Hi all ! Our org is implementing Service Control Policies on all resources to make sure all of them are tagged. That being said we are facing issues where in we are unable to tag resources created by AWS as a part of EKS Cluster bring up. For example, resources like ASGs, EC2 and EBS volumes. What would be the best approach to tag these resources before SCP rules kick in and prevent infrastructure provisioning. We used this example for our tagging strategy in AWS. link

Hey team, I’ve been trying the pulumi crosswalk api gateway + lambda example in Pulumi’s docs, which defines routes using an OpenAPI specification. Their first typescript example is super simple, but I get a series of errors. Example here: https://www.pulumi.com/docs/guides/crosswalk/aws/api-gateway/

import * as aws from "@pulumi/aws";
import * as apigateway from "@pulumi/aws-apigateway";

// Create a Lambda Function
const helloHandler = new aws.lambda.CallbackFunction("hello-handler", {
  callback: async (ev, ctx) => {
    return {
      statusCode: 200,
      body: "Hello, API Gateway!",
    };
  },
});

// Define an endpoint that invokes a lambda to handle requests
const api = new apigateway.RestAPI("api", {
  routes: [
    {
      path: "/",
      method: "GET",
      eventHandler: helloHandler,
    },
  ],
});

export const url = api.url;

The first error I usually get is around needing an ARN (I think because it wants to run on behalf of a user), so try adding

apiKeyRequired: false

to the route

Unable to put integration on 'GET' for resource at path '/': Invalid ARN specified in the request

(edited)

Hello, Not sure if this is the correct channel but i could not find relating to `CICD`/`Github Actions`. I am deploying to

AWS

and in one of the workflows i am using the

preview

command.

- name: Preview changes to Infra  🚀
  uses: pulumi/actions@v4
  id: pulumi
  with:
    command: preview
    stack-name: ${{ env.PULUMY_XXXX }}
    work-dir: ${{ env.PULUMY_XXXXX }}
    color: always
  env:
    PULUMI_CONFIG_PASSPHRASE: ${{ secrets.PULUMI_XXXXXX }}

This works fine but the output looks is very verbose and like this:

Matched version: v3.55.0

Install destination is /home/runner/.pulumi

Successfully deleted pre-existing /home/runner/.pulumi/bin

/usr/bin/tar xz --warning=no-unknown-keyword --overwrite -C /home/runner/.pulumi -f /home/runner/work/_temp/6726a8cc-1cb3-41ec-b817-25afe86c25a2

pulumi preview on dev

Previewing update (dev):

Creating virtual environment...

Finished creating virtual environment

Updating pip, setuptools, and wheel in virtual environment...

Requirement already satisfied: pip in ./venv/lib/python3.11/site-packages (22.3.1)

Collecting pip

Downloading pip-23.0.1-py3-none-any.whl (2.1 MB)

━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━ 2.1/2.1 MB 24.5 MB/s eta 0:00:00

Requirement already satisfied: setuptools in ./venv/lib/python3.11/site-packages (65.5.0)

Collecting setuptools

Downloading setuptools-67.4.0-py3-none-any.whl (1.1 MB)

━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━ 1.1/1.1 MB 80.9 MB/s eta 0:00:00

Collecting wheel

Downloading wheel-0.38.4-py3-none-any.whl (36 kB)

Cutting out allot of output ...........

Configured range: ^3

Successfully built pulumi-aws

Installing collected packages: arpeggio, six, semver, pyyaml, protobuf, dill, attrs, parver, grpcio, pulumi, pulumi-aws

@ previewing update....

Successfully installed arpeggio-2.0.0 attrs-22.2.0 dill-0.3.6 grpcio-1.50.0 parver-0.4 protobuf-4.22.0 pulumi-3.55.0 pulumi-aws-5.30.0 pyyaml-6.0 semver-2.13.0 six-1.16.0

Finished installing dependencies

pulumi:pulumi:Stack: (same)

[urn=urn:pulumi:dev::infra::pulumi:pulumi:Stack::infra-dev]

+ aws:s3/bucket:bucket: (create)

[urn=urn:pulumi:dev::infra::aws:s3/bucket:bucket::my-bucket2]

[provider=urn:pulumi:dev::infra::pulumi:providers:aws::default_5_30_0::ba1943d5-aa7e-478e-be4d-e00ca96278e9]

acl         : "private"

bucket      : "my-bucket2-6e404a3"

forceDestroy: false

Resources:

+ 1 to create

2 unchanged

is there a way to reduce all the noise ? would it be possible to just see the changes that will be made without all the python dependency details ? for example just:

pulumi:pulumi:Stack: (same)

[urn=urn:pulumi:dev::infra::pulumi:pulumi:Stack::infra-dev]

+ aws:s3/bucket:bucket: (create)

[urn=urn:pulumi:dev::infra::aws:s3/bucket:bucket::my-bucket2]

[provider=urn:pulumi:dev::infra::pulumi:providers:aws::default_5_30_0::ba1943d5-aa7e-478e-be4d-e00ca96278e9]

acl         : "private"

bucket      : "my-bucket2-6e404a3"

forceDestroy: false

Resources:

+ 1 to create

2 unchanged

thanks for the time and help

Hello, I'm currently trying to set up NodeGroups on my EKS cluster. I'm using the this guide as a reference: https://www.pulumi.com/docs/guides/crosswalk/aws/eks/ and in that a NodeGroup is created using

eks.NodeGroupV2

, which isn't found by my TypeScript linter while

eks.NodeGroup

is. Furthermore, this How-to from Pulumi (which contains some functionality I would like to have) https://www.pulumi.com/registry/packages/kubernetes/how-to-guides/eks-migrate-nodegroups/, abstracts the creation and ultimately uses

eks.NodeGroup

. Is there a difference between those two functions?

is it possible to use a kinesis consumer (for enhanced fanout) when mapping kinesis events to a lambda?

I can do it in Console just haven’t found a way to do it in Pulumi

Ah found it, just replace the kinesis stream ARN with the consumer ARN in the EventSourceMapping

is there a way to instruct pulumi on how it can pack a lambda function built with Rust? the doc states

Any of the supported Lambda runtimes can be used, including Node.js (as shown here), Python, Ruby, Java, Go, and .NET.

But I don't see any mention about custom provided runtimes

If I’m trying to deploy a new image with a specific version, should I do something like this:

const version = require('../../apps/service/package.json').version;
...
const image = new awsx.ecr.Image(`image:${version}`, {
  repositoryUrl: repository.url,
  path: "./app/service/",
});

Or is there a different way to specify the version on the image?

How can I create a iam.Role that is self-assuming? the assumeRolePolicy would need to reference itself, which it cannot do

what is

lamp-test

in

pulumi stack init lamp-test

?

Hi, I have a problem with AWS EKS and pulumi. When I run my script after a day or two since the last execution, which involves an EKS cluster, I get this as the info on changes:

$ pulumi up
Previewing update (sandbox):
     Type                               Name                                  Plan        Info
     pulumi:pulumi:Stack                xxx-sandbox                                       2 warnings
     └─ eks:index:Cluster               xxx-cluster
 +-     ├─ aws:ec2:LaunchConfiguration  xxx-cluster-nodeLaunchConfiguration  replace     [diff: ~imageId]
 ~      └─ aws:cloudformation:Stack     xxx-cluster-nodes                    update      [diff: ~templateBody]

that happens even when I have not made any changes to the script at all. Full diff in thread under this. When I run the changes, there is a short downtime in the EKS cluster which is not great, when I just want to run an update of something unrelated. I found a similar question from here but with no solution. The script uses EKS in a simple way:

import pulumi_eks as eks

cluster = eks.Cluster(
    self._name,
    create_oidc_provider=True,  # Allows connecting k8s serviceAccounts with AWS roles
    desired_capacity=2,
    min_size=1,
    max_size=2,
    vpc_id=self._vpc_id,
    private_subnet_ids=subnets.ids,
    node_associate_public_ip_address=False,
    instance_type='t3.medium',
    user_mappings=self._user_mappings,
)

What can I do to fix this? Thanks!

for the pulumi-aws-apigateway, is there a way to pass down to the constructor the endpoint configuration (edge vs regional)? I don't see an immediate way to do so (doing python fwiw)

How would I get the current aws account id, so that I can interpolate it into the middle of a role ARN?

Hello guys, I'd like to ask before opening a Feature Request if editing anomaly detection models for cloudwatch metric alarms is currently supported? This is how it would be done using AWS console: 1- Go to the metric alarm and clicking on "Edit anomaly detection model" (Attachment) 2- Adding an exclusion time range to the anomaly detection model (Attachment)

I'm having a problem at the moment, we use Emissary Ingress to handle our ingress, which creates an NLB for us, and it attaches to our Security Group some manual rules. When I do a

refresh

it will update our state to have these rules, which means that when I do a

update

these rules get deleted (because we have it missing in our

.ts

file since we don't know what the node endpoint IPs are etc. How can I handle this?

hey everyone, I am trying to set up a cloudwatch EventRule for

guardDuty

findings. I am following this link

<https://docs.aws.amazon.com/guardduty/latest/ug/guardduty_findings_cloudwatch.html#guardduty_findings_cloudwatch_multiaccount>

- here we can see that we have to specify all the member

accountIds

(i am running from the admin account). is there an easier way to specify the member accounts? without having to type them all? My code so far:

const cloudwatchEventRule = new aws.cloudwatch.EventRule(
    "XXXXXXXXX",
    {
      description: "CloudWatch event rule to trigger on GuardDuty Findings",
      isEnabled: true,
      eventPattern: JSON.stringify({
        source: ["aws.guardduty"],
        detailType: ["GuardDuty Finding"],
        detail: {
          accountId: ["AWS"],
          severity: Array.from({ length: 55 }, (_, i) => 4 + i * 0.1), // [4, 4.1, 4.2, 4.3 ..., 8.9]
        },
      }),
    }
  );

thank you!

Hi, I recently added

publish: true

and a ProvisionedConcurrencyConfig to a lambda and now whenever it is deployed in Github Actions it times out due to:

aws:lambda:Function (function-name):
      error: 1 error occurred:
      	* updating urn:pulumi:staging::infra-protected::aws:lambda/function:Function::function-name: 1 error occurred:
      	* while waiting for function (function-name-e55a050) update: ResourceNotReady: exceeded wait attempts

But the deploy has actually succeeded in deploying the lambda and the new version but since it times out here it doesn't update the version in the provisioned concurrency configuration. Is there a solution to this?

I have a deploy running right now and I can see the new version has already been made but it is still waiting

Greetings All. I'm trying to deploy a Pulumi upgrade and the build keeps complaining about the alias that we add on one of our certificates (

aws:acm/certificate:Certificate

). Specifically, we're getting the error:

error: Error: No valid 'type' passed in for alias.
    at /home/labuser/.cache/bazel/_bazel_labuser/34360f705a4b3bbdc2679b46775386d6/execroot/artemis/node_modules/@pulumi/resource.ts:516:19
    at /home/labuser/.cache/bazel/_bazel_labuser/34360f705a4b3bbdc2679b46775386d6/execroot/artemis/node_modules/@pulumi/output.ts:383:31
    at Generator.next (<anonymous>)
    at /home/labuser/.cache/bazel/_bazel_labuser/34360f705a4b3bbdc2679b46775386d6/execroot/artemis/node_modules/@pulumi/pulumi/output.js:21:71
    at new Promise (<anonymous>)
    at __awaiter (/home/labuser/.cache/bazel/_bazel_labuser/34360f705a4b3bbdc2679b46775386d6/execroot/artemis/node_modules/@pulumi/pulumi/output.js:17:12)
    at applyHelperAsync (/home/labuser/.cache/bazel/_bazel_labuser/34360f705a4b3bbdc2679b46775386d6/execroot/artemis/node_modules/@pulumi/pulumi/output.js:236:12)
    at /home/labuser/.cache/bazel/_bazel_labuser/34360f705a4b3bbdc2679b46775386d6/execroot/artemis/node_modules/@pulumi/output.ts:302:65
    at dynatraceRegularInvoke (/opt/dynatrace/oneagent/agent/bin/1.259.304.20230210-081346/any/nodejs/nodejsagent.js:3093:20)
    at Object.a.safeInvoke (/opt/dynatrace/oneagent/agent/bin/1.259.304.20230210-081346/any/nodejs/nodejsagent.js:3168:41)

This error is down in the

resource.ts

file here: https://github.com/pulumi/pulumi/blob/24f0ae32f7c02bf1906a6081cab81217872c7d38/sdk/nodejs/resource.ts#L516 We created our own

CertificateManager

class, which has a

getCert(

) method for creating the necessary certs for our web properties. One of those certs (support) needs an Alias added to it, and our code in the

getCert()

method handles that. Here's the code:

public getCert(
    name: string,
    zone: aws.route53.Zone,
    domainName?: string,
  ): aws.acm.CertificateValidation {
    let certAlias: CustomResourceOptions = {};
	//Add required alias for the support cert.
    if (name === "support") {
      certAlias = {
        aliases: [
          {
            name: this.config.getResourceName("supportability-cert"),
            type: "aws:acm/certificate:Certificate",
          },
        ],
      };
    }
    const cert = new aws.acm.Certificate(
      this.config.getResourceName(`${name}-cert`),
      {
        domainName: domainName ?? zone.name,
        tags: this.config.getTags(),
        validationMethod: "DNS",
      },
      certAlias,
    );

    const validationRecords = cert.domainValidationOptions.apply(
      (domainValidationOptions) => {
        return domainValidationOptions.map((domainValidationOption) => {
          return new aws.route53.Record(
            `validation-record-${domainValidationOption.domainName}`,
            {
              allowOverwrite: true,
              name: domainValidationOption.resourceRecordName,
              records: [domainValidationOption.resourceRecordValue],
              ttl: ONE_HOUR,
              type: domainValidationOption.resourceRecordType,
              zoneId: zone.zoneId,
            },
          );
        });
      },
    );

    let certValidationAlias: CustomResourceOptions = {};
	//Add required alias for the support cert.
    if (name === "support") {
      certValidationAlias = {
        aliases: [
          {
            name: this.config.getResourceName("certificate-validation"),
            type: "aws:acm/certificateValidation:CertificateValidation",
          },
        ],
      };
    }
    return new aws.acm.CertificateValidation(
      this.config.getResourceName(`${name}-certificate-validation`),
      {
        certificateArn: cert.arn,
        validationRecordFqdns: validationRecords.apply((records) =>
          records.map((record) => record.fqdn),
        ),
      },
      certValidationAlias,
    );
  }

Based on these select lines from the build output (running a Pulumi Preview), the cert handling is working for everything but the

support

cert that is supposed to get the alias.

pulumi:pulumi:Stack pulumi-artemis-infrastructure running error: Error: No valid 'type' passed in for alias.
aws:acm:Certificate artemis-dev-artemis-dev-chat-proxy-cert  [diff: ~provider]
aws:acm:Certificate artemis-dev-search-cert  [diff: ~provider]
aws:acm:CertificateValidation artemis-dev-search-certificate-validation  [diff: ~provider]

So, the non-support cases, where we include an empty object for the

CustomResourceParameters

for the

new Certificate

, it works. When we add the alias and type for the support cert, it fails. In

resources.ts

on line 506, the

collapseAliasToUrn

function should be taking the explicit type that we're providing in favor of the passed

defaultType

, so how that type becomes

undefined

and triggers the error on line 516, I haven't a clue. This code had been working, but started causing problems when we updated Pulumi. Here are the version changes: @pulumi/aws from 5.10.0 to 5.30.0 @pulumi/awsx from 0.40.0 to 1.0.2 @pulumi/docker from 3.2.0 to 3.6.1 @pulumi/kubernetes from 3.19.4 to 3.24.1 @pulumi/pulumi from 3.35.3 to 3.55.0 Could this be a state problem? Do we need to sync from the deployed state before we run another build? I confess that I'm at a loss.

Hi, I need to get the arn from an apigateway method. Can't seem to do this.

Error: routes does not exist on api.api
      on Pulumi.yaml line 69:
      69:   apiGatewayRoutes: ${api.api.routes}
    Existing properties are: body, name, policy, tags, urn and 14 others

Firstly how do I see what these "14 others" are? I'm using what appears to be aws crosswalk, for which there is very little documentation. This is my api definition

api:
    type: aws-apigateway:RestAPI
    properties:
      routes:
        - target:
            uri: "http://${frontendBucket.websiteEndpoint}"
            type: http_proxy
          method: GET
          path: /
        - eventHandler: ${fn_rasd_fastapi}
          method: ANY
          path: /api/{proxy+}
        - eventHandler: ${fn_rasd_fastapi}
          method: ANY
          path: /api
      stageName: ${pulumi.stack}

In the aws apigateway console, I can click on the "ANY" method and see the ARN for the http_proxy request. I need to use this ARN in a bucket policy. But I cannot seem to see how to get this arn from within pulumi

Is this PR is going to be merged https://github.com/pulumi/pulumi-eks/pull/847 ? I need to update my EC2 instances to use

imdsv2

but I can't seem to do it with the latest version of

EKS

I’ve been trying out container lambdas. One thing I notice is that pulumi seems to build and push my image every time I run

pulumi up

, whether or not there are any updates to the Dockerfile or any of its dependencies. I say “seems” because the image in ECR doesn’t actually get updated unless there’s a change. Is there a way to get pulumi to skip the image build step unless there are changes to the files in the Dockefile’s directory?

Does pulumi-aws use regional STS endpoints for API requests? Or the global one? I've been reading this: https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp_enable-regions.html?icmpid=docs_iam_console

Hello all! I am trying to create a cluster with multiple node groups following this tutorial (my code is attached): https://www.pulumi.com/docs/guides/crosswalk/aws/eks/#configuring-your-eks-clusters-worker-nodes-and-node-groups I run pulumi up successfully, but when I access the cluster no nodes appear in it. I can see the instances running on the EC2 panel, but no system pod, like coredns, gets deployed. Also when I run

kubectl get nodes

I dont see any nodes. I used

aws eks update-kubeconfig --name CLUSTER_NAME --region us-east-2

to point kubectl to the cluster, the user configured has admin access to everything. Any idea why that is happening? Appreciate your attention

Hello everyone, I hope all are fine. I have a question Base on example: https://github.com/pulumi/examples/blob/master/aws-ts-hello-fargate/index.ts Someone has problem with the deploy on AWS? The Deployment is delayed an the end the response of GET is a 503

<html>
<head><title>503 Service Temporarily Unavailable</title></head>
<body>
<center><h1>503 Service Temporarily Unavailable</h1></center>
</body>
</html>

thanks a lot Regards

Hello I am trying to create a managed node group that contains nodes that only use imds v2. But I can't seem to achieve this. I am using the

eks.createManagedNodeGroup

function but I can't add

metadataOptions

. I would appreciate any workarounds Thanks

Is ap-southeast-4 (Melbourne) available via Pulumi? We've created a provider with

region: "ap-southeast-4" as Region

, but as soon as it's used in a resource, we're getting:

error: unable to validate AWS credentials.
    Details: no valid credential sources for  found.
    
    Please see
    for more information about providing credentials.
    
    Error: failed to refresh cached credentials, operation error STS: AssumeRole, https response error StatusCode: 403, RequestID: 36223ba0-c4c9-4a7c-b795-59636, api error InvalidClientTokenId: The security token included in the request is invalid

(Note the missing interpolated values in for found and _Please see _)

Hello Is there any way to change the

metadataOptions

for my EKS workers without recreating the launch template in the function

eks.createManagedNodeGroup

??