Hello, community. I have usage where each client gets their own schema in RDS DB. I managed to create all that with Pulumi (create user, create database, grant permissions). Everything is working nice with

pulumi up -s <stack_name>

. But the question is - what would be preferable way (or is it possible at all), not to tear down everything (schema, user data) when doing

pulumi down

?

I’m getting a “Your authorization token has expired” message when pulumi attempts to push an image to ecr, anyone else see this? Happens both on my laptop and in google actions. Sampling of messages from the log:

I0414 08:41:28.471215    5148 log.go:69] computeDefaultProviderPlugins(): summary of default plugins:
I0414 08:41:28.471219    5148 log.go:75]   command         = 0.7.1
I0414 08:41:28.471221    5148 log.go:75]   awsx            = 1.0.2
I0414 08:41:28.471222    5148 log.go:75]   docker          = 4.1.2
I0414 08:41:28.471224    5148 log.go:75]   aws             = 5.35.0
I0414 08:41:36.755674    5148 log.go:75] Explicitly ignoring and discarding error: no git repository found from /Users/[...]
I0414 08:41:37.246940    5148 log.go:75] newUpdateSource(): failed to install missing plugins: could not get latest version for plugin pulumi: 404 HTTP error fetching plugin from <https://api.github.com/repos/pulumi/pulumi-pulumi/releases/latest>. If this is a private GitHub repository, try providing a token via the GITHUB_TOKEN environment variable. See: <https://github.com/settings/tokens>
I0414 08:41:50.086882    5148 log.go:75] eventSink::Info(<{%reset%}>Pushing Image to the registry<{%reset%}>)
I0414 08:41:50.195317    5148 log.go:75] eventSink::Info(<{%reset%}>The push refers to repository [....<http://dkr.ecr.us-east-2.amazonaws.com/...|dkr.ecr.us-east-2.amazonaws.com/...>]<{%reset%}>)
I0414 08:41:50.912196    5148 log.go:75] provider received rpc error `Unknown`: `denied: Your authorization token has expired. Reauthenticate and try again.`
I0414 08:41:50.912203    5148 log.go:75] rpc error kind `Unknown` may not be recoverable
I0414 08:41:50.912265    5148 log.go:75] eventSink::Error(<{%reset%}>denied: Your authorization token has expired. Reauthenticate and try again.<{%reset%}>)
I0414 08:41:51.056814    5148 log.go:75] StepExecutor worker(19): step update on urn:pulumi:dev::[...]::docker:index/image:Image::[...] failed with an error: denied: Your authorization token has expired. Reauthenticate and try again.

Hi friends - I wrote a blog post about using pulumi to deploy a secure static site. It builds upon the pulumi example static site code with some lessons learned using this in production. It’s not behind a paywall or anything. You can read it on Medium. Does pulumi publish articles from its community? https://medium.com/@dmegbert/deploying-a-production-grade-static-site-on-aws-using-route53-cloudfront-and-s3-with-pulumi-17d95f9a283a

did someone had issue like this importing SQS? pulumi import "awssqs/queueQueue" eyal_sqs arnawssqseu west 1225051786593:eyal_sqs Previewing import (eyal) View in Browser (Ctrl+O): https://app.pulumi.com/cliotechweb/backend-stacks/eyal/previews/ca8f591c-7a61-4d18-9594-4dcb3ebc02c0 Type Name Plan Info pulumipulumiStack backend-stacks-eyal 1 error = └─ awssqsQueue eyal_sqs import 1 error Diagnostics: pulumipulumiStack (backend-stacks-eyal): error: preview failed awssqsQueue (eyal_sqs): error: Preview failed: refreshing urnpulumieyal:backend stacksawssqs/queueQueueeyal sqs 1 error occurred: * error reading SQS Queue (arnawssqseu west 1225051786593:eyal_sqs): InvalidAddress: The address arnawssqseu west 1225051786593:eyal_sqs is not valid for this endpoint. status code: 404, request id: 8a8abd60-01d8-5f15-aecb-e1cf2f027da8

Hi community, Has anyone ever had an issue with adding new GSI to the existing DynamoDb table which is "provisioned with auto-scalling" and has at least 1 replica ? I'm already ignoring update for "readCapacity" and "writeCapacity" as recommended on the pulumi site. Error message: "updating Amazon DynamoDB Table (table name): creating GSI (GSI name): ResourceInUseException: The resource which you are attempting to change is in use." I manage to deploy the change successfully on one of the regions but doing the same on another one isn't letting me do that change.

It seems that an update to Pulumi means that now AWS Lambda functions require code as part of the definition. When I import an existing lambda function that has an uploaded ZIP, I get a bunch of errors. Does this mean it's no longer possible to use

pulumi import

on AWS Lambdas? (when I use the AWS client, I see that there is a path to the current version definied, so there is already code...)

For those who keep separate workloads in separate AWS accounts, what do you do for Route53 when basically your entire set of application lives in a single domain?

I have the following function that creates a container-based lambda. It succeeds in building the image and tagging it with “latest” as well as a hash, but somehow the lambda is not being updated. Any ideas what’s wrong here?

This isn’t totally a pulumi question, but I’m looking to set up a new account under pulumi management with Route53 zone/domain, CloudFormation distribution, ACM certificate, and S3 bucket website…. I’m trying to migrate this from a legacy account. Does anyone have any suggestions on how to smoothly migrate the zone-domain/cf dist/cert? I can easily create all the resources in the new account, but it obviously hangs on the cert validation because I haven’t updated the top-level NS records to the new zone yet… Is it possible/advisable to temporarily set the validation record in the legacy hosted zone to get the validation across the finish line? Will that cause any trouble for my legacy certificate? Or my new one when I eventually delete the legacy hosted zone?

Hi, I’m trying to understand why

securityGroupIds

is a required field in the `vpcConfig` for AWS Lambdas. In my architecture, I have a lambda defined in the private subnet of a VPC and already attached a security group to the VPC. So when I’m associating the lambda with the subnet using

subnetIds

in

vpcConfig

, why do I necessarily have to respecify the securityGroupId too?

Hi, I was under the impression that

pulumi login s3://<bucket-name>

is going to create the self-managed backend automatically as bootstrap/initialization. Is this a wrong expectation or something I am missing here https://www.pulumi.com/docs/intro/concepts/state/#aws-s3 ?

we’ve recently migrated from an in environment where we’d run

AWS_PROFILE=admin pulumi up -s <org>/<stack>

(locally) to an environment where the instances we run on have the permissions the admin profile had as part of their instance profile. Now when we run

pulumi up -s <org>/<stack>

we get the following printed to our terminal:

The config profile (admin) could not be found

. At no point have we done

pulumi config set aws:profile admin -s <org>/<stack>

- so I’m pretty confused as to why this is showing up in the terminal. The message itself is definitely from the AWS SDK (this is well documented on the web). What’s not clear to me what part of pulumi is informing the SDK that the profile

admin

(specifically) is the correct profile. I’ve run

pulumi config get -s <org>/<stack>

for all of our stacks that use the AWS provider and I can confirm

aws:profile

is not present in any of them. Is anyone able to point me in the right direction to either silence this message, or determine whether it is a problem?

Hi all, Does Pulumi support EventBridge Pipe? https://docs.aws.amazon.com/eventbridge/latest/userguide/eb-pipes.html it seems to be exactly what I need but I can’t seem to find any info… seems like it’s not supported, but wanted to confirm.

Hi, I'm trying to work around an issue where EC2 instances launched by an EKS Node Group don't have names, because AWS doesn't propagate the Node Group name through to the instances. Someone has provided a workaround that involves adding a "Name" tag to the Auto-Scaling Group (ASG) that goes with the Node Group, and setting that to propagate to the EC2 instances. Unfortunately I cannot figure out how to do this in Pulumi. There doesn't seem to be a way to create a GroupTag, as it doesn't have a constructor. I think that's what the Terraform workaround is doing, but I am unfamiliar with reading Terraform.

Oh I may have found it - there's

aws.autoscaling.Tag

...

Hi. I'm using the

publicSubnetIds

property of awsx.ec2.DefaultVpc, but I realized that's returning all my subnet ids, both public and private. Is there a reason for that and a way to get around that?

Hi, I’m unable to upgrade to

@pulumi/aws

to a version >= 5.35.0 (changelog) on an existing stack because I get the following error:

panic: interface conversion: interface {} is nil, not map[string]interface {}

(full error message in thread 🧵) Does anyone know what I can do to remedy this?

Hi. I'm trying to attach a CrossWalk created ECS fargate service to share an ALB that's been created, but I'm struggling to get it to work. I've manually created a test service in management and tried to import that into my Pulumi stack to learn how it's wired up, but the import failed. Guidance is appreciated!

I am attempting to retrieve a VPC by its ID from a different stack, but I am encountering issues because the

fromExistingIds

method is no longer available in the latest version of the

awsx

library. Additionally, the

aws.ec2.getVpc()

method returns a different type than what is accepted as an argument when creating an

awsx.ecs.Cluster

resource.

Hey all ! I’ve been working on trying to get a Kubernates Cluster on AWS, but I’m having some issue resolving DNS names from there.

Does anyone know how to configure the

default_cache_behavior

for a CloudFront Distribution to use one of the AWS managed cache policies?

Has anyone tried implementing a dynamodb restore/import from s3, while doing a zero-downtime without data loss? I'm trying this now, by creating two Table's in my pulumi stack (blue green). and then having a seperate table deployer that manages the rollout, but it's getting very complicated. Are there any pointers out there for how this can be done?

Hello, I'm attempting to create a new EKS cluster, and I would like that the worker nodes have an extra security group that already exists as part of the old infrastructure. I've tried setting it in the field extra_node_security_groups, which is part of the node_group_options parameter, as shown in the snippet below. The cluster is instantiated, but the nodes aren't assigned the extra security group.

cluster = peks.Cluster(
  f"cluster-{project_name}-{stack_name}",
  vpc_id=vpc.vpc_id,
  subnet_ids=kube_subnets,
  node_associate_public_ip_address=False,
  enabled_cluster_log_types=[
    "api",
    "audit",
    "authenticator",
  ],
  tags=tags,
  node_group_options=peks.ClusterNodeGroupOptionsArgs(
    extra_node_security_groups=[db_security_group.id],
    min_size=config.get("min_size"),
    max_size=config.get("max_size"),
    desired_capacity=config.get("desired_capacity"),
    instance_type=config.get("instance_type")
  ),
  instance_role=cluster_node_role,
  provider_credential_opts=peks.KubeconfigOptionsArgs(profile_name="pulumi")
)

I also tried setting the security group as a parameter of the pulumi_eks.NodeGroupV2 constructor, but it didn't work either. In that case, I got an error message saying the security group didn't exist. Any ideas on what to try next?

I updated from

pulumi/awsx

from

0.40.0

to

1.0.2

and now preview that it wants to tear down all resources and recreate them 😱 Inspecting the diff I see the urn in the newer package is

awsx:ec2:Vpc

and for the old one:

awsx:x:ec2.Vpc

. Is there some way to lock the urn or avoid the replacement? I tried adding retainOnDelete and import .. but I can seem to get it to work

Hello everyone! Do you know if there is a way to configure some default tags (maybe written in an external config file) and then easily apply them to new project?

Hey guys, I set up some EC2 boxes with Pulumi and I noticed that when I updated the SSH key on them via Pulumi, the EC2 volume was totally wiped and I had to reinstall everything. How can I avoid this happening in the future? For reference, here is my Pulumi code:

interface CreateEc2InstanceArgs {
    name: string;
    stackName: string;
    instanceType: string;
    vpcId: pulumi.Output<string>;
    isPublic: boolean;
    enableHttp: boolean;
    sshPublicKey: string;
    rootBlockDevice: aws.types.input.ec2.InstanceRootBlockDevice;
    amiName?: string;
    userData?: string;
    useEip?: boolean;
  }    

const instance = new aws.ec2.Instance(instanceName, {
      instanceType,
      // For now we are assuming that if the EC2 instance is public then we want a public IP.
      // This may not necessarily be true if we put it behind a load balancer.
      subnetId,
      iamInstanceProfile,
      keyName: keyPair.keyName,
      associatePublicIpAddress: isPublic,
      rootBlockDevice: {
        ...rootBlockDevice,
        tags: { Name: volumeName, Stack: stackName },
      },
      vpcSecurityGroupIds: [securityGroup.id],
      ...(userData && { userData }),
      ami: ami.id,
      tags: { Name: instanceName, Stack: stackName },
    });

My understanding is it looks like Pulumi terminated the instance when I made an SSH key change. I tried setting

deleteOnTerminate

to

false

but that didn't seem to do anything

I am trying to get docker images with layer caching to work with Github actions. My understanding is that using the

cacheFrom

option is the solve: https://www.pulumi.com/blog/build-images-50x-faster-docker-v4/ What I don't fully understand is the behavior. If I just set

cacheFrom

to

true

is this sufficient if all my images are tagged with

latest

? Will this only pull the cached image if nothing has changed? Or will this know to pull the last image and start from the latest layer that invalidates the cache?

I was able to get it working with the pulumi docker package as such:

const image = new docker.Image(`${stackName}-image`, {
        build: {
          cacheFrom: {
              images: [pulumi.interpolate`${repo.repositoryUrl}:latest`],
          },
          context: `../../../${project}`,
          ...(dockerfileName && {
            dockerfile: `../../../${project}/${dockerfileName}`,
          }),
          args: dockerArgs,
          platform: "linux/amd64",
        },
        imageName: pulumi.interpolate`${repo.repositoryUrl}:latest`,
        registry: {
            password: pulumi.secret(authToken.password),
            server: repo.repositoryUrl,
            username: authToken.userName,
        },
    });

    return image.repoDigest as pulumi.Output<string>;

Anyone know what to pass in to fargate service? I tried the image name and it didn't work because it doesn't change (all the latest images have the same image name)