pulumi-community #general

Channels

general

chilly-photographer-60932

06/09/2019, 4:01 PM

I am running into an error for

aws

vpc

with

AccessDenied

. https://asciinema.org/a/XDK4ZRawRIDXYUEW8aNDGj5fZ and here is the sample code

import * as awsx from '@pulumi/awsx';

const vpc = new awsx.ec2.Vpc('custom', {
  cidrBlock: '10.0.0.0/16',
  numberOfAvailabilityZones: 3,
  subnets: [
    { type: 'public' },
    { type: 'private' },
    { type: 'isolated', name: 'db' },
    { type: 'isolated', name: 'redis' }
  ]
});

It is failing with this error

invocation of aws:index/getAvailabilityZones:getAvailabilityZones returned an error: invoking aws:index/getAvailabilityZones:getAvailabilityZones: Error fetching Availability Zones: UnauthorizedOperation: You are not authorized to perform this operation.

I am able to get the

aws ec2 describe-availability-zones
{
    "AvailabilityZones": [
        {
            "State": "available",
            "Messages": [],
            "RegionName": "us-east-1",
            "ZoneName": "us-east-1a",
            "ZoneId": "use1-az1"
        },
        {
            "State": "available",
            "Messages": [],
            "RegionName": "us-east-1",
            "ZoneName": "us-east-1b",
            "ZoneId": "use1-az2"
        },
        {
            "State": "available",
            "Messages": [],
            "RegionName": "us-east-1",
            "ZoneName": "us-east-1c",
            "ZoneId": "use1-az4"
        },
        {
            "State": "available",
            "Messages": [],
            "RegionName": "us-east-1",
            "ZoneName": "us-east-1d",
            "ZoneId": "use1-az6"
        },
        {
            "State": "available",
            "Messages": [],
            "RegionName": "us-east-1",
            "ZoneName": "us-east-1e",
            "ZoneId": "use1-az3"
        },
        {
            "State": "available",
            "Messages": [],
            "RegionName": "us-east-1",
            "ZoneName": "us-east-1f",
            "ZoneId": "use1-az5"
        }
    ]
}

Which permissions am I missing? Thanks

average-dream-51210

06/09/2019, 8:37 PM

Hmm, if I create an S3 Bucket Policy, that has cognito authorizers and cloudfront stuff in the policy, is there anyway to 'wait' for the output variables in cognito and cloudfront?

average-dream-51210

06/09/2019, 8:37 PM

Do I do a 'depends on'?

tall-librarian-49374

06/10/2019, 7:59 AM

While I'm working with a local version of pulumi/azure JS SDK with yarn link, how does it determine which plugin version to load? I believe I have all the latest, but it still tries to load 0.18.2:

could not load plugin for azure provider 'urn:pulumi:dev::azure-play::pulumi:providers:azure::default': no resource plugin 'azure-v0.18.2' found in the workspace

. Is this what the stack remembered to use? I seem to have reset it by unlinking, referencing the latest in package.json, running

pulumi up

, and then linking again. Is there an easier way?

boundless-room-36997

06/10/2019, 10:30 AM

Hi guys, can I use pulumi to provide just bare metal hosted servers (without k8s, etc) ?

little-summer-88406

06/10/2019, 12:00 PM

How long does it take Pulumi release to incorporate actions that on a cli would be prefix with beta.. e.g.

boundless-room-36997

06/10/2019, 2:22 PM

How pulumi copes with a team changing and applying the same infrastructure at the same moment ? So if a team have X members and they all are changing and applying changes at the same moment - how pulumi locks resources ?

stocky-spoon-28903

06/10/2019, 2:35 PM

@boundless-room-36997 it doesn’t: it locks entire stacks

stocky-spoon-28903

06/10/2019, 2:35 PM

So prevents concurrent modification like that

chilly-photographer-60932

06/10/2019, 3:19 PM

import * as awsx from '@pulumi/awsx';

export const vpc = new awsx.ec2.Vpc('custom', {
  cidrBlock: '10.0.0.0/16',
  numberOfAvailabilityZones: 3,
  subnets: [
    { type: 'public' },
    { type: 'private' },
    { type: 'isolated', name: 'db' },
    { type: 'isolated', name: 'redis' }
  ]
});

export const sg = new awsx.ec2.SecurityGroup('sg', { vpc });
awsx.ec2.SecurityGroupRule.ingress(
  'https',
  sg,
  new awsx.ec2.AnyIPv4Location(),
  new awsx.ec2.TcpPorts(443),
  'allow https access'
);
awsx.ec2.SecurityGroupRule.ingress(
  'ssh',
  sg,
  new awsx.ec2.AnyIPv4Location(),
  new awsx.ec2.TcpPorts(22),
  'allow ssh access'
);

For this above code I am running into this error

aws:ec2:SecurityGroup (sg):
    error: Plan apply failed: Error creating Security Group: InvalidParameterValue: Value (sg-34e72cd) for parameter GroupName is invalid. Group names may not be in the format sg-*.
    	status code: 400, request id: 5a65b4e8-298c-4b18-9e85-94c61d7e19b4

Looks like the

sg

with an

is an issue. Am I doing something wrong? Or is it a bug?

boundless-monkey-50243

06/10/2019, 6:31 PM

I’m not sure if I’ve found a bug or not, but when I do

pulumi login <s3://my-pulumi-bucket/something>

(assuming that data will be stored in

<s3://my-pulumi-bucket/something/.pulumi>

), instead everything ends up in

<s3://my-pulumi-bucket/.pulumi>

. This is really unexpected. Is it intentional behavior?

boundless-monkey-50243

06/10/2019, 7:45 PM

Related to a prior question - how does one tell a

pulumi.StackReference

to look at a stack in another S3 bucket, by stack name? i.e., I’m in

bar-deploy

, I need to access

foo-deploy

, but I need to specifically get outputs from the

dev

stack (use case: there might be multiple

bar-deploy

stacks using

foo-deploy

dev

as their backend). How can I express this?

proud-alarm-92546

06/10/2019, 11:08 PM

awsx.elasticloadbalancingv2.ApplicationLoadBalancer..... ipAddressType: config.ipAddressType,

anyone want to help me type this properly? a config string isn't it... it seems to want:

ipAddressType?: pulumi.Input<"ipv4" | "dualstack">;

TSError: ⨯ Unable to compile TypeScript:
    index.ts(65,87): error TS2345: Argument of type '{ name: string; vpc: Vpc; external: true; ipAddressType: string; securityGroups: SecurityGroup[]; subnets: Output<string>[]; }' is not assignable to parameter of type 'ApplicationLoadBalancerArgs'.
      Types of property 'ipAddressType' are incompatible.
        Type 'string' is not assignable to type '"dualstack" | "ipv4" | Promise<"dualstack" | "ipv4"> | OutputInstance<"dualstack" | "ipv4"> | undefined'.
    index.ts(136,64): error TS7006: Parameter 'hostname' implicitly has an 'any' type.

broad-dog-22463

06/10/2019, 11:10 PM

@proud-alarm-92546 how are you getting that, that PR isn't even merged in pulumi-aws yet for that type...

proud-alarm-92546

06/10/2019, 11:10 PM

awsx

broad-dog-22463

06/10/2019, 11:10 PM

@lemon-spoon-91807?

little-summer-88406

06/11/2019, 7:07 AM

Is there a way to call out to gcloud operations like gcloud beta source project-configs update --add-topic=[TOPIC_NAME] --service-account=[SERVICE_ACCOUNT_NAME] which aren't incorporated into pulumi types yet? I guess it would need something like up/down like a db migration

lively-coat-66786

06/11/2019, 2:25 PM

Hi, I'm trying to create Pulumi Node.js program in TypeScript to provision AWS services to multiple regions in one go, using @pulumi/awsx; I’m having trouble understanding what I’m doing wrong while trying to create VPCs in a loop. The regions get mixed while the program tries to create route tables and subnets, like this:

aws:ec2:RouteTable (vpc-test-us-east-2-private-0):
    error: Plan apply failed: Error creating route table: InvalidVpcID.NotFound: The vpc ID 'vpc-03f05ae1180c62fd2' does not exist

multiregion.zip

worried-engineer-33884

06/11/2019, 5:33 PM

Is it possible to change our organization name?

limited-rainbow-51650

06/11/2019, 6:58 PM

Are there already best practices to structure Pulumi code? Do we need multiple “stacks” like in TF land, using “remote state”? Any blog articles that could bootstrap me?

boundless-monkey-50243

06/11/2019, 7:12 PM

[solved] Welp - seems like when it rains, it pours. I'm on a Fedora 29 machine; I decided to update to get rid of the version nag and I've just updated (using

curl | sh

) to the most recent version of Pulumi; I now get a panic (listed in thread) whenever I try to run anything and on my side I've relogged in a new shell, run

npm rebuild

, etc. It seems so out of the ordinary that it seems likely to be an issue on my end of things, but perhaps somebody's seen it before (or has some "nuke it from orbit" advice)?

elegant-crayon-4967

06/11/2019, 7:46 PM

[Solved] When using

import * as aws from "@pulumi/aws";

command, I get errors assigning values via a variable to my ec2 instanceType, but if I use the old format

const aws = require("@pulumi/aws")

the error goes away and my code runs just fine. Thoughts?

orange-tailor-85423

06/11/2019, 7:52 PM

https://blog.pulumi.com/simplify-kubernetes-rbac-in-amazon-eks-with-open-source-pulumi-packages

orange-tailor-85423

06/11/2019, 7:52 PM

Running the above example code and getting failures in EKS:

thankful-telephone-29600

06/11/2019, 9:54 PM

hey all - i stood up the eks example and i'm trying to deploy a helm chart like the example, except it's a different one. it's failing to start and i think it's my syntax.

export const kubeconfig = cluster.kubeconfig;

const myk8s = new k8s.Provider("myk8s", {
    kubeconfig: cluster.kubeconfig.apply(JSON.stringify),
});

const nginx = new helm.v2.Chart("rancher-nginx", {
    namespace: "rancher",
    repo: "stable",
    chart: "nginx-ingress",
    values: {
        "rbac.create": "true"
    },
 }, { providers: { kubernetes: myk8s }});

busy-pizza-73563

06/12/2019, 8:55 AM

Hey there! I upgraded kubernetes from

1.13.4

1.14.3

and now when I do

pulumi up

on an existing stack I get

error: Plan apply failed: 1 error occurred:
    * SchemaError(io.k8s.api.core.v1.PodAntiAffinity): invalid object doesn't have additional properties

Ideas?

busy-pizza-73563

06/12/2019, 8:56 AM

(worth mentioning I have no

PodAntiAffinity

references in my code)

busy-pizza-73563

06/12/2019, 10:35 AM

Solved it by upgrading to latest versions (of

@pulumi/pulumi

@pulumi/kubernetes

and the

pulumi

CLI).

worried-engineer-33884

06/12/2019, 2:29 PM

Is there a way to poll for resource creation to reinforce a

dependsOn

relationship? We believe we are encountering an issue creating a resource that depends on an IAM RolePolicyAttachment that isn't quite ready when the dependent resource starts to create. https://docs.aws.amazon.com/IAM/latest/UserGuide/troubleshoot_general.html#troubleshoot_general_eventual-consistency

hundreds-coat-15657

06/12/2019, 2:32 PM

hey all...my team is evaluating on using pulumi teams, i was trying to find more documentation/info regarding the pulumi cloud console---I was wondering, how does the console manage/handle AWS keys/secrets (if it does store aws keys)? thanks!

Title

hundreds-coat-15657

06/12/2019, 2:32 PM

narrow-area-11460

06/12/2019, 2:34 PM

https://blog.pulumi.com/managing-secrets-with-pulumi -- should answer all your questions

hundreds-coat-15657

06/12/2019, 2:36 PM

thanks @narrow-area-11460! so if im reading this correctly, pulumi console CAN store AWS/cloud credentials but they are encrypted/hashed/other protections are applied to them?

white-balloon-205

06/12/2019, 2:37 PM

The Pulumi console does not need your AWS credentials. All of your deployments to AWS are done in the environments where you run the

pulumi

CLI - typically your CI/CD or deployment systems (or developer desktops). These credentials are used to talk to AWS, but never passed to Pulumi. The Pulumi console manages storage of the state file used to keep track of what resources are under management. Any secrets that may end up there (inputs or outputs to individual resources) can be fully encrypted as needed per the post @narrow-area-11460 references.

narrow-area-11460

06/12/2019, 2:44 PM

@hundreds-coat-15657 -- encryption is built-in in Pulumi service yes. I do not believe you need to bring your own custom key at this point for encryption? Did I understand that right?

hundreds-coat-15657

06/12/2019, 2:45 PM

@white-balloon-205 that makes sense, thanks so tldr is pulumi doesnt store creds directly but if creds are passed to the pulumi state files that end up on pulumis servers, those creds can be encrypted as needed

narrow-area-11460

06/12/2019, 2:51 PM

as @white-balloon-205 said AWS creds are not passed to the service and are not stored in the service. But if you pass a "secret" as part of the local configuration from the CLI, then it is encrypted and then this "secret" can be used in your Pulumi program to create resources in the cloud.

if you look through the example in the blog, this will make sense

👍 1

View count: 1