pulumi-community #aws

aws

brief-ram-15160

07/20/2022, 10:40 AM

hey all. Did anyone here managed to create a

cloudfront

security headers policy in Pulumi?

alert-spoon-97538

07/20/2022, 8:43 PM

Trying to run Pulumi in GitHub Action CI but keep seeing the following line implying a Profile is passed even though no AWS profile is defined.

A Profile was specified along with the environment variables "AWS_ACCESS_KEY_ID" and "AWS_SECRET_ACCESS_KEY". The Profile is now used instead of the environment variable credentials. This may lead to unexpected behavior.

I do set the config aws:profile locally and I tried removing that in the CI prior to

up

and re-adding it after though that didn't change the log line above. Is this an issue or a red herring?

adorable-summer-21974

07/21/2022, 8:42 AM

Hi, does anyone know how I can get past a 'duplicate security group' error. The issue seems to have been fixed in Terraform about 6 years ago!

aws:ec2:SecurityGroupRule (wiki-https-external-0-egress):
    error: 1 error occurred:
    	* [WARN] A duplicate Security Group rule was found on (sg-002096ed4ca1220a3). This may be
    a side effect of a now-fixed Terraform issue causing two security groups with
    identical attributes but different source_security_group_ids to overwrite each
    other in the state. See <https://github.com/hashicorp/terraform/pull/2376> for more
    information and instructions for recovery. Error: InvalidPermission.Duplicate: the specified rule "peer: 0.0.0.0/0, TCP, from port: 443, to port: 443, ALLOW" already exists
    	status code: 400, request id: 1b6001e7-2dc7-437f-aa56-c92a32fa707b

modern-evening-83482

07/21/2022, 5:32 PM

Hello Everyone, I am trying to achieve blue green for ecs backed by ec2 via code deploy. I am setting the following in the aws.ecs.Service object

deployment_controller=aws.ecs.ServiceDeploymentControllerArgs(
      type="CODE_DEPLOY",
    )

However I dont see any changes on the ecs service side. Am I missing something? My goal is to get a blue green for an ecs service backed by ec2

quaint-match-50796

07/22/2022, 12:18 PM

Hi, do anyone have issues when: 1. Create EKS cluster 2. Setup AWS Load Balanacer Controller 3. Create some services that deploys load balancers 4. Try to take down stack As a result, we got stuck at delete subnet because the load balancers are not deleted. Anyone has implemented anything? Options could be manual removal or listing and removing, that I can think of.

polite-napkin-90098

07/22/2022, 6:12 PM

I'm trying to look up a load balancer by tags, so I can create a DNS record to point a hostname at it. I can't find any examples for how to construct the

{[key: string]: string}

block described here https://www.pulumi.com/registry/packages/aws/api-docs/alb/getloadbalancer/#using

💯 1

bored-vase-40478

07/22/2022, 6:22 PM

Hi Pulumi Community, Does anyone tried to create ec2 instances and pause the resource deploying process until the ec2 instances have a healthy status? I would like to continue deploying resources until the ec2 instances have a healthy status. Not sure if the right way is to configure Pulumi custom timeouts

opts=ResourceOptions(custom_timeouts=CustomTimeouts(create='30m'))

early-keyboard-41388

07/24/2022, 2:46 PM

Hi! Does anyone have an implementation on a similar use case as this? Serverless alias handling for lambdas. Main questions is how to handle a

getAllAliases

for a lambda. So to keep all created ones, and don’t delete existing ones.

icy-pilot-31118

07/26/2022, 1:51 AM

I deployed a service/load balancer within kubernetes cluster using the default VPC. I wanted to have the cluster use fargate so that I don’t have to worry about provisioning. Since fargate requires a private subnet, I needed to create a new VPC and deploy the cluster under this new VPC. After I did this though, the service/load balancer returned an empty reply when queried. Anybody know why? Code in thread.

aloof-dress-1001

07/26/2022, 2:48 PM

Hey guys, is anybody familiar with step functions? I’m deploying a state machine that creates an EMR Cluster and runs some steps. I want to pass a date parameter in this format: YYYY-MM-DD, that changes every day (inside the state definition) and i cant figure out how to do that. Can someone help please? The output should be something like: { … “Parameters”:{ “date”: “2022-07-26”, …..} }

gorgeous-ability-71963

07/26/2022, 7:27 PM

Hi! Does anyone know how to export an accessKey

encryptedSecret

on the stack outputs? I’ve tried this:

const lbUser = new aws.iam.User("lbUser", {path: "/system/"});
const lbAccessKey = new aws.iam.AccessKey("lbAccessKey", {
    user: lbUser.name,
});
export const secret = lbAccessKey.encryptedSecret;

But this does not exports the secret. The

pgpKey

parameter is required? If so, how do I generate one?

helpful-account-44059

07/27/2022, 3:12 AM

Hi there, the aws,lambda.EventSourceMapping not support SNS topic??

helpful-account-44059

07/27/2022, 6:31 AM

Hi, I have aws sns topic access policy as picture, it was edited by manual, when i try to translate to pulumi IaC code, it not accepted 1. Statement IDs (SID) must be alpha-numeric.

Check that your input satisfies the regular expression [0-9A-Za-z]*

2. I change the Sid to AllowPublishAlarms

error creating IAM Policy sns-access-policy: MalformedPolicyDocument: Policy document should not specify a principal

const snsAccessPolicy = new aws.iam.Policy("sns-access-policy", {
  name: "sns-access-policy",
  policy: {
    Version: "2012-10-17",
    Statement: [
      {
        Sid: "Allow_Publish_Alarms",
        Effect: "Allow",
        Principal: {
          Service: "<http://aps.amazonaws.com|aps.amazonaws.com>",
        },
        Action: ["sns:Publish", "sns:GetTopicAttributes"],
        Resource: "arn:aws:sns:ap-southeast-1:482414749843:amp-sns-topic",
        Condition: {
          StringEquals: {
            "AWS:SourceAccount": "482414749843",
          },
          ArnEquals: {
            "aws:SourceArn":
              "arn:aws:aps:ap-southeast-1:482414749843:workspace/ws-be6e741f-d8ac-4330-b0fb-6a0c0aa92d6f",
          },
        },
      },
    ],
  },
});

busy-helicopter-97413

07/27/2022, 3:56 PM

Hey all! I am running some automation in golang that involves retrieving AMIs that breaks on certain occasions but not on others. Specifically, the error message I'm getting is

rpc error: code = Unknown desc = invocation of aws:ec2/getAmi:getAmi returned an error: unrecognized data function (Invoke): aws:ec2/getAmi:getAmi

I am thinking the reason why is that there are two versions of

getAMI

as one is deprecated (https://www.pulumi.com/registry/packages/aws/api-docs/getami/ vs https://www.pulumi.com/registry/packages/aws/api-docs/ec2/getami/) I am running this automation on multiple versions of k8s, so is it possible that somehow the wrong implementation of getAMI is being called depending on the version?

adorable-summer-21974

07/28/2022, 9:46 AM

Hey, does anyone know if its possible to add an origin to an existing cloudfront distribution using pulumi? Thanks!

aloof-dress-1001

07/28/2022, 1:00 PM

Hey, Why can’t i run “nodejs16.x” runtime from pulumi when creating a lambda function?

glamorous-spring-30202

07/29/2022, 3:35 AM

Hi, I recently started using

registerAutoTags

as described here. After that I notice that my lambda resources are losing its policies, and I am puzzled as to why this is happening. I use pulumi to create a lambda, add a role, and policy attachments to it. After a successful

pulumi up

, after a few seconds my lambdas do not work, permission issues. I go look in AWS console, and they do not have my custom policy attachment anymore. If I

pulumi refresh

, I see the removed policies/attachments, and if I

pulumi up

again, it will create them. But on next re-deploy, the lambdas lose their policies again. I am thinking that there is something going on with the stack transformations I am trying to apply, but honestly, I have no good idea why this is happening, apart from the only change before this started, being the tagging. If anyone ever faced this issue or has some pointers on where I should look, it would be much appreciated. Thank you

rhythmic-branch-12845

07/29/2022, 8:52 AM

can Pulumi be run from an EC2 instance that has an instance profile assigned to it? or must we set up AWS credentials?

rhythmic-branch-12845

07/29/2022, 9:34 AM

hi, I am importing an EC2 instance (using

pulumi import

) and then pasting the code into my file, and when I try to run

pulumi up

again using the same code, Pulumi claims that there is a diff in the user data when the strings are the same?

Type                 Name        Plan       Info
     pulumi:pulumi:Stack  test-dev
 ~   └─ aws:ec2:Instance  api         update     [diff: ~userData]

Resources:
    ~ 1 to update
    1 unchanged

Do you want to perform this update? details
  pulumi:pulumi:Stack: (same)
    [urn=urn:pulumi:dev::test::pulumi:pulumi:Stack::test-dev]
    ~ aws:ec2/instance:Instance: (update) 🔒
        [id=i-0a1fd51cf5f02a8b4]
        [urn=urn:pulumi:dev::test::aws:ec2/instance:Instance::api]
        [provider=urn:pulumi:dev::test::pulumi:providers:aws::default_5_10_0::bdc3a497-cbed-47f9-98ef-99acbed1740f]
      ~ userData: "85de5fdec580fbc6617d9b2bfbddbae346a45ef4" => "85de5fdec580fbc6617d9b2bfbddbae346a45ef4"

rough-jewelry-40643

07/29/2022, 3:10 PM

Hi all, I have a question about deploying multi region resources. In general we use AWS us-east-2. I need to build a stack which contains CloudFront and some CloudFront associated lamda fucntions. B/c cloudfront is global the lambda fucntions must be in us-east-1. Is there a way in pulumi to specify this, without changing my overall

Pulumi.stack.yml

and thus building all the stack resources in us-east-1?

most-lighter-95902

07/30/2022, 11:15 PM

Hi, I’m getting the following error even though my aws credentials are set as env variables as per the doc:

most-lighter-95902

07/30/2022, 11:15 PM

error: Running program '/app' failed with an unhandled exception:
Error: invocation of aws:index/getCallerIdentity:getCallerIdentity returned an error: unable to validate AWS credentials

most-lighter-95902

07/30/2022, 11:16 PM

This is running inside a container - why would I be getting this error? Not sure where to start debugging this?

thankful-horse-13152

08/01/2022, 4:45 PM

I am new to Pulumi. I am looking at creating a new IAM user just for Pulumi. Following the Principle of Least Privilege. What are the bare minimum permissions a Pulumi IAM user would need? (I am not very well versed in AWS IAM)

brief-baker-41837

08/01/2022, 7:50 PM

Hi, I am trying to create a VPC and then query the result object to get the private subnet but it is always failing with the following error during preview itself:

* multiple EC2 Subnets matched; use additional constraints to reduce matches to a single EC2 Subnet

I cant seem to figure out the cause specially when this is occurring in preview itself. Please help.

fast-river-57630

08/01/2022, 7:55 PM

I expected retainOnDelete to keep my EC2 Instance running and just spawn i new one when my AMI caused a replace. Should I have run 'pulumi state delete' on the EC2 instance first to keep the old instance around?

little-soccer-5693

08/02/2022, 4:22 PM

the example code for bucket lifecycle configuration doesn't seem to work. reference: https://www.pulumi.com/registry/packages/aws/api-docs/s3control/bucketlifecycleconfiguration/ I get:

main.go:365:11: cannot use pulumi.Any(uploadBucket.Arn) (value of type pulumi.AnyOutput) as type pulumi.StringInput in struct literal:

pulumi.AnyOutput does not implement pulumi.StringInput (missing ToStringOutput method)

when specifying bucket I've also tried:

pulumi.Sprintf("arn:aws:s3:::%v", uploadBucket.ID()))

and

pulumi.Sprintf("%v", uploadBucket.Arn)

but both result in a different error:

aws:s3control:BucketLifecycleConfiguration (mybucket-lifecycle):

error: 1 error occurred:

* error parsing S3 Control Bucket ARN (): unknown format

any suggestions?

aloof-dress-1001

08/02/2022, 5:07 PM

Hey guys, is it possible to deploy pulumi_kuberenetes and pulumi_aws in the same program? i want to deploy an EKS Cluster with some other resources, and in the same program use helm.release function of pulumi_kubernetes. but i cant import the modules of k8s into my aws program, what is the best way to do it?

strong-helmet-83704

08/03/2022, 1:13 AM

I’ve noticed that sometimes Pulumi will take multiple runs to complete all of its tasks… Is this normal or expected in some situations?

stocky-petabyte-29883

08/03/2022, 10:05 AM

Hey About using mysql provider for an aurora instance that is not publicly accessible, I have created a bastion machine that I am trying to use to access the database. Can I create a remote ssh connection the bastion via pulumi command and use it for the pulumi mysql provider? If not what is the recommended approach to run mysql commands to create a user.