Hello all. Please, anyone here familiar with ephemeral environments?

👋 Hey All, currently struggling to figure out why this vault database static role is failing... If I attempt to create it in the vault UI, it works correctly; but it doesn't want to go through via Pulumi: Source:

import * as pulumi from "@pulumi/pulumi";
import * as postgres from "@pulumi/postgresql";
import * as vault from "@pulumi/vault";
import { PostgresAdminProvider } from "../../providers/postgres";
import { VaultProvider } from "../../providers";

export const zipline = new pulumi.ComponentResource(
  "zipline",
  "zipline",
  {},
  {}
);

const ZiplineRole = new postgres.Role(
  "zipline-pg-role",
  {
    name: "zipline",
    password: "password",
    login: true,
  },
  { parent: zipline, provider: PostgresAdminProvider }
);

const ZiplineVaultRole = new vault.database.SecretBackendStaticRole(
  "zipline-vault-pg-role",
  {
    name: "consus-pg-zipline",
    username: ZiplineRole.name,
    rotationPeriod: 86400,
    backend: "database",
    dbName: "consus-pg-postgres",
  },
  { provider: VaultProvider, parent: zipline}
);

const ZiplineDb = new postgres.Database(
  "zipline-pg-db",
  {
    name: "zipline",
    owner: ZiplineRole.name,
  },
  { parent: zipline, provider: PostgresAdminProvider }
);

Error:

Updating (main)

View in Browser (Ctrl+O): <https://app.pulumi.com/ItsMeBrianD/NomadHomelab/main/updates/18>

     Type                                          Name                   Status                  Info
     pulumi:pulumi:Stack                           NomadHomelab-main      **failed**              1 error
 +   ├─ zipline                                    zipline                created (0.76s)         
 +   │  ├─ postgresql:index:Role                   zipline-pg-role        created (1s)            
 +   │  ├─ postgresql:index:Database               zipline-pg-db          created (3s)            
 +   │  └─ vault:database:SecretBackendStaticRole  zipline-vault-pg-role  **creating failed**     1 error
 ~   └─ pulumi:providers:postgresql                postgres-admin         updated (0.20s)         [diff: ~username]


Diagnostics:
  pulumi:pulumi:Stack (NomadHomelab-main):
    error: update failed

  vault:database:SecretBackendStaticRole (zipline-vault-pg-role):
    error: 1 error occurred:
        * error creating static role "consus-pg-zipline" for backend "database": Error making API request.
    
    URL: PUT <https://vault.i.hl1.io/v1/database/static-roles/consus-pg-zipline>
    Code: 500. Errors:
    
    * 1 error occurred:
        * "consus-pg-zipline" is not an allowed role

Resources:
    + 3 created
    ~ 1 updated
    4 changes. 4 unchanged

Duration: 8s

Hi, I am struggling a bit with the task to query the AWS region and account my code is operating in.

const account = aws.getCallerIdentity({}).then((a) => a.accountId);
const region = aws.getRegion({}).then((r) => r.name):

These values end up in an IAM policy to access parameters in the SystemManager’s Parameter Store:

{
  Action: ["ssm:GetParameter"],
  Effect: "Allow",
  Resource: [ `arn:aws:ssm:${region}:${account}:parameter/foo/bar/*` ],
}

But when I try to apply the code it will end in an error

error: 1 error occurred:
        * updating urn:pulumi:dev::foo::aws:iam/rolePolicy:RolePolicy::lambdaRoleSapDataProcessorPolicy: 1 error occurred:
        * putting IAM role policy lambdaRoleFooDataProcessorPolicy-681121b: MalformedPolicyDocument: The policy failed legacy parsing

To me, this looks like I am making a mistake in resolving the two promises? I am not very fluent with TypeScript

Or do I need to

resolve

the two promises with something like:

pulumi.all([account, region]).apply([accountId, regionName)) => {
... Generate policy document here
});

I thought this is what the

.then()

is for

Ok, the .all().apply() worked, just for the reference 🙂

I have used pulumi to create an S3 bucket and I attached a role to it without pulumi, now when I try to do

pulumi up

I am getting the following error:

Error putting S3 Grants: AccessControlListNotSupported: The bucket does not allow ACLs

const POC = new aws.s3.Bucket(
  POCS3BucketName,
  {
    bucket: POCS3BucketName,
    forceDestroy: false,
    grants: [
      {
        id: currentAwsUser.then((currentUser) => currentUser.id),
        type: "CanonicalUser",
        permissions: ["FULL_CONTROL"]
      }
    ],
    versioning: {
      enabled: true
    },
  
    lifecycleRules: archiveLogsLifecycleRules,
    serverSideEncryptionConfiguration: archiveBucketServerSideEncryption
  },
  {
    protect: true
  }
);

Did @pulumi/awxs v0.40.1 get pulled from npmjs? I haven't built this project in ages, but

npm install

is failing, trying to get ^0.40.1. I see 0.40.0 in there..

I have the following simplified resource:

new aws.s3.BucketPolicy("pulumi-infrastructure-bucket-policy", {
        bucket: bucket.bucket,
        policy: 
            `
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "Statement1",
            "Effect": "Deny",
            "Principal": "*",
            "Action": "s3:*",
            "Resource": [
                "arn:aws:s3:::infrastructure.pulumi.dev",
                "arn:aws:s3:::infrastructure.pulumi.dev/*"
            ],
            "Condition": {
                "Bool": {
                    "aws:SecureTransport": "false"
                }
            }
        }
    ]
}`,
    });

I would like to make those two Resource definitions dynamic, but when I switch to the

${bucket.arn}

notation I get an error that my string literal contains a

\n

somehow. Even though I am inside a backticks backed string.

Another question, this time regarding tagging of resources. I load a set of default tags for all my resources from the config like this:

const config = pulumi.Config();
const defaultTags = config.requireObject<{ [key: string]: string }>("defaultTags");

These defaultTags look like:

config:
  aws:region: eu-central-1
  my-application:defaultTags:
    - team: application-team
    - environment: dev
    - cost-center: "123456"

Now, when I create a resource I would like to merge these defaultTags with the resource specifig tags like Name or others

const route53Zone = new aws.route53.Zone("applicationZone", {
  name: fqdn,
  tags: {
    ...defaultTags,
    Name: fqdn,
  }
});

But this one fails with an error like:

'' expected type 'string', got unconvertible type 'map[string]interface {}', value: 'map[team:application-team]'.

Any ideas on how to fix this?

Hi, it might be a stupid question but any way to do top level await in a pulumi program (index.ts file). It compiles fine but failed when running it with pulumi up

How do I use assumeRoleWithWebIdentity to setup and access resources on AWS ?

const roleToAssumeARN = String(process.env.ROLE_ARN);
        const sessionName = String(`"GitLabRunner-${process.env.CI_PROJECT_ID}-${process.env.CI_PIPELINE_ID}"`);
        const webIdentityToken = String(process.env.GITLAB_OIDC_TOKEN);

        console.log(`Looking at ${roleToAssumeARN} with ${sessionName}`)
        const awsProvider = new aws.Provider("privileged", {
            assumeRoleWithWebIdentity: {
                roleArn: roleToAssumeARN,
                sessionName: sessionName,
                webIdentityToken: webIdentityToken,
                duration: "600",
            },
            region: aws.config.requireRegion(),
        });
        provider = { provider: awsProvider };
...
const contentBucket = new aws.s3.Bucket(`wwwBucket-${currentStack}`, {}, provider);

The error

pulumi:providers:aws (privileged):
    error: rpc error: code = Unknown desc = unable to validate AWS credentials.
    Details: no valid credential sources for Pulumi AWS Classic found.
    
    Please see <https://www.pulumi.com/registry/packages/aws/installation-configuration/>
    for more information about providing credentials.
    
    AWS Error: failed to refresh cached credentials, no EC2 IMDS role found, operation error ec2imds: GetMetadata, request canceled, context deadline exceeded

This is the nearest hit - https://github.com/pulumi/pulumi-aws/issues/2425 I am able to validate the token are correct from cli using aws sts.

I have a container-based lambda, and want to associate it to an API gateway in AWS. The article here assumes a standalone (non-container)-based lambda. Would anyone know how to do this? Now that I think about it, maybe it's as simple as assigning the reference from

new aws.lambda.Function()

to

eventHandler

https://www.pulumi.com/docs/clouds/aws/guides/api-gateway/#lambda-request-handling

Hi!

Could somebody help me?. I need to setup caseSensitive = false in aws cognito user pool, but I have not found the way to do that.

this is my pulumi cognito user pool configuration.

usernameAttributes: ["email"],

schemas: [

{

attributeDataType: "String",

name: "email",

mutable: false,

required: true,

caseSensitive: false,

stringAttributeConstraints: {

minLength: "1",

maxLength: "256",

},

},

but

caseSensitive: false,

seems not to be a part of schema..

image.png

Or

emailConfiguration: emailConfig,

autoVerifiedAttributes: ["email"],

usernameAttributes: ["email"],

CaseSensitive: false,

"Object literal may only specify known properties, and 'CaseSensitive' does not exist in type 'UserPoolArgs' "

I found the way to do it!

I keep getting this error. Anyone had an idea where this can come from?

digitalocean:index:Firewall (staging):
    error: error reading from server: EOF

  pulumi:pulumi:Stack (swarm-staging):
    panic: interface conversion: interface {} is string, not int

hey, does anybody knows if there is a problem with the yarn packages for pulumi? I keel getting error not found when performing yarn install registry.yarnpkg.com/@pulumi/datadog/-/datadog-4.17.1.tgz

@brave-alarm-22747 i'm facing similar issues with NPM just now. anyone else facing the same?

GET <https://registry.npmjs.org/@pulumi/mongodbatlas/-/mongodbatlas-3.9.0.tgz> - Not found

@shy-rain-22908 Yup. Was seeing the same thing on @pulumi/cloudamqp

hey folks, is it common practice to use Zod for validation/schemas with pulumi?

I'm running the pulumi CLI and I'm getting a validation error that I can't unpack and understand more.

Diagnostics:
  datadog:index:Monitor (pul_Release Draft Deploy Error):
    error: diffing urn:pulumi:staging::core-api::datadog:index/monitor:Monitor::pul_Release Draft Deploy Error: error validating monitor from <https://api.datadoghq.com/api/v1/monitor/124561428/validate>: 400 Bad Request: {"errors":["The value provided for parameter 'query' is invalid"]}

The output of

pulumi diff

puts Diagnostics including a 400 Bad Request. However I can't really understand how to unpack this better, I'd really like to see the full HTTP request and HTTP response for this 400 to understand what JSON payload did I send, and what part of

query

could be invalid, in fact there should be two

query

fields in the JSON payload so unclear which one it is. There's a lot of steps to reverse engineer how I can generate the correct raw JSON for

datadog.Monitor

from the

@pulumi/datadog

class.

I am stuck with a weird Typescript issue for Pulumi. Any assistance would be much helpful.. I have referred the official TS doc, googled various sources but didnt work out. I'd like to access a value outside its if block. Its always unassigned for me. Am I doing anything wrong?

I continually struggle with typing issues, probably as I learnt to code in a polymorphic language (perl) maybe someone who understands types can help: I want to set the number of tasks in a service to the number of subnets it is being deployed to, so that the Test stack, which is deployed to 1 subnet only runs one task, but Prod, which is more redundant, runs 2 or 3 depending on how many subnets I deploy to. But at the moment Test is deployed to 2 subnets, which I will fix soon, but in order to not incur additional costs whilst I shrink Test to 1 subnet I want to override that to be 1 in the case where we are in Test. So my code:

let numTasks = vpc.publicSubnets.apply(subnets => subnets.length);

// that will work when we only have 1 subnet in the Test-vpc but for now

if (nom === 'test'){
  numTasks = 1;
}

This gives the error: stack/service.ts(14,3): error TS2322: Type '1' is not assignable to type 'Output<any>'. from the line where I try and force it to be 1 inside the if I've tried

let numTasks: number = vpc.publicSubnets.apply(subnets => subnets.length);

making it a number in the declaration but that then errors with: stack/service.ts(9,5): error TS2322: Type 'Output<any>' is not assignable to type 'number'. I'm pretty sure my code is right and that on execution subnets.length will be a number, but the typing doesn't see what is obvious to me. Anyone got any pointers on how to fix this?

is there a easy way to convert swagger / open api spec into pulumi provider?

Please, is there any way how to import a resource and straight away modify it in one run? 🙂