what does this error mean?

Error: invocation of aws:lb/getLoadBalancer:getLoadBalancer returned an error: invoking aws:lb/getLoadBalancer:getLoadBalancer: 1 error occurred:
        * Search returned 2 results, please revise so only one is returned

Does anybody else have the hardest time finding Crosswalk docs (https://www.pulumi.com/registry/packages/awsx/api-docs/)? I don’t think it’s listed in the Pulumi Registry, and the search bar on Pulumi’s website only ever finds the Guides for crosswalk, but finding the actual API Docs is always a challenge imo

is Node12 still the latest available runtime in the lambda provider? https://github.com/pulumi/pulumi-aws/blob/master/sdk/nodejs/lambda/runtimes.ts

Has anyone tried to have docker builds with a shared base image? How do you control the build order? It doesn't seem like the awsx (typescript sdk 0.40) ECR docker builds expose the dependsOn or anything like that.

So I am getting an error

Active stages pointing to this deployment must be moved or deleted

the stage and deployment are in the same index.ts file but for some reason after initial deployment

pulumi up

fails with an update.

Hi, I'm trying to use Pulumi to create an API Gateway that can call multiple Lambda endpoints, i.e, there is a one-to-one mapping between the path called and the respective Lambda function invoked. Is there any available example in Pulumi documentation for achieving this? I tried using the

body

argument in

apigateway.RestApi

to have OpenAPI specs for each individual path and a corresponding integration under

x-amazon-apigateway-integration

but it gives an error like this -

Unable to put integration on 'POST' for resource at path '/<some>/<path>': Integrations of type 'AWS_PROXY' currently only supports Lambda function and Firehose stream invocations.

Everytime I do a pulumi up

Type              Name        Plan    Info
   pulumi:pulumi:Stack      open-api-infra-dev
 +- └─ aws:apigateway:Integration integrationOptions replace   [diff: ~integrationHttpMethod]

the

integrationHttpMethod

ALWAYS has a diff. What am I doing wrong?

const openAPI = new aws.apigateway.RestApi("openAPI", {})

const rootMethodOptions = new aws.apigateway.Method("options", {
    authorization: "NONE",
    httpMethod: "OPTIONS",
    resourceId: openAPI.rootResourceId,
    restApi: openAPI.id,
});

const integrationOptions = new aws.apigateway.Integration("integrationOptions", {
    restApi: openAPI.id,
    resourceId: openAPI.rootResourceId,
    httpMethod: rootMethodOptions.httpMethod,
    integrationHttpMethod: "OPTIONS",
    type: "MOCK",
}, {
    dependsOn: [rootMethodOptions, openAPI],
});

It's just these 3 things

does

new aws.Provider()

use aws:* configs?

Hi! I'm trying to create a bastion host to connect my private (subnet) RDS. I created a VPC with

awsx

and it throws an error at assigning public subnet ID from newly created VPC to a new EC2 instance. Please help me.

const vpc = new awsx.ec2.Vpc("my-vpc");

// Create bastion host
const bastionHost = new awsc.ec2.Instance("bastion-host", {
  ami: ami.id,
  instanceType: awsc.ec2.InstanceTypes.T2_Micro,
  associatePublicIpAddress: true,
  // Reference the public subnet from the custom vpc above
  subnetId: vpc.publicSubnetIds.apply(x => x![0]), // ! Property apply does not exist on type ...
  vpcSecurityGroupIds: [ec2SecurityGroup.id],
  keyName: sshKey.keyName,
});

How do I assign VPC's public subnet ID to the EC2 instance (bastion host)?

I'd like to create a

FargateService

with Auto Scaling. It is possible in AWS's UI, but I don't see any option related to scaling here: https://www.pulumi.com/registry/packages/awsx/api-docs/ecs/fargateservice/ Am I missing something?

Does anyone know of any repo to setup karpenter for eks with pulumi?

does anyone know how to set this? https://www.pulumi.com/registry/packages/awsx/api-docs/ecr/repository/#imagescanningconfiguration_nodejs

Hi. I'm creating an AWS IAM user for Pulumi, but with the intent to only run

pulumi preview

. What is the appropriate permission to give to this user? Given that it will just "read"/"describe" elements on the infra, it won't change anything.

I have encountered a bug related to imports of the directconnect.GatewayAssociation resource. When i use the _import option for an existing resource, it seems to work. During subsequent runs, Pulumi will recognize the resource as requiring “replace” and curiously this does not happen every run. Usually it occurs when something else changes in the stack. This also seems to either not occur or behave differently in different versions of pulumi-aws… which leads me to suspect a bug. This replacement does not do anything on the cloud side, it’s purely local as far i can tell. The same importing seems to work fine for other resources.

associatedGatewayId: "vgw-x"
        dxGatewayId        : "x"
    +-aws:directconnect/gatewayAssociation:GatewayAssociation: (replace)
        [id=ga-x]
        [urn=urn:pulumi:x::aws:directconnect/gatewayAssociation:GatewayAssociation::x]
        [provider=urn:pulumi:x::x::pulumi:providers:aws::us-west-2_Provider::x]
        allowedPrefixes                : [
            [0]: "x/24"
        ]
        associatedGatewayId            : "vgw-x"
        associatedGatewayOwnerAccountId: "x"
        associatedGatewayType          : "virtualPrivateGateway"
        dxGatewayAssociationId         : "x"
        dxGatewayId                    : "x"
        dxGatewayOwnerAccountId        : "x"
        id                             : "ga-x"
    --aws:directconnect/gatewayAssociation:GatewayAssociation: (delete-replaced)
        [id=ga-x]
        [urn=urn:pulumi:x::x::aws:directconnect/gatewayAssociation:GatewayAssociation::x]
        [provider=urn:pulumi:x::x::pulumi:providers:aws::us-west-2_Provider::x]

How do I add subnets of a vpc to vpc connector? I tried adding like this:

const vpcConnector = new awsc.apprunner.VpcConnector("vpc-connector", {

securityGroups: [ec2SecurityGroup.id],

subnets: [pulumi.output(vpc.getSubnetsIds)], // ERROR HERE!

vpcConnectorName: "my-vpc-connector",

});

But it throws error:

1. Type 'Output<(type: VpcSubnetType) => Promise<Output<string>[]>>[]' is not assignable to type 'Input<Input<string>[]>'.

Any known issues with adding S3 bucket notifications? I already have 3 notifications setup for a S3 bucket and as soon as this code is executed, it removes all of them and adds only that one. It's one s3.bucketNotification object per bucket then? or?

const crawler_bucket_notification = new aws.s3.BucketNotification("crawler_bucket_notification-" + name, {
            bucket: "data-lake-" + config.get("env")  + "-" + name,
            queues: [{
                events: [
                    "s3:ObjectRemoved:*",
                    "s3:ObjectCreated:*",
                ],
                filterPrefix: name + "/",
                id: "data-lake-" + config.get("env") + "-" + name,
                queueArn: crawler_sqs_queue.arn,
            }],
            eventbridge: false
        });

So what would be the best approach to put multiple S3 bucket notifications without having to put the in the same object creation?

Anyone able to point me in the right direction in the docs for setting up an s3 trigger for a lambda function? It didn't come through in an import so I'm assuming its a separate resource. Is

s3/BucketNotification

what I actually want?

Hei guys, I’m trying to set a policy for a lambda to run post user confirmation in cognito and I want to give it permissions to just be able to PUT in a usersTable but I get this error

aws:iam:Policy (confirm-user-signup-role-policy):
    error: 1 error occurred:
        * error creating IAM Policy confirm-user-signup-role-policy-18437fc: MalformedPolicyDocument: Partition "
        1" is not valid for resource "arn:
        1: o.apply(v => v.toJSON())
        2: o.apply(v => JSON.stringify(v))

My code:

const confirmUserIamRolePolicy = new aws.iam.Policy(
  'confirm-user-signup-role-policy',
  {
    policy: JSON.stringify({
      Version: '2012-10-17',
      Statement: [
        {
          Effect: 'Allow',
          Action: [DBAction.Put],
          Resource: usersTable.arn.apply((arn) => `${arn}`),
        },
      ],
    }),
  }
)

export const confirmUserIamRole = new aws.iam.Role('confirm-user-signup-role', {
  assumeRolePolicy: aws.iam.assumeRolePolicyForPrincipal({
    Service: '<http://lambda.amazonaws.com|lambda.amazonaws.com>',
  }),
  managedPolicyArns: [confirmUserIamRolePolicy.arn],
})

const confirmUserIamRolePolicyAttachment = new aws.iam.PolicyAttachment(
  'confirm-user-signup-role-policy-attachment',
  {
    policyArn: confirmUserIamRolePolicy.arn,
    roles: [confirmUserIamRole],
  }
)

export const postConfirmationLambda = new aws.lambda.CallbackFunction(
  'post-confirmation-signup-lambda',
  {
    runtime: 'nodejs14.x',
    callback: confirmUserSignupHandler,
    role: confirmUserIamRole,
    environment: {
      variables: {
        USERS_TABLE: usersTable.name,
        REGION: region,
      },
    },
  }
)

In the docs I mostly see

Resource: '*'

but havent found a place where a policy is for a specific resource

Using the AWS classic EKS Cluster resource, how do I create the cluster end-point in public and private mode?

Lambda@Edge

503 ERROR

The situation • I have a Cloudfront Distribution and defined

defaultCacheBehavior.lambdaFunctionAssociations

to trigger a lambda on

origin-request

. • Weirly enough, there is no trigger in the lambda function overview, it says "+ Add trigger". I am not sure if I am missing iac here at some point. The Problem When I open the url, I get an

503 ERROR

. What I tried • There are some logs written to s3 (linked in CloudFront > Telemetry > Logs > S3 Bucket) , but the only valuable information I read out of it that there was a

LambdaExecutionError

. • If I go to the Lambda@Edge Function and click in Monitoring and then View in CloudWatch, it says

Log group does not exist

. Can anybody point me into the right direction? Many thanks in advance

I've been getting a number of errors similar to this:

aws-native:ecs:TaskDefinition (winnie-web-task-staging):
    error: operation error CloudControl: UpdateResource, https response error StatusCode: 400, RequestID: 45ff56cc-8cce-4eac-9ca3-2be60468d69b, NotUpdatableException: Invalid patch update: createOnlyProperties [/properties/TaskRoleArn] cannot be updated

Isn't this what pulumi is supposed to handle for me - creating a new resource and switching everything over to it?

Maybe I’ve missed some documentation recently, but how is everybody handling configuration? I come from a Spring Boot background, where there could be a single place to configure everything via a cloud config server Is there something that could ease our transition into Pulumi/AWS similar to that? I know there’s a few options like • hosting a configuration stack and exporting configuration to your stacks, • using pulumi config The problem with just relying on pulumi config is having to config stuff in every stack as opposed to just having it be centralized. Maybe I’m dreaming but the ideal would be one central YAML that holds any global config, and then draws any secrets from AWS secrets manager. if i need to change a config, i have one spot to change it, and redeploy any stacks that need it. or maybe lean into the pulumi stack/config setup and have a hierarchical deployment flow where all stacks are considered downstream of the main config stack and are redeployed accordingly. Sorry for the rambling, just haven’t found something that really feels like we can lean on

🐳 How do you usually build your Docker images ? 🐳 Do you use

pulumi-docker

or do you build your images externally ? We’ve been using

pulumi-docker

for about two years and there’s a ton of stuff that doesn’t work very well : log outputs, using buildx for multi-platform builds (AWS Graviton is on ARM arch), caching... Overall, it feels like we’re using

docker.Image

merely because we have to : otherwise we can’t get the build digest which uniquely identifies an image So I’m wondering if there are other ways : how can I build my image externally (e.g. using GitHub Action’s build and push), push it on ECR and yet let Pulumi know which exact version (tag, on ECR) I want to deploy in a given Lambda ?

are there any examples to setup a https ELB listener on a fargate service?

the github example only shows a http example, and i was having troubles setting up a https listener for the fargate task

i have this so far, i want to point the

httpsListener

to the task target group, but i am not sure how to do that (i tried putting it in portMappings but it didn’t work)

const apiCertificateArn = 'some-arn'

const httpsListener = alb.createListener('https-listener', {
  port: 443,
  protocol: 'HTTPS',
  external: true,
  certificateArn: apiCertificateArn,
});

const httpListener = alb.createListener('http-listener', {
  port: 80,
  protocol: 'HTTP',
  external: true,
});

// Build and publish a Docker image to a private ECR registry.
const img = awsx.ecs.Image.fromPath('api-img', '.');

// Create a Fargate service task that can scale out.
const appService = new awsx.ecs.FargateService('api-service', {
  cluster,
  taskDefinitionArgs: {
    container: {
      image: img,
      cpu: 2048,
      memory: 1024,
      portMappings: [httpListener],
      environment: [{ name: 'PORT', value: '80' }],
    },
  },
  desiredCount: 1,
});

the http listener is pointing to the correct target group already, is there a way for the https listener to point to the same target group?