aws
  • n

    nice-father-44210

    10/23/2022, 4:28 PM
    Is installing a Helm chart from an AWS ECR repo supported in `pulumi-kubernetes`? I’m trying to find the right combination of arguments to make it work but coming up short (I’m new to Helm). Any ideas?
    ecr_token = aws.ecr.get_authorization_token()
    
    pulumi_kubernetes.helm.v3.Release(
        "release",
        pulumi_kubernetes.helm.v3.ReleaseArgs(
            name = "test",
            chart = "my-chart",
            version = "0.1.0",
            repository_opts = pulumi_kubernetes.helm.v3.RepositoryOptsArgs(
                repo = f"oci://{account_id}.dkr.ecr.{region}.amazonaws.com/my-chart",
                username = "AWS",
                password = ecr_token.authorization_token,
            ),
            values = {}
        ),
        opts = pulumi.ResourceOptions(provider = my_k8s_provider, )
    )
  • s

    steep-lamp-20408

    10/24/2022, 8:08 AM
    Hello! I have been blocked for a few days while trying to create a direct Lambda resolver to invoke an AWS Lambda (https://aws.amazon.com/blogs/mobile/appsync-direct-lambda/) with Pulumi. According to several online resources, it seems we still need a basic resolver when doing it with an IaC tool/Terraform (https://github.com/hashicorp/terraform-provider-aws/issues/14488#issuecomment-678101695). So here is my GraphQL schema:
    type Mutation @aws_api_key @aws_oidc {
    inviteUser(
        email: String!
        organizationId: ID!
        referrerUserId: ID!
      ): User
    }
    ...and here is my resolver creation Pulumi code, knowing the AppSync API (`my_appsync_api`) lambda and its datasource (`my_lambda_datasource`) are already created successfully:
    import pulumi_aws as aws
    
    my_resolver = aws.appsync.Resolver(
        "my-resolver",
        api_id=my_appsync.id,
        type="Mutation",
        field="inviteUser",
        data_source=my_lambda_datasource.name,
        request_template="""
        {
            "version": "2017-02-28",
            "operation": "Invoke",
            "payload": {
                "arguments": $utils.toJson($ctx.args)
            }
        }
        """,
        response_template="""
        ## Raise a GraphQL field error in case of a datasource invocation error
        #if($ctx.error)
            $util.error($ctx.error.message, $ctx.error.type)
        #end
        $util.toJson($ctx.result)
        """,
    )
    On Pulumi up, I get the error:
    error creating AppSync Resolver: NotFoundException: No field named inviteUser found on type Mutation
    What is/should be `field` in the case of direct invocation? Any idea?
  • s

    sticky-country-73582

    10/24/2022, 1:46 PM
    Hi, I want to use OpenAPI specs to define the routes and integrations in a Rest API. I have multiple Lambda endpoints that get invoked from a single API Gateway. Each resource path is Lambda proxy path of the form "/a/b/c_1/{proxy+}" , "/a/b/c_2/{proxy+}", and so on, and I want to attach ANY methods and the respective Lambda integration to each of these paths. I couldn't find any such example on the Pulumi docs or in AWS. Could anyone help me point to such an example or provide some guidance on how to write the swagger JSON? Thanks!
  • f

    few-carpenter-12885

    10/24/2022, 2:02 PM
    Has anyone ever had issues adding a `logConfiguration` to a `awsx.ecs.FargateService`? I'm attempting to add the following block to my fargate service but receiving a rather unhelpful error. Anyone have ideas? The service has no issues before adding the logConfiguration block.
    logConfiguration: {
      logDriver: 'awslogs',
      options: {
        'awslogs-group': logGroup.name,
        'awslogs-region': awsRegion,
        'awslogs-stream-prefixs': logGroup.namePrefix,
      },
    },
    The error:
    <ref *1> Error: failed to register new resource service [awsx:ecs:FargateService]: Resource monitor is terminating
        at Object.registerResource (/Users/elliot/dev/cloud-platform/node_modules/@pulumi/runtime/resource.ts:292:27)
        at new Resource (/Users/elliot/dev/cloud-platform/node_modules/@pulumi/resource.ts:401:13)
        at new ComponentResource (/Users/elliot/dev/cloud-platform/node_modules/@pulumi/resource.ts:889:9)
        at new FargateService (/Users/elliot/dev/cloud-platform/node_modules/@pulumi/ecs/fargateService.ts:78:9)
        at /Users/elliot/dev/cloud-platform/apps/pulumi-tenant-stack/payload-stack.ts:109:23
        at Generator.next (<anonymous>)
        at fulfilled (/Users/elliot/dev/cloud-platform/apps/pulumi-tenant-stack/payload-stack.ts:5:58)
        at processTicksAndRejections (node:internal/process/task_queues:96:5) {
      code: 14,
      promise: Promise { <rejected> [Circular *1] }
    I modeled the code from this section in the examples repo.
  • w

    white-rain-67342

    10/24/2022, 9:23 PM
    Hello. My pulumi stack is in a state in which I cannot bring it up or down. Either way there are errors that don't allow me to proceed. When I try to bring it down it says:
    InvalidInternetGatewayID.NotFound: The internetGateway ID 'igw-00723087241a0bcd2' does not exist
    and when I try and bring it up it says:
    * error creating EC2 Subnet: InvalidVpcID.NotFound: The vpc ID 'vpc-01138ddbefce5c6c0' does not exist
            status code: 400, request id: 13273317-ace3-4b32-a18b-e4501b40b77a
    What is the best way to proceed?
  • l

    little-cartoon-10569

    10/25/2022, 12:10 AM
    Does anyone have a recommendation on how to use an ACM certificate in the same `pulumi up` as it was created? Is there an option when creating / updating a load balancer to say "don't fail yet, just wait for the certificate to be validated"? I know it can be done by using separate projects, but if AWS did the waiting for me, I'd be happier :)
  • i

    icy-controller-6092

    10/25/2022, 1:31 AM
    hi aws friends, I’m managing a kinesis app with pulumi, but when I update the code on S3 that will be used by the app, the `aws.kinesisanalyticsv2.Application` resource doesn’t seem to reload the code. at the moment I’m manually bumping a version number in the s3 code key to get it to all properly cycle — does anyone know a better way?
  • b

    boundless-tomato-68419

    10/25/2022, 11:32 AM
    Hi guys, do you have any idea why I’m getting this error when I try to delete a child resource from the state?
    error: No such resource "urn:pulumi:staging::*::*-parent:ec2/securityGroup:SecurityGroup::sg-ecs-*" exists in the current state
  • l

    limited-rainbow-51650

    10/25/2022, 12:09 PM
    If you are a `pulumi-eks` user and you notice an unexpected amount of proposed changes on Kubernetes resources when running `preview` or `up`, see this issue for the reason and a workaround: https://github.com/pulumi/pulumi-eks/issues/800
  • b

    boundless-tomato-68419

    10/25/2022, 2:49 PM
    Hi, do you guys know any workaround for this?
  • f

    full-analyst-32960

    10/25/2022, 9:28 PM
    I’ve inherited a fairly large (to me) AWS deployment that was set up with the web UI (over years). Is there documentation on how best to proceed on changing Web UI infrastructure into IaC with pulumi? I’ve been code a resources, `pulumi refresh` but I feel like there’s a better way. Any help would be appreciated.
  • l

    lemon-salesclerk-6224

    10/25/2022, 10:32 PM
    Hey Folks - we've been using pulumi eks and seemingly suddenly today we're now getting a panic when doing a pulumi up. It also causes memory usage on a couple of folks' Macs to steadily climb before freezing up their computers. I'm pasting the panic in the thread + some extra info
  • l

    little-cartoon-10569

    10/26/2022, 1:43 AM
    What's the best way to read a file that's in a lambda's zip? I have some code in a CallbackFunction's `callback` property (typescript), and it uses `fs.readFileSync("subdir/file")`. This works so long as subdir/file is relative to the pulumi project. But since the CallbackFunction is defined in a component resource in a different subdirectory, it's pretty confusing. I'd like subdir/file to be relative to the directory that the CallbackFunction is defined in.
  • b

    bland-tailor-50336

    10/26/2022, 2:49 AM
    Is there a list of all the Pulumi resource types to use with the import command? Do they follow the resource namespace in the docs?
  • f

    full-artist-27215

    10/26/2022, 8:04 PM
    I'm trying to set up a Transit Gateway-based network and am running into some issues. You can create a transit gateway that automatically accepts any attachment requests; alternatively, you can set it up so that the attachment must be affirmatively accepted using a `pulumi_aws.ec2transitgateway.VpcAttachmentAccepter`. My problem comes when trying to set up route table associations. I would like to have the gateway configured to automatically accept attachments, but route table associations can't be created if the attachment hasn't been accepted yet (the error is `IncorrectState: tgw-attach-XXXXXXXXXXXX is in invalid state`). Auto-acceptance still takes some time, though, and I can't seem to find a way to have the route table associations wait until the attachment has been accepted; the first `pulumi up` fails on all the route table associations, but if I wait a minute, I can re-run and they'll all proceed. Is there a way to make this work in Pulumi? Thanks.
  • c

    cuddly-australia-69919

    10/26/2022, 11:03 PM
    Hello all! I’m working with Pulumi in Python, which has been great so far. One area I’m stuck on is how to build and push a docker image to ECR with a custom tag. I’m able to build and push by creating an `awsx.ecr.Image` object but I haven’t been able to get a custom tag. Does anyone know how to achieve custom tags with ECR and pulumi? I’m happy to shift away from `awsx` as well if there is a different approach to this.
  • r

    rhythmic-whale-48997

    10/27/2022, 7:28 AM
    I'm trying to create a Virtual Private Gateway and create a route propagation. Issue is that the Gateway is still `attaching` while Pulumi states that it's created and my code then errors out. Is there a way to check that the Gateway is attached and then do the creation of `VpnGatewayRoutePropagation`? Sample code and errors below:
    Code:
    
            new aws.ec2.VpnGatewayAttachment("vpnAttachment", {
                vpcId: vpc.id,
                vpnGatewayId: vpnGatewayId,
            });
    
            let counter = 0;
            vpc.vpc.mainRouteTableId.apply(id => {
                new aws.ec2.VpnGatewayRoutePropagation(`rtp0-0`, {
                    routeTableId: id,
                    vpnGatewayId: vpnGatewayId,
                });
            });
    
    Error: 
      aws:ec2:VpnGatewayRoutePropagation (rtp0-0):
        error: 1 error occurred:
            * error enabling Route Table (rtb-0758b4e60d9497beb) VPN Gateway (vgw-059b13ce88dec40dd) route propagation: Gateway.NotAttached: resource vgw-059b13ce88dec40dd
            status code: 400, request id: d67fdaa0-7ecf-4019-bc97-1c33007dfd51
  • s

    strong-helmet-83704

    10/27/2022, 6:23 PM
    I’ll raise a ticket about this also. We have run into what seems like a showstopper of a problem, at least for us. New regions are being provisioned with session tokens v2 and this breaks our aws.Provider() with the following errors:
    Error: failed to refresh cached credentials, operation error STS: AssumeRole, failed to sign request: failed to retrieve credentials:
    raise invoke_error
        Exception: invoke of aws:index/getCallerIdentity:getCallerIdentity failed: invocation of aws:index/getCallerIdentity:getCallerIdentity returned an error: 1 error occurred:
        	* error configuring Terraform AWS Provider: no valid credential sources for Terraform AWS Provider found.
    I know there is a newer aws_native library which may fix this, we’re not using that. How do we use new regions?
  • f

    full-analyst-32960

    10/27/2022, 9:07 PM
    Create a new VPC, code snippet
    vpc = aws.ec2.Vpc("vpc",
        cidr_block="172.31.0.0/16",
        enable_dns_hostnames=True,
        enable_dns_support=True,
        instance_tenancy="default"
    )
    Is there a way to programmatically change the “Name” on the AWS web UI?
  • g

    gifted-traffic-76521

    10/30/2022, 1:56 PM
    Does Pulumi have guides or tools for configuring an ec2 after launch from image? Or are we on our own with tools like ssh and fabric at that point? I'm good with that (have done a bunch of various things with bash, ssh and fabric in the past...), but hoping for something perhaps more elegant. I looked around the docs and guides but have not found anything yet. thanks
  • f

    few-carpenter-12885

    10/31/2022, 6:43 PM
    Is it normal to get intermittent `unable to validate AWS credentials` errors? I seem to get them from time to time on S3 buckets. Simply retrying the `pulumi up` another time tends to get around it. Any possible cause?
  • l

    little-cartoon-10569

    11/02/2022, 4:01 AM
    Unusual bug #1: I have a ComponentResource containing an aws.iam.User and that user's aws.iam.AccessKey. Dependencies look good. When I rename the ComponentResource, and therefore the nested resources, Pulumi attempts to delete the aws.iam.User first, which fails because the access key still exists in AWS.
  • l

    little-cartoon-10569

    11/02/2022, 4:03 AM
    Unusual bug #2: while attempting to recover from #1, I added an alias on the aws.iam.User. The alias got created, and so did the renamed aws.iam.User, and now Pulumi won't start the project at all:
    16:55 $ pulumi up 
    Previewing update (myorg/mystack)
    
    View Live: <https://app.pulumi.com/myorg/myproj/mystack/previews/9b6816dd>
    
    error: unexpected duplicate resource 'mystack::myproj::myorg:myapp:MyUserResource$aws:iam/user:User::myname'
  • l

    little-soccer-5693

    11/02/2022, 8:55 PM
    has anyone successfully used cognito.NewUserPoolDomain()? I'm getting the following error returned from AWS: Custom domain is not a valid subdomain: Was not able to resolve the root domain, please ensure an A record exists for the root domain. despite an A record for the root domain existing.
  • f

    few-carpenter-12885

    11/03/2022, 1:32 PM
    What are the implications of setting `skipCredentialsValidation` to false? I was getting intermittent `unable to validate AWS credentials` errors despite using a static key/secret. Setting this value to false prevented that error from happening. Is there any downside to keeping this false permanently?
  • m

    millions-furniture-75402

    11/03/2022, 2:26 PM
    With the latest `pulumi-aws` classic provider, is there a clean way for me to share credentials to sdk calls that aren't part of a Custom Resource Component? I can mix and match aws-sdk v3 with the aws-sdk v2 bundled with the provider:
    import * as aws from "@pulumi/aws";
    import { fromIni } from "@aws-sdk/credential-providers";
    
    fromIni({
        profile: aws.config.profile,
    })().then(credentials => {
        const s3Client = new aws.sdk.S3({
            credentials,
            region: aws.sdk.config.region,
        });
        s3Client.listBuckets().promise().then(data => {
            console.log(data);
        });
    });
    Neither of these work for my setup that uses SSO:
    aws.sdk.config.credentials = new aws.sdk.SharedIniFileCredentials({ profile: aws.config.profile });
    aws.sdk.config.credentials = new aws.sdk.SsoCredentials({ profile: aws.config.profile });
    Alternatively, I can ignore Pulumi's aws sdk, and go all v3, but then I'm managing 2 versions of the SDK among other issues 💀
    import { S3Client, ListBucketsCommand } from "@aws-sdk/client-s3";
    import { fromIni } from "@aws-sdk/credential-providers";
    
    const s3Client = new S3Client({
        credentials: fromIni({
            profile: aws.config.profile,
        }),
        region: aws.sdk.config.region,
    });
    s3Client.send(new ListBucketsCommand({})).then((data) => {
        console.log(data);
    });
  • m

    millions-furniture-75402

    11/04/2022, 3:41 PM
    I'm trying to deploy a VPC to localstack, and getting a failure. Looks like there is a patch in flight for localstack via moto (https://github.com/localstack/localstack/issues/7046), but it's not released yet and I need a solution now. Do I have to create a custom resource component with a transformation to delete the property, or what are my options to have the AWS provider not attempt to set `enableNetworkAddressUsageMetrics`?
    aws:ec2:Vpc (default):
        error: 1 error occurred:
            * creating urn:pulumi:localstack::content-asset-service::aws:ec2/vpc:Vpc::default: 1 error occurred:
            * error reading EC2 VPC (vpc-5344499e) Attribute (enableNetworkAddressUsageMetrics): InvalidParameterValue: Value enable_network_address_usage_metrics is invalid for parameter.
  • f

    flat-appointment-12338

    11/04/2022, 3:50 PM
    I've started seeing `error: unable to validate AWS credentials` after my ECS task deployments, but they seem to have completed correctly:
    awsx:x:ecs:EC2TaskDefinition$aws:ecs/taskDefinition:TaskDefinition (QaWeb)
        error: unable to validate AWS credentials. Make sure you have: 
    
     	 • Set your AWS region, e.g. `pulumi config set aws:region us-west-2` 
     	 • Configured your AWS credentials as per <https://pulumi.io/install/aws.html> 
     	 You can also set these via cli using `aws configure`.
  • c

    crooked-student-89656

    11/04/2022, 6:25 PM
    I’m attempting to destroy an RDS cluster from my stack and I keep getting the error “FinalSnapshotIdentifier is required when a final snapshot is required”, but I ended up deleting the cluster from my AWS through their website and now it's saying the resource isn't in the available state. What can I do to just completely be done with it?
  • e

    elegant-laptop-80400

    11/07/2022, 6:34 PM
    How do you do a policy with * principal? This doesn't work:
    const policyDoc = sqs.arn.apply(arn => aws.iam.getPolicyDocument({
        policyId: "1234",
        statements: [{
            effect: "Allow",
            principals: [{type: "*", identifiers:["*"]}],

billowy-army-68599

11/07/2022, 6:36 PM
https://github.com/jaxxstorm/pulumi-examples/blob/599320ad90b8cc2fc73e7b8b411dbbdec041888a/typescript/aws/s3/index.ts#L13-L19

elegant-laptop-80400

11/07/2022, 6:38 PM
Yeah, I might have to switch it to string json

billowy-army-68599

11/07/2022, 6:39 PM
you should be able to do the same with `getPolicyDocument`