Oh you can still use classic module

I think https://github.com/pulumi/pulumi-aws/commit/c984ddfba812c33e5ebf7267cdf9c1498174f3d4 broke https://github.com/pulumi/pulumi-aws/blob/master/sdk/nodejs/types/s3/input.ts on line 10 🧐 Probably should be

import { RoutingRule} from "@pulumi/aws/s3";

Edit: Added issue here.

So

ec2:SecurityGroup

is not supported in aws-native, only in the classic provider, but there’s no GH issue for this? Shouldn’t there be, to track eventual parity between the providers?

Flink v1.15 was released on Kinesis Analytics a couple of weeks ago, and it’s still not possible to use it when deploying via Pulumi. Same thing with node.js v18 on Lambda. I knew Flink v1.15 was being released on Kinesis in November so I built my analytics app to work with it, and have been eagerly waiting for Flink v1.15 for a couple of months now. I feel kinda disappointed that the holdup now is Pulumi not allowing me to deploy the app, despite the new enum value being available in the Terraform AWS provider since 9 days ago The team & everyone on Slack have been super helpful when I’ve asked about the new Kinesis and Lambda runtimes, and I also note that there was the Thanksgiving break in the US. But I’m now concerned about the lead time here to add a new entry to an enum value, and starting to research whether I should just move my IaC over to terraform to avoid running into this type of issue again I know Pulumi is free & open source, and I’m not criticising the time taken to bring the new enum value through to the CLI, just thought it might be a feedback signal the pulumi team might want to think about as I imagine this can impact adoption

hi, i'm using pulumi to construct aws dms(data migration sercice) tasks, i set the

startReplicationTask

as true, but got the error message

start: timeout while waiting for state to become 'running' (last state: 'starting', timeout: 5m0s)

i have set the

customTimeouts: { create: "15m", update: "15m", delete: "15m" },

it seems not work

Is it possible to use the pulumi github app with an AWS self-hosted backend instead of the pulumi service?

Hi everyone, I have an apigateway v1 using @pulumi/awsx and need to create BasePathMapping like '/api/v1' , however AWS throws an error:

"Error creating Gateway base path mapping: BadRequestException: API Gateway V1 doesn't support the slash character (/) in base path mappings. To create a multi-level base path mapping, use API Gateway V2"

Can I use aws.apigatewayv2.ApiMapping with apigateway v1 ? Or is there another way to go about solving this??

Hello everyone. I am seeing that whenever I deploy a new version of my infrastructure, it replaces my RDS replica -despite no changes happening to my RDS definition. I see the following when I run my

pulumi up

command:

+-     └─ aws:rds:Instance                              dev-db-rds-replica                  replace     [diff: -storageEncrypted~replicateSourceDb]

Has anyone seen this before? It is quite frustrating?

I have some EC2 instances managed by Pulumi. Various config files are written using

cloudinit

. If I change this data, Pulumi correctly identified the resources affected and shutsdown the correct EC2 instances. However, it doesn't write the new config data, so when it starts up the machines the old versions are still there. If I manually terminate the EC2 instances, then run

pulumi refresh

and

pulumi up

it all works. What am I doing wrong?

Hi, I'm using

ec2.Instance

to spin up a new EC2 instance which employes user data to provision the needed software upon start. Now I want to use

ec2.AmiFromInstance

to create an AMI from the newly created EC2 instance. However, it seems that the later resource doesn't wait until the instance is fully up. Creating an AMI involves stopping the instance, creating a snapshot of EBS volume and starting it up again. However, I can see in the cloud init logs that the EC2 instance user data script is interrupted before it can finish the provisioning. Is there any way to wait for the user data script to finish? I could put some artificial sleep/delay before the creating the AMI resource, but there might be a better and more elegant way.

Hi, I'm trying to use this GitHubAction - https://github.com/pulumi/actions/blob/master/examples/python-pulumi.yaml But all I've is .py files that have implemented pulumi automation API and I run those from command line without specifying up/preview/etc as required by the above link. Can someone suggest how to use the python scripts with the above GH Action as I don't have the pulumi projects with YAML files...just the pulumi automation api scripts? Thx.

Hi I am experiencing weird behaviour I have an IAM policy like this

{
    "Statement": [
        {
            "Action": "ssm:DescribeParameters",
            "Effect": "Allow",
            "Resource": "*"
        },
        {
            "Action": [
                "*"
            ],
            "Condition": {
                "StringEquals": {
                    "aws:ResourceTag/pulumi_project": "sandbox",
                    "aws:ResourceTag/pulumi_stack": "dev",
                    "aws:ResourceTag/tier": "dev"
                }
            },
            "Effect": "Allow",
            "Resource": "*"
        },
        {
            "Action": [
                "*"
            ],
            "Condition": {
                "StringEquals": {
                    "aws:RequestTag/pulumi_project": "sandbox",
                    "aws:RequestTag/pulumi_stack": "dev",
                    "aws:RequestTag/tier": "dev"
                }
            },
            "Effect": "Allow",
            "Resource": "*"
        },
    ],
    "Version": "2012-10-17"
}

and my pulumi code is deploying SSM parameters

const dbParams = [
      { role: ro, type: "ro", endpoint: args.masterHostReadOnly },
      { role: rw, type: "rw", endpoint: args.masterHost },
      { role: mig, type: "mig", endpoint: args.masterHost },
    ].map(({ role, type, endpoint }) => {
      const ssmPrefix = `ecs/${namespace}/db/${clusterName}/${type}`;

      return [
        { name: "pguser", value: role.name },
        { name: "pgpassword", value: role.password },
        { name: "pghost", value: endpoint },
        { name: "pgdatabase", value: db.name },
        { name: "pgport", value: DefaultPort.toString() },
        { name: "pgssl", value: "true" },
      ].map((p) => {
        const param = new aws.ssm.Parameter(
          rcName(`${type}-${p.name.replace("/", "-")}`),
          {
            name: `/${ssmPrefix}/${databaseName === "service" ? "" : `${databaseName}_`}${p.name}`,
            type: "SecureString",
            value: pulumi.output(p.value).apply(
              (v) => {
              if (!v)
                throw Error(`Missing value for RdsClusterDatabase parameter: ${p.name}`);
              return `${v}`;
            }
            ),
            tags,
          },
          { parent: role }
        )
        return {name: p.name.toUpperCase(), arn:param.arn}
      });

However sometimes during the initial deployment one or more parameters fail with error

error reading SSM Parameter (/ecs/main/db/sandbox/ro/pguser): AccessDeniedException: User: arn:aws:sts::<accounted>:assumed-role/pulumi-ci-sandbox-role/dev-jan-Session is not authorized to perform: ssm:GetParameter on resource: arn:aws:ssm:eu-central-1:<accountId>:parameter/ecs/main/db/sandbox/ro/pguser because no identity-based policy allows the ssm:GetParameter action
        status code: 400, request id: 30c9a9dd-23af-4bb5-b4e7-a6801667db51

then the second run of

pulumi up

just works Other times the error is triggered inside

apply

Error: Missing value for RdsClusterDatabase parameter: pghost

Can anyone tell me how to debug this?

Hello everyone! Has anyone gotten Pulumi CLI working when working with AWS Identity Center (SSO). I am getting error:

Details: loading configuration: profile "value-dev" is configured to use SSO but is missing required configuration: sso_region, sso_start_url

When I add the missing parameters, I get error:

Error: failed to refresh cached credentials, the SSO session has expired or is invalid: open /Users/my-user/.aws/sso/cache/5b4332413256eb7492af48c99f1ed4408c4ad28e.json: no such file or directory

.aws/config:

[profile value-dev]
sso_session = my-sso
sso_account_id = 12341234123
sso_role_name = PowerUserAccess
region = eu-north-1
output = json

[sso-session my-sso]
sso_start_url = <https://my-sso.awsapps.com/start>
sso_region = eu-west-1
sso_registration_scopes = sso:account:access

Some version details:

$ aws --version
aws-cli/2.9.4 Python/3.11.0 Darwin/21.6.0 source/arm64 prompt/off

$ pulumi version
v3.48.0

Any help on this is appreciated!

Hey, I am building and deploying an image to ECR using

awsx.ecr.Image

. It's working great. I was wondering if there is a workflow/story for conveniently accessing a Dockerfile from a remote URL, rather than a local path. My application code as well as its corresponding Dockerfile are in a separate repo from my infra repo in this case. E.g. something like this (doesn't work, of course):

const image = new awsx.ecr.Image("image", {
  // ...
  path: "<https://github.com/>...",
  // dockerfile: "...",
});

I have some ideas for dynamically pulling in the dockerfile by leveraging the language ecosystem (JS/TS/Node in this case) but I think that might be overcomplicating this a bit

Hi, I want to deploy a node lambda using Pulumi which reads a file using fs.readFile when executed - does anyone know the right way to copy this file up as part of the lambda's file structure?

Has anybody used AWS CDK on Pulumi? Does it support other languages other than Typescript?

Hey all,

working on a fargate task that has pulumi installed

looking to run a python file in an ecs task that has pulumi on the requirements.txt?

I have a weird IAM issue where I receive:

xyz is not authorized to perform: lambda:GetEventSourceMapping on resource: * because no identity-based policy allows the lambda:GetEventSourceMapping action"

But, my user clearly has these permissions (check sshot). Will all of the Cloudtrail debugging (the above message is from it) and trying different things, I still didn't manage to find what is running this and why wildcard is being used. I'm at a point where I'll just put

Resource: *

but still, just in case, I decided to ask if anybody had a similar experience.

hey all, I have a simple dockerfile with a base image of

FROM python:3.9

that runs

RUN pip3 install -r requirements.txt

with a file that looks like this:

Hello all! I am having an issue with this simple example from the site:

import pulumi
import json
import pulumi_aws as aws

managed_policy_arns = [
    "arn:aws:iam::aws:policy/AmazonEKSWorkerNodePolicy",
    "arn:aws:iam::aws:policy/AmazonEKS_CNI_Policy",
    "arn:aws:iam::aws:policy/AmazonEC2ContainerRegistryReadOnly",
]


assume_role_policy = json.dumps({
    "Version": "2012-10-17",
    "Statement": [{
        "Action": "sts:AssumeRole",
        "Effect": "Allow",
        "Sid": None,
        "Principal": {
            "Service": "<http://ec2.amazonaws.com|ec2.amazonaws.com>",
        },
    }],
})

role1 = aws.iam.Role("jarvis",
    assume_role_policy=assume_role_policy,
    managed_policy_arns=managed_policy_arns)

When I try to run I get MalformedPolicyDocument error. I debugged following this https://aws.amazon.com/premiumsupport/knowledge-center/cloudformation-malformed-policy-errors/ and I saw that the assumeRolePolicyDocument seemed bad formatted, it was like this:

{
    "path": "/",
    "roleName": "jarvis-1be401b",
    "assumeRolePolicyDocument": "{"Version": "2012-10-17", "Statement": [{"Action": "sts:AssumeRole", "Effect": "Allow", "Sid": null, "Principal": {"Service": "<http://ec2.amazonaws.com|ec2.amazonaws.com>"}}]}",
    "maxSessionDuration": 3600
}

But it seems it should not the double quotes at the beginning... anyone else with this problem? any work around it? Appreciate your attention

getting this errro when deploying. could i get any help? error occurs when deploying from codebuild pulumi😛ulumi:Stack <<STACK>> running error: error reading from server: EOF

Hey all, are there any upgrade guides anywhere for awsx version 1, I am coming from the beta, and there are a ton of breaking changes in the full upgrade.

Has anybody come across this weird issue related to API Gateway. Seems a Golang + macOS level thing related to certs.

A true hero who would wanna take a look at implementing https://github.com/pulumi/pulumi-eks/issues/611 letting users select the max pods per node? This is hurting both the environment and the wallet X)

is there a way to get the security group's id of a newly created group? https://www.pulumi.com/registry/packages/aws/api-docs/ec2/securitygroup/#outputs

https://www.pulumi.com/registry/packages/aws/api-docs/wafv2/webacl/ How to get this page? Chrome always die on this page. And it is more than 60 Mb of text

Hi team, does anyone used or have a project using SSM with Pulumi to run Ansible Commands? 🤔