  • wide-xylophone-60952, 4 months ago
    Hello All
  • quick-telephone-15244, 4 months ago
    Hi all, I'm running up against an issue using the AWS EKS package from the repo, specifically that I need to modify the policyArn of an `aws:iam/rolePolicyAttachment:RolePolicyAttachment`; however, when I attempt to apply a transformation at the stack level via `pulumi.runtime.register_stack_transformation`, I'm not seeing the `type_` `aws:iam/rolePolicyAttachment:RolePolicyAttachment` within my transformation function?
  • quick-telephone-15244, 4 months ago
    FWIW this is the `pulumi.info` output of every `type_` I see within the function:
        TYPE: aws:ec2/securityGroup:SecurityGroup
        TYPE: aws:kms/key:Key
        TYPE: aws:iam/role:Role
        TYPE: eks:index:Cluster
        TYPE: aws:ec2/securityGroup:SecurityGroup
        TYPE: aws:eks/cluster:Cluster
        TYPE: kubernetes:core/v1:ConfigMap
        TYPE: aws:ec2/securityGroupRule:SecurityGroupRule
        TYPE: aws:ec2/securityGroup:SecurityGroup
        TYPE: aws:ec2/securityGroup:SecurityGroup
        TYPE: pulumi:providers:kubernetes
        TYPE: aws:eks/cluster:Cluster
        TYPE: eks:index:VpcCni
        TYPE: aws:iam/openIdConnectProvider:OpenIdConnectProvider
        TYPE: aws:ec2/securityGroup:SecurityGroup
        TYPE: aws:ec2/securityGroupRule:SecurityGroupRule
        TYPE: pulumi:providers:kubernetes
  • quick-telephone-15244, 4 months ago
    This is the plan created from `pulumi preview --logtostderr`:
         +   pulumi:pulumi:Stack
         +   ├─ aws:ec2:SecurityGroup
         +   ├─ aws:kms:Key
         +   ├─ aws:iam:Role
         +   └─ eks:index:Cluster
         +      ├─ eks:index:ServiceRole
         +      │  ├─ aws:iam:Role
         +      │  ├─ aws:iam:RolePolicyAttachment
         +      │  ├─ aws:iam:RolePolicyAttachment
         +      │  └─ aws:iam:RolePolicyAttachment
         +      ├─ aws:eks:Cluster
         +      ├─ pulumi:providers:kubernetes
         +      ├─ pulumi:providers:kubernetes
         +      ├─ aws:ec2:SecurityGroup
         +      ├─ eks:index:VpcCni
         +      ├─ aws:ec2:SecurityGroupRule
         +      ├─ aws:ec2:SecurityGroupRule
         +      ├─ aws:ec2:SecurityGroupRule
         +      ├─ aws:ec2:SecurityGroupRule
         +      ├─ aws:ec2:SecurityGroupRule
         +      ├─ aws:iam:OpenIdConnectProvider
         +      └─ kubernetes:core/v1:ConfigMap
  • quick-telephone-15244, 4 months ago
    The other thing that I'm kinda scratching my head about is: even though I'm specifying `service_role` as a cluster creation arg, along with `skip_default_node_group=True`, those managed policies are still attempting to be attached. Shouldn't the `service_role=<aws.iam.Role obj.>` arg prevent default role/managed policy attachment in favor of what was provided by `service_role`? Or am I misunderstanding `service_role` entirely?
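The shape of a stack transformation that does what this thread is after (rewriting `policy_arn` on every `RolePolicyAttachment` the program registers), as an added example rather than the poster's code. The rewrite is a pure function that also records every `type_` it was called with, so the debugging print above becomes a check of which expected types were never reached; the scoped replacement ARN is a constructed placeholder, and because the props key casing differs between SDK versions both `policy_arn` and `policyArn` are handled.

```python
# Added example, not code from the post.  pulumi.runtime.register_stack_transformation
# calls the transformation with pulumi.ResourceTransformationArgs (type_, name, props,
# opts); returning a ResourceTransformationResult changes the resource's inputs.

ATTACHMENT_TYPE = "aws:iam/rolePolicyAttachment:RolePolicyAttachment"
SEEN_TYPES = []  # every type_ the transformation was invoked for


def rewrite_policy_arn(type_, props, replacements):
    """Return props with a broad policy ARN swapped for its scoped replacement, else None."""
    SEEN_TYPES.append(type_)
    if type_ != ATTACHMENT_TYPE:
        return None
    for key in ("policy_arn", "policyArn"):  # key casing depends on SDK version (assumption)
        arn = props.get(key)
        if isinstance(arn, str) and arn in replacements:  # an Output value cannot be compared here
            return {**props, key: replacements[arn]}
    return None


def unreached(expected_types):
    """Resource types the transformation was never called for, sorted for stable output."""
    return sorted(set(expected_types) - set(SEEN_TYPES))


def install(replacements):
    """Register the transformation for the whole stack."""
    import pulumi  # imported here so the pure helpers above run without the SDK installed

    def transform(args: pulumi.ResourceTransformationArgs):
        props = args.props if isinstance(args.props, dict) else vars(args.props)
        new_props = rewrite_policy_arn(args.type_, props, replacements)
        if new_props is None:
            return None
        return pulumi.ResourceTransformationResult(props=new_props, opts=args.opts)

    pulumi.runtime.register_stack_transformation(transform)


# Constructed mapping: a managed full-access policy quoted in this channel -> a scoped one.
REPLACEMENTS = {
    "arn:aws:iam::aws:policy/AmazonS3FullAccess": "arn:aws:iam::123456789012:policy/s3-scoped",
}
```

Calling `unreached([ATTACHMENT_TYPE])` at the end of the program tells you whether the attachment type ever reached the callback at all, which is the question the type listing above leaves open.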
  • brave-processor-54742, 4 months ago
    Hi everyone! 👋 Would someone have an idea on how to call a bash script in the `user_data` parameter, instead of writing a long string inside the code? I would like to use this bash script to add key pairs to my instances, because writing those inside the code looks tidy. Thanks! 🤸‍♂️
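One way to keep the script out of the code, as an added example and not part of the original post: read it from a file next to the program, fill in `$placeholders`, and pass the result as `user_data`. The loader also enforces two things a practitioner wants here: EC2 user data is limited to 16 KB of raw text, and it is readable from the instance via the metadata service and via DescribeInstanceAttribute, so only public keys belong in it; the script below is a constructed stand-in for the file on disk, and `user_data.sh` is an assumed file name.

```python
import string
from pathlib import Path

MAX_USER_DATA = 16 * 1024  # EC2 limit on raw (pre-base64) user data


def render_user_data(script_text, **params):
    """Fill $placeholders in a shell script and check it is safe to pass as user_data."""
    # string.Template uses $name placeholders; write $$ for a literal $ in the script.
    rendered = string.Template(script_text).substitute(params)
    if "PRIVATE KEY-----" in rendered:
        # user data is exposed by IMDS (/latest/user-data) and DescribeInstanceAttribute
        raise ValueError("user_data must not carry a private key; install public keys only")
    size = len(rendered.encode())
    if size > MAX_USER_DATA:
        raise ValueError(f"user_data is {size} bytes, EC2 limit is {MAX_USER_DATA}")
    return rendered


def load_user_data(path, **params):
    """Read a bash script from disk (e.g. user_data.sh next to __main__.py) and render it."""
    return render_user_data(Path(path).read_text(), **params)


# Constructed script standing in for the file; with the file you would write
#   aws.ec2.Instance("web", user_data=load_user_data("user_data.sh", pubkey=...), ...)
EXAMPLE_SCRIPT = """#!/bin/bash
set -euo pipefail
install -d -m 700 -o ec2-user -g ec2-user /home/ec2-user/.ssh
echo "$pubkey" >> /home/ec2-user/.ssh/authorized_keys
chmod 600 /home/ec2-user/.ssh/authorized_keys
"""
```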
  • great-sunset-355, 4 months ago
    Hi, I think I hit some weird bug with `rolePolicyAttachment:RolePolicyAttachment`. I had a role assigned to 2 ECS tasks and it had 3 policy attachments:
    import pulumi_aws as aws

    role = aws.iam.Role("role")  # dummy role

    # self._config.name and self._opts come from the enclosing component class
    for idx, arn in enumerate(
        [
            "arn:aws:iam::aws:policy/AmazonSESFullAccess",
            "arn:aws:iam::aws:policy/AmazonSageMakerFullAccess",
            "arn:aws:iam::aws:policy/AmazonS3FullAccess",
        ]
    ):
        aws.iam.RolePolicyAttachment(
            f"{self._config.name}-{idx}-app-role-extension",
            args=aws.iam.RolePolicyAttachmentArgs(policy_arn=arn, role=role.id),
            opts=self._opts,
        )
        aws.iam.RolePolicyAttachment(
            f"{self._config.name}-{idx}-scheduler-role-extension",
            args=aws.iam.RolePolicyAttachmentArgs(policy_arn=arn, role=role.id),
            opts=self._opts,
        )
    Later on I decided to add 1 more Policy attachment and limit some Full access policies to necessary permissions.
    import pulumi_aws as aws

    role = aws.iam.Role("role")  # dummy role
    ses_policy = aws.iam.Policy("ses-pol")  # dummy policies
    s3_policy = aws.iam.Policy("s3-pol")
    lambda_invoke_policy = aws.iam.Policy("lambda-pol")

    # self._config.name and self._opts come from the enclosing component class
    for idx, arn in enumerate(
        [
            ses_policy.arn,
            lambda_invoke_policy.arn,
            "arn:aws:iam::aws:policy/AmazonSageMakerFullAccess",
            s3_policy.arn,
        ]
    ):
        aws.iam.RolePolicyAttachment(
            f"{self._config.name}-{idx}-app-role-extension",
            args=aws.iam.RolePolicyAttachmentArgs(policy_arn=arn, role=role.id),
            opts=self._opts,
        )
        aws.iam.RolePolicyAttachment(
            f"{self._config.name}-{idx}-scheduler-role-extension",
            args=aws.iam.RolePolicyAttachmentArgs(policy_arn=arn, role=role.id),
            opts=self._opts,
        )
    This has caused a weird state: the Pulumi state shows that the PolicyAttachment of "arn:aws:iam::aws:policy/AmazonSageMakerFullAccess" exists but the final IAM role did not have the policy. After changing the order to cause an update, the IAM role gained the policy. And after deploying to another environment the problem was back. What is going on here? Am I being tricked by some async anomaly? Note: `pulumi up` is running in a CI pipeline; do I need to run `pulumi refresh` there as well?
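The state-says-attached-but-IAM-disagrees symptom above is what index-based names produce once the list is reordered: `policy_arn` is replace-on-change, Pulumi's default is to create replacements first and delete the replaced resources after the rest of the update, and IAM identifies an attachment only by (role, policy ARN), so the deferred delete of the old `-1-` (which used to be SageMaker) detaches the policy the new `-2-` just attached. The simulation below is an added example, not code from the post; the custom-policy ARNs are constructed, the managed ones are those quoted above.

```python
# Constructed ARNs for the post's custom policies; the managed ones are quoted in the post.
SES_MANAGED = "arn:aws:iam::aws:policy/AmazonSESFullAccess"
SAGEMAKER = "arn:aws:iam::aws:policy/AmazonSageMakerFullAccess"
S3_MANAGED = "arn:aws:iam::aws:policy/AmazonS3FullAccess"
SES_CUSTOM = "arn:aws:iam::123456789012:policy/ses-pol"
LAMBDA_CUSTOM = "arn:aws:iam::123456789012:policy/lambda-pol"
S3_CUSTOM = "arn:aws:iam::123456789012:policy/s3-pol"

# (stable key, ARN) in the order the two versions of the loop listed them.
BEFORE = [("ses", SES_MANAGED), ("sagemaker", SAGEMAKER), ("s3", S3_MANAGED)]
AFTER = [("ses", SES_CUSTOM), ("lambda", LAMBDA_CUSTOM), ("sagemaker", SAGEMAKER), ("s3", S3_CUSTOM)]


def index_named(prefix, policies):
    """Logical names derived from list position, as in the post."""
    return {f"{prefix}-{i}-app-role-extension": arn for i, (_, arn) in enumerate(policies)}


def key_named(prefix, policies):
    """Logical names derived from a stable per-policy key, so reordering changes nothing."""
    return {f"{prefix}-{key}-app-role-extension": arn for key, arn in policies}


def plan(old, new):
    """Pulumi's view: a changed ARN under the same logical name is a replacement,
    i.e. a create of the new (role, ARN) pair and a delete of the old one."""
    creates = [(n, a) for n, a in new.items() if old.get(n) != a]
    deletes = [(n, a) for n, a in old.items() if new.get(n) != a]
    return creates, deletes


def role_after_update(namer, prefix="app"):
    """IAM's view: the role holds a set of ARNs.  All creates run, then the deletes of
    replaced resources; IAM detaches by ARN, whichever logical resource owned it."""
    old, new = namer(prefix, BEFORE), namer(prefix, AFTER)
    creates, deletes = plan(old, new)
    attached = set(old.values())
    for _, arn in creates:
        attached.add(arn)
    for _, arn in deletes:
        attached.discard(arn)
    return attached


def state_vs_iam(namer):
    """ARNs the Pulumi state records as attached that IAM no longer has."""
    expected = set(namer("app", AFTER).values())
    return expected - role_after_update(namer)
```

With key-based names the reorder yields only the two intended replacements (managed SES and S3 for the custom policies) and the SageMaker attachment is never touched; `pulumi refresh` would have surfaced the drift in CI but not prevented it.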
  • brave-processor-54742, 4 months ago
    Hi all! 👋 When doing `pulumi up` I am getting this error:
        ImportError: dlopen(/infrastructure/venv/lib/python3.10/site-packages/grpc/_cython/cygrpc.cpython-310-darwin.so, 0x0002): tried: '/infrastructure/venv/lib/python3.10/site-packages/grpc/_cython/cygrpc.cpython-310-darwin.so' (mach-o file, but is an incompatible architecture (have 'x86_64', need 'arm64e'))
        It looks like the Pulumi SDK has not been installed. Have you run pip install?
        If you are running in a virtualenv, you must run pip install -r requirements.txt from inside the virtualenv.
    Has someone experienced that also? Thanks a lot!
  • strong-intern-84363, 4 months ago
    Hey lovely community! Can someone help me to understand this? Let's imagine that I have a piece of code that creates a GCP service account, a custom role (both work fine) and an IAM Binding to assign this role to this service account (this one fails). Here is my IAM binding call:
        sarolebinding = gcp.projects.IAMBinding(
            f"sa-role-binding-{self.projectName}-owner",
            role=self.role,
            project=self.project.name,
            members=[f"serviceAccount:{self.service_account.email}"],
        )
        return sarolebinding
    This fails with the following error:
        Request `Set IAM Binding for role "projects/app-burger-nonprod-wzj/roles/projectOwner" on "project \"app-burger-nonprod-wzj\""` returned error: Error applying IAM policy for project "app-burger-nonprod-wzj": Error setting IAM policy for project "app-burger-nonprod-wzj": googleapi: Error 400: Invalid service account (<pulumi.output.Output object at 0x7fbf29648640>)., badRequest
    Looks like the service_account.email field is wrong. How can I refer to the email of the newly created service account and use it as the value of the members argument? Thanks for reading, have a nice day.
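The `<pulumi.output.Output object at 0x...>` in the error is the f-string formatting the `Output` object itself: `service_account.email` is an `Output[str]`, so the member string has to be built inside the Output with `.apply` (or `pulumi.Output.concat`). Added example, not the poster's code; the helper is kept pure so it runs without the SDK, and `bind_role` assumes `pulumi_gcp`'s `gcp.projects.IAMBinding` exactly as used above.

```python
def service_account_member(email):
    """Turn a resolved service-account email into the IAM member string."""
    if not isinstance(email, str):
        # An Output (or anything else unresolved) must go through .apply first.
        raise TypeError(f"expected a resolved str, got {type(email).__name__}")
    if not email.endswith(".gserviceaccount.com"):
        raise ValueError(f"not a service-account email: {email!r}")
    return f"serviceAccount:{email}"


def bind_role(name, project, role, service_account):
    """Bind `role` to `service_account` on `project` (example, not the poster's code)."""
    import pulumi_gcp as gcp  # imported here so the helper above runs without the SDK installed

    # .apply runs the formatter once the email is known and yields an Output[str],
    # which IAMBinding accepts as a member; pulumi.Output.concat("serviceAccount:", email)
    # is the equivalent one-liner.
    member = service_account.email.apply(service_account_member)
    # IAMBinding is authoritative for the role: it sets the role's complete member list and
    # removes anyone else who held it.  gcp.projects.IAMMember grants one member without
    # touching the others, which is usually what a single service-account grant wants.
    return gcp.projects.IAMBinding(name, project=project, role=role, members=[member])
```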
  • hallowed-australia-10473, 4 months ago
    I'm trying to use Python to instantiate some resources on DigitalOcean. The problem is that I'm using an M1 Mac. When I try to import pulumi, I get an error:
        ImportError: dlopen(/blah/venv/lib/python3.9/site-packages/grpc/_cython/cygrpc.cpython-39-darwin.so, 0x0002): tried: '/blah/venv/lib/python3.9/site-packages/grpc/_cython/cygrpc.cpython-39-darwin.so' (mach-o file, but is an incompatible architecture (have 'x86_64', need 'arm64e'))
    How do I get past this?
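This message and the `pulumi up` one above hit the same thing: the `grpc` extension in the venv is an x86_64 Mach-O, while the interpreter loading it is arm64 (arm64e is a subtype of the same CPU type), which is what you get when the venv was created or `pip install` ran under an Intel/Rosetta Python. Added diagnostic, not from either post: it reads the Mach-O header of every native extension under a site-packages directory and lists the ones with no slice for the running interpreter.

```python
import platform
import struct
from pathlib import Path

# Mach-O constants from <mach-o/loader.h> and <mach/machine.h>.
MH_MAGIC_64 = 0xFEEDFACF
FAT_MAGIC = 0xCAFEBABE
CPU_TYPES = {0x01000007: "x86_64", 0x0100000C: "arm64"}  # arm64e shares the arm64 cputype


def macho_arches(data):
    """Return the CPU architectures a Mach-O file carries (empty set if it is not Mach-O)."""
    if len(data) < 8:
        return set()
    (le_magic,) = struct.unpack_from("<I", data, 0)
    if le_magic == MH_MAGIC_64:  # thin 64-bit image: little-endian header, cputype at offset 4
        (cputype,) = struct.unpack_from("<I", data, 4)
        return {CPU_TYPES.get(cputype, f"cputype {cputype:#x}")}
    be_magic, nfat = struct.unpack_from(">II", data, 0)
    if be_magic == FAT_MAGIC:  # universal binary: big-endian fat header, 20-byte fat_arch entries
        arches = set()
        for i in range(nfat):
            off = 8 + 20 * i
            if off + 4 > len(data):
                break
            (cputype,) = struct.unpack_from(">I", data, off)
            arches.add(CPU_TYPES.get(cputype, f"cputype {cputype:#x}"))
        return arches
    return set()


def incompatible(arches, machine):
    """True when the file is Mach-O but has no slice for the given machine."""
    return bool(arches) and machine not in arches


def scan_site_packages(site_packages, machine=None):
    """List (path, arches) for each native extension that cannot load on this interpreter."""
    machine = machine or platform.machine()  # "arm64" on Apple silicon, "x86_64" on Intel
    bad = []
    for so in sorted(Path(site_packages).rglob("*.so")):
        with open(so, "rb") as f:
            arches = macho_arches(f.read(4096))  # header plus fat_arch table
        if incompatible(arches, machine):
            bad.append((str(so), arches))
    return bad


if __name__ == "__main__":
    import sys
    for path, arches in scan_site_packages(sys.argv[1]):
        print(f"{path}: built for {sorted(arches)}, need {platform.machine()}")
```

Point it at the venv's `site-packages`; a mismatch is fixed by recreating the venv with a native arm64 interpreter and reinstalling, since pip picks wheels by the architecture of the Python that runs it.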