pulumi-community #aws

aws

magnificent-lifeguard-15082

11/21/2022, 4:39 PM

Has anybody had issues where

aws:iam:RolePolicyAttachment

appear to be created in pulumi state but have not been created in aws?

elegant-laptop-80400

11/21/2022, 6:08 PM

are there some examples of using aws-sdk inside of an inline lambda code? like

const lambda = new aws.lambda.CallbackFunction("mylambda", {
  callback: async e => {
    // aws sdk code here
  }
});

The serialization isn't going right for me and I am getting module not found error when it runs

brave-motorcycle-67487

11/22/2022, 7:47 PM

I'm trying to fit together the last piece of an ECS deployment pipeline and I'm not sure how to go about it, and the bits I've found on how others have don't seem to fit with how I'm approaching the problem. So I'm wondering if I need to rethink the entire approach. I have an infrastructure repo that has Pulumi code for defining all sorts of things. This includes all the stuff required for the ECS cluster, including the container definitions themselves for an app. Right now it's using a statically-defined

image

. In the apps' repos, I have Github Actions rules that build the containers and push them to ECR. Now I need to close the gap between these two. My thought was that I'd trigger CodeDeploy from Actions (we're doing that for the old process I'm replacing) and that would handle the deployment. The problem is that the next time I run

pulumi up

, it'll re-deploy some old version of the app. Ideally I'd just leave that field out, but it is required by the SDK. The few things I've found about how other people do this is to run pulumi in the deploy pipeline and pass it the container version in an environment variable. I don't particularly want to run all of the infrastructure configuration stuff on a code deploy, though (and especially don't want changes to infra to potentially roll out while a developer is running what they think is a normal code deploy). But is that what I have to do?

astonishing-dress-81433

11/22/2022, 8:25 PM

Hi folks. I’m giving Pulumi a spin for a new project. The project is pretty simple. • Docker image running a FastAPI REST API • AWS App Runner My Pulumi program looks like this:

import pulumi
import pulumi_aws as aws
import pulumi_awsx as awsx


repo = awsx.ecr.Repository("ecr-repository")

image = awsx.ecr.Image(
    "image",
    repository_url=repo.url,
    path="../",
    env={"DOCKER_DEFAULT_PLATFORM": "linux/amd64"},  # attempt 2: running on M2 chip
    extra_options=["--platform", "linux/amd64"],  # attempt 1: running on M2 chip
)

service = aws.apprunner.Service(
    "myservice",
    service_name="myservice",
    source_configuration=aws.apprunner.ServiceSourceConfigurationArgs(
        auto_deployments_enabled=False,
        image_repository=aws.apprunner.ServiceSourceConfigurationImageRepositoryArgs(
            image_configuration=aws.apprunner.ServiceSourceConfigurationImageRepositoryImageConfigurationArgs(
                port="8000",
            ),
            image_identifier=image.image_uri,
            image_repository_type="ECR_PUBLIC",
        ),
    ),
)
pulumi.export("service", service.service_url)

This stack builds and pushes my docker image but fails to create the AppRunner service:

aws:apprunner:Service (myservice):
    error: 1 error occurred:
    	* creating urn:pulumi:dev::infrastructure::aws:apprunner/service:Service::myservice: 1 error occurred:
    	* error waiting for App Runner Service (arn:aws:apprunner:us-east-1:11111111111:service/myservice/111111111111111111111111) creation: unexpected state 'CREATE_FAILED', wanted target 'RUNNING'. last error: %!s(<nil>)

  pulumi:pulumi:Stack (infrastructure-dev):
    error: update failed

There’s not much to work off here. My App Runner console does give me these logs:

11-22-2022 12:16:30 PM [AppRunner] Failed to pull your application image. Be sure you configure your service with a valid access role to your ECR repository.
11-22-2022 12:14:13 PM [AppRunner] Starting to pull your application image.

My impression was that

awsx

is managing the needed roles/policies for the image. Is that correct, or is there more to do here?

adamant-guitar-56279

11/22/2022, 9:02 PM

Anyone know why I would be getting

Error: failed to register new resource ***** [aws-apigateway:index:RestAPI]: 2 UNKNOWN: plugins that can construct components must support secrets

When doing as per example in https://www.pulumi.com/docs/guides/crosswalk/aws/api-gateway/#lambda-request-handling but with a provider eg:

export const openapiAPI = new apigateway.RestAPI(
  `api`,
  routes: [
    {
      path: "/",
      method: "GET",
      eventHandler: helloHandler,
    },
  ],
  { provider }
);

enough-pager-36335

11/23/2022, 11:02 AM

I'm setting up EC2 services over ECS using Auto Scaling Groups, there's this weirdest bug I can'g seem to solve, my pulumi up update is stuck on read aws:autoscaling:Group Running the exact same code on another machine works perfectly somehow. Anyone might know what can cause this? I have tried running destroy and then up again, I have tried pulumi refresh, I have even tried deleting and reinstalling pulumi on my machine, thanks.

rough-jordan-15935

11/24/2022, 6:20 AM

hey all quick question when im working with my team and we each do a pulumi deployment, why does the next user who deploys have to redeploy the entire stack and not only the diff?

icy-controller-6092

11/26/2022, 4:13 AM

hi all, how long does it typically take for new enums to come through? I’m trying to up a

AWS::KinesisAnalyticsV2::Application

but Pulumi doesn’t seem to have the latest enum for

RuntimeEnvironment

polite-rainbow-37545

11/27/2022, 7:02 AM

Hey everyone, I am facing a weird issue with pulumi_eks python package. I created a cluster as below. As per the doc - “Cluster is a component that wraps the AWS and Kubernetes resources necessary to run an EKS cluster, its worker nodes, its optional StorageClasses, and an optional deployment of the Kubernetes Dashboard.:” https://www.pulumi.com/registry/packages/eks/api-docs/cluster/#cluster BUT after creating the cluster, the nodegroups are also created (i can see them in ec2 console) but not attached to the cluster. I checked the EKS console and also tried to get the nodes using $ kubectl get nodes which returns empty. What could be the issue? I am flying blind here without any error output from pulumi. Pulumi says creation of cluster is successful. Appreciate if anyone could point me to the right direction.

import pulumi
import pulumi_aws as aws
import pulumi_eks as eks

# Get some values from the Pulumi configuration (or use defaults)
config = pulumi.Config()
min_cluster_size = config.get_float("minClusterSize", 3)
max_cluster_size = config.get_float("maxClusterSize", 6)
desired_cluster_size = config.get_float("desiredClusterSize", 3)
eks_node_instance_type = config.get("eksNodeInstanceType", "t2.medium")

eks_vpc = aws.ec2.Vpc.get("<mydefaultVPC", "<vpc-ID>")  # reusing an existing VPC
public_subnet_ids = aws.ec2.get_subnets([
    {
        'name': 'vpc-id',
        'values': [eks_vpc.id]
    },
    {
        'name': 'subnet-id',
        'values': ['subnet-xxxxxxx', 'subnet-xxxxxx']
    }

])
private_subnet_ids = aws.ec2.get_subnets([
    {
        'name': 'vpc-id',
        'values': [eks_vpc.id]
    },
    {
        'name': 'subnet-id',
        'values': ['subnet-xxxxxxxxxxxxxxxxx', 'subnet-xxxxxxxxxxxxxxx']
    }
])
eks_cluster = eks.Cluster("eks-cluster",
                          # Put the cluster in the new VPC created earlier
                          vpc_id=eks_vpc.id,
                          # Public subnets will be used for load balancers
                          public_subnet_ids=public_subnet_ids.ids,
                          # Private subnets will be used for cluster nodes
                          private_subnet_ids=private_subnet_ids.ids,
                          desired_capacity=desired_cluster_size,
                          max_size=max_cluster_size,
                          min_size=min_cluster_size,
                          )
pulumi.export("kubeconfig", eks_cluster.kubeconfig)
pulumi.export("vpcId", eks_vpc.id)
pulumi.export("aws_provider", eks_cluster.aws_provider)
pulumi.export("name", eks_cluster.eks_cluster.id)
pulumi.export("default_node_group", eks_cluster.default_node_group)

thankful-stone-34269

11/27/2022, 6:29 PM

Howdy y'all! Where can I find a list of resource types that i can

pulumi import

? I'm getting sick of the trial-and-error like

pulumi import aws:ec2:SecurityGroup

aws:ec2/securitygroup:SecurityGroup

etc etc.

lively-needle-84406

11/28/2022, 4:34 PM

Hey all, I am still stuck on an issue with using

pulumi.interpolate

inside an iam PolicyDocument. Here is my code:

const stringEqualsKey = pulumi.interpolate`aws:ResourceTag/k8s.io/cluster-autoscaler/${cluster.core.cluster.name}`;

export const clusterAutoScalingPolicy = new aws.iam.Policy("clusterAutoScalingPolicy", {
    policy: {
        Version: "2012-10-17",
        Statement: [
            {
                Sid: "VisualEditor0",
                Effect: "Allow",
                Action: [
                    "autoscaling:SetDesiredCapacity",
                    "autoscaling:TerminateInstanceInAutoScalingGroup"
                ],
                Resource: "*",
                Condition: {
                    StringEquals: {
                        [`${stringEqualsKey}`]: "owned"
                    }
                }
            },
            {
                Sid: "VisualEditor1",
                Effect: "Allow",
                Action: [
                    "autoscaling:DescribeAutoScalingInstances",
                    "autoscaling:DescribeAutoScalingGroups",
                    "ec2:DescribeLaunchTemplateVersions",
                    "autoscaling:DescribeTags",
                    "autoscaling:DescribeLaunchConfigurations"
                ],
                Resource: "*"
            }
        ]
    }
}, {
    dependsOn: [cluster]
});

Here is the error I am receiving:

Calling [toString] on an [Output\u003cT\u003e] is not supported.\n\nTo get the value of an Output\u003cT\u003e as an Output\u003cstring\u003e consider either:\n1: o.apply(v =\u003e `prefix${v}suffix`)\n2: pulumi.interpolate `prefix${v}suffix`\n\nSee <https://pulumi.io/help/outputs> for more details.\nThis function may throw in a future version of @pulumi/pulumi.

I have tried

apply

and

pulumi.interpolate

to resolve this issue, but neither seem to work. Am I missing something about outputs? Thanks

icy-controller-6092

11/28/2022, 8:50 PM

Hi all, thought I’d try asking one more time. Does anyone know how I can use

FLINK-1_15

as the runtime environment when deploying a new Kinesis Analytics application? It was only released a few days ago and I understand the internal enum has not yet been updated (throwing an error) - just wondering if there is a workaround?

white-chef-55657

11/29/2022, 8:18 AM

updating from awsxv0.40.1 to v1.0.0 results in a complete rebuild of our VPC - did anyone else figure how out how to avoid this breaking change?

white-chef-55657

11/29/2022, 8:27 AM

also, awsx plugin now wants to listen for incoming connections? what’s going on?

echoing-butcher-64641

11/29/2022, 2:35 PM

Hello Everyone I am struggling with something and I would appreciate your help so much 😄 I am creating a

managed node group

with this function

createManagedNodeGroup

and I would like to do some changes to the

kubelet configuration

but I found out its not possible due to this issue https://github.com/pulumi/pulumi-eks/issues/611. Is there any other way to pass

kubelet extra args

fresh-minister-66960

11/29/2022, 9:56 PM

Hello, I need some help here. I have started using Deployments REST API but I am getting an error when trying to provision a lambda function in a subaccount. I get this error:

aws:lambda:Function (XXXXX): 
44
     error: 1 error occurred: 
45
     	* error creating Lambda Function (1): AccessDeniedException: 
46
     	status code: 403, request id: 2224b871-f8fc-43f9-baf5-c62809b1779d

I am creating a new account in my organization using IAM credentials of an admin user in my main account. Will post the code in a comment here.

adamant-dress-73325

11/29/2022, 10:16 PM

FYI folks, the

elasticloadbalancingv2

namespace was not kept around in classic from 0.40 -> 1.0 of pulumi-awsx, should be mentioned in migration notes, we had to change it to

lb

to keep things working post upgrade to 1.0

wooden-architect-84094

11/30/2022, 10:50 AM

Hello. Would like to quickly run by you an issue with

pulumi refresh

i’ve come across when using explicit aws providers within a specific scenario. For context I am wanting to use explicit aws providers to enable easy cross account deployment of resources. Most deployments will be done via a github actions workflow, but we will occasionally be required to deploy from local machines too. The iam roles we use for deployments from github and local machines are not the same and so the provider’s

role_to_assume

is changed based on the deployment environment. However running the

pulumi refresh

command locally if the previous deployment was made from github causes an access denied error, but running

pulumi up

does not give the same error and will simply deploy any changes. Was wondering if there’s a neat workaround i’ve not thought of to enable

pulumi refresh

in this scenario, something other than manually editing the the aws provider

role_to_assume

in the backend state file after changing deployment environment?

loud-australia-45001

11/30/2022, 11:47 AM

Hello guys I've tried to upgrade the version for

awsx

from 0.40 to 1.0 and I'm finding that when doing

preview

update

, it wants to recreate my VPC I saw in the https://www.pulumi.com/docs/guides/crosswalk/aws/ documentation that it is suggested to use the

classic

package, but that means that there is no way to upgrade apart destroying all the resources and recreate them?

loud-australia-45001

11/30/2022, 2:03 PM

Hello again, another doubt: We are facing a strange issue with creating the subnets in the VPC with

AWS CrossWalk

the following worked on

0.40.0

, the latter didn't with

1.0.0

. Can't understand why, it seems something related to the IPs This worked

const vpc = new awsx.ec2.Vpc(VPC_NAME, {
  cidrBlock: CIDR_BLOCK //is 10.0.0.0/16,
  numberOfAvailabilityZones: AVAILABILITY_ZONE //is 3,
  numberOfNatGateways: NUMBER_OF_GATEWAYS //is 1,
  subnets: [
    {
      cidrMask: 18,
      name: 'Private',
      type: 'private',
    },
    {
      cidrMask: 20,
      name: 'DBs',
      type: 'isolated',
    },
    {
      cidrMask: 22,
      name: 'Public',
      type: 'public',
    },
  ],
  tags: vpcTags,
});

This doesn't

const vpc = new awsx.ec2.Vpc(VPC_NAME, {
    cidrBlock: CIDR_BLOCK //is 10.0.0.0/16,
    numberOfAvailabilityZones: AVAILABILITY_ZONE //is 3,
    natGateways: {
      strategy: awsx.ec2.NatGatewayStrategy.Single,
    },
    subnetSpecs: [
      {
        cidrMask: 18,
        name: 'Private',
        type: awsx.ec2.SubnetType.Private,
      },
      {
        cidrMask: 20,
        name: 'Isolated',
        type: awsx.ec2.SubnetType.Isolated,
      },
      {
        cidrMask: 22,
        name: 'Public',
        type: awsx.ec2.SubnetType.Public,
      },
    ],
    tags: vpcTags,
  });

swift-fireman-31153

11/30/2022, 10:35 PM

has anyone had any issues with

new aws.Provider

not using the

profile

provide and just using the aws configure

default

profile?

curved-appointment-51749

12/01/2022, 12:59 PM

Hi. For a resource like

aws.iam.Role

where there is a property

managedPolicyArns

, if you import the resource or run

pulumi up --refresh

pulumi will populate

managedPolicyArns

with the policy even if you use

aws.iam.PolicyAttachment

aws.iam.RolePolicyAttachment

and

aws.iam.RolePolicy

. Pulumi warns that you should not use both. It is possible to use Resource Tranforms to remove

managedPolicyArns

but then running

pulumi up --refresh

results in policies being detached and then only maybe being reattached. Is it possible to use a resource like

aws.iam.Role

without

managedPolicyArns

in practice or do you really not have a choice?

icy-controller-6092

12/02/2022, 4:36 AM

It takes quite a while for new runtime environments to make it through to Pulumi 😞 I’m still waiting for Flink v1.15 for Kinesis, and Node.js v18 for lambda

icy-controller-6092

12/02/2022, 4:36 AM

is there anything I can hack away in my local packages that will just ignore the enum validation check? e.g. a way to get around this error:

expected runtime_environment to be one of [SQL-1_0 FLINK-1_6 FLINK-1_8 ZEPPELIN-FLINK-1_0 FLINK-1_11 FLINK-1_13 ZEPPELIN-FLINK-2_0], got FLINK-1_15.

it seems to be a local validation error and not a remote one, as the cloudformation docs are up to date, plus terraform has included the two new enum entries

astonishing-dentist-11149

12/02/2022, 8:54 PM

Hey all, what is the proper way to have pulumi "redeploy" a fargateService if all I did was update the latest image (same docker tag)? There is no change to tell pulumi this needs to be updated again, so not sure the best way to do this, short of going to AWS and redeploying the task.

most-lighter-95902

12/03/2022, 4:38 PM

Hi, I just upgraded awsx version and Vpc endpoint is giving me type errors. I can’t seem to find any examples for this so can someone suggest how can change my previous setup to the new api?

most-lighter-95902

12/03/2022, 4:39 PM

const vpc = new awsx.ec2.Vpc(`vpc-${clusterName}`, {
      numberOfAvailabilityZones: 2,
      subnets: [
        { type: 'public' },
        {
          type: 'private',
          tags: {
            [`<http://kubernetes.io/cluster/${clusterName}`|kubernetes.io/cluster/${clusterName}`>]: 'owned',
            [`<http://karpenter.sh/discovery`|karpenter.sh/discovery`>]: clusterName,
          },
        }, // tags required for Karpenter setup
      ],
    })

most-lighter-95902

12/03/2022, 4:42 PM

Looks like I have to change subnets to subnetSpecs, but unsure what serviceName is for

most-lighter-95902

12/03/2022, 4:42 PM

As for the type, I assume I need to set privateDnsEnabled?

most-lighter-95902

12/03/2022, 4:47 PM

Also, ec2.SecurityGroup is now gone - is there any migration docs for this?