Hello! I am blocked since a few days while trying to create a way to create a direct lambda resolver to invoke an AWS lambda (https://aws.amazon.com/blogs/mobile/appsync-direct-lambda/) with Pulumi. According to several online resources it seems we still need a basic resolver when doing it with an IaC tool/Terraform (https://github.com/hashicorp/terraform-provider-aws/issues/14488#issuecomment-678101695). So here is my graphQL schema :

type Mutation @aws_api_key @aws_oidc {
inviteUser(
    email: String!
    organizationId: ID!
    referrerUserId: ID!
  ): User
}

...and here is my resolver creation Pulumi code, knowing the Appsync API (

my_appsync_api

) lambda and its datasource (

my_lambda_datasource

) are already created successfully:

import pulumi_aws as aws

my_resolver = aws.appsync.Resolver(
    "my-resolver",
    api_id=my_appsync.id,
    type="Mutation",
    field="inviteUser",
    data_source=my_lambda_datasource.name,
    request_template="""
    {
        "version": "2017-02-28",
        "operation": "Invoke",
        "payload": {
            "arguments": $utils.toJson($ctx.args)
        }
    }
    """,
    response_template="""
    ## Raise a GraphQL field error in case of a datasource invocation error
    #if($ctx.error)
        $util.error($ctx.error.message, $ctx.error.type)
    #end
    $util.toJson($ctx.result)
    """,
)

On Pulumi up, I get the error:

error creating AppSync Resolver: NotFoundException: No field named inviteUser found on type Mutation

What is/should be

field

in the case of direct invocation? Any idea?

Hi, I want to use OpenAPI specs to define the routes and integrations in a Rest API. I have multiple Lambda endpoints that get invoked from a single API Gateway. Each resource path is Lambda proxy path of the form "/a/b/c_1/{proxy+}" , "/a/b/c_2/{proxy+}", and so on, and I want to attach ANY methods and the respective Lambda integration to each of these paths. I couldn't find any such example on the Pulumi docs or in AWS. Could anyone help me point to such an example or provide some guidance on how to write the swagger JSON? Thanks!

Has anyone ever had issues adding a

logConfiguration

to a

awsx.ecs.FargateService

? I'm attempting to add the following block to my fargate service but receiving a rather unhelpful error. Anyone have ideas? The service has no issues before adding the logConfiguration block.

logConfiguration: {
  logDriver: 'awslogs',
  options: {
    'awslogs-group': logGroup.name,
    'awslogs-region': awsRegion,
    'awslogs-stream-prefixs': logGroup.namePrefix,
  },
},

The error:

<ref *1> Error: failed to register new resource service [awsx:ecs:FargateService]: Resource monitor is terminating
    at Object.registerResource (/Users/elliot/dev/cloud-platform/node_modules/@pulumi/runtime/resource.ts:292:27)
    at new Resource (/Users/elliot/dev/cloud-platform/node_modules/@pulumi/resource.ts:401:13)
    at new ComponentResource (/Users/elliot/dev/cloud-platform/node_modules/@pulumi/resource.ts:889:9)
    at new FargateService (/Users/elliot/dev/cloud-platform/node_modules/@pulumi/ecs/fargateService.ts:78:9)
    at /Users/elliot/dev/cloud-platform/apps/pulumi-tenant-stack/payload-stack.ts:109:23
    at Generator.next (<anonymous>)
    at fulfilled (/Users/elliot/dev/cloud-platform/apps/pulumi-tenant-stack/payload-stack.ts:5:58)
    at processTicksAndRejections (node:internal/process/task_queues:96:5) {
  code: 14,
  promise: Promise { <rejected> [Circular *1] }

I modeled the code from this section in the examples repo.

Hello. My pulumi stack is in a state as to which I cannot bring it up or down. Either way there are errors that don't allow me to proceed. When I try and bring it down it says:

InvalidInternetGatewayID.NotFound: The internetGateway ID 'igw-00723087241a0bcd2' does not exist

and when I try and bring it up it says:

* error creating EC2 Subnet: InvalidVpcID.NotFound: The vpc ID 'vpc-01138ddbefce5c6c0' does not exist
        status code: 400, request id: 13273317-ace3-4b32-a18b-e4501b40b77a

What is the best way to proceed?

Does anyone have a recommendation on how to use an ACM certificate in the same

pulumi up

as it was created? Is there an option when creating / updating a load balancer to say "don't fail yet, just wait for the certificate to be validated`? I know it can be done by using separate projects, but if AWS did the waiting for me, I'd be happier :)

hi aws frends, I’m managing a kinesis app with pulumi, but when I update the code on S3 that will be used by the app, the

aws.kinesisanalyticsv2.Application

resource doesn’t seem to reload the code. at the moment I’m manually bumping a version number in the s3 code key to get it to all properly cycle — does anyone know a better way?

Hi guys, do you have any idea of why i’m getting this error when i try to delete a child resource from the state?

error: No such resource "urn:pulumi:staging::*::*-parent:ec2/securityGroup:SecurityGroup::sg-ecs-*" exists in the current state

If you are an

pulumi-eks

user and you notice an unexpected amount of proposed changes on Kubernetes resources when running

preview

or

up

, see this issue for the reason and a workaround: https://github.com/pulumi/pulumi-eks/issues/800

Hi, do you guys know any workaround for this?

I’ve inherited a fairly large (to me) AWS deployment that was setup with the web UI (over years). Is there documentation on how best to proceed on changing Web UI infrastructure into IaC with pulumi? I’ve been code a resources,

pulumi refresh

but I feel like there’s a better way. Any help would be appreciated.

Hey Folks - we've been using pulumi eks and seemingly suddenly today we're now getting a panic when doing a pulumi up. It also causes memory usage on a couple folks macs to steadily climb before freezing up their computers. I'm pasting the panic in the thread + some extra info

What's the best way to read a file that's in a lambda's zip? I have some code in a CallbackFunction's

callback

property (typescript), and it uses

fs.readFileSync("subdir/file")

. This works so long as subdir/file is relative to the pulumi project. But since the CallbackFunction is defined in a component resource in a different subdirectory, it's pretty confusing. I'd like subdir/file to be relative to the directory that the CallbackFunction is defined in.

Is there a list of all the Pulumi resource types to use with the import command? Do they follow the resource namespace in the docs?

I'm trying to set up a Transit Gateway-based network and am running into some issues. You can create a transit gateway that automatically accepts any attachment requests; alternatively, you can set it up so that the attachment must be affirmatively accepted using a

pulumi_aws.ec2transitgateway.VpcAttachmentAccepter

. My problem comes when trying to set up route table associations. I would like to have the gateway configured to automatically accept attachments, but route table associations can't be created if the attachment hasn't been accepted yet (the error is

IncorrectState: tgw-attach-XXXXXXXXXXXX is in invalid state

). Auto-acceptance still takes some time, though, and I can't seem to find a way to have the route table associations to wait until the attachment has been accepted; the first

pulumi up

fails on all the route table associations, but if I wait a minute, I can re-run and they'll all proceed. Is there a way to make this work in Pulumi? Thanks.

Hello all! I’m working with Pulumi in Python, which has been great so far. One area I’m stuck on is how to build and push a docker image to ECR with a custom tag. I’m able to build and push by creating an

awsx.ecr.Image

object but I haven’t been able to get a custom tag. Does anyone know how to achieve custom tags with ECR and pulumi? I’m happy to shift away from

awsx

as well if there is a different approach to this.

I'm trying to create a Virtual Private Gateway and create a route propagation. Issue is that the Gateway is stil

attaching

while Pulumi states that it's created and my code then errors out. Is there a way to check that Gatway is attached and then do the creation of

VpnGatewayRoutePropagation

. Sample code and errors bellow:

Code:

        new aws.ec2.VpnGatewayAttachment("vpnAttachment", {
            vpcId: vpc.id,
            vpnGatewayId: vpnGatewayId,
        });

        let counter = 0;
        vpc.vpc.mainRouteTableId.apply(id => {
            new aws.ec2.VpnGatewayRoutePropagation(`rtp0-0`, {
                routeTableId: id,
                vpnGatewayId: vpnGatewayId,
            });
        });

Error: 
  aws:ec2:VpnGatewayRoutePropagation (rtp0-0):
    error: 1 error occurred:
        * error enabling Route Table (rtb-0758b4e60d9497beb) VPN Gateway (vgw-059b13ce88dec40dd) route propagation: Gateway.NotAttached: resource vgw-059b13ce88dec40dd
        status code: 400, request id: d67fdaa0-7ecf-4019-bc97-1c33007dfd51

I’ll raise a ticket about this also. We have run into what seems like a showstopper of a problem, at least for us. New regions are being provisioned with session tokens v2 and this breaks our aws.Provider() with the following errors:

Error: failed to refresh cached credentials, operation error STS: AssumeRole, failed to sign request: failed to retrieve credentials:

raise invoke_error
    Exception: invoke of aws:index/getCallerIdentity:getCallerIdentity failed: invocation of aws:index/getCallerIdentity:getCallerIdentity returned an error: 1 error occurred:
    	* error configuring Terraform AWS Provider: no valid credential sources for Terraform AWS Provider found.

I know there is a newer aws_native library which may fix this, we’re not using that. How do we use new regions?

Create a new VPC, code snippet

vpc = aws.ec2.Vpc("vpc",
    cidr_block="172.31.0.0/16",
    enable_dns_hostnames=True,
    enable_dns_support=True,
    instance_tenancy="default"
)

Is there a way to programmatically change the “Name” on the AWS web UI?

Does Pulumi have guides or tools for configuring an ec2 after launch from image? Or are we on our own with tools like ssh and fabric at that point? I'm good with that (have done a bunch of various things with bash, ssh and fabric in the past...), but hoping for something perhaps more elegant. I looked around the docs and guides but have not found anything yet. thanks

Is it normal to get intermittent

unable to validate AWS credentials

errors? I seem to get them from time to time on S3 buckets. Simply retrying the

pulumi up

another time tends to get around it. Any possible cause?

Unusual bug #1: I have a ComponentResource containing an aws.iam.User and that user's aws.iam.AccessKey. Dependencies look good. When I rename the ComponentReosurce, and therefore the nested resources, Pulumi attempts to delete the aws.iam.User first, which fails because the access key still exists in AWS.

Unusual bug #2: while attempting to recover from #1, I added an alias on the aws.iam.User. The alias got created, and so did the renamed aws.iam.User, and now Pulumi won't start the project at all:

16:55 $ pulumi up 
Previewing update (myorg/mystack)

View Live: <https://app.pulumi.com/myorg/myproj/mystack/previews/9b6816dd>

error: unexpected duplicate resource 'mystack::myproj::myorg:myapp:MyUserResource$aws:iam/user:User::myname'

has anyone successfully used cognito.NewUserPoolDomain()? I'm getting the following error returned from AWS: Custom domain is not a valid subdomain: Was not able to resolve the root domain, please ensure an A record exists for the root domain. despite an A record for the root domain existing.

What are the implications of setting

skipCredentialsValidation

to false? I was getting intermittent

unable to validate AWS credentials

errors despite using a static key/secret. Setting this value to false prevented that error from happening. Is there any downside to keeping this false permanently?

With the latest

pulumi-aws

classic provider, is there a clean way for me to share credentials to sdk calls that aren't part of a Custom Resource Component? I can mix an match aws-sdk v3 with the aws-sdk v2 bundled with the provider:

import * as aws from "@pulumi/aws";
import { fromIni } from "@aws-sdk/credential-providers";

fromIni({
    profile: aws.config.profile,
})().then(credentials => {
    const s3Client = new aws.sdk.S3({
        credentials,
        region: aws.sdk.config.region,
    });
    s3Client.listBuckets().promise().then(data => {
        console.log(data);
    });
});

Neither of these work for my setup that uses SSO:

aws.sdk.config.credentials = new aws.sdk.SharedIniFileCredentials({ profile: aws.config.profile });
aws.sdk.config.credentials = new aws.sdk.SsoCredentials({ profile: aws.config.profile });

Alternatively, I can ignore Pulumi's aws sdk, and go all v3, but then I'm managing 2 versions of the SDK among other issues 💀

import { S3Client, ListBucketsCommand } from "@aws-sdk/client-s3";
import { fromIni } from "@aws-sdk/credential-providers";

const s3Client = new S3Client({
    credentials: fromIni({
        profile: aws.config.profile,
    }),
    region: aws.sdk.config.region,
});
s3Client.send(new ListBucketsCommand({})).then((data) => {
    console.log(data);
});

I'm trying to deploy an VPC to localstack, and getting a failure. Looks like there is a patch in flight for localstack via moto (https://github.com/localstack/localstack/issues/7046), but it's not released yet and I need a solution now. Do I have to create a custom resource component with a transformation to delete the property, or what are my options to have the AWS provider not attempt to set

enableNetworkAddressUsageMetrics

?

aws:ec2:Vpc (default):
    error: 1 error occurred:
        * creating urn:pulumi:localstack::content-asset-service::aws:ec2/vpc:Vpc::default: 1 error occurred:
        * error reading EC2 VPC (vpc-5344499e) Attribute (enableNetworkAddressUsageMetrics): InvalidParameterValue: Value enable_network_address_usage_metrics is invalid for parameter.

I've started seeing

error: unable to validate AWS credentials

after my ECS task deployments, but they seem to have completed correctly:

awsx:x:ecs:EC2TaskDefinition$aws:ecs/taskDefinition:TaskDefinition (QaWeb)
    error: unable to validate AWS credentials. Make sure you have: 

 	 • Set your AWS region, e.g. `pulumi config set aws:region us-west-2` 
 	 • Configured your AWS credentials as per <https://pulumi.io/install/aws.html> 
 	 You can also set these via cli using `aws configure`.

I’m attempting to destroy an rds cluster from my stack and I keep getting the error “FinalSnapshotIdentifier is required when a final snapshot is required”, but I ended up deleting the cluster from my aws through their website and now its saying the resource isnt in the available state. What can i do to just completely be done with it

How do you do a policy with * principal?, this doesn't work

const policyDoc = sqs.arn.apply(arn => aws.iam.getPolicyDocument({
    policyId: "1234",
    statements: [{
        effect: "Allow",
        principals: [{type: "*", identifiers:["*"]}],

I have a Pulumi configuration to deploy something onto fargate using

awsx

. However, when the service errors, AWS simply keeps trying to deploy the same service and Pulumi hangs indefinitely. How can I get Pulumi to fail on a failed deploy instead of having AWS retry endlessly?