Channels
pulumi-ai
package-authoring
pulumi-cdk
oracle-cloud-infrastructure
learn-pulumi-events
linen
registry
built-with-pulumi
pulumi-cloud
contribex
testingtesting321
hacktoberfest
cloudengineering
yaml
pulumi-crosscode
content-share
finops
multi-language-hackathon
office-hours
workshops
blog-posts
localstack
welcome
gitlab
pulumi-kubernetes-operator
jobs
aws
pulumi-deployments
dotnet
golang
announcements
java
pulumiverse
python
install
getting-started
cloudengineering-support
testingtesting123
hackathon-03-19-2020
typescript
google-cloud
contribute
azure
kubernetes
docs
automation-api
status
general
Title
p
purple-plumber-90981
11/17/2021, 11:54 PMcan someone link me some python code showing usage of stackreference/get_output to get the outputs from a previously created stack as input to another resource…. I have usecase of trying to create an AWS IAM policy in stack2 requiring an arn and url string exported in stack1
b
billowy-army-68599
11/17/2021, 11:56 PMhowever, if you're using if for an AWS IAM policy that won't work, it'll need to be done inside an apply, because an AWS IAM policy only takes a string
p
purple-plumber-90981
11/18/2021, 12:09 AMwhat is annoying about that is, stack1 is created and already exists so im referencing a resource that has current values for the bits that i need as strings
stack1 already has outputs created which have string values in the state file
b
billowy-army-68599
11/18/2021, 12:10 AMyeah, the value is going to be eventually resolved, because it needs to be grabbed from stack1, so it becomes an output
just because the values exist in the AWS console, doesn't mean the values exist in the context of the stack you're creating.
the path is:
• retrieve the values from stack1
• wait for that value to be returned
• then, do something with that value
p
purple-plumber-90981
11/18/2021, 12:11 AMbe nicer if there was a get_current_value_of_output_as_str() function
b
billowy-army-68599
11/18/2021, 12:12 AMthat's the thing, it can't ever be a string. Anything that is not known at runtime (ie, when the pulumi program runs) is always going to be an output
if you have to query some remote API value in Pulumi, it'll be an output
p
purple-plumber-90981
11/18/2021, 12:12 AMbut at runtime im referencing an external stack that already exists and has static values
so why the reason to wait for the result that is already there ?
b
billowy-army-68599
11/18/2021, 12:14 AMdoes the stack you're executing know the values that are in the remote stack?
p
purple-plumber-90981
11/18/2021, 12:15 AMthats what im trying to achieve…. i could just go read them from the stack1 statefile directly with python i guess as i know the config strings i need are in there
from an orchestration persoective i always build stack1 then build stack2
thus when stack2 is building, all stack1 resources already have static values
b
billowy-army-68599
11/18/2021, 12:16 AMI'm not really following what the desired outcome is here, is this to just avoid having to use an apply?
p
purple-plumber-90981
11/18/2021, 12:17 AMim seeking to understand why it is needed as i regularly have this issue with outputs that i need to be strings
my assumption is that it is catering to the situation where both stack1 and stack2 are being created at the same time and thus the values may not be ready for use yet in stack1
anyhow im wrapping it in an apply with still not a firm grasp on why this level of complexity is needed
b
billowy-army-68599
11/18/2021, 12:22 AMthat's not true, no. Any value that Pulumi has to retrieve from a remote API, whether it's the result of creating a resource, retrieving a stack reference or doing a
.getapplyp
purple-plumber-90981
11/18/2021, 12:23 AMappreciate the reading which i will review promptly once i have this code working with the apply 😉
b
billowy-army-68599
11/18/2021, 12:24 AMhappy to help if you want to share, based on what you've asked, I assume you're doing something EKS OIDC?
p
purple-plumber-90981
11/18/2021, 12:29 AMekscreate_stackref = pulumi.StackReference(f"{pulumi_stack_info['name']}-create")
longhorn_backup_role = aws.iam.Role(
f'longhorn-{pulumi_stack_info["region"]}-backup-role',
description = 'IAM role to allow longhorn to backup to s3 regional bucket',
force_detach_policies = True,
assume_role_policy=pulumi.Output.all(ekscreate_stackref.get_output('oidc_provider_arn'), ekscreate_stackref.get_output('oidc_provider_url')).apply(
lambda args: json.dumps(
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Principal": {
"Federated": args[0],
},thats the top of the current chunk for the role creation
the problem is in assume_role_policy which i need to reference the oidc bits created in the
-createaaaaand my pulumi deploy node just barfed with oome . . . might need to upsize memory
b
billowy-army-68599
11/18/2021, 12:48 AM@steep-sunset-89396 mind jumping in here to help out, I need to logout for the day.
you'll need to do:
ekscreate_stackref = pulumi.StackReference(f"{pulumi_stack_info['name']}-create")
ekscreate_stackref.get_output('oidc_provider_url'))
ekscreate_stackref.apply(
// create your role inside the apply
)s
steep-sunset-89396
11/18/2021, 12:56 AMHey folks, sorry I was catching up on the whole thread.
Hey Brett, how are you doing mate ?
p
purple-plumber-90981
11/18/2021, 1:07 AMhi buddy doing ok
except my ec2 node that i deploy pulumi from keeps barfing
Diagnostics:
pulumi:providers:aws (eu-west-1):
error: could not read plugin [/home/bmeehan/.pulumi/plugins/resource-aws-v4.28.0/pulumi-resource-aws] stdout: EOF
pulumi:pulumi:Stack (itplat-ipd-eks-use1-configure):
fatal error: runtime: out of memory
runtime stack:
runtime.throw(0x9606908, 0x16)time to scale up i think
s
steep-sunset-89396
11/18/2021, 1:08 AMWhat instance type are you using ?
p
purple-plumber-90981
11/18/2021, 1:08 AMi think its t3medium
s
steep-sunset-89396
11/18/2021, 1:13 AMI'm surprised you're running OOM. 4GB should be plenty. Do you have anything else running on it ?
p
purple-plumber-90981
11/18/2021, 1:19 AMyeah lots of mandatory environment stuff
i killed some and got a run in, . . . i guess my apply is almost right
Diagnostics:
aws:iam:Role (longhorn-us-east-1-backup-role):
error: 1 error occurred:
* 1 error occurred:
* creating inline policy (s3_policy): MalformedPolicyDocument: Actions/Condition can contain only one colon.
status code: 400, request id: 4eb8b37f-587a-4b92-a4b8-e8ee0b2fc29ajust checking the changeset
im using
"Condition": {
"StringLike": {f"{args[1]}:aud".replace('https://', ''): "<http://sts.amazonaws.com|sts.amazonaws.com>"},
},where args[1] is ekscreate_stackref.get_output(‘oidc_provider_url’)
results in
<snip>\"Condition\": {\"StringLike\": {\"<http://oidc.eks.us-east-1.amazonaws.com/id/<the_id_redacted>:aud\|oidc.eks.us-east-1.amazonaws.com/id/<the_id_redacted>:aud\>": \"<http://sts.amazonaws.com|sts.amazonaws.com>\"}}}]}"s
steep-sunset-89396
11/18/2021, 1:33 AMyes, the http 400 indicate the content of the policy is incorrect, but your logic seems right.
If someone reads this and wonders how this got solved...
"Action": ["s3:PutObject", "s3:GetObject", "s3:ListBucket", "s3:ListBucketMultipartUploads", "s3:DeleteObject" "s3:ListMultipartUploadParts"]"Action": ["s3:PutObject", "s3:GetObject", "s3:ListBucket", "s3:ListBucketMultipartUploads", "s3:DeleteObject", "s3:ListMultipartUploadParts"]Yes, there was a missing coma which is correct for Python and resulted in a string concatenation. Which generated the following policy
{
"Version": "2012-10-17",
"Statement": [
{
"Sid": "GrantLonghornBackupstoreAccess0",
"Effect": "Allow",
"Action": [
"s3:PutObject",
"s3:GetObject",
"s3:ListBucket",
"s3:ListBucketMultipartUploads",
"s3:DeleteObjects3:ListMultipartUploadParts"
],
"Resource": [
"arn:aws:s3:::aureq-us-east-1/*",
"arn:aws:s3:::aureq-us-east-1"
]
}
]
}l
little-cartoon-10569
11/18/2021, 8:56 PMI blame AWS.
😂 1