general
  • c

    chilly-photographer-60932

    06/09/2019, 4:01 PM
    I am running into an error for `aws` `vpc` with `AccessDenied`. https://asciinema.org/a/XDK4ZRawRIDXYUEW8aNDGj5fZ and here is the sample code
    import * as awsx from '@pulumi/awsx';
    
    const vpc = new awsx.ec2.Vpc('custom', {
      cidrBlock: '10.0.0.0/16',
      numberOfAvailabilityZones: 3,
      subnets: [
        { type: 'public' },
        { type: 'private' },
        { type: 'isolated', name: 'db' },
        { type: 'isolated', name: 'redis' }
      ]
    });
    It is failing with this error
    invocation of aws:index/getAvailabilityZones:getAvailabilityZones returned an error: invoking aws:index/getAvailabilityZones:getAvailabilityZones: Error fetching Availability Zones: UnauthorizedOperation: You are not authorized to perform this operation.
    I am able to get the `aws ec2 describe-availability-zones`
    {
        "AvailabilityZones": [
            {
                "State": "available",
                "Messages": [],
                "RegionName": "us-east-1",
                "ZoneName": "us-east-1a",
                "ZoneId": "use1-az1"
            },
            {
                "State": "available",
                "Messages": [],
                "RegionName": "us-east-1",
                "ZoneName": "us-east-1b",
                "ZoneId": "use1-az2"
            },
            {
                "State": "available",
                "Messages": [],
                "RegionName": "us-east-1",
                "ZoneName": "us-east-1c",
                "ZoneId": "use1-az4"
            },
            {
                "State": "available",
                "Messages": [],
                "RegionName": "us-east-1",
                "ZoneName": "us-east-1d",
                "ZoneId": "use1-az6"
            },
            {
                "State": "available",
                "Messages": [],
                "RegionName": "us-east-1",
                "ZoneName": "us-east-1e",
                "ZoneId": "use1-az3"
            },
            {
                "State": "available",
                "Messages": [],
                "RegionName": "us-east-1",
                "ZoneName": "us-east-1f",
                "ZoneId": "use1-az5"
            }
        ]
    }
    Which permissions am I missing? Thanks
  • a

    average-dream-51210

    06/09/2019, 8:37 PM
    Hmm, if I create an S3 Bucket Policy that has cognito authorizers and cloudfront stuff in the policy, is there any way to 'wait' for the output variables in cognito and cloudfront?
  • a

    average-dream-51210

    06/09/2019, 8:37 PM
    Do I do a 'depends on'?
  • t

    tall-librarian-49374

    06/10/2019, 7:59 AM
    While I'm working with a local version of pulumi/azure JS SDK with yarn link, how does it determine which plugin version to load? I believe I have all the latest, but it still tries to load 0.18.2: `could not load plugin for azure provider 'urn:pulumi:dev::azure-play::pulumi:providers:azure::default': no resource plugin 'azure-v0.18.2' found in the workspace`. Is this what the stack remembered to use? I seem to have reset it by unlinking, referencing the latest in package.json, running `pulumi up`, and then linking again. Is there an easier way?
  • b

    boundless-room-36997

    06/10/2019, 10:30 AM
    Hi guys, can I use pulumi to provide just bare metal hosted servers (without k8s, etc.)?
  • l

    little-summer-88406

    06/10/2019, 12:00 PM
    How long does it take a Pulumi release to incorporate actions that on a cli would be prefixed with beta.. e.g.
  • b

    boundless-room-36997

    06/10/2019, 2:22 PM
    How does pulumi cope with a team changing and applying the same infrastructure at the same moment? So if a team has X members and they are all changing and applying changes at the same moment, how does pulumi lock resources?
  • s

    stocky-spoon-28903

    06/10/2019, 2:35 PM
    @boundless-room-36997 it doesn’t: it locks entire stacks
  • s

    stocky-spoon-28903

    06/10/2019, 2:35 PM
    So prevents concurrent modification like that
  • c

    chilly-photographer-60932

    06/10/2019, 3:19 PM
    import * as awsx from '@pulumi/awsx';
    
    export const vpc = new awsx.ec2.Vpc('custom', {
      cidrBlock: '10.0.0.0/16',
      numberOfAvailabilityZones: 3,
      subnets: [
        { type: 'public' },
        { type: 'private' },
        { type: 'isolated', name: 'db' },
        { type: 'isolated', name: 'redis' }
      ]
    });
    
    export const sg = new awsx.ec2.SecurityGroup('sg', { vpc });
    awsx.ec2.SecurityGroupRule.ingress(
      'https',
      sg,
      new awsx.ec2.AnyIPv4Location(),
      new awsx.ec2.TcpPorts(443),
      'allow https access'
    );
    awsx.ec2.SecurityGroupRule.ingress(
      'ssh',
      sg,
      new awsx.ec2.AnyIPv4Location(),
      new awsx.ec2.TcpPorts(22),
      'allow ssh access'
    );
    For this above code I am running into this error
    aws:ec2:SecurityGroup (sg):
        error: Plan apply failed: Error creating Security Group: InvalidParameterValue: Value (sg-34e72cd) for parameter GroupName is invalid. Group names may not be in the format sg-*.
        	status code: 400, request id: 5a65b4e8-298c-4b18-9e85-94c61d7e19b4
    Looks like the `sg` with an `-` is an issue. Am I doing something wrong? Or is it a bug?
  • b

    boundless-monkey-50243

    06/10/2019, 6:31 PM
    I’m not sure if I’ve found a bug or not, but when I do `pulumi login s3://my-pulumi-bucket/something` (assuming that data will be stored in `s3://my-pulumi-bucket/something/.pulumi`), instead everything ends up in `s3://my-pulumi-bucket/.pulumi`. This is really unexpected. Is it intentional behavior?
  • b

    boundless-monkey-50243

    06/10/2019, 7:45 PM
    Related to a prior question - how does one tell a `pulumi.StackReference` to look at a stack in another S3 bucket, by stack name? i.e., I’m in `bar-deploy`, I need to access `foo-deploy`, but I need to specifically get outputs from the `dev` stack (use case: there might be multiple `bar-deploy` stacks using `foo-deploy`@`dev` as their backend). How can I express this?
  • p

    proud-alarm-92546

    06/10/2019, 11:08 PM
    awsx.elasticloadbalancingv2.ApplicationLoadBalancer..... ipAddressType: config.ipAddressType,
    anyone want to help me type this properly? a config string isn't it... it seems to want:
    ipAddressType?: pulumi.Input<"ipv4" | "dualstack">;
    TSError: ⨯ Unable to compile TypeScript:
        index.ts(65,87): error TS2345: Argument of type '{ name: string; vpc: Vpc; external: true; ipAddressType: string; securityGroups: SecurityGroup[]; subnets: Output<string>[]; }' is not assignable to parameter of type 'ApplicationLoadBalancerArgs'.
          Types of property 'ipAddressType' are incompatible.
            Type 'string' is not assignable to type '"dualstack" | "ipv4" | Promise<"dualstack" | "ipv4"> | OutputInstance<"dualstack" | "ipv4"> | undefined'.
        index.ts(136,64): error TS7006: Parameter 'hostname' implicitly has an 'any' type.
  • b

    broad-dog-22463

    06/10/2019, 11:10 PM
    @proud-alarm-92546 how are you getting that, that PR isn't even merged in pulumi-aws yet for that type...
  • p

    proud-alarm-92546

    06/10/2019, 11:10 PM
    awsx
  • b

    broad-dog-22463

    06/10/2019, 11:10 PM
    @lemon-spoon-91807?
  • l

    little-summer-88406

    06/11/2019, 7:07 AM
    Is there a way to call out to gcloud operations like gcloud beta source project-configs update --add-topic=[TOPIC_NAME] --service-account=[SERVICE_ACCOUNT_NAME] which aren't incorporated into pulumi types yet? I guess it would need something like up/down like a db migration
  • l

    lively-coat-66786

    06/11/2019, 2:25 PM
    Hi, I'm trying to create Pulumi Node.js program in TypeScript to provision AWS services to multiple regions in one go, using @pulumi/awsx; I’m having trouble understanding what I’m doing wrong while trying to create VPCs in a loop. The regions get mixed while the program tries to create route tables and subnets, like this:
    aws:ec2:RouteTable (vpc-test-us-east-2-private-0):
        error: Plan apply failed: Error creating route table: InvalidVpcID.NotFound: The vpc ID 'vpc-03f05ae1180c62fd2' does not exist
    multiregion.zip
  • w

    worried-engineer-33884

    06/11/2019, 5:33 PM
    Is it possible to change our organization name?
  • l

    limited-rainbow-51650

    06/11/2019, 6:58 PM
    Are there already best practices to structure Pulumi code? Do we need multiple “stacks” like in TF land, using “remote state”? Any blog articles that could bootstrap me?
  • b

    boundless-monkey-50243

    06/11/2019, 7:12 PM
    [solved] Welp - seems like when it rains, it pours. I'm on a Fedora 29 machine; I decided to update to get rid of the version nag and I've just updated (using `curl | sh`) to the most recent version of Pulumi; I now get a panic (listed in thread) whenever I try to run anything and on my side I've relogged in a new shell, run `npm rebuild`, etc. It seems so out of the ordinary that it seems likely to be an issue on my end of things, but perhaps somebody's seen it before (or has some "nuke it from orbit" advice)?
  • e

    elegant-crayon-4967

    06/11/2019, 7:46 PM
    [Solved] When using `import * as aws from "@pulumi/aws";` command, I get errors assigning values via a variable to my ec2 instanceType, but if I use the old format `const aws = require("@pulumi/aws")` the error goes away and my code runs just fine. Thoughts?
  • o

    orange-tailor-85423

    06/11/2019, 7:52 PM
    https://blog.pulumi.com/simplify-kubernetes-rbac-in-amazon-eks-with-open-source-pulumi-packages
  • o

    orange-tailor-85423

    06/11/2019, 7:52 PM
    Running the above example code and getting failures in EKS:
  • t

    thankful-telephone-29600

    06/11/2019, 9:54 PM
    hey all - i stood up the eks example and i'm trying to deploy a helm chart like the example, except it's a different one. it's failing to start and i think it's my syntax.
    export const kubeconfig = cluster.kubeconfig;
    
    const myk8s = new k8s.Provider("myk8s", {
        kubeconfig: cluster.kubeconfig.apply(JSON.stringify),
    });
    
    const nginx = new helm.v2.Chart("rancher-nginx", {
        namespace: "rancher",
        repo: "stable",
        chart: "nginx-ingress",
        values: {
            "rbac.create": "true"
        },
     }, { providers: { kubernetes: myk8s }});
  • b

    busy-pizza-73563

    06/12/2019, 8:55 AM
    Hey there! I upgraded kubernetes from `1.13.4` to `1.14.3` and now when I do `pulumi up` on an existing stack I get
    error: Plan apply failed: 1 error occurred:
        * SchemaError(io.k8s.api.core.v1.PodAntiAffinity): invalid object doesn't have additional properties
    Ideas?
  • b

    busy-pizza-73563

    06/12/2019, 8:56 AM
    (worth mentioning I have no `PodAntiAffinity` references in my code)
  • b

    busy-pizza-73563

    06/12/2019, 10:35 AM
    Solved it by upgrading to latest versions (of `@pulumi/pulumi`, `@pulumi/kubernetes` and the `pulumi` CLI).
  • w

    worried-engineer-33884

    06/12/2019, 2:29 PM
    Is there a way to poll for resource creation to reinforce a `dependsOn` relationship? We believe we are encountering an issue creating a resource that depends on an IAM RolePolicyAttachment that isn't quite ready when the dependent resource starts to create. https://docs.aws.amazon.com/IAM/latest/UserGuide/troubleshoot_general.html#troubleshoot_general_eventual-consistency
    w
    s
    • 3
    • 7
  • h

    hundreds-coat-15657

    06/12/2019, 2:32 PM
    hey all... my team is evaluating using pulumi teams, I was trying to find more documentation/info regarding the pulumi cloud console. I was wondering, how does the console manage/handle AWS keys/secrets (if it does store aws keys)? thanks!
n

narrow-area-11460

06/12/2019, 2:34 PM
https://blog.pulumi.com/managing-secrets-with-pulumi -- should answer all your questions
h

hundreds-coat-15657

06/12/2019, 2:36 PM
thanks @narrow-area-11460! so if I'm reading this correctly, pulumi console CAN store AWS/cloud credentials but they are encrypted/hashed/other protections are applied to them?
w

white-balloon-205

06/12/2019, 2:37 PM
The Pulumi console does not need your AWS credentials. All of your deployments to AWS are done in the environments where you run the `pulumi` CLI - typically your CI/CD or deployment systems (or developer desktops). These credentials are used to talk to AWS, but never passed to Pulumi. The Pulumi console manages storage of the state file used to keep track of what resources are under management. Any secrets that may end up there (inputs or outputs to individual resources) can be fully encrypted as needed per the post @narrow-area-11460 references.
n

narrow-area-11460

06/12/2019, 2:44 PM
@hundreds-coat-15657 -- encryption is built-in in Pulumi service yes. I do not believe you need to bring your own custom key at this point for encryption? Did I understand that right?
h

hundreds-coat-15657

06/12/2019, 2:45 PM
@white-balloon-205 that makes sense, thanks. so tldr is pulumi doesn't store creds directly but if creds are passed to the pulumi state files that end up on pulumi's servers, those creds can be encrypted as needed
n

narrow-area-11460

06/12/2019, 2:51 PM
as @white-balloon-205 said AWS creds are not passed to the service and are not stored in the service. But if you pass a "secret" as part of the local configuration from the CLI, then it is encrypted and then this "secret" can be used in your Pulumi program to create resources in the cloud.
if you look through the example in the blog, this will make sense