I'm trying to use the rolename which is the cluster.instanceRole of an EKS cluster which is of type OutputInstance<Role>..is it very misleading that when i do:

cluster.instanceRole.apply(role => role.arn)

This fails as empty or undefined in case of console.log(role.arn) It shows me all the aws.iam.Role properties fields but none of them exist other than the role itself which is actually a string. So I'm wondering If it's wrongly characterized and just should be a string ?

Figured it out when I did :

clusterInstanceRole.apply(role =>
    console.log(role)
);

FYI: https://github.com/pulumi/pulumi-eks/issues/83

I seem to be running into this failure a lot:

error: Plan apply failed: [WARN] A duplicate Security Group rule was found on (sg-002c2846717345a56). This may be
    a side effect of a now-fixed Terraform issue causing two security groups with
    identical attributes but different source_security_group_ids to overwrite each
    other in the state. See <https://github.com/hashicorp/terraform/pull/2376> for more
    information and instructions for recovery. Error message: the specified rule "peer: 0.0.0.0/0, TCP, from port: 8880, to port: 8880, ALLOW" already exists

It has something to do with

awsx.elasticloadbalancingv2.ApplicationLoadBalancer

, passing in

securityGroups

, and changing said security groups.

any one-liner pulumi commands that will give me just the stack name?

not all the output, resources etc … just stack name

I’m not good with grep etc. but it comes out in columns etc so not sure

If you’re OK with `jq`…

▶ p stack ls --json | jq '.[] | select(.current == true) | .name'
"webs"

ok nice - sorry, missed the json output option

no worries! 🙂

i love JQ, it’s great.

I want to make a little powerlevel9k snippet so I can see what stack I’m operating on at my prompt

im trying to use pulumi while also following along to this gke tutorial (https://cloud.google.com/kubernetes-engine/docs/tutorials/connect-to-cloud-pubsub-via-service-broker), which relies on a service catalog. I see a service catalog for aws (https://pulumi.io/reference/pkg/python/pulumi_aws/servicecatalog/), but im not sure if that'd work for this tutorial from google

Any idea whether these warnings are expected?

Diagnostics:
  pulumi:pulumi:Stack (aws-infra-aws-infra-dev):
    Method handler checkConfig for /pulumirpc.ResourceProvider/CheckConfig expected but not provided
    Method handler diffConfig for /pulumirpc.ResourceProvider/DiffConfig expected but not provided

Everything's working fine, they're just a bit annoying. 🙂

Also, shouldn't

k8s.Provider

have a

kubeconfig

field? I'm now forced to do

const cluster = new eks.Cluster('cluster', { ... });
export const kubeconfig = (<any>cluster.provider).kubeconfig;

Any way to get the URI for a ECR image if it was created with

awsx.ecs.Image.fromDockerBuild

?

Just wondering if Helm resource honours "helm.sh" helm hooks annotations, like "crd-install" to install crds before any other resources in the chart?

it uses helm template. so mostly yes.

My understanding that besides generating templates, helm will wait until resource with helm.sh/hook: crd-install" annotations are successfully created before creating other resources, eg it defines implicit dependency:

Hooks allow you, the chart developer, an opportunity to perform operations at strategic points in a release lifecycle

This is done on Tiller - is pulumi doing the same?

helm kind of does this but it's almost unusably immature. I'm on phone but I can link to docs in a bit. we do something stupider, but more effective: we retry cr creates when they fail to give operators time to create crds.

Do you retry deletes as well? I noticed that CRD deletion fails quite often

we've tested this on many thorny helm charts and at this point the sorts of bugs we encounter are basically all with charts themselves.

I believe we do. but most of the time crd deletes fail it's a bug in the chart.

eg the chart does not attempt to clean up. Prometheus operator is a good example.

if you have a counterexample I'd be happy to take a look

AWS noob here, is there a way to pin resources in a sub-zone? E.g. if I have

aws:region

set to

eu-central-1

, how can I pin resources to

eu-central-1b

, specifically?

@bored-dusk-76298 That depends on the resource.

Many are not zone or region specific - things like IAM policies. The primary way you constrain things to individual AZs is via placement into subnets which are in those AZs