Hello! Is there a way to create an EC2 instance and automatically pull and run an image from ECR? I tried by passing commands to

user_data

, but it doesn't seem to work.

# Create an EC2 instance
instance = aws.ec2.Instance(
    config.INSTANCE_NAME,
    instance_type=config.INSTANCE_TYPE,
    ami=config.AMI,
    key_name=config.KEY_NAME,
    vpc_security_group_ids=[security_group.id],
    user_data=f"""#!/bin/bash
            yum update -y
            amazon-linux-extras install docker
            service docker start
            usermod -a -G docker ec2-user
            chkconfig docker on
            docker login --username AWS --password $(aws ecr get-login-password --region {config.AWS_REGION})
            docker pull {image.image_uri}
            docker run -d -p 80:80 {image.image_uri} > /hello.txt"""
)

If I ssh into the instance and run those commands, I get an error with

docker login --username AWS --password $(aws ecr get-login-password --region {config.AWS_REGION})

namely

Unable to locate credentials. You can configure credentials by running "aws configure".

How make it working?

Hey all, this seems like really bad code here, and it makes me believe I am doing something really wrong. I am coming to typescript from python so there are some serious gaps in understanding. I assume that I need to do something with apply. Right now this is the only way I have figured out how to get my code to work, but I hate the idea of using an as, because you are never guaranteed to get that structure from the other end. It feels generally like a bad practice. The point here is to feed in secrets that are created from my infra stack, as we follow the microstack model.

Hi everybody, I need to upgrade eks control and data plane versions, and I wanted to know which is the best strategy to prevent downtime. I’m using the

aws.eks.Cluster

and

aws.eks.NodeGroup

resource providers. I’ve done this in the past on GCP, so the strategy was pretty straight-forward: 1. Provide a new NodePool with

autoscalling

enabled. 2. Cordon, then drain nodes using

kubectl

. 3. Decommission the nodepool with an old kubernetes version, which equates here to remove the resource from the pulumi stack. Again, my goal is to prevent worker nodes from being unreachable while upgrading to a more recent version. I’m operating under the following assumptions: 1. control plane upgrades do not compromise data plane workloads in any way, with the exception that the api server will not be reachable for a few minutes. 2. There can not be more than two minor versions delta between master and worker nodes. Your insight will be very much appreciated. Many thanks,

hi, im trying to create a Lambda function with 5gb memory. i get a validation error on the memory configuration. but the lambda creates with 2gb memory. is 5gb memory not supported in pulumi ? configuration : ValidationException: status code: 400

Hello everyone. Something I haven't been able to figure out is when Pulumi creates an SNS Topic Subscription, the value 'MessageBody' of the filterPolicyScope attribute is ignored and the default value of 'MessageAttributes' is used instead. If Pulumi is run a 2nd time without any code changes, Pulumi will detect a difference between the desired state ('MessageBody') and the current state ('MessageAttributes') and update the value to 'MessageBody'. Any ideas why it would do that? Because of this, we have to remember to run Pulumi twice any time we want to create a new SNS Topic Subscription. const createTopicSubscription = ( name: string, endpoint: pulumi.Input<string>, protocol: pulumi.Input<string>, topic: aws.sns.Topic, filterPolicy: pulumi.Input<string>, ) => { const topicSubscription = new aws.sns.TopicSubscription(name, { endpoint: endpoint, protocol: protocol, topic: topic, filterPolicy: filterPolicy, filterPolicyScope: 'MessageBody', }); };

EDIT: Resolved in thread. Ended up using the

lifecycleRules

property within aws.s3.Bucket Hey everyone, I’m trying to create a

BucketLifecycleConfiguration

resource for an existing S3 bucket and I’m running into this error when the lifecycle config resource is attempting to create

aws:s3control:BucketLifecycleConfiguration (lifecycle-config):
    error: 1 error occurred:
    	* error parsing S3 Control Bucket ARN (): unknown format

Here’s how I am creating the resources:

const bucket = new aws.s3.Bucket('bucket-name', {
    acl: 'private',
    corsRules: [
      {
        allowedHeaders: ['Content-Type', 'Content-Disposition'],
        allowedMethods: ['PUT', 'GET', 'HEAD'],
        allowedOrigins: [`https://${config.require('webPublicDomain')}`],
        exposeHeaders: [
          'Content-Type',
          'Content-Disposition',
          'x-amz-id-2',
          'x-amz-request-id',
          'x-amz-server-side-encryption',
          'ETag',
        ],
        maxAgeSeconds: 3000,
      },
    ],
    serverSideEncryptionConfiguration: {
      rule: {
        applyServerSideEncryptionByDefault: {
          sseAlgorithm: 'AES256',
        },
      },
    },
    versioning: {
      enabled: true,
    },
  });

  new aws.s3.BucketPublicAccessBlock('access-block', {
    bucket: bucket.id,
    ignorePublicAcls: true,
    restrictPublicBuckets: true,
    blockPublicAcls: true,
    blockPublicPolicy: true,
  });

  new aws.s3control.BucketLifecycleConfiguration('lifecycle-config', {
    bucket: bucket.arn,
    rules: [
      {
        id: 'my-rule',
        abortIncompleteMultipartUpload: {
          daysAfterInitiation: 2,
        },
      },
    ],
  });

The only thing I’ve added is the

aws.s3control.BucketLifecycleConfiguration

resource. When I run

pulumi preview --diff

locally, the correct bucket ARN for the lifecycle config resource is shown and there are no errors. When I run

pulumi up --yes

in CI, I get that error. Both local and CI versions are 3.57.1. Any help is appreciated!

I find it hard to do a sensible lockdown of GitHub Actions based on repositories using idp, because even though I am using a tool like https://github.com/iann0036/iamlive it means we have to bring up every stack as a admin user in AWS or just keep running the Action over and over again, basically brute forcing it. I don’t want to use

action:*

, but I also can’t help every single developer with what ever minor action they need added to their runner (it also pollutes our Pulumi Service history with a bunch of failures). I know I have asked this before, but I would love to get some input from real world experience. Do people actually list out every specific action in each GitHub Action, or do they use wildcards?

Does it normally take a couple hundred seconds (>400 on last execution) to delete an

aws:ecs:Service

?

Going in circles trying to understand building an arm64 docker image for aws lambda on github actions. It looks like there’s a feature in the works to support multi-arch builds, but is there a workaround in the mean time?

👋 Hi everybody, I’m struggling with SSO authentication when using SSO token provider config. Legacy non-refreshable configuration works fine, but I’m curious to know if there’s a way to configure token provider properly as a default preferred auth. Any docs or ideas on that?

So I’m setting up Pulumi Deployments and have set up an OIDC provider and role in an AWS account that Pulumi deployment executor can assume. Now… any recommendations for set up if different stacks are in different AWS accounts? E.g. we have

dev

,

staging

, and

prod

stacks each in a separate account. Do I need to set up the OIDC provider and role to assume in every account? Or can I have one and somehow use cross-account role assuming?

Anyone knows if there somewhere is type definitions for ECS TaskDefs? Docs just use

JSON.toString({...})

:S (for TypeScript)

I couldn’t see any advice online so I’ve written a blog about implementing Feature flags with Pulumi. It demonstrate how to exploit the Pulumi configuration system and deploy stacks with optional features while maintaining a single source code branch. It references demo repo using a very simple AWS python project. Comments/feedback welcome!

Hello bros, does anyone have an example of aws glue with s3 with pulumi? 💌

Morning! I've just joined this Slack group so not sure if this is the right channel...but here goes. I'm trying to apply a major version upgrade to an RDS instance. I've changed

engineVersion

to 14 and tried to run

pulumi preview

, but I get this very strange error:

panic: fatal: An assertion has failed: Expected diff to not require deletion or replacement during Update of <urn redacted>

This worked in another environment, so I'm not sure what is causing this. Anyone seen this before?

Hello everyone ! I’m trying to setup a full ecr-fargate-ecs pipeline with Pulumi. I need to pass some secrets stored in secrets manager to my image. I’ve declared a

FargateService

with a

taskDefinitionArgs

and gave it a

taskRole

and

executionRole

with an Role containing the right permissions to retrieve secrets (‘secretsmanager:GetSecretValue’, ‘kms:Decrypt’ and ‘ssm:GetParameters’). But i’m stuck with an error:

RessourceInitializationError: unable to pull secrets or registry auth: execution resource retrieval failed: unable to retrieve secrets from ssm: service call has been retried 1 times): Invalld ssm parameters

I was unaware that secrets manager uses ssm store parameter under the hood since i have not set any parameter store. Does anyone has any idea to help me figure this ? Thanks in advance 🙏

Hello, I need to configure kubelet on my EKS cluster as indicated here. Does anyone have any experience with this with Pulumi?

Hi, does anyone has experience on how to create Oracle rds instance using pulumi aws with supplemental logging enable for DMS connectivity? I tried using rds.OptionGroup() but not getting proper option_name to setup option group.

Is it possible to create an RDS instance that does not have suffix characters in the DB identifier? I have tried setting the

name

attribute but I still keep getting a DB identifier

nameXXXXXXX

snippet of code

const rds = new aws.rds.Instance(dbName, {
        name: dbName,
        engine: 'mysql',
        username: mysqlUser,
        password: mysqlPassword,
...});

Hi, I am new to pulumi and IAC in general so let me know if this is not the rirght place to ask this question. I am currently trying to setup our companies initial infrastructure which I would like to use ECS + fargate services to keep the management of docker containers pretty low touch. I am currently envisioning a ECS cluster that will run three different example services. - two of which will be accessible to the public internet which also have access to services within the VPC. - web server - api server - One which is not but has access to other services within the VPC (ex: RDS) - background workers First given that I am new to IAC and pulumi I have been trying to follow the example here with Pulumi Crosswalk and changed it a bit (see thread for code). The idea that I was going for with these tweaks was to use a public image

nginx:latest

(for example) + add a ALB as well just to make sure that this works and I can reach it at a public IP. However I am running into the following issue and not really sure what the issue is

error: Error: invocation of aws:ec2/getVpc:getVpc returned an error: invoking aws:ec2/getVpc:getVpc: 1 error occurred:
      * no matching EC2 VPC found


        at Object.callback (/snapshot/awsx/node_modules/@pulumi/pulumi/runtime/invoke.js:148:33)
        at Object.onReceiveStatus (/snapshot/awsx/node_modules/@grpc/grpc-js/src/client.ts:338:26)
        at Object.onReceiveStatus (/snapshot/awsx/node_modules/@grpc/grpc-js/src/client-interceptors.ts:426:34)
        at Object.onReceiveStatus (/snapshot/awsx/node_modules/@grpc/grpc-js/src/client-interceptors.ts:389:48)
        at /snapshot/awsx/node_modules/@grpc/grpc-js/src/call-stream.ts:276:24
        at processTicksAndRejections (node:internal/process/task_queues:78:11)
    error: Error: failed to register new resource pulumi-service [awsx:ecs:FargateService]: 2 UNKNOWN: invocation of aws:ec2/getVpc:getVpc returned an error: invoking aws:ec2/getVpc:getVpc: 1 error occurred:
      * no matching EC2 VPC found

Hi all! I have a problem when try to make a

pulumi up -r

on a stack with:

export const directory = new aws.directoryservice.Directory(
  'credijusto',
  {
    edition: 'Standard',
    name: '<http://ds.credijusto.info|ds.credijusto.info>',
    password: '',
    size: 'Small',
    type: 'MicrosoftAD',
    vpcSettings: {
      subnetIds: ['subnet-0d8a88b0bcacb298c', 'subnet-0a10d5aad6b1ada7c'],
      vpcId: vpc.id,
    },
    tags: config.tags,
  },
  {
    protect: true,
  },
);

I receive:

Diagnostics:
  aws:directoryservice:Directory (credijusto):
    error: aws:directoryservice/directory:Directory resource 'credijusto' has a problem: Missing required argument: The argument "password" is required, but no definition was found.. Examine values at 'Directory.Password'.

So, at first I have realised that the password in the new version of the aws npm library can't be empty. So, I put the password that Admin user has on the AD. But Pulumi try to recreate the resource, and I don't want to. I think that there is a bug, because if I put 'password' on ignoreChanges Pulumi said that password is mandatory. So at this time, i think that I have no solution.

How can I modify the stack file with the encrypted password to avoid Pulumi tries to recreate the resource?

I have a situation that I'm not able to figure out at this moment. When creating an S3 bucket with Pulumi, our Cloud alarms get triggered because the S3 bucket is created with a "private" acl and then the BucketPublicAccessBlock is then applied after the fact. The issue is that for a few seconds, the bucket is technically "public" in the eyes of the alarm and automated intervention occurs. Is there a way to avoid to potentially avoid this situation?

I'm reading the AWSx docs here, which have cluster creation: https://www.pulumi.com/docs/reference/pkg/nodejs/pulumi/awsx/classic/ecs/#clusters Has something changed as Cluster does not exist as part of ecs? Or is that intending to use awsx-classic?

awsx.ecs.Cluster

I've been working with the pulumi awsx package to set up a VPC and encountered an issue where only the VPC was set with IPv6 cidr block, but not the subnet. I've set the "assignGeneratedIpv6CidrBlock" parameter to true in the awsx.ec2.Vpc config. Is it not possible for the subnet to automatically assigned ipv6 cidr? If the subnet cannot be automatically assigned an IPv6 CIDR, how can I update it?

Can anyone share the correct config for a Lambda whose code is hosted in S3? Getting

code: Cannot assign type 'string' to type 'archive'

from below:

service:
  type: aws:lambda:Function
  properties:
    role: ${lambda-role.arn}
    code: s3_bucket
    memorySize: 512
    runtime: "go1.x"
    s3Bucket: mybucket
    s3Key: service.zip
    timeout: 15
    environment:
      variables:
        foo: bar

Edit- solved. Documentation is misleading.

code

should not be used for type

s3_bucket

Hi all, I'm struggling to find documentation for creating & configuring "Scheduled tasks" for an ECS cluster. Can someone point me to it?

Hey folks. I am trying to update an AWSx VPC to have one public Subnet, one private subnet then a final subnet in each VPC that will be responsible for attaching to TGWs. has anyone done this before?

I had a AWS Role resource that I imported into a stack that I left as “protected” — it’s the AWSControlTowerAdmin role that control tower creates out the box. I want to use Pulumi to lock down this role a bit more as per AWS documentation. I successfully ran the stack and brought the role under Pulumi management. I now want to refactor the code and I moved the resource into a

ComponentResource

. When I rerun the stack, it doesn’t recognize it as an update and instead tries to recreate the resource. It fails because `creating IAM Role (AWSControlTowerAdmin): EntityAlreadyExists: Role with name AWSControlTowerAdmin already exists`… any thoughts on the correct approach to this?

Hey everyone, I have a resource in mongodb atlas that is made outside pulumi. I use one of the get functions to get the information on the resource, the specifics of this is getting a connection string. Additionally I am creating a privatelink from aws to mongodb atlas. When the privatelink is created the connection string is populated with the values I need. And then i take those values and save it to the secrets manager. i have my secret dependent on the privatelink being created and for the

secret_string

param i am using an

apply

function to transform the Output. The issue i am having is that event though the secret is dependent on the private link, the

apply

runs before the privatelink finishes causing my build to error out. Does anyone know how to make the apply wait until a resource is finished being created? Here is a mock code snippet to help with context:

aws_endpoint_service = aws.ec2.VpcEndpoint(
    f"{environment}-aws-vpc-endpoint",
    vpc_id=vpc_configs["vpc_id"],
    service_name=mongo_private_link_endpoint.endpoint_service_name,
    vpc_endpoint_type="Interface",
    subnet_ids=vpc_configs["subnet_ids"],
    security_group_ids=vpc_configs["security_group_ids"],
)
mongo_private_link_endpoint_service = mongodbatlas.PrivateLinkEndpointService(
    f"{environment}-PrivateLinkEndpointService",
    project_id=mongo_private_link_endpoint.project_id,
    private_link_id=mongo_private_link_endpoint.private_link_id,
    endpoint_service_id=aws_endpoint_service.id,
    provider_name="AWS",
)
cluster = mongodbatlas.get_cluster(
    name=mongo_configs["cluster_name"], project_id=mongo_configs["project_id"]
)

secret = aws.secretsmanager.Secret(
        resource_name=f"{environment}_mongo_connections",
        name=f"{environment}_mongo_connections",
        opts=ResourceOptions(delete_before_replace=True),
        recovery_window_in_days=0,
    )
secret_version = aws.secretsmanager.SecretVersion(
        resource_name=f"{environment}_mongo_connections",
        secret_id=secret.arn,
        # the id does not exist until the endpoint service is created
        # but the apply runs before it finishes causing a failure
        secret_string=cluster.connection_strings.apply(
            lambda x: json.dumps({"private_connection": f"{x[0].get(mongo_private_link_endpoint_service.id).split('://')[1]}"}
                                 )
            ),
        opts=ResourceOptions(depends_on=[mongo_private_link_endpoint_service]),
    )