Channels
#general
- s
stocky-spoon-28903
08/08/2018, 6:46 PMAn AMI locator might be a nice abstraction for the Typescript SDK. Basically a priority selection between: - a specific AMI ID - an AMI name/owner pair + maybe additional filters - some default fallback (potentially) - s
stocky-spoon-28903
08/08/2018, 6:46 PMIt’s a pattern I’ve had to use 2-3 times over the last day or two - s
stocky-spoon-28903
08/08/2018, 7:35 PMAlso, is there a way to do a “targeted update”?m- 2
- 3
- s
stocky-spoon-28903
08/08/2018, 8:46 PMAnother one; has anyone done an initial run of newly created lambda function from the pulumi program that created it?w- 2
- 18
- s
stocky-spoon-28903
08/08/2018, 10:38 PMIs there a way to arrange a component such that all resources it creates must be created before it is considered fully created, such that using the component in
works across other components?dependsOnw- 2
- 5
- b
bland-lamp-97030
08/08/2018, 11:05 PMI'm trying to create a policy for SSM and need the accountId for the urn, but I can't seem to figure out a way to get it using the js lib. I see aws.getCallerIdentity, but that returns a promise. Any hints? - s
stocky-spoon-28903
08/08/2018, 11:05 PM@bland-lamp-97030 You can await the result of the promise - b
bland-lamp-97030
08/08/2018, 11:06 PMoutside of a function? - s
stocky-spoon-28903
08/08/2018, 11:06 PMNot outside, no. Are you in the global scope at the moment? - b
bland-lamp-97030
08/08/2018, 11:07 PMyes, just creating resources in index.js - s
stocky-spoon-28903
08/08/2018, 11:08 PMOne pattern I’ve used (as recommended by various people here) is an “async main” function, like this: https://gist.github.com/jen20/ccc91ab961843babf93b119fe67e1938 - s
stocky-spoon-28903
08/08/2018, 11:08 PM(Note that that particular gist is reproducing a crash though, so probably not the best one to copy/paste - the pattern is there though) - m
microscopic-florist-22719
08/08/2018, 11:09 PMDo you just need to pass the account ID into the input of another resource? - b
bland-lamp-97030
08/08/2018, 11:09 PMright, thanks, that makes sense! - s
stocky-spoon-28903
08/08/2018, 11:09 PMI’m guessing for a policy it needs to go into a stringified object - b
bland-lamp-97030
08/08/2018, 11:09 PMResource: aws.getCallerIdentity().then(resp => arn:aws:ssm:${region}:${resp.accountId}:parameter/myapp*) - b
bland-lamp-97030
08/08/2018, 11:10 PMbasically that - b
bland-lamp-97030
08/08/2018, 11:10 PMwithin a policy json stringify - m
microscopic-florist-22719
08/08/2018, 11:10 PMGot it. Can you DM me the full stringify? - m
microscopic-florist-22719
08/08/2018, 11:10 PM(assuming that you don't want to post it here) - b
bland-lamp-97030
08/08/2018, 11:11 PMno, I don't mind, but I think the async func will work for my purposes - b
bland-lamp-97030
08/08/2018, 11:11 PMCopy codeconst policy = new aws.iam.RolePolicy("ksub-application-role-policy", { role: role.name, policy: JSON.stringify({ Version: "2012-10-17", Statement: [ { Action: ["ssm:GetParameters"], Effect: "Allow", Resource: aws.getCallerIdentity().then(resp => `arn:aws:ssm:${region}:${resp.accountId}:parameter/KSUB_*`), // how?? }, { Action: ["kms:Decrypt"], Effect: "Allow", Resource: kmsKey.arn, }, { Action: [ "autoscaling:Describe*", "ec2:Describe*", "ec2:Get*", "ecs:Describe*", "ecs:List*", "elasticache:Describe*", "elasticache:List*", "elasticloadbalancing:Describe*", "iam:Get*", "iam:List*", "ssm:DescribeParameters", "rds:Describe*", "rds:List*", ], Effect: "Allow", Resource: "*", }, ], }), }); - s
stocky-spoon-28903
08/08/2018, 11:11 PMHere’s a good example of using a promise value in a policy btw: https://github.com/jen20/lambda-cert/blob/master/pulumi/src/index.ts#L190-L253 - b
bland-lamp-97030
08/08/2018, 11:11 PMI didn't think the promise.then would work, but I found it in an example and figured I'd try it out - b
bland-lamp-97030
08/08/2018, 11:12 PMI should just stick to the python libs 🙂 - m
microscopic-florist-22719
08/08/2018, 11:12 PMThe canonical way to achieve what you need is to lift the `.then`:Copy codeconst policy = new aws.iam.RolePolicy("ksub-application-role-policy", { role: role.name, policy: aws.getCallerIdentity().then(resp => JSON.stringify({ Version: "2012-10-17", Statement: [ { Action: ["ssm:GetParameters"], Effect: "Allow", Resource: `arn:aws:ssm:${region}:${resp.accountId}:parameter/KSUB_*`, }, { Action: ["kms:Decrypt"], Effect: "Allow", Resource: kmsKey.arn, }, { Action: [ "autoscaling:Describe*", "ec2:Describe*", "ec2:Get*", "ecs:Describe*", "ecs:List*", "elasticache:Describe*", "elasticache:List*", "elasticloadbalancing:Describe*", "iam:Get*", "iam:List*", "ssm:DescribeParameters", "rds:Describe*", "rds:List*", ], Effect: "Allow", Resource: "*", }, ], })), }); - s
stocky-spoon-28903
08/08/2018, 11:13 PMThat’s quite a lot nicer. - b
bland-lamp-97030
08/08/2018, 11:13 PMoh, of course 👍 - s
stocky-spoon-28903
08/08/2018, 11:14 PMThe other important thing to know about there is
for if you need to depend on multiple promised parameterspulumi.all👍 1 - s
stocky-spoon-28903
08/09/2018, 11:25 AMI’m getting a lot of this kind of thing when modifying security group rules:Copy codeDo you want to perform this update? yes Updating stack 'vault-dev' Performing changes: Type Name Status Info * pulumi:pulumi:Stack pulumi-vault-test-vault-dev done * └─ operator-error:aws:vault:VaultServers algo-vault-servers unchanged ~ └─ aws:ec2:SecurityGroup algo-vault-server-sg **updating failed** changes: ~ ingress, 2 errors Diagnostics: aws:ec2:SecurityGroup: algo-vault-server-sg error: Plan apply failed: updating urn:pulumi:vault-dev::pulumi-vault-test::operator-error:aws:vault:VaultServers$aws:ec2/securityGroup:SecurityGroup::algo-vault-server-sg: Error revoking security group ingress rules: InvalidPermission.NotFound: The specified rule does not exist in this security group. status code: 400, request id: 72b0d525-f31f-4fff-a0dc-7229cfb50af3 error: update failed info: no changes required: 50 resources unchanged