When creating/ configuring an EC2 instance I need to specify the Domain join directory and IAM role as shown here in the console. How do I do this with pulumi?

The role is wrapped in an instance profile in the API/SDK, and Pulumi uses that. There's an

iamInstanceProfile

parameter that takes the ID of the profile.

Hmm, I can't see that @little-cartoon-10569.

It's on that page. https://www.pulumi.com/docs/reference/pkg/aws/ec2/instance/#iaminstanceprofile_nodejs

iam_instance_profile - got it

Good luck!

Cheers @little-cartoon-10569 - that definitely helps. If I have multiple instances, can I just supply them in the InstanceIds value array, or do I need discrete associations? (apols - I'm at the limit of my knowledge with SSM)

IDs in the array works. Or you can tag them and associate with a filter that matches the tag. Have a look in the SSM ui: the SDK (and Pulumi) supports everything that the UI does.

Cheers!

I use one association per instance, both in the instance's stack. That way when I destroy the instance (via its stack), the association can be easily destroyed. Don't need to worry about updating a shared association.

OK, that makes sense. At the moment VPN, Managed AD, Subnets, SSM Doc, Associations, EC2 Instances etc are all in the one project. How easy is it to refactor these later?

Quite easy. Read up on StackReferences and imports. https://www.pulumi.com/docs/intro/concepts/stack/#stackreferences https://www.pulumi.com/docs/intro/concepts/resources/#import To migrate a resource from one project to another, you would import it into the new project (and move the code from the old project to the new one), then use

pulumi state delete

to remove it from the old state. To use a resource in the new project but have it stay in the old project, you would use a StackReference.

Thanks @little-cartoon-10569. What's the python equivalent of your

pulumi.all().apply()

call above? I have the folllowing:

instance_startup_doc = aws.ssm.Document(
    f"{env}-{name}-ad-ec2-domain-join",
    document_type="Command",
    document_format="JSON",
    target_type="/AWS::EC2::Instance",
    content=json.dumps(
        {
            "schemaVersion": "2.2",
            "description": "Join a Windows machine to the domain",
            "parameters": {},
            "mainSteps": [
                {
                    "name": "joinDomain",
                    "action": "aws:domainJoin",
                    "inputs": {
                        "directoryId": managed_ad.id,
                        "directoryName": managed_ad.name,
                    },
                }
            ],
        }
    ),
    ...
)

... but pulumi up throws

TypeError: Object of type Output is not JSON serializable

, presumably because the managed_ad props are not yet realised.

Yes, you'd want to call

json.dumps()

inside an

apply()

. Your link is to the theory. This link goes to the API specs:https://www.pulumi.com/docs/reference/pkg/python/pulumi/

Brill... ta

Looks like you want

Output.all(managed_ad.id, managed_ad.name).apply()

. Very vague on how to pass a Callable into that though, sorry....

FWIW I was looking for that python doc in the Reference list on the left hand side and couldn't see it. I now see it's down the bottom of the API index page. Maybe a small UX doc improvement suggestion 🙂

Yes, they're working on the API specs right now, there's already been 2 or 3 improvements in the last few weeks.

🎉

And I really feel for C#, golang and Python users.. TS/JS layout isn't awesome but it's a lot better than the others...

Looks like Pulumi sets the associations up ok, but they're failing with this error: https://forums.aws.amazon.com/thread.jspa?messageID=966819

Haven't seen that before. Does it work sometimes and not other times? Looks like it might be adding an instance to the domain twice?

Yeah it fails reliably. Sadly the instance isn't actually added to the AD domain.

Maybe the bug is not only that it doesn't work, but also that the error message is wildly inaccurate. There's a few things to check when getting SSM working with EC2 instances. Odd ports need to be open. Same applies to getting them working with AD.

Cool - I'll check those out. Know this isn't AWS support, so thanks for the pointers!