pulumi / examples

Infrastructure, containers, and serverless apps to AWS, Azure, GCP, and Kubernetes... all deployed with Pulumi
https://www.pulumi.com
Apache License 2.0

Audit examples for default AWS VPC assumptions #971

Open joeduffy opened 3 years ago

joeduffy commented 3 years ago

Some of our AWS examples assume you have a default VPC, and break if you do not. It is often common security practice to delete an account's default VPC upon creation to avoid accidental ingress/egress exposure of private endpoints. And us-east-1 accounts created before a certain date don't have one. I don't have the exact failure information but speaking as someone who had such an account, the failure mode was not pleasant. We should audit our examples for those that depend on default VPCs and call this out in the instructions and/or code as a comment. I wish the error here was much better too.

mikemaccana commented 3 years ago

Just ran into this bug now - how would you advise a potential customer to work around this and get the examples running?

(without having to set a default VPC if possible)

~/Code/mycompany/pulumi-examples/aws-ts-hello-fargate$ pulumi stack init dev
Created stack 'dev'
~/Code/mycompany/pulumi-examples/aws-ts-hello-fargate$ pulumi config set aws:region us-east-2
~/Code/mycompany/pulumi-examples/aws-ts-hello-fargate$ pulumi up
Previewing update (dev)

View Live: https://app.pulumi.com/mikemaccana/aws-ts-hello-fargate/dev/previews/65dad80e-a460-47a9-8121-d58c9345f580

     Type                 Name                      Plan     Info
     pulumi:pulumi:Stack  aws-ts-hello-fargate-dev           1 message

Diagnostics:
  pulumi:pulumi:Stack (aws-ts-hello-fargate-dev):
    error: It looks like the Pulumi SDK has not been installed. Have you run npm install or yarn install?

error: failed to load language plugin nodejs: could not read plugin [/home/mike/.pulumi/bin/pulumi-language-nodejs] stdout: EOF
~/Code/mycompany/pulumi-examples/aws-ts-hello-fargate$ npm i
npm WARN deprecated uuid@3.3.2: Please upgrade  to version 7 or higher.  Older versions may use Math.random() in certain circumstances, which is known to be problematic.  See https://v8.dev/blog/math-random for details.

added 119 packages, and audited 120 packages in 19s

26 packages are looking for funding
  run `npm fund` for details

found 0 vulnerabilities
~/Code/mycompany/pulumi-examples/aws-ts-hello-fargate$ pulumi up
Previewing update (dev)

View Live: https://app.pulumi.com/mikemaccana/aws-ts-hello-fargate/dev/previews/6994f5e3-0e40-41d6-bfca-9567881c64a3

     Type                                          Name                        Plan       Info
 +   pulumi:pulumi:Stack                           aws-ts-hello-fargate-dev    create     1 error
 +   ├─ awsx:x:ecs:Cluster                         cluster                     create
 +   │  ├─ awsx:x:ec2:SecurityGroup                cluster                     create
 +   │  │  ├─ awsx:x:ec2:EgressSecurityGroupRule   cluster-egress              create
 +   │  │  ├─ awsx:x:ec2:IngressSecurityGroupRule  cluster-containers          create
 +   │  │  └─ awsx:x:ec2:IngressSecurityGroupRule  cluster-ssh                 create
 +   │  └─ aws:ecs:Cluster                         cluster                     create
 +   ├─ awsx:x:ecs:FargateTaskDefinition           app-svc                     create
 +   │  ├─ aws:iam:Role                            app-svc-task                create
 +   │  ├─ aws:ecr:Repository                      app-img                     create
 +   │  ├─ aws:iam:Role                            app-svc-execution           create
 +   │  ├─ aws:cloudwatch:LogGroup                 app-svc                     create
 +   │  ├─ aws:ecr:LifecyclePolicy                 app-img                     create
 +   │  ├─ aws:iam:RolePolicyAttachment            app-svc-task-0cbb1731       create
 +   │  ├─ aws:iam:RolePolicyAttachment            app-svc-task-b5aeb6b6       create
 +   │  ├─ aws:iam:RolePolicyAttachment            app-svc-execution-9a42f520  create
 +   │  └─ aws:iam:RolePolicyAttachment            app-svc-execution-58ed699a  create
 +   ├─ awsx:x:ecs:FargateService                  app-svc                     create
 +   └─ aws:lb:ApplicationLoadBalancer             net-lb                      create
 +      ├─ awsx:lb:ApplicationTargetGroup          web                         create
 +      └─ awsx:lb:ApplicationListener             web                         create
 +         ├─ awsx:x:ec2:IngressSecurityGroupRule  web-external-0-ingress      create
 +         └─ awsx:x:ec2:EgressSecurityGroupRule   web-external-0-egress       create

Diagnostics:
  pulumi:pulumi:Stack (aws-ts-hello-fargate-dev):
    error: Running program '/home/mike/Code/mycompany/pulumi-examples/aws-ts-hello-fargate' failed with an unhandled exception:
    Error: invocation of aws:ec2/getVpc:getVpc returned an error: invoking aws:ec2/getVpc:getVpc: 1 error occurred:
      * no matching VPC found

        at Object.callback (/home/mike/Code/mycompany/pulumi-examples/aws-ts-hello-fargate/node_modules/@pulumi/pulumi/runtime/invoke.js:139:33)
        at Object.onReceiveStatus (/home/mike/Code/mycompany/pulumi-examples/aws-ts-hello-fargate/node_modules/@grpc/grpc-js/src/client.ts:338:26)
        at Object.onReceiveStatus (/home/mike/Code/mycompany/pulumi-examples/aws-ts-hello-fargate/node_modules/@grpc/grpc-js/src/client-interceptors.ts:426:34)
        at Object.onReceiveStatus (/home/mike/Code/mycompany/pulumi-examples/aws-ts-hello-fargate/node_modules/@grpc/grpc-js/src/client-interceptors.ts:389:48)
        at /home/mike/Code/mycompany/pulumi-examples/aws-ts-hello-fargate/node_modules/@grpc/grpc-js/src/call-stream.ts:276:24
        at processTicksAndRejections (internal/process/task_queues.js:75:11)

sarink commented 1 year ago

This renders the "get started with pulumi!" examples useless. What's the workaround?

mkyukov commented 1 year ago

Facing the same issue.

scottslowe commented 1 year ago

@sarink @mkyukov Can you clarify which "Get Started with Pulumi" examples are affected by this issue?

Also, the workaround is to create your own VPC, either using AWSX (Crosswalk for AWS) or the standard AWS resources.

scottslowe commented 1 year ago

The following examples appear to be affected:

aws-cs-eks
aws-py-ecs-instances-autoapi
aws-go-eks
aws-py-fargate
aws-cs-fargate
aws-ts-pulumi-miniflux

This list is not necessarily complete.

antdking commented 1 year ago

An additional problem is the default security group can be changed to be less permissive. This will allow Pulumi to run, but will result in services failing.

For example, aws-py-ecs-instances-autoapi will fail health checks, preventing the instances from going live in the LB Target Group. ref: https://pulumi-community.slack.com/archives/C84L4E3N1/p1693386835875179
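The two failure modes in this thread (scottslowe's list of examples that look up a default VPC and fail with "no matching VPC found", and antdking's point that a tightened default security group lets the deployment succeed but breaks health checks) can both be caught before running `pulumi up`. The following preflight script is an added example, not code from the pulumi/examples repository or from any of the commenters. It evaluates the JSON that `aws ec2 describe-vpcs` and `aws ec2 describe-security-groups` print; the JSON documents embedded at the bottom are constructed for the example, and the check assumes that the example's tasks use the VPC's default security group and that load balancer health checks arrive from inside the VPC CIDR on `container_port`.

```python
"""Preflight check for the default-VPC assumption discussed in this issue.

Added example, not code from the pulumi/examples repository. It reads the
JSON printed by `aws ec2 describe-vpcs` and `aws ec2 describe-security-groups`
and reports two failure modes before `pulumi up` is attempted:
  1. no default VPC in the region (the "no matching VPC found" error above);
  2. a default VPC whose default security group has been tightened so that
     traffic on the container port from inside the VPC is no longer admitted
     (the health-check failure described in the thread). Assumption: the
     tasks use the default security group and health checks arrive from
     within the VPC CIDR on `container_port`.
The JSON documents at the bottom are constructed for this example.
"""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional


@dataclass(frozen=True)
class Finding:
    ok: bool
    message: str


def find_default_vpc(describe_vpcs: dict) -> Optional[dict]:
    """Return the VPC flagged IsDefault, or None when the region has none."""
    return next((v for v in describe_vpcs.get("Vpcs", []) if v.get("IsDefault")), None)


def find_default_sg(describe_sgs: dict, vpc_id: str) -> Optional[dict]:
    """Return the security group named 'default' that belongs to vpc_id."""
    return next(
        (sg for sg in describe_sgs.get("SecurityGroups", [])
         if sg.get("VpcId") == vpc_id and sg.get("GroupName") == "default"),
        None,
    )


def _covers_tcp_port(perm: dict, port: int) -> bool:
    """True if one IpPermissions entry covers TCP `port` (or all traffic)."""
    proto = perm.get("IpProtocol")
    if proto == "-1":  # AWS encodes "all traffic" as protocol -1
        return True
    if proto != "tcp":
        return False
    return perm.get("FromPort", -1) <= port <= perm.get("ToPort", -1)


def sg_allows_port_from_vpc(sg: dict, port: int, vpc_cidr: str) -> bool:
    """Does `sg` admit TCP `port` from anywhere inside the VPC?

    Two rule shapes count: a source CIDR that contains the whole VPC block,
    or the stock default-SG rule that admits members of the group itself.
    """
    vpc_net = ipaddress.ip_network(vpc_cidr)
    for perm in sg.get("IpPermissions", []):
        if not _covers_tcp_port(perm, port):
            continue
        if any(p.get("GroupId") == sg["GroupId"] for p in perm.get("UserIdGroupPairs", [])):
            return True
        for rng in perm.get("IpRanges", []):
            if ipaddress.ip_network(rng["CidrIp"]).supernet_of(vpc_net):
                return True
    return False


def preflight(describe_vpcs: dict, describe_sgs: dict, container_port: int = 80) -> List[Finding]:
    """Evaluate both failure modes and return one Finding per check."""
    vpc = find_default_vpc(describe_vpcs)
    if vpc is None:
        return [Finding(False, "no default VPC in this region: examples that look up the "
                               "default VPC will fail with 'no matching VPC found'; "
                               "create a VPC explicitly instead")]
    findings = [Finding(True, f"default VPC {vpc['VpcId']} ({vpc['CidrBlock']}) present")]
    sg = find_default_sg(describe_sgs, vpc["VpcId"])
    if sg is None:
        findings.append(Finding(False, f"no 'default' security group found for {vpc['VpcId']}"))
    elif sg_allows_port_from_vpc(sg, container_port, vpc["CidrBlock"]):
        findings.append(Finding(True, f"{sg['GroupId']} admits TCP {container_port} from inside the VPC"))
    else:
        findings.append(Finding(False, f"{sg['GroupId']} does not admit TCP {container_port} from "
                                       f"{vpc['CidrBlock']}: load balancer health checks will fail"))
    return findings


# ---- constructed sample output (not captured from a real account) ----
VPCS_NONE = {"Vpcs": [{"VpcId": "vpc-0aaa000000000000a", "IsDefault": False, "CidrBlock": "10.0.0.0/16"}]}
VPCS_DEFAULT = {"Vpcs": [{"VpcId": "vpc-0ddd000000000000d", "IsDefault": True, "CidrBlock": "172.31.0.0/16"}]}
SGS_STOCK = {"SecurityGroups": [{
    "GroupId": "sg-0ddd000000000000d", "GroupName": "default", "VpcId": "vpc-0ddd000000000000d",
    # the rule AWS creates in a fresh default SG: all traffic from the group itself
    "IpPermissions": [{"IpProtocol": "-1", "UserIdGroupPairs": [{"GroupId": "sg-0ddd000000000000d"}]}],
}]}
SGS_TIGHTENED = {"SecurityGroups": [{
    "GroupId": "sg-0ddd000000000000d", "GroupName": "default", "VpcId": "vpc-0ddd000000000000d",
    # hardened by an operator: only SSH from one office range, nothing from inside the VPC
    "IpPermissions": [{"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
                       "IpRanges": [{"CidrIp": "203.0.113.0/24"}]}],
}]}

if __name__ == "__main__":
    for label, vpcs, sgs in [("no default VPC", VPCS_NONE, SGS_STOCK),
                             ("stock default VPC", VPCS_DEFAULT, SGS_STOCK),
                             ("tightened default SG", VPCS_DEFAULT, SGS_TIGHTENED)]:
        print(f"== {label}")
        for f in preflight(vpcs, sgs):
            print(("ok   " if f.ok else "FAIL ") + f.message)
```

Against a real account, feed `preflight` the parsed output of `aws ec2 describe-vpcs` and `aws ec2 describe-security-groups` for the region the stack targets (`aws:region` in the examples above); a FAIL on the first check is the "no matching VPC found" case from this thread, and a FAIL on the second is the quieter case where the deployment succeeds but targets never pass their health checks.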