hey guys, i'm not sure whether this is a pulumi issue or an AWS issue.. we have an elasticache cluster in our stack that was created with compatibility version:

6.x

eg:

const redis = new Cluster(ResourceName("redis"), {        
        engine: "redis",
        engineVersion: "6.x",
        nodeType: "cache.t3.micro",
        numCacheNodes: 1,
        parameterGroupName: "default.redis6.x",
        port: 6379,
        subnetGroupName: redisSubnetGroup.name,
        securityGroupIds: [redisSecurityGroup.id]
...

i'm trying to upgrade it to version 7 but not having any luck.. i change to:

...
        engineVersion: "7.x",
        parameterGroupName: "default.redis7",
...

and i get the following error:

Error updating ElastiCache cluster (kp-au-test2-redis-9221ace), error: InvalidParameterCombination: Cannot find version 7.x for redis

i also tried specifying

engineVersion: "7.0"

,

engineVersion: "7"

and

engineVersion: "7.0.7"

and each time, i get the error:

engine_version: Redis versions must match <major>.x when using version 6 or higher, or <major>.<minor>.<bug-fix>

would anybody have any clues what we might be doing wrong?

Hi! I have deployed the global accelerator of aws with pulumi. Currently, When I check the pulumi resource, the ga is fine, but if I run

pulumi preview

, it tries to create the same resource. Do anyone happen to know the reason for this?

Hey there everyone! Hope you're all doing well. I'm looking for some insights on maintaining resource tag hygiene in AWS environments. I'd love to hear your thoughts on how you standardize and enforce resource tags across your teams, projects, and deployments. Additionally, I'm currently working on a tool to help with tags hygiene, and I would be thrilled to receive any feedback or comments from you all. If anyone is interested in working more closely with me on this, feel free to DM me or drop a note in the comments. Thank you all in advance for your help and support!

Hi, does anyone have a recommended helm chart for EKS log shipping? The incubator fluentd-cloudwatch uses the old rbac api so I’m struggling to deploy it to a 1.24 k8s ver EKS

Hi all, I'm trying to destroy a stack that creates a VPC however I am getting the below error. Is anyone able to assist?

aws:ec2:Vpc (eu-west-1-sandbox):
    error: deleting urn:pulumi:core-sandbox::core::aws:ec2/vpc:Vpc::eu-west-1-sandbox: 1 error occurred:
        * error deleting EC2 VPC (vpc-082befcf081fca371): DependencyViolation: The vpc 'vpc-082befcf081fca371' has dependencies and cannot be deleted.

For some reason, when I run

pulumi up

on a stack that includes a ecr Repository and a RepositoryPolicy, it thinks the policy is different every run:

# Allow app subaccounts to pull from image repository
repository_policy = aws.ecr.RepositoryPolicy(
    "repository-policy",
    repository=repository.name,
    policy={
        "Version": "2012-10-17",
        "Statement": [
            {
                "Sid": "AllowCrossAccountPull",
                "Effect": "Allow",
                "Principal": {
                    "AWS": [
                        f"arn:aws:iam::{account_id}:root"
                        for account_id in ALLOWED_ACCOUNT_IDS
                    ]
                },
                "Action": [
                    "ecr:BatchCheckLayerAvailability",
                    "ecr:BatchGetImage",
                    "ecr:GetDownloadUrlForLayer",
                ],
            }
        ],
    },
)

Does anyone have an example for apigatewayv2 with aws-native?

Hello! I'm having a strange problem with setting up an eks cluster. I've inherited an older pulumi codebase, which is used in part to manage an EKS cluster. The cluster is at version 1.25. However, when pulumi is setting up the vpc cni, it complains about

error: no matches for kind "CustomResourceDefinition" in version "<http://apiextensions.k8s.io/v1beta1|apiextensions.k8s.io/v1beta1>"

. The issue is similar to https://github.com/pulumi/pulumi-eks/issues/720. I attempted to fix this issue by upgrading to the latest

@pulumi/eks

, but the problem persists, and pulumi keeps trying to use

kubectl

to apply an older

amazon-k8s-cni.yaml

file.

Hello. I would like to use

preview --expect-no-changes

in combination with feature flags to confirm that no changes will happen in

prod

when I enable a feature flag in

dev

. This is mostly successful apart from aws.dms.ReplicationTask which always detects an update even if the code has not changed, regardless of whether the tasks are stopped. Is that the expected behaviour? I’ve pasted the code in the thread if helpful.

I’m running into an issue creating a role with the AWS Native. The code I’m using is:

const clusterRole = new aws_native.iam.Role("clusterRole", {
  assumeRolePolicyDocument: {
  statements: [{
      effect: "Allow",
      principals: [{
          type: "Service",
          identifiers: ["<http://eks.amazonaws.com|eks.amazonaws.com>"],
      }],
      actions: ["sts:AssumeRole"],
  }],
  managedPolicyArns: [
    "arn:aws:iam::aws:policy/AmazonEKSClusterPolicy",
    "arn:aws:iam::aws:policy/AmazonEKSVPCResourceController",
  ]
}});

And I’m getting the error:

aws-native:iam:Role (clusterRole):
    error: resource partially created but read failed. read error: reading resource state: operation error CloudControl: GetResource, https response error StatusCode: 400, RequestID: ced5d4bf-8b4a-4987-a829-5d1a8ff2b2d5, ResourceNotFoundException: AWS::IAM::Role Handler returned status FAILED: The role with name clusterRole-88a77e3 cannot be found. (Service: Iam, Status Code: 404, Request ID: f31de7e3-6ebd-4082-b42b-4d0aa68d664b) (HandlerErrorCode: NotFound, RequestToken: 8c119a29-e230-499c-90e8-bb99b44bacc0), create error: operation CREATE failed with "InvalidRequest": Unknown field managedPolicyArns (Service: Iam, Status Code: 400, Request ID: 4fbfb53c-1468-4390-9503-1c624f6012ec)

Is

managedPolicyArns

not supported?

It looks like this might be a bug? pulumi is making a request with the field

managedPolicyArns

, but according to the AWS docs it should be

ManagedPolicyArns

" target type instance, which is incompatible with the awsvpc network mode specified in the task definition" , i got this issue when deploying ecs EC2 launch type , why its come when using network mode awsvpc ?

I’m trying to set up an eks cluster using

@pulumi/eks

and I consistently get these errors when it’s trying to install the nodeAccess config map and vpc-cni plugin:

kubernetes:core/v1:ConfigMap (supaglue-production-nodeAccess):
    error: configured Kubernetes cluster is unreachable: unable to load schema information from the API server: Get "<https://31D666DA6474E04F6D9BF247B0C4A017.gr7.us-west-2.eks.amazonaws.com/openapi/v2?timeout=32s>": getting credentials: decoding stdout: couldn't get version/kind; json parse error: json: cannot unmarshal array into Go value of type struct { APIVersion string "json:\"apiVersion,omitempty\""; Kind string "json:\"kind,omitempty\"" }

  eks:index:VpcCni (supaglue-production-vpc-cni):
    error: Command failed: kubectl apply -f /var/folders/5p/wkr3ydl163jg9b0t7vf_7h080000gn/T/tmp-31472OyZMmul3goiI.tmp
    Unable to connect to the server: getting credentials: decoding stdout: couldn't get version/kind; json parse error: json: cannot unmarshal array into Go value of type struct { APIVersion string "json:\"apiVersion,omitempty\""; Kind string "json:\"kind,omitempty\"" }

Is the kubeconfig that is generated incorrect? It seems like it may be? Has anyone seen this before?

Question regarding using the AWS Crosswalk ALB and attempting to use multiple AWS managed certificates for

443

listener. It is unclear to me the correct way to add multiple SSL CERTs for a

443

listener. I wrote some code below, however I suspect i might be misunderstanding how to use pulumi inputs/outputs correctly so If anyone can point me to the right direction that would be greatly appreciated. Example code in 🧵 .

Hello. I'm trying to major version upgrade a Postgres RDS resources in AWS (13.8 to 14.6) and am seeing an error. I haven't been finding much on the error via google, but I did find this slack channel so I thought I'd ask here! I changed this

aws.rds.Cluster(engine_version="14.6")

and am getting this message

Failed to modify RDS Cluster (cluster-name) InvalidParameterCombination: The current DB cluster parameter group parameter-group-name is custom. You must explicitly specify a new DB cluster parameter group, either default or custom, for the engine version upgrade.

the error suggested creating a new cluster parameter group, so I changed this original code:

pg_name = "parameter-group-name"
parameter_group = ClusterParameterGroup(
    pg_name,
    name=pg_name,...)

Cluster(...
    db_cluster_parameter_group_name=parameter_group.name,...)

I only changed

pg_name="parameter_group-name-versioned"

and now pulumi shows it wants to create the new parameter group but still get the same error. what else is needed?

I am trying to create a ALB that forces users to use HTTPS when serving. I thought this would be how to solve it, but it doesn't seem like it is working. Has anyone had success in doing this?

const lb = new awsx.lb.ApplicationLoadBalancer(`${prefix}-lb`, {
  listeners: [
    {
      protocol: 'HTTPS',
      port: 443,
      sslPolicy: 'ELBSecurityPolicy-2016-08',
      certificateArn: sslCertificateArn,
    },
    {
      protocol: 'HTTP',
      port: 80,
      defaultActions: [
        {
          type: 'redirect',
          redirect: {
            port: '443',
            protocol: 'HTTPS',
            statusCode: 'HTTP_301',
          },
        },
      ],
    },
  ],
  defaultTargetGroup: {
    port: 80,
    protocol: 'HTTP',
  },
});

Getting the following error when attempting to create a single network policy for AWS OpenSearch Serverless

error: resource partially created but read failed

. This is using aws-native (0.55.0). I didn't see any support elsewhere. Any thoughts?

Dear all, I am setting up an AWS Lambda with internet access to make a request to an API. I am not sure if the following configuration works as expected. Is this the right place to ask for feedback?

I see both •

pulumi:providers:aws                                    default_5_30_0

and •

pulumi:providers:aws                                    default_5_33_0

in a single

pulumi stack -i

output. Should I be worried about them? I'm troubleshooting some mysterious flip-flop between empty and stale values of AWS default tags on my resources, and I'm wondering if the duplicated providers are the culprit (though I know little about them)

Hi all! Is there any way to deploy containers to EC2 instance using pulumi_aws.ec2.Instance without using user_data?

👋 Hi, Is there a way to fetch the EBS default encryption key using the the

@pulumi/aws-native

provider?

Anyone else migrating from

awsx.ecr.Image

to

docker.Image

?

Good morning. I've been looking at an issue with AWS Crosswalk and using IPAM with VPCs. While that's an issue, it seems that the project has been stale for about a month. Is there anyone keeping an eye on this within Pulumi? https://github.com/pulumi/pulumi-awsx

Hi folks. I'm trying to import an ACM cert defined in the

us-east-1

region, but keeps getting a

resource does not exist

error, despite having explicitly defined the provider. This is how I'm doing it:

pulumi import 'aws:acm/certificate:Certificate' cert arn:aws:acm:us-east-1:<account id>:certificate/<cert id> --provider '<name>=<arn>'

My program code is using another default region, but I've defined a

us-east-1

provider explicitly for this

Hello! I'm trying to get a kms key using its alias, basically the first line of this example: https://www.pulumi.com/registry/packages/aws/api-docs/kms/getkey/#example-usage I get the following error: Exception: invoke of awskms/getKeygetKey failed: invalid value for key_id (must be a KMS Key ID) () I'm using pulumi 3.60.1 with python. Thanks in advance for your help!

Hello, I'm a long time CDK user and I want to give Pulumi a try. Is there any benchmark/comparison on the deployment speed between CDK and Pulumi (which is basically Cloudformation vs Terraform?)

As you know, S3 is a "global" service; for example, if I arbitrarily pick

eu-west-3

aka Paris region which I've never used before,

aws s3 --region eu-west-3 ls

can enumerate all my buckets from all AWS regions. This Python script does the same:

import logging
import pprint

import boto3
import boto3.session


boto3.set_stream_logger('', 0)
s = boto3.session.Session(region_name='eu-west-3')
s3 = s.client('s3')
pprint.pprint(s3.list_buckets()['Buckets'], width=200)

However when I ran

GetBucket.Invoke(GetBucketInvokeArgs(Bucket="my-bucket"))

(I'm using .NET & AWS Classic provider) I got this error

Failed getting S3 bucket (my-bucket): BucketRegionError: incorrect region, the bucket is not in 'ap-northeast-1' region at endpoint '', bucket is in 'ap-southeast-1' region

For now, I'm going to set up a

Provider

object for each cross-regional reference to an S3 bucket, as I believe that will unblock me. But I can't help but feel that this is an unnecessary chore. Did I overlook anything?

I'm trying to use the AWS Native module to make an ECS Task Definition and service. I gave up on the service because I kept getting. error: unrecognized resource type (Check): aws-nativeecsService and now I'm getting error: unrecognized resource type (Check): aws-nativeecsTaskDefinition for one of my task definitions, but not the other, both of which use similar code. Can anyone help me understand what this error means?

Anyone know how to create an MSK cluster and manage its topics with Pulumi? Can't seem to find any documentation or examples for combining those two things.

Dear Pulumi people 🙂 I have manually created an EC2 instance and have created all other resources (S3, Lambda, IAM, ...) with pulumi. Next, I would like to set up the EC2 instance with pulumi and add an autoscaling behavior. I guess EC2 is the right choice because we need GPU power. Which workflows or articles do you recommend to set it up such, that I get 0 or more EC2 instances, depending on the load? How should the load be detected? By AWS or via some other measurement (e.g. a metric derived from prefect 2 workflow orchestration). Thanks in advance 🙏