# aws

clever-application-67149

03/01/2023, 4:35 PM
Greetings All. I'm trying to deploy a Pulumi upgrade and the build keeps complaining about the alias that we add on one of our certificates (`aws:acm/certificate:Certificate`). Specifically, we're getting the error:
```
error: Error: No valid 'type' passed in for alias.
    at /home/labuser/.cache/bazel/_bazel_labuser/34360f705a4b3bbdc2679b46775386d6/execroot/artemis/node_modules/@pulumi/resource.ts:516:19
    at /home/labuser/.cache/bazel/_bazel_labuser/34360f705a4b3bbdc2679b46775386d6/execroot/artemis/node_modules/@pulumi/output.ts:383:31
    at Generator.next (<anonymous>)
    at /home/labuser/.cache/bazel/_bazel_labuser/34360f705a4b3bbdc2679b46775386d6/execroot/artemis/node_modules/@pulumi/pulumi/output.js:21:71
    at new Promise (<anonymous>)
    at __awaiter (/home/labuser/.cache/bazel/_bazel_labuser/34360f705a4b3bbdc2679b46775386d6/execroot/artemis/node_modules/@pulumi/pulumi/output.js:17:12)
    at applyHelperAsync (/home/labuser/.cache/bazel/_bazel_labuser/34360f705a4b3bbdc2679b46775386d6/execroot/artemis/node_modules/@pulumi/pulumi/output.js:236:12)
    at /home/labuser/.cache/bazel/_bazel_labuser/34360f705a4b3bbdc2679b46775386d6/execroot/artemis/node_modules/@pulumi/output.ts:302:65
    at dynatraceRegularInvoke (/opt/dynatrace/oneagent/agent/bin/1.259.304.20230210-081346/any/nodejs/nodejsagent.js:3093:20)
    at Object.a.safeInvoke (/opt/dynatrace/oneagent/agent/bin/1.259.304.20230210-081346/any/nodejs/nodejsagent.js:3168:41)
```
This error is down in the `resource.ts` file here: https://github.com/pulumi/pulumi/blob/24f0ae32f7c02bf1906a6081cab81217872c7d38/sdk/nodejs/resource.ts#L516

We created our own `CertificateManager` class, which has a `getCert()` method for creating the necessary certs for our web properties. One of those certs (support) needs an Alias added to it, and our code in the `getCert()` method handles that. Here's the code:
```typescript
  public getCert(
    name: string,
    zone: aws.route53.Zone,
    domainName?: string,
  ): aws.acm.CertificateValidation {
    let certAlias: CustomResourceOptions = {};
    // Add required alias for the support cert.
    if (name === "support") {
      certAlias = {
        aliases: [
          {
            name: this.config.getResourceName("supportability-cert"),
            type: "aws:acm/certificate:Certificate",
          },
        ],
      };
    }
    const cert = new aws.acm.Certificate(
      this.config.getResourceName(`${name}-cert`),
      {
        domainName: domainName ?? zone.name,
        tags: this.config.getTags(),
        validationMethod: "DNS",
      },
      certAlias,
    );

    const validationRecords = cert.domainValidationOptions.apply(
      (domainValidationOptions) => {
        return domainValidationOptions.map((domainValidationOption) => {
          return new aws.route53.Record(
            `validation-record-${domainValidationOption.domainName}`,
            {
              allowOverwrite: true,
              name: domainValidationOption.resourceRecordName,
              records: [domainValidationOption.resourceRecordValue],
              ttl: ONE_HOUR,
              type: domainValidationOption.resourceRecordType,
              zoneId: zone.zoneId,
            },
          );
        });
      },
    );

    let certValidationAlias: CustomResourceOptions = {};
    // Add required alias for the support cert.
    if (name === "support") {
      certValidationAlias = {
        aliases: [
          {
            name: this.config.getResourceName("certificate-validation"),
            type: "aws:acm/certificateValidation:CertificateValidation",
          },
        ],
      };
    }
    return new aws.acm.CertificateValidation(
      this.config.getResourceName(`${name}-certificate-validation`),
      {
        certificateArn: cert.arn,
        validationRecordFqdns: validationRecords.apply((records) =>
          records.map((record) => record.fqdn),
        ),
      },
      certValidationAlias,
    );
  }
```
Based on these select lines from the build output (running a Pulumi Preview), the cert handling is working for everything but the `support` cert that is supposed to get the alias.
```
pulumi:pulumi:Stack pulumi-artemis-infrastructure running error: Error: No valid 'type' passed in for alias.
aws:acm:Certificate artemis-dev-artemis-dev-chat-proxy-cert  [diff: ~provider]
aws:acm:Certificate artemis-dev-search-cert  [diff: ~provider]
aws:acm:CertificateValidation artemis-dev-search-certificate-validation  [diff: ~provider]
```
So, the non-support cases, where we include an empty object for the `CustomResourceParameters` for the `new Certificate`, it works. When we add the alias and type for the support cert, it fails. In `resources.ts` on line 506, the `collapseAliasToUrn` function should be taking the explicit type that we're providing in favor of the passed `defaultType`, so how that type becomes `undefined` and triggers the error on line 516, I haven't a clue.

This code had been working, but started causing problems when we updated Pulumi. Here are the version changes:
- @pulumi/aws from 5.10.0 to 5.30.0
- @pulumi/awsx from 0.40.0 to 1.0.2
- @pulumi/docker from 3.2.0 to 3.6.1
- @pulumi/kubernetes from 3.19.4 to 3.24.1
- @pulumi/pulumi from 3.35.3 to 3.55.0

Could this be a state problem? Do we need to sync from the deployed state before we run another build? I confess that I'm at a loss.

salmon-gold-74709

03/02/2023, 6:20 PM
Interesting idea, @clever-application-67149 - worth trying Pulumi 3.42.0 then 3.43.0, since the latter is the release where structured aliases were added: https://github.com/pulumi/pulumi/releases/tag/v3.43.0 (only a Python-related fix in 3.43.1)

clever-application-67149

03/02/2023, 6:52 PM
@salmon-gold-74709, I had been downgrading Pulumi but had only gotten to 3.49.0. I downgraded to 3.42.0 and the `No valid 'type' passed in for alias` error is gone, but now I have a serialization error on the same `aws:acm/certificate:Certificate`:
```
error: Error: failed to register new resource artemis-dev-support-cert [aws:acm/certificate:Certificate]: 13 INTERNAL: Request message serialization failure: Assertion failed: Expected string but got %s: %s.
        at Object.registerResource (/home/labuser/.cache/bazel/_bazel_labuser/34360f705a4b3bbdc2679b46775386d6/execroot/artemis/node_modules/@pulumi/aws/node_modules/@pulumi/runtime/resource.ts:339:27)
        at new Resource (/home/labuser/.cache/bazel/_bazel_labuser/34360f705a4b3bbdc2679b46775386d6/execroot/artemis/node_modules/@pulumi/aws/node_modules/@pulumi/resource.ts:398:13)
        at new CustomResource (/home/labuser/.cache/bazel/_bazel_labuser/34360f705a4b3bbdc2679b46775386d6/execroot/artemis/node_modules/@pulumi/aws/node_modules/@pulumi/resource.ts:782:9)
        at new Certificate (/home/labuser/.cache/bazel/_bazel_labuser/34360f705a4b3bbdc2679b46775386d6/execroot/artemis/node_modules/@pulumi/acm/certificate.ts:334:9)
        at CertificateManager.getCert (/home/labuser/.cache/bazel/_bazel_labuser/34360f705a4b3bbdc2679b46775386d6/execroot/artemis/bazel-out/k8-fastbuild/bin/infrastructure/infrastructure/artemis/src/aws/certificate.ts:36:18)
        at new SupportCloudFront (/home/labuser/.cache/bazel/_bazel_labuser/34360f705a4b3bbdc2679b46775386d6/execroot/artemis/bazel-out/k8-fastbuild/bin/infrastructure/infrastructure/artemis/src/aws/cloudfront/support.ts:64:44)
        at Injector.instantiateClass (/home/labuser/.cache/bazel/_bazel_labuser/34360f705a4b3bbdc2679b46775386d6/execroot/artemis/bazel-out/k8-fastbuild/bin/infrastructure/node_modules/@nestjs/core/injector/injector.js:330:19)
        at callback (/home/labuser/.cache/bazel/_bazel_labuser/34360f705a4b3bbdc2679b46775386d6/execroot/artemis/bazel-out/k8-fastbuild/bin/infrastructure/node_modules/@nestjs/core/injector/injector.js:48:41)
        at Injector.resolveConstructorParams (/home/labuser/.cache/bazel/_bazel_labuser/34360f705a4b3bbdc2679b46775386d6/execroot/artemis/bazel-out/k8-fastbuild/bin/infrastructure/node_modules/@nestjs/core/injector/injector.js:122:24)
        at Injector.loadInstance (/home/labuser/.cache/bazel/_bazel_labuser/34360f705a4b3bbdc2679b46775386d6/execroot/artemis/bazel-out/k8-fastbuild/bin/infrastructure/node_modules/@nestjs/core/injector/injector.js:52:9)
```
Now what? Do I need to downgrade `@pulumi/aws` and `@pulumi/awsx` as well?

salmon-gold-74709

03/02/2023, 7:18 PM
Best to re-test with 3.43.0 - assuming that shows the original error, I would log a GitHub issue about the aliases error.
Not sure about the new error and other modules - if they have any dependencies on the `pulumi` module you may need to update them, and hopefully any package.json constraints will figure this out (I'm not a Node person though)