https://pulumi.com logo
Docs
Join the conversationJoin Slack
Channels
announcements
automation-api
aws
azure
blog-posts
built-with-pulumi
cloudengineering
cloudengineering-support
content-share
contribex
contribute
docs
dotnet
finops
general
getting-started
gitlab
golang
google-cloud
hackathon-03-19-2020
hacktoberfest
install
java
jobs
kubernetes
learn-pulumi-events
linen
localstack
multi-language-hackathon
office-hours
oracle-cloud-infrastructure
plugin-framework
pulumi-cdk
pulumi-crosscode
pulumi-deployments
pulumi-kubernetes-operator
pulumi-service
pulumiverse
python
registry
status
testingtesting123
testingtesting321
typescript
welcome
workshops
yaml
Powered by Linen
general
  • s

    stocky-spoon-28903

    08/08/2018, 6:38 PM
    Is the idiomatic thing to do for unmet pre-conditions in a ComponentResource’s inputs to throw an exception?
    m
    • 2
    • 1
  • s

    stocky-spoon-28903

    08/08/2018, 6:46 PM
    An AMI locator might be a nice abstraction for the Typescript SDK. Basically a priority selection between: - a specific AMI ID - an AMI name/owner pair + maybe additional filters - some default fallback (potentially)
  • s

    stocky-spoon-28903

    08/08/2018, 6:46 PM
    It’s a pattern I’ve had to use 2-3 times over the last day or two
  • s

    stocky-spoon-28903

    08/08/2018, 7:35 PM
    Also, is there a way to do a “targeted update”?
    m
    • 2
    • 3
  • s

    stocky-spoon-28903

    08/08/2018, 8:46 PM
    Another one; has anyone done an initial run of newly created lambda function from the pulumi program that created it?
    w
    • 2
    • 18
  • s

    stocky-spoon-28903

    08/08/2018, 10:38 PM
    Is there a way to arrange a component such that all resources it creates must be created before it is considered fully created, such that using the component in
    dependsOn
    works across other components?
    w
    • 2
    • 5
  • b

    bland-lamp-97030

    08/08/2018, 11:05 PM
    I'm trying to create a policy for SSM and need the accountId for the urn, but I can't seem to figure out a way to get it using the js lib. I see aws.getCallerIdentity, but that returns a promise. Any hints?
  • s

    stocky-spoon-28903

    08/08/2018, 11:05 PM
    @bland-lamp-97030 You can await the result of the promise
  • b

    bland-lamp-97030

    08/08/2018, 11:06 PM
    outside of a function?
  • s

    stocky-spoon-28903

    08/08/2018, 11:06 PM
    Not outside, no. Are you in the global scope at the moment?
  • b

    bland-lamp-97030

    08/08/2018, 11:07 PM
    yes, just creating resources in index.js
  • s

    stocky-spoon-28903

    08/08/2018, 11:08 PM
    One pattern I’ve used (as recommended by various people here) is an “async main” function, like this: https://gist.github.com/jen20/ccc91ab961843babf93b119fe67e1938
  • s

    stocky-spoon-28903

    08/08/2018, 11:08 PM
    (Note that that particular gist is reproducing a crash though, so probably not the best one to copy/paste - the pattern is there though)
  • m

    microscopic-florist-22719

    08/08/2018, 11:09 PM
    Do you just need to pass the account ID into the input of another resource?
  • b

    bland-lamp-97030

    08/08/2018, 11:09 PM
    right, thanks, that makes sense!
  • s

    stocky-spoon-28903

    08/08/2018, 11:09 PM
    I’m guessing for a policy it needs to go into a stringified object
  • b

    bland-lamp-97030

    08/08/2018, 11:09 PM
    Resource: aws.getCallerIdentity().then(resp => arn:aws:ssm:${region}:${resp.accountId}:parameter/myapp*)
  • b

    bland-lamp-97030

    08/08/2018, 11:10 PM
    basically that
  • b

    bland-lamp-97030

    08/08/2018, 11:10 PM
    within a policy json stringify
  • m

    microscopic-florist-22719

    08/08/2018, 11:10 PM
    Got it. Can you DM me the full stringify?
  • m

    microscopic-florist-22719

    08/08/2018, 11:10 PM
    (assuming that you don't want to post it here)
  • b

    bland-lamp-97030

    08/08/2018, 11:11 PM
    no, I don't mind, but I think the async func will work for my purposes
  • b

    bland-lamp-97030

    08/08/2018, 11:11 PM
    const policy = new aws.iam.RolePolicy("ksub-application-role-policy", {
      role: role.name,
      policy: JSON.stringify({
        Version: "2012-10-17",
        Statement: [
          {
            Action: ["ssm:GetParameters"],
            Effect: "Allow",
            Resource: aws.getCallerIdentity().then(resp => `arn:aws:ssm:${region}:${resp.accountId}:parameter/KSUB_*`), // how??
          },
          {
            Action: ["kms:Decrypt"],
            Effect: "Allow",
            Resource: kmsKey.arn,
          },
          {
            Action: [
              "autoscaling:Describe*",
              "ec2:Describe*",
              "ec2:Get*",
              "ecs:Describe*",
              "ecs:List*",
              "elasticache:Describe*",
              "elasticache:List*",
              "elasticloadbalancing:Describe*",
              "iam:Get*",
              "iam:List*",
              "ssm:DescribeParameters",
              "rds:Describe*",
              "rds:List*",
            ],
            Effect: "Allow",
            Resource: "*",
          },
        ],
      }),
    });
  • s

    stocky-spoon-28903

    08/08/2018, 11:11 PM
    Here’s a good example of using a promise value in a policy btw: https://github.com/jen20/lambda-cert/blob/master/pulumi/src/index.ts#L190-L253
  • b

    bland-lamp-97030

    08/08/2018, 11:11 PM
    I didn't think the promise.then would work, but I found it in an example and figured I'd try it out
  • b

    bland-lamp-97030

    08/08/2018, 11:12 PM
    I should just stick to the python libs 🙂
  • m

    microscopic-florist-22719

    08/08/2018, 11:12 PM
    The canonical way to achieve what you need is to lift the `.then`:
    const policy = new aws.iam.RolePolicy("ksub-application-role-policy", {
      role: role.name,
      policy: aws.getCallerIdentity().then(resp => JSON.stringify({
        Version: "2012-10-17",
        Statement: [
          {
            Action: ["ssm:GetParameters"],
            Effect: "Allow",
            Resource:  `arn:aws:ssm:${region}:${resp.accountId}:parameter/KSUB_*`,
          },
          {
            Action: ["kms:Decrypt"],
            Effect: "Allow",
            Resource: kmsKey.arn,
          },
          {
            Action: [
              "autoscaling:Describe*",
              "ec2:Describe*",
              "ec2:Get*",
              "ecs:Describe*",
              "ecs:List*",
              "elasticache:Describe*",
              "elasticache:List*",
              "elasticloadbalancing:Describe*",
              "iam:Get*",
              "iam:List*",
              "ssm:DescribeParameters",
              "rds:Describe*",
              "rds:List*",
            ],
            Effect: "Allow",
            Resource: "*",
          },
        ],
      })),
    });
  • s

    stocky-spoon-28903

    08/08/2018, 11:13 PM
    That’s quite a lot nicer.
  • b

    bland-lamp-97030

    08/08/2018, 11:13 PM
    oh, of course 👍
  • s

    stocky-spoon-28903

    08/08/2018, 11:14 PM
    The other important thing to know about there is
    pulumi.all
    for if you need to depend on multiple promised parameters
    👍 1
Powered by Linen
Title
s

stocky-spoon-28903

08/08/2018, 11:14 PM
The other important thing to know about there is
pulumi.all
for if you need to depend on multiple promised parameters
👍 1
View count: 2