This message was deleted.
s
sparse-intern-71089
03/30/2023, 11:56 AMThis message was deleted.
r
refined-printer-82490
03/30/2023, 12:42 PM Copy code
const role = new aws.iam.Role("my-role", {
assumeRolePolicy: policy,
inlinePolicies: [{
name: "name",
policy: {
Version: "2012-10-17",
Statement: [{
Effect: "Allow",
Action: [
"s3:*",
"ecs:RegisterTaskDefinition",
"ecs:DeregisterTaskDefinition",
"ecs:DescribeTasks",
"ecs:RunTask",
"logs:GetLogEvents",
"ec2:DescribeSubnets",
"ec2:DescribeVpcs",
],
Resource: "*",
}]
}
}]
});refined-printer-82490
03/30/2023, 12:54 PM Copy code
Diagnostics:
aws:iam:Role (prefect-ecs-task-role):
error: aws:iam/role:Role resource 'prefect-ecs-task-role' has a problem: Expected Object Type: Expected object, got string. Examine values at 'Role.InlinePolicies'.refined-printer-82490
03/30/2023, 1:07 PMHere's the full script:
Copy code
import * as pulumi from "@pulumi/pulumi";
import * as aws from "@pulumi/aws";
import * as awsx from "@pulumi/awsx";
const config = new pulumi.Config();
const cpu = config.getNumber("cpu") || 512;
const memory = config.getNumber("memory") || 128;
const image = config.get("image") || "prefecthq/prefect:2-python3.9";
const prefectApiUrl = config.require("prefect-api-url")
const prefectApiKey = config.require("prefect-api-key")
const prefectQueue = config.get("prefect-queue") || "default";
// An ECS cluster to deploy into
const cluster = new aws.ecs.Cluster("prefect-cluster", {});
const assumeRolePolicy: aws.iam.PolicyDocument = {
Version: "2012-10-17",
Statement: [
{
Action: "sts:AssumeRole",
Principal: {
Service: "<http://ecs-tasks.amazonaws.com|ecs-tasks.amazonaws.com>"
},
Effect: "Allow",
Sid: "",
},
],
};
const executionPolicy = new aws.iam.Policy("prefect-ecs-execution-policy", {
policy: {
Version: "2012-10-17",
Statement: [{
Effect: "Allow",
Action: [
"ssm:GetParameters",
"logs:CreateLogStream",
"logs:CreateLogGroup",
"logs:PutLogEvents",
],
Resource: "*",
}]
}
}
);
const executionRole = new aws.iam.Role("prefect-ecs-execution-role", {
assumeRolePolicy: assumeRolePolicy,
inlinePolicies: [executionPolicy]
});
const taskPolicy = new aws.iam.Policy("prefect-ecs-task-policy", {
policy: {
Version: "2012-10-17",
Statement: [{
Effect: "Allow",
Action: [
"s3:*",
"ecs:RegisterTaskDefinition",
"ecs:DeregisterTaskDefinition",
"ecs:DescribeTasks",
"ecs:RunTask",
"logs:GetLogEvents",
"ec2:DescribeSubnets",
"ec2:DescribeVpcs",
],
Resource: "*",
}]
}
}
);
const taskRole = new aws.iam.Role("prefect-ecs-task-role", {
assumeRolePolicy: assumeRolePolicy,
inlinePolicies: [taskPolicy]
});
// Deploy an ECS Service on Fargate to host the application container
const service = new awsx.ecs.FargateService("prefect-ecs-service", {
cluster: cluster.arn,
taskDefinitionArgs: {
container: {
image: image,
cpu: cpu,
memory: memory,
essential: true,
entryPoint: [
"bash",
"-c",
],
stopTimeout: 120,
environment: [
{
name: "PREFECT_LOGGING_LEVEL",
value: "INFO",
},
{
name: "AWS_RETRY_MODE",
value: "adaptive",
},
{
name: "AWS_MAX_ATTEMPTS",
value: "10",
},
],
command: [`prefect agent start -q ${prefectQueue}`],
// logConfiguration: {
// logDriver: "awslogs",
// options: {
// "awslogs-region": awsRegion,
// "awslogs-group": prefectLogGroup.id,
// "awslogs-stream-prefix": project,
// },
// },
secrets: [
{
name: "PREFECT_API_URL",
valueFrom: prefectApiUrl,
},
{
name: "PREFECT_API_KEY",
valueFrom: prefectApiKey
},
],
},
// The execution role that the Amazon ECS container agent and the Docker daemon can assume.
executionRole: {
roleArn: executionRole.arn
},
// IAM role that allows your Amazon ECS container task to make calls to other AWS services.
taskRole: {
roleArn: taskRole.arn
},
},
});pulumi up Copy code
❯ pulumi up
Previewing update (dev)
View in Browser (Ctrl+O): <https://app.pulumi.com/markns/my-container-service/dev/previews/6403bdbc-ea02-4240-8407-bdbd6d17de44>
Type Name Plan
+ pulumi:pulumi:Stack my-container-service-dev create
+ ├─ aws:ecs:Cluster prefect-cluster create
+ ├─ aws:iam:Policy prefect-ecs-task-policy create
+ ├─ aws:iam:Policy prefect-ecs-execution-policy create
+ ├─ aws:iam:Role prefect-ecs-task-role create
+ ├─ aws:iam:Role prefect-ecs-execution-role create
+ └─ awsx:ecs:FargateService prefect-ecs-service create
+ ├─ awsx:ecs:FargateTaskDefinition prefect-ecs-service create
+ │ ├─ aws:cloudwatch:LogGroup prefect-ecs-service create
+ │ └─ aws:ecs:TaskDefinition prefect-ecs-service create
+ ├─ aws:ec2:SecurityGroup prefect-ecs-service-sg create
+ └─ aws:ecs:Service prefect-ecs-service create
Resources:
+ 12 to create
Do you want to perform this update? yes
Updating (dev)
View in Browser (Ctrl+O): <https://app.pulumi.com/markns/my-container-service/dev/updates/16>
Type Name Status Info
+ pulumi:pulumi:Stack my-container-service-dev created (1s)
+ ├─ aws:ecs:Cluster prefect-cluster created (12s)
+ ├─ aws:iam:Policy prefect-ecs-execution-policy created (3s)
+ ├─ aws:iam:Policy prefect-ecs-task-policy created (3s)
└─ aws:iam:Role prefect-ecs-task-role **failed** 1 error
Diagnostics:
aws:iam:Role (prefect-ecs-task-role):
error: aws:iam/role:Role resource 'prefect-ecs-task-role' has a problem: Expected Object Type: Expected object, got string. Examine values at 'Role.InlinePolicies'.
Resources:
+ 4 created
Duration: 18srefined-printer-82490
03/30/2023, 1:08 PMStrange that the preview succeeds, but the actual calls to the AWS api fail
refined-printer-82490
03/30/2023, 2:13 PM Copy code
const executionPolicy = new aws.iam.Policy("prefect-ecs-execution-policy", {
name: "prefect-ecs-execution-policy",
policy: {
Version: "2012-10-17",
Statement: [{
Effect: "Allow",
Action: [
"ssm:GetParameters",
"logs:CreateLogStream",
"logs:CreateLogGroup",
"logs:PutLogEvents",
],
Resource: "*",
}]
}
}
);
const executionRole = new aws.iam.Role("prefect-ecs-execution-role", {
assumeRolePolicy: assumeRolePolicy,
// inlinePolicies: [executionPolicy]
});
const rolePolicyAttachment = new aws.iam.RolePolicyAttachment("prefect-ecs-execution-rpa", {
role: executionRole,
policyArn: executionPolicy.arn,
});inlinePolicies29 Views
Pulumi Community
No matter how you like to participate in developer communities, Pulumi wants to meet you there. If you want to meet other Pulumi users to share use-cases and best practices, contribute code or documentation, see us at an event, or just tell a story about something cool you did with Pulumi, you are part of our community.
Powered by