nutritious-shampoo-16116
10/27/2020, 11:34 AM
def setup_s3_read_write_policy(buckets: List[pulumi.Output], project_name: str, instance_role: iam.Role):
    """
    Create a policy to access a list of buckets in R/W mode
    """
    def create_and_attach_policy(args: List) -> None:
        policy = json.dumps(
            {
                "Statement": [
                    {
                        "Effect": "Allow",
                        "Action": ["s3:ListBucket"],
                        "Resource": [f"arn:aws:s3:::{arg}" for arg in args],
                    },
                    {
                        "Effect": "Allow",
                        "Action": "s3:GetObject",
                        "Resource": [f"arn:aws:s3:::{arg}/*" for arg in args],
                    },
                ],
            }
        )
        S3_POLICY_NAME = create_unique_name(f'{project_name}-buckets-policy')
        s3_policy = iam.Policy(S3_POLICY_NAME, policy=policy)
        S3_ROLE_POLICY_ATTACHMENT = create_unique_name(
            f'{project_name}-buckets-role-policy-attachment'
        )
        iam.RolePolicyAttachment(
            S3_ROLE_POLICY_ATTACHMENT, role=instance_role, policy_arn=s3_policy.arn
        )

    pulumi.Output.all(*[bucket.id for bucket in buckets]).apply(
        lambda args: create_and_attach_policy(args)
    )
def setup_s3_read_write_policy(buckets: List[pulumi.Output], project_name: str, instance_role: iam.Role):
    """
    Create a policy to access a list of buckets in R/W mode
    """
    def create_and_attach_policy(args: List) -> None:
        policy = json.dumps(
            {
                "Statement": [
                    {
                        "Effect": "Allow",
                        "Action": ["s3:ListBucket"],
                        "Resource": [f"arn:aws:s3:::{arg.id}" for arg in args],
                    },
                    {
                        "Effect": "Allow",
                        "Action": "s3:GetObject",
                        "Resource": [f"arn:aws:s3:::{arg.id}/*" for arg in args],
                    },
                ],
            }
        )
        S3_POLICY_NAME = create_unique_name(f'{project_name}-buckets-policy')
        s3_policy = iam.Policy(S3_POLICY_NAME, policy=policy)
        S3_ROLE_POLICY_ATTACHMENT = create_unique_name(
            f'{project_name}-buckets-role-policy-attachment'
        )
        iam.RolePolicyAttachment(
            S3_ROLE_POLICY_ATTACHMENT, role=instance_role, policy_arn=s3_policy.arn
        )

    pulumi.Output.all(*[buckets]).apply(
        lambda args: create_and_attach_policy(args)
    )
nutritious-shampoo-16116
10/27/2020, 11:35 AM
pulumi.Output.all works if I tell it to wait explicitly for the id but not for the s3.Bucket object
damp-elephant-82829
10/30/2020, 9:12 AM
damp-elephant-82829
10/30/2020, 9:13 AM
gorgeous-spoon-23700
11/02/2020, 9:00 AM
pulumi stack export command and extracting the relevant info from the JSON data:
jq = local["/usr/local/bin/jq"]
pulumi = local["pulumi"]
chain = pulumi["stack", "export"] | jq['.deployment.resources[] | select(.type == "pulumi:pulumi:Stack") | .outputs.netcams']
netcams = json.loads(chain())
Should I wait for the python implementation of the Automation API?
red-glass-80261
11/02/2020, 11:29 AM
red-glass-80261
11/06/2020, 9:30 PM
clever-nest-47198
11/10/2020, 7:11 PM
clever-nest-47198
11/10/2020, 7:12 PM
average-school-38756
11/11/2020, 10:21 PM
pulumi up. Is there a resource which will run a bash script or something, so that pulumi.FileArchive could run after?
purple-arm-63328
11/16/2020, 9:07 PM
purple-arm-63328
11/16/2020, 9:09 PM
aws.ec2.getSubnetIds, how do I get the result? I tried to run_until_completion the Awaitable but the loop is already running. Is there a way to have the main be an async function?
purple-arm-63328
11/16/2020, 9:12 PM
group = aws.ec2.SecurityGroup.get('sg-0dfd33cdac25b1ec9') but the signature of that very function takes a resource_name and an id as positional arguments. What am I missing?
clean-dentist-2515
11/16/2020, 9:17 PM
aws.ec2.SecurityGroup.get the resource_name is a name that you choose (a label used to identify the resource in Pulumi) and the id is the actual security group id from EC2
purple-arm-63328
11/16/2020, 9:18 PM
clean-dentist-2515
11/16/2020, 9:20 PM
purple-arm-63328
11/16/2020, 9:29 PM
get of a resource does not import. Am I wrong?
gentle-diamond-70147
11/16/2020, 9:30 PM
.get() does not import the resource, only gets a reference to it. The resource name is still required for Pulumi to track its usage internally, but does not change or affect the real resource.
purple-arm-63328
11/16/2020, 9:31 PM
gentle-diamond-70147
11/16/2020, 9:32 PM
my_sg = aws.ec2.SecurityGroup.get('my_sg', 'sg-0dfd33cdac25b1ec9')
purple-arm-63328
11/16/2020, 9:32 PM
purple-arm-63328
11/16/2020, 9:32 PM
nutritious-shampoo-16116
11/17/2020, 9:46 AM
nutritious-shampoo-16116
11/17/2020, 11:16 AM
powerful-art-3002
11/20/2020, 2:07 PM
dry-engine-17210
11/20/2020, 6:48 PM
pubsub_topic = pubsub.Topic(
    "{}-topic".format(PUBSUB_TOPIC_PREFIX)
)
and...
logging_sink = logging.ProjectSink(
    resource_name="{}-sink".format(LOGGING_SINK_PREFIX),
    destination="pubsub.googleapis.com/{}".format(pubsub_topic.id),
    filter='LOG_ID("cloudaudit.googleapis.com/activity") OR LOG_ID("externalaudit.googleapis.com/activity") OR LOG_ID("cloudaudit.googleapis.com/system_event") OR LOG_ID("externalaudit.googleapis.com/system_event") OR LOG_ID("cloudaudit.googleapis.com/access_transparency") OR LOG_ID("externalaudit.googleapis.com/access_transparency")',
    opts=ResourceOptions(
        depends_on=[pubsub_topic]
    ),
)
Pulumi fails with:
gcp:logging:ProjectSink (dev-sink):
error: 1 error occurred:
* googleapi: Error 400: Cloud Pub/Sub URL is missing projects/[PROJECT_ID], badRequest
When I look at "details" view, I see this:
pulumi:pulumi:Stack: (same)
[urn=urn:pulumi:dev::infrastructure::pulumi:pulumi:Stack::infrastructure-dev]
+ gcp:logging/projectSink:ProjectSink: (create)
[urn=urn:pulumi:dev::infrastructure::gcp:logging/projectSink:ProjectSink::dev-sink]
[provider=urn:pulumi:dev::infrastructure::pulumi:providers:gcp::default_4_3_0::4d0f3a00-dc97-4725-b036-499ca6b7f522]
destination : "pubsub.googleapis.com/<pulumi.output.Output object at 0x112b44640>"
filter : "LOG_ID(\"cloudaudit.googleapis.com/activity\") OR LOG_ID(\"externalaudit.googleapis.com/activity\") OR LOG_ID(\"cloudaudit.googleapis.com/system_event\") OR LOG_ID(\"externalaudit.googleapis.com/system_event\") OR LOG_ID(\"cloudaudit.googleapis.com/access_transparency\") OR LOG_ID(\"externalaudit.googleapis.com/access_transparency\")"
name : "dev-sink-bf1e116"
uniqueWriterIdentity: false
When I see <pulumi.output.Output object at 0x112b44640> in the destination, it makes me think Pulumi hasn't deserialized the actual name, or there is some deferred evaluation that isn't happening?
Any suggestions on how to troubleshoot?
dry-engine-17210
11/20/2020, 8:02 PM
dry-engine-17210
11/20/2020, 8:39 PM
pubsub_topic = pubsub.Topic(
    "{}-topic".format(PUBSUB_TOPIC_PREFIX)
)
pubsub_topic_url = pubsub_topic.id.apply(
    lambda id: "pubsub.googleapis.com/" + id
)
logging_sink = logging.ProjectSink(
    resource_name="{}-sink".format(LOGGING_SINK_PREFIX),
    destination=pubsub_topic_url,
    filter='LOG_ID("cloudaudit.googleapis.com/activity") OR LOG_ID("externalaudit.googleapis.com/activity") OR LOG_ID("cloudaudit.googleapis.com/system_event") OR LOG_ID("externalaudit.googleapis.com/system_event") OR LOG_ID("cloudaudit.googleapis.com/access_transparency") OR LOG_ID("externalaudit.googleapis.com/access_transparency")'
)
dry-engine-17210
11/20/2020, 8:40 PM
dry-engine-17210
11/20/2020, 8:40 PM