Also it seems like changes to the container configuration result in a new task definition each time instead of a new revision

Hi pals Does anybody have an example of vpn with transit gateway?

I'm using

awsx.ec2.Vpc

to generate a VPC across two availability zones:

const vpc = new awsx.ec2.Vpc(`${shortName(nameConfig)}-vpc`, {
    availabilityZoneNames: [zoneName, albSecondZoneName],
    cidrBlock: '10.0.0.0/16',
    enableDnsHostnames: true,
    tags: { name: `${shortName(nameConfig)}-vpc` },
    subnetSpecs:[
      {
        type: awsx.ec2.SubnetType.Public,
        cidrMask: 22,
      },
      {
        type: awsx.ec2.SubnetType.Private,
        cidrMask: 20,
      },
    ],
  })

How do I get the public subnet for the availability zone

zoneName

to launch an EC2 instance in? This seems like it should be easy, but the examples all just choose the first public subnet ID (which isn't correct). There is

vpc.subnets

but checking

tagsAll

and

availabilityZone

inside

subnets.apply()

doesn't seem to work (it appears

tagsAll.apply()

and

availabilityZone.apply()

don't block?)

Hi, I am trying to run my TypeScript backend on ECS + Fargete. I have created a web target group and an alb using the following code:

const webTargetGroup = new aws.lb.TargetGroup(`web-target-${stack}`, {
  port: 3000,
  protocol: "HTTP",
  vpcId: vpc.vpcId,
  targetType: "ip",
});

const loadbalancer = new awsx.lb.ApplicationLoadBalancer(
  `loadbalancer-${stack}`,
  {
    listeners: [
      {
        port: 3000,
        protocol: "HTTP",
        defaultActions: [
          {
            type: "redirect",
            redirect: {
              protocol: "HTTPS",
              port: "443",
              statusCode: "HTTP_301",
            },
          },
        ],
        tags: {
          Environment: stack,
        },
      },
      {
        port: 443,
        certificateArn: apiCert.arn,
        protocol: "HTTPS",
        sslPolicy: "ELBSecurityPolicy-2016-08",
        defaultActions: [
          {
            type: "forward",
            forward: {
              targetGroups: [
                {
                  arn: webTargetGroup.arn,
                },
              ],
            },
          },
        ],
        tags: {
          Environment: stack,
        },
      },
    ],
    tags: {
      Environment: stack,
    },
  }
);

I am also creating a Farget service using the code below

const webTargetGroup = stackRef.getOutput('webApplicationTargetGroup');

const image = new awsx.ecr.Image(`image-${stack}`, {
  repositoryUrl: repoUrl,
  path: '../',
});

new awsx.ecs.FargateService(`service-${stack}`, {
  cluster: clusterArn,
  assignPublicIp: true,
  taskDefinitionArgs: {
    container: {
      image: image.imageUri,
      cpu: cpu,
      memory: memory,
      essential: true,
      portMappings: [
        {
          containerPort: containerPort,
          targetGroup: webTargetGroup,
        },
      ],
    },
  },
});

I am getting a 503 error after deployment. I believe its due to some port mapping configuration that I have excluded or entered incorrectly. My backend is running on port 3000. Any help is appreciated

How can I clear an assumed role? I had it set in the stack config file but I want to perform an action without assuming the role but when I comment it out or remove it, Pulumi still assumes the role.

Hello, is there any way to run an SQL script on an RDS instances once it has been provisioned?

New to AWS, but not to Pulumi. I am trying to create a Client VPN with

certificate-authentication

, but I am a bit unsure as to how to approach this? I assume I have to create a CA, and then have Pulumi create a cert from this? Or can I somehow upload a keypair created by Pulumi to ACM and use this with the Client VPN? Any pointers on how to do this with Pulumi would be greatly appreciated.

This message was deleted.

Do you know with what package I can do this?

aws emr-containers update-role-trust-policy --cluster-name eksworkshop-eksctl --namespace spark --role-name EMRContainers-JobExecutionRole

I mean,

emr-containers update-role-trust-policy

Whenever I try to create a AWS Elastic Container Registry Policy I get the following error:

Error creating ECR Registry Policy: InvalidParameterException: Invalid parameter at 'PolicyText' failed to satisfy constraint: 'Invalid registry policy provided'

I noticed that the Pulumi API for RegistryPolicy doesn’t take a repository ID, only a policy (https://www.pulumi.com/registry/packages/aws/api-docs/ecr/registrypolicy/#create). Whereas the terraform API takes both a repository ID and a policy (https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/ecr_repository_policy#argument-reference). Is it possible that this Pulumi API is wrong and it’s impossible to make AWS ECR Registry Policies or am I missing something? I don’t see how Pulumi could know what repository to apply this policy to without a registry/repository ID

hello, How could one use Pulumi to check if an ECR image should be build again? we are building images using the

awsx.classic.ecr.buildAndPushImage

function

another q 🙂 when using providers like PostgreSQL, how can one retrigger or force Pulumi to provision/run those resources? Im having an issue where the RDS instance changed, erasing roles provisioned via pulumi.postgres but Pulumi is not detecting that it changed to run again and create the roles in the new instance

Howdy, I’m getting a 403 when I

pulumi up

at the preview stage:

aws:lambda:Function (PROJECT-exec-role):
    error: Preview failed: refreshing urn:pulumi:dev::PROJECT::aws:lambda/function:Function::PROJECT-exec-role: 1 error occurred:
        * AccessDeniedException:
        status code: 403, request id: 649a5d8a-83ac-4194-82b9-0b11a1309de7

I’ve confirmed that my AWS CLI credentials are current and valid, and can perform the needed action (updating the IAM role) with these credentials manually; and this error reads more as a 403 from Pulumi, not AWS. I’ve tried

pulumi logout && pulumi login

to no avail.

Hi all! I need to set up an IAM Policy for an IAM User, credentials of which I'd use for Pulumi. So in my Pulumi code I'm setting up several services like Lambda, S3, ECR and IAM Policy/Roles and I want the Pulumi to have ONLY needed permissions and not anything else for those services. I'm not completely aware of API calls that Pulumi uses for setting up those services and I tried AWS CloudTrail to track all API calls made to my IAM User username. I identified those API calls and tried to set up the IAM Policy with all of the API calls that were made by Pulumi. However, I kept getting Access Denied error by Pulumi, so the list of API calls identified by AWS CloudTrail was incomplete. Identifying those permissions one by one seemed to be not a great idea and time-consuming task. Any ideas of how to identify needed permissions for Pulumi when setting up IAM Policy? Is there any way to automatically identify them or the only way is to do it manually? I know that there are such services as AWS RAM, AWS Service Catalog or AWS Config, but I'm not sure if they can figure out all get, update, delete, list permissions on single run of Pulumi code. Any help or advice is appreciated! Thanks in advance for any support 🙂

Hi all, I'm using Pulumi in Java to try get a lambda layer by name, and attach it to a lambda function using the layer arn, as per the example in https://www.pulumi.com/registry/packages/aws/api-docs/lambda/function/. • I am able to find the Layer, it's a

LayerVersion

object in Pulumi • I am able to get the arn using

layerVersion.arn()

this returns an

Output<String>

• I am not able to attach that value to a lambda function

Function

object. The

layers

field expects a String, not the Output<String> we have Am I doing something wrong here?

Hi!, I am getting a

VersionsLimitExceededException

when updating a

aws.iot.policy

:

* error updating IoT Policy (my_policy): VersionsLimitExceededException: The policy my_policy already has the maximum number of versions (5)

Is there something special I need to do to prune the oldest version of the policy to make room for the new one? thanks!

Hi all, I am new to Pulumi. I used Java to deploy an EKS cluster. After some problems using a class from the wrong package, I found that there are two distinct packages:

com.pulumi.aws.eks

and

com.pulumi.eks

. What is the difference between the two? Is there some article that explains it?

What is the difference between the parameters inside the cluster creation and

node_group_options

, for example, for

min_size

?

Is there any way to update a resource that is created by Crosswalk? For example adding the trigger params to a Deployment resource created internally by the API pulumi package?

what is the current status of AWS native? • Is it recommended for new projects? • Is there some list of what isn't supported yet? • Does it play well with awsx? (seems e.g. awsx Vpc creates classic resources) • How does migration from classic to native work? One thing is updating the code, but what about state, don't really want to re-create production resources just to upgrade to aws-native?

Hey guys I have a question about MSK SASL Secret Association If we want to add an association with some users on a project and some others on another (on the same cluster), what is the best way? We tried simply adding a new

aws.msk.ScramSecretAssociation

, but it is replacing the association instead of adding. Is importing the resource and modifying it the suggested way or there is another?

https://docs.aws.amazon.com/emr/latest/EMR-on-EKS-DevelopmentGuide/create-managed-endpoint.html How can I do this with pulumi?

Still looks like some pretty fundamental stuff is missing from aws-native, like VPCGatewayAttachment or Route. Can't really build a working VPC without those :S

Not sure if this should be in here or in #kubernetes but my specific issue is aws/ec2 related so I chose here. I have deployed an eks cluster (or two) with pulumi using the eks module. Each kluster has 3 node pools, and my issue occurs when I come to update them, either because a new ami has been released or because I wish to change some aspect of the node pool, like the min/max or the node type. The ami changing causes the biggest issue as it changes all the node pools and then the nodes 'all roll at once'. By 'all roll at once' I need to further explain that I have some stateful services running on these clusters, e.g. percona's mysql, loki, redis and potentially ElasticSearch. These use ebs volumes to store state on using the ebs csi plugin/driver to mount ebs volumes to the required node. Experimentation has taught me that an ebs volume takes at least 8 minutes to disconnect from a terminating node and then reconnect to a new node and thus allow the pod it belongs to to be scheduled. Of course the ASG rolls the nodes based on their EC2 health check, rolling the next node as soon as its replacement is healthy, which means for a kluster of 10-15 nodes they all roll in a couple of minutes which is much faster than the 8min delay required to get a stateful node back an healthy. I have looked at the checkpointing available for the instance Refresh command, but that would seem to only work when using instance refresh and not when updating the instance profile of the ASG via pulumi. Also there are no options in the eks.createNodePool function which allow setting checkpoints. I guess my ideal solution would involve the autoscaler informing the ASG of which nodes have pods on which cannot be evicted now, and the ASG pausing the cluster roll until quorum is achieved again in the stateful service and the next node can be rolled, but I can't see an easy way of doing that, I guess something could be done with lifecycle events on the node pool's ASG and toggling the instance protection on nodes which need to be preserved, but it all feels kludgey. Secondly would be a setting on the ASG which slows down any roll of the nodes to have 10min pauses between each one, but there doesn't seem to be one. I guess I could look at setting the default instance warmup to 10mins but I'm not sure that will stop the old instances being replaced. This seems like it should be a common issue as updating node pools with stateful services is something everyone needs to do, right? How do you manage this?

Hello i'm very disappointed. Running

@pulumi/awsx@1.0.1

and following https://www.pulumi.com/docs/guides/crosswalk/aws/elb/#manually-configuring-listeners. It says

const alb = new awsx.lb.NetworkLoadBalancer("web-traffic");
const httpListener = alb.createListener("http-listener", {
    port: 80,
    protocol: "HTTP",
    defaultAction: {
        type: "redirect",
        redirect: {
            protocol: "HTTPS",
            port: "443",
            statusCode: "HTTP_301",
        },
    },
});

but locally I get an error

TS2339: Property 'createListener' does not exist on type 'NetworkLoadBalancer'

. Any idea?

Hi, I'm running ec2 services on ecs and my tasks are running using network mode "host", which means I can not run more than one instance of the same container. Pulumi up is stuck after building and pushing an image because the same service tries to create a steady task using the new task definition revision but the container throws EADDRINUSE when trying to listen on the wanted port. I tried using deleteBeforeReplace on the service and taskDefinition but it doesn't seem to do anything. Is there a way (in the same pulumi up) to stop the old task before the new one reaches steady state? thanks!

Hi there I am facing this issue when using response headers. I have a cloudfront distribution pulumi file. To the cloudfront distribution I have added a response headers policy's to the admin cloudfront.

Strict-Transport-Security 
    Content-Security-Policy 
    X-Frame-Options 
    X-Content-Type-Options 
    X-XSS-Protection

It successfully deployed when I have deployed the changes into my personal testing account. When I am trying deploy those into my deployment accounts it fails with following error

error updating CloudFront Response Headers Policy (94c6753d-9e56-4ed9-84ba-415369322fec): InvalidIfMatchVersion: The If-Match version is missing or not valid for the resource.

Any ideas on this issue ?

Hey folks. Hitting an oddity with outputs/strings when transitioning from

aws

->

awsnative

. Specifically an API where an

Output

worked before, now hitting a runtime error with AWS’s CloudControl complaining that it

expected type: String, found: JSONObject

. The API isn’t a direct mapping, formerly a plain object, now a

ServiceKeyValuePairArgs

. Anyone experienced anything like this before? Filed an issue here.

Will Pulumi always provision cloud resources at the maximum simultaneous number possible? Is the ceiling on parallelism inter-resource dependencies or anything else? Thank you in advance 🙂

I couldn't find any references in the github repo or here, but the cloud control api supports list for most resources, but aws-native does not seem to. Am I missing something? example classic has getEIPs, native only has get getEIP. Overall looking to see if I can look up resources by tag or if I have to fall back to classic for that?