v5/go/aws/iam”.RoleOutput want ToRoleOutput() “github.com/pulumi/pulumi-aws/sdk/v4/go/aws/iam”.RoleOutput

ripe-shampoo-80285

07/14/2022, 1:04 AM

Here is my golang input: “github.com/pulumi/pulumi-aws/sdk/v5/go/aws” “github.com/pulumi/pulumi-aws/sdk/v5/go/aws/ec2” awseks “github.com/pulumi/pulumi-aws/sdk/v5/go/aws/eks” “github.com/pulumi/pulumi-aws/sdk/v5/go/aws/iam” “github.com/pulumi/pulumi-aws/sdk/v5/go/aws/rds” “github.com/pulumi/pulumi-aws/sdk/v5/go/aws/route53” “github.com/pulumi/pulumi-eks/sdk/go/eks”

ripe-shampoo-80285

07/14/2022, 1:04 AM

It looks like “github.com/pulumi/pulumi-eks/sdk/go/eks” is not compatible with pulumi-aws/sdk/v5

stocky-petabyte-29883

07/14/2022, 8:30 AM

Hi Looking at awsx vpc package This document mentions about a natgateway strategy, (https://www.pulumi.com/docs/guides/crosswalk/aws/vpc/) However this doesn't seem to be available in the package, only fields found regarding nats are numberOfNatGateways. Am I looking at the wrong place?

enough-pager-36335

07/14/2022, 8:37 AM

When I update an ecs service (EC2 or Fargate) using pulumi up, what is the sequence of operations happening under the hood? is the service being updated (like in the aws console) or anything a bit more complex happening?

lemon-salesclerk-6224

07/15/2022, 1:20 AM

Hi there, I'm trying to pass an image created by the ecr repository

buildAndPushImage

function to the container image parameter in a

aws.ecs.TaskDefinition

container definition block and keep running into this error

Container.image repository should be 255 characters or less

. This seems to happen with any Output<string> type. Is this a known issue?

helpful-account-44059

07/15/2022, 9:33 AM

Hi there, the aws,lambda.EventSourceMapping nut support SNS topic?

sparse-intern-71089

07/15/2022, 4:51 PM

This message was deleted.

enough-pager-36335

07/17/2022, 8:58 AM

I'm trying to add the DeleteBeforeReplace flag when I'm constructing a new awsx.ecs.EC2Service (or Fargate) but that doesn't seem to work, is there any option to force it other than giving the resource a name? that also doesn't seem to work

helpful-account-44059

07/18/2022, 8:27 AM

Hi. i'm trying to create AWS RDS Multi AZ cluster, got this error, i have tryied the availabilityZones with null or [ ap-southeast-1a, ap-southeast-1b, ap-southeast-1c] , my region is ap-southeast-1

InvalidParameterCombination: Can't create a Multi-AZ DB cluster because there aren't enough Availability Zones (AZs).

gray-translator-86978

07/18/2022, 10:23 AM

I am trying to set up Elasticache/Redis with auth and encryption. Is that possible? I am using TypeScript I can't see any options for those in the type definition (or the online docs!)

best-appointment-51810

07/18/2022, 5:34 PM

Hey Ive been trying to get pulumi to run in github codespaces I got the binary to work but then I always get:

error: unable to validate AWS credentials - see <https://pulumi.io/install/aws.html> for details on configuration

I already tested that the aws cli can see the credentials

clever-dog-35937

07/18/2022, 10:45 PM

https://www.pulumi.com/docs/guides/crosswalk/aws/vpc/#configuring-security-groups-for-a-vpc this Crosswalk example is broken, and it appears that the

vpc.get...

functions aren't able to be used to reference the subnets/routetables/etc. because they don't get resolved, but also lack

apply()

to force a resolve

swift-planet-53281

07/19/2022, 5:36 AM

Hey guys, we're currently building a prototype deployment with pulumi for microservice. We recognize 3 general parts in our cloud deployment: 1. General infrastructure (VPC, subnets, EKS cluster, etc) 2. Per service: required infrastructure/resources (S3 bucket, Database, ECR repos, etc) 3. Per service: deployment resources (pipelines, kubernetes deployments, services, ingress etc) We are wondering what is the best practice with regard to separating these parts over different pulumi projects. We're pretty sure it is a good idea to have a separate project for 1 (general infra). However, we are wondering where 2 and 3 should be split up in two pulumi projects, where number 3 will update automatically in a deployment pipeline, and 2 won't, or whether we should make it 1 project, reducing the amount of pulumi projects to maintain. Any suggestions or best practices?

modern-evening-83482

07/19/2022, 3:16 PM

Hello Everyone, After importing a aws resource(subnet) into pulumi I would like to modify the properties. This leads to replacement. Is this a pulumi thing or an aws thing? I would like to change few properties on the resource...

pulumi up
Previewing update (network.staging):
     Type                     Name                                           Plan        Info
     pulumi:pulumi:Stack      pulumi-staging-infrastructure-network.staging              
 +   ├─ pulumi:providers:aws  provider                                       create      
 +-  ├─ aws:ec2:Vpc           vpc-staging                                    replace     [diff: +enableDnsSupport,instanceTenancy~__defaults,protect,provider]
 +-  └─ aws:ec2:Subnet        public_subnet_stvk                             replace     [diff: +assignIpv6AddressOnCreation,enableDns64,enableResourceNameDnsARecordOnLaunch,ena
 
Resources:
    + 1 to create
    +-2 to replace
    3 changes. 1 unchanged

witty-monitor-18849

07/20/2022, 9:33 AM

Morning, I'm creating a Cloudfront distribution with the aws-native provider and an alias route53 record pointing to it with the aws-classic provider. While writing the latter, I noticed a distinct lack of outputs/exports from the aws-native's Cloudfront distribution, which were present in the aws-classic Cloudfront distribution. i.e. zoneId Is this by design and I'm using the aws-native provider incorrectly?

witty-monitor-18849

07/20/2022, 9:34 AM

new route53.Record(domain, {
        name: domain,
        zoneId: zoneId,
        type: 'A',

        aliases: [
            {
                name: cloudFrontDist.domainName,
                zoneId: cloudFrontDist.**NO ZONE ID**,
                evaluateTargetHealth: true
            }
        ]
    })

adorable-wall-67745

07/20/2022, 9:47 AM

Hi guys, I have encountered a strange problem that has been bothering me for a long time. I followed the documentation of Pulumi to create a demo, but when I run to

pulumi up

, it always throws an exception

unable to validate AWS credentials - see <https://pulumi.io/install/aws.html> for details on configuration

I tested the command

aws sts get-caller-identity

and it can works. Documentation which I followed is: https://www.pulumi.com/docs/get-started/aws/create-project/

Title

adorable-wall-67745

07/20/2022, 9:47 AM

Hi guys, I have encountered a strange problem that has been bothering me for a long time. I followed the documentation of Pulumi to create a demo, but when I run to

pulumi up

, it always throws an exception

unable to validate AWS credentials - see <https://pulumi.io/install/aws.html> for details on configuration

I tested the command

aws sts get-caller-identity

and it can works. Documentation which I followed is: https://www.pulumi.com/docs/get-started/aws/create-project/

narrow-barista-48437

09/28/2022, 6:03 PM

Hi Ethan, I`m with very similar problem.. Did you find a solution?

View count: 1