aws
  • v

    victorious-dusk-75271

    09/07/2022, 6:23 PM
    it replaces pretty much everything related to @pulumi/eks on every up command 😞
  • v

    victorious-dusk-75271

    09/07/2022, 11:07 PM
    what does this error mean?
    Error: invocation of aws:lb/getLoadBalancer:getLoadBalancer returned an error: invoking aws:lb/getLoadBalancer:getLoadBalancer: 1 error occurred:
            * Search returned 2 results, please revise so only one is returned
  • b

    breezy-airplane-94478

    09/08/2022, 4:14 PM
    Does anybody else have the hardest time finding Crosswalk docs (https://www.pulumi.com/registry/packages/awsx/api-docs/)? I don’t think it’s listed in the Pulumi Registry, and the search bar on Pulumi’s website only ever finds the Guides for crosswalk, but finding the actual API Docs is always a challenge imo
  • b

    brave-angle-33257

    09/08/2022, 5:06 PM
    is Node12 still the latest available runtime in the lambda provider? https://github.com/pulumi/pulumi-aws/blob/master/sdk/nodejs/lambda/runtimes.ts
  • p

    polite-window-12946

    09/08/2022, 5:15 PM
    Has anyone tried to have docker builds with a shared base image? How do you control the build order? It doesn't seem like the awsx (typescript sdk 0.40) ECR docker builds expose the dependsOn or anything like that.
  • s

    swift-fireman-31153

    09/08/2022, 6:07 PM
    So I am getting an error
    Active stages pointing to this deployment must be moved or deleted
    the stage and deployment are in the same index.ts file but for some reason after initial deployment pulumi up fails with an update.
  • s

    sticky-country-73582

    09/08/2022, 7:27 PM
    Hi, I'm trying to use Pulumi to create an API Gateway that can call multiple Lambda endpoints, i.e., there is a one-to-one mapping between the path called and the respective Lambda function invoked. Is there any available example in Pulumi documentation for achieving this? I tried using the body argument in apigateway.RestApi to have OpenAPI specs for each individual path and a corresponding integration under x-amazon-apigateway-integration but it gives an error like this -
    Unable to put integration on 'POST' for resource at path '/<some>/<path>': Integrations of type 'AWS_PROXY' currently only supports Lambda function and Firehose stream invocations.
  • s

    swift-fireman-31153

    09/09/2022, 12:13 AM
    Every time I do a pulumi up
    Type              Name        Plan    Info
       pulumi:pulumi:Stack      open-api-infra-dev
     +- └─ aws:apigateway:Integration integrationOptions replace   [diff: ~integrationHttpMethod]
    the integrationHttpMethod ALWAYS has a diff. What am I doing wrong?
    const openAPI = new aws.apigateway.RestApi("openAPI", {})
    
    const rootMethodOptions = new aws.apigateway.Method("options", {
        authorization: "NONE",
        httpMethod: "OPTIONS",
        resourceId: openAPI.rootResourceId,
        restApi: openAPI.id,
    });
    
    const integrationOptions = new aws.apigateway.Integration("integrationOptions", {
        restApi: openAPI.id,
        resourceId: openAPI.rootResourceId,
        httpMethod: rootMethodOptions.httpMethod,
        integrationHttpMethod: "OPTIONS",
        type: "MOCK",
    }, {
        dependsOn: [rootMethodOptions, openAPI],
    });
  • s

    swift-fireman-31153

    09/09/2022, 12:16 AM
    It's just these 3 things
  • v

    victorious-dusk-75271

    09/09/2022, 2:27 AM
    does new aws.Provider() use aws:* configs?
  • f

    freezing-artist-36980

    09/09/2022, 3:23 AM
    Hi! I'm trying to create a bastion host to connect my private (subnet) RDS. I created a VPC with awsx and it throws an error at assigning public subnet ID from newly created VPC to a new EC2 instance. Please help me.
    const vpc = new awsx.ec2.Vpc("my-vpc");
    
    // Create bastion host
    const bastionHost = new awsc.ec2.Instance("bastion-host", {
      ami: ami.id,
      instanceType: awsc.ec2.InstanceTypes.T2_Micro,
      associatePublicIpAddress: true,
      // Reference the public subnet from the custom vpc above
      subnetId: vpc.publicSubnetIds.apply(x => x![0]), // ! Property apply does not exist on type ...
      vpcSecurityGroupIds: [ec2SecurityGroup.id],
      keyName: sshKey.keyName,
    });
  • f

    freezing-artist-36980

    09/09/2022, 3:34 AM
    How do I assign VPC's public subnet ID to the EC2 instance (bastion host)?
  • l

    lively-rain-14200

    09/09/2022, 7:51 AM
    I'd like to create a FargateService with Auto Scaling. It is possible in AWS's UI, but I don't see any option related to scaling here: https://www.pulumi.com/registry/packages/awsx/api-docs/ecs/fargateservice/ Am I missing something?
  • i

    incalculable-midnight-8291

    09/09/2022, 8:20 AM
    Does anyone know of any repo to setup karpenter for eks with pulumi?
  • v

    victorious-dusk-75271

    09/09/2022, 10:44 AM
    does anyone know how to set this? https://www.pulumi.com/registry/packages/awsx/api-docs/ecr/repository/#imagescanningconfiguration_nodejs
  • a

    acoustic-truck-53557

    09/09/2022, 7:25 PM
    Hi. I'm creating an AWS IAM user for Pulumi, but with the intent to only run pulumi preview. What is the appropriate permission to give to this user? Given that it will just "read"/"describe" elements on the infra, it won't change anything.
  • s

    strong-helmet-83704

    09/09/2022, 11:33 PM
    I have encountered a bug related to imports of the directconnect.GatewayAssociation resource. When I use the _import option for an existing resource, it seems to work. During subsequent runs, Pulumi will recognize the resource as requiring “replace” and curiously this does not happen every run. Usually it occurs when something else changes in the stack. This also seems to either not occur or behave differently in different versions of pulumi-aws… which leads me to suspect a bug. This replacement does not do anything on the cloud side, it’s purely local as far as I can tell. The same importing seems to work fine for other resources.
    associatedGatewayId: "vgw-x"
            dxGatewayId        : "x"
        +-aws:directconnect/gatewayAssociation:GatewayAssociation: (replace)
            [id=ga-x]
            [urn=urn:pulumi:x::aws:directconnect/gatewayAssociation:GatewayAssociation::x]
            [provider=urn:pulumi:x::x::pulumi:providers:aws::us-west-2_Provider::x]
            allowedPrefixes                : [
                [0]: "x/24"
            ]
            associatedGatewayId            : "vgw-x"
            associatedGatewayOwnerAccountId: "x"
            associatedGatewayType          : "virtualPrivateGateway"
            dxGatewayAssociationId         : "x"
            dxGatewayId                    : "x"
            dxGatewayOwnerAccountId        : "x"
            id                             : "ga-x"
        --aws:directconnect/gatewayAssociation:GatewayAssociation: (delete-replaced)
            [id=ga-x]
            [urn=urn:pulumi:x::x::aws:directconnect/gatewayAssociation:GatewayAssociation::x]
            [provider=urn:pulumi:x::x::pulumi:providers:aws::us-west-2_Provider::x]
  • f

    freezing-artist-36980

    09/10/2022, 3:20 PM
    How do I add subnets of a vpc to vpc connector? I tried adding like this:
    const vpcConnector = new awsc.apprunner.VpcConnector("vpc-connector", {
    securityGroups: [ec2SecurityGroup.id],
    subnets: [pulumi.output(vpc.getSubnetsIds)], // ERROR HERE!
    vpcConnectorName: "my-vpc-connector",
    });
    But it throws error:
    1. Type 'Output<(type: VpcSubnetType) => Promise<Output<string>[]>>[]' is not assignable to type 'Input<Input<string>[]>'.
  • w

    white-beach-28459

    09/12/2022, 4:55 PM
    Any known issues with adding S3 bucket notifications? I already have 3 notifications setup for a S3 bucket and as soon as this code is executed, it removes all of them and adds only that one. It's one s3.bucketNotification object per bucket then? or?
    const crawler_bucket_notification = new aws.s3.BucketNotification("crawler_bucket_notification-" + name, {
                bucket: "data-lake-" + config.get("env")  + "-" + name,
                queues: [{
                    events: [
                        "s3:ObjectRemoved:*",
                        "s3:ObjectCreated:*",
                    ],
                    filterPrefix: name + "/",
                    id: "data-lake-" + config.get("env") + "-" + name,
                    queueArn: crawler_sqs_queue.arn,
                }],
                eventbridge: false
            });
  • w

    white-beach-28459

    09/12/2022, 5:00 PM
    So what would be the best approach to put multiple S3 bucket notifications without having to put them in the same object creation?
  • s

    square-hair-965

    09/12/2022, 9:06 PM
    Anyone able to point me in the right direction in the docs for setting up an s3 trigger for a lambda function? It didn't come through in an import so I'm assuming it's a separate resource. Is s3/BucketNotification what I actually want?
  • a

    abundant-hair-53100

    09/13/2022, 7:49 AM
    Hei guys, I’m trying to set a policy for a lambda to run post user confirmation in cognito and I want to give it permissions to just be able to PUT in a usersTable but I get this error
    aws:iam:Policy (confirm-user-signup-role-policy):
        error: 1 error occurred:
            * error creating IAM Policy confirm-user-signup-role-policy-18437fc: MalformedPolicyDocument: Partition "
            1" is not valid for resource "arn:
            1: o.apply(v => v.toJSON())
            2: o.apply(v => JSON.stringify(v))
    My code:
    const confirmUserIamRolePolicy = new aws.iam.Policy(
      'confirm-user-signup-role-policy',
      {
        policy: JSON.stringify({
          Version: '2012-10-17',
          Statement: [
            {
              Effect: 'Allow',
              Action: [DBAction.Put],
              Resource: usersTable.arn.apply((arn) => `${arn}`),
            },
          ],
        }),
      }
    )
    
    export const confirmUserIamRole = new aws.iam.Role('confirm-user-signup-role', {
      assumeRolePolicy: aws.iam.assumeRolePolicyForPrincipal({
        Service: 'lambda.amazonaws.com',
      }),
      managedPolicyArns: [confirmUserIamRolePolicy.arn],
    })
    
    const confirmUserIamRolePolicyAttachment = new aws.iam.PolicyAttachment(
      'confirm-user-signup-role-policy-attachment',
      {
        policyArn: confirmUserIamRolePolicy.arn,
        roles: [confirmUserIamRole],
      }
    )
    
    export const postConfirmationLambda = new aws.lambda.CallbackFunction(
      'post-confirmation-signup-lambda',
      {
        runtime: 'nodejs14.x',
        callback: confirmUserSignupHandler,
        role: confirmUserIamRole,
        environment: {
          variables: {
            USERS_TABLE: usersTable.name,
            REGION: region,
          },
        },
      }
    )
    In the docs I mostly see Resource: '*' but haven't found a place where a policy is for a specific resource
  • q

    quaint-eye-38036

    09/13/2022, 3:43 PM
    Using the AWS classic EKS Cluster resource, how do I create the cluster end-point in public and private mode?
  • b

    bitter-france-47214

    09/13/2022, 5:10 PM
    Lambda@Edge 503 ERROR
    The situation
    • I have a Cloudfront Distribution and defined defaultCacheBehavior.lambdaFunctionAssociations to trigger a lambda on origin-request.
    • Weirdly enough, there is no trigger in the lambda function overview, it says "+ Add trigger". I am not sure if I am missing iac here at some point.
    The Problem
    When I open the url, I get a 503 ERROR.
    What I tried
    • There are some logs written to s3 (linked in CloudFront > Telemetry > Logs > S3 Bucket), but the only valuable information I read out of it is that there was a LambdaExecutionError.
    • If I go to the Lambda@Edge Function and click in Monitoring and then View in CloudWatch, it says Log group does not exist.
    Can anybody point me into the right direction? Many thanks in advance
  • b

    brave-motorcycle-67487

    09/13/2022, 5:33 PM
    I've been getting a number of errors similar to this:
    aws-native:ecs:TaskDefinition (winnie-web-task-staging):
        error: operation error CloudControl: UpdateResource, https response error StatusCode: 400, RequestID: 45ff56cc-8cce-4eac-9ca3-2be60468d69b, NotUpdatableException: Invalid patch update: createOnlyProperties [/properties/TaskRoleArn] cannot be updated
    Isn't this what pulumi is supposed to handle for me - creating a new resource and switching everything over to it?
  • b

    breezy-airplane-94478

    09/14/2022, 4:31 PM
    Maybe I’ve missed some documentation recently, but how is everybody handling configuration? I come from a Spring Boot background, where there could be a single place to configure everything via a cloud config server
    Is there something that could ease our transition into Pulumi/AWS similar to that? I know there’s a few options like
    • hosting a configuration stack and exporting configuration to your stacks,
    • using pulumi config
    The problem with just relying on pulumi config is having to config stuff in every stack as opposed to just having it be centralized.
    Maybe I’m dreaming but the ideal would be one central YAML that holds any global config, and then draws any secrets from AWS secrets manager. if i need to change a config, i have one spot to change it, and redeploy any stacks that need it. or maybe lean into the pulumi stack/config setup and have a hierarchical deployment flow where all stacks are considered downstream of the main config stack and are redeployed accordingly.
    Sorry for the rambling, just haven’t found something that really feels like we can lean on
  • b

    bright-orange-69401

    09/15/2022, 6:42 AM
    🐳 How do you usually build your Docker images ? 🐳 Do you use
    pulumi-docker
    or do you build your images externally ? We’ve been using
    pulumi-docker
    for about two years and there’s a ton of stuff that doesn’t work very well : log outputs, using buildx for multi-platform builds (AWS Graviton is on ARM arch), caching... Overall, it feels like we’re using
    docker.Image
    merely because we have to : otherwise we can’t get the build digest which uniquely identifies an image So I’m wondering if there are other ways : how can I build my image externally (e.g. using GitHub Action’s build and push), push it on ECR and yet let Pulumi know which exact version (tag, on ECR) I want to deploy in a given Lambda ?
  • f

    fast-island-38778

    09/16/2022, 5:53 AM
    are there any examples to setup a https ELB listener on a fargate service?
  • f

    fast-island-38778

    09/16/2022, 5:54 AM
    the github example only shows a http example, and i was having troubles setting up a https listener for the fargate task
  • f

    fast-island-38778

    09/16/2022, 6:02 AM
    i have this so far, i want to point the httpsListener to the task target group, but i am not sure how to do that (i tried putting it in portMappings but it didn’t work)
    const apiCertificateArn = 'some-arn'
    
    const httpsListener = alb.createListener('https-listener', {
      port: 443,
      protocol: 'HTTPS',
      external: true,
      certificateArn: apiCertificateArn,
    });
    
    const httpListener = alb.createListener('http-listener', {
      port: 80,
      protocol: 'HTTP',
      external: true,
    });
    
    // Build and publish a Docker image to a private ECR registry.
    const img = awsx.ecs.Image.fromPath('api-img', '.');
    
    // Create a Fargate service task that can scale out.
    const appService = new awsx.ecs.FargateService('api-service', {
      cluster,
      taskDefinitionArgs: {
        container: {
          image: img,
          cpu: 2048,
          memory: 1024,
          portMappings: [httpListener],
          environment: [{ name: 'PORT', value: '80' }],
        },
      },
      desiredCount: 1,
    });
m

millions-furniture-75402

09/16/2022, 1:28 PM
const albSecurityGroup = new awsx.ec2.SecurityGroup(`${appName}-lb-sg`, {
  egress: [
    {
      fromPort: 443,
      toPort: 443,
      protocol: "tcp",
      cidrBlocks: ["0.0.0.0/0"],
      description: `For ${appName} load balancer`,
    },
  ],
  ingress: [
    {
      fromPort: 443,
      toPort: 443,
      protocol: "tcp",
      cidrBlocks: ["0.0.0.0/0"],
      description: `For ${appName} load balancer`,
    },
  ],
  vpc,
});

const alb = new awsx.lb.ApplicationLoadBalancer(`${appName}-lb`, {
  loadBalancer: new aws.lb.LoadBalancer(`${appName}-alb`, {
    accessLogs: {
      bucket: logBucketId,
      enabled: true,
      prefix: appName,
    },
    dropInvalidHeaderFields: true,
    external: true,
    securityGroups: [albSecurityGroup.id],
    subnets: publicSubnetIds,
  }),
  vpc,
});

alb.createListener(`${appName}-http`, {
  defaultAction: {
    type: "redirect",
    redirect: {
      protocol: "HTTPS",
      port: "443",
      statusCode: "HTTP_301",
    },
  },
  external: false,
  port: 80,
  protocol: "HTTP",
  vpc,
});

const https = alb.createListener(`${appName}-https`, {
  certificateArn,
  defaultActions: [
    {
      fixedResponse: {
        contentType: "text/plain",
        messageBody: "404 Site Not Found",
        statusCode: "404",
      },
      type: "fixed-response",
    },
  ],
  external: false,
  port: 443,
  protocol: "HTTPS",
  sslPolicy: "ELBSecurityPolicy-TLS-1-2-Ext-2018-06",
  vpc: vpc.vpc,
});

const appTargetGroup = new awsx.lb.ApplicationTargetGroup(`${appName}-tg`, {
  deregistrationDelay: 0,
  healthCheck: {
    path: "/",
    port: "443",
    protocol: "HTTPS",
    matcher: "200",
  },
  loadBalancer: alb,
  port: 443,
  protocol: "HTTPS",
  vpc,
});

new awsx.lb.ListenerRule(`${appName}-lr`, https, {
  actions: [
    {
      targetGroupArn: appTargetGroup.targetGroup.arn.apply(v => v),
      type: "forward",
    },
  ],
  conditions: [
    {
      hostHeader: {
        values: [`${appName}.*`],
      },
    },
  ],
  priority: 1,
});

new aws.route53.Record(`${appName}-www`, {
  aliases: [
    {
      evaluateTargetHealth: true,
      name: alb.loadBalancer.dnsName,
      zoneId: zoneId,
    },
  ],
  name: appName,
  type: "A",
  zoneId: hostedZoneId,
});
And the service has:
portMappings: [appTargetGroup],
f

fast-island-38778

09/16/2022, 1:41 PM
thanks for the thorough answer
all i had to do was adding httpListener’s default target group to the httpsListener like this
const httpsListener = alb.createListener(withAppNamePrefix('https-listener'), {
  port: 443,
  protocol: 'HTTPS',
  external: true,
  certificateArn: apiCertificateArn,
  targetGroup: httpListener.defaultTargetGroup,
});