Pulumi Community #general

plain-rainbow-89145

05/06/2025, 2:12 PM

Hi everyone. We just converted from the free trial of Enterprise to a Team subscription and I realized our CI/CD errors out now due to the pulumi Github auth action using an organization token erroring out since we are not on an enterprise plan. What is the recommended alternative? Is there still a way to use the OIDC set up without the organization token?

acoustic-tiger-77630

05/06/2025, 7:48 PM

Hi All. I am doing some refactor in one of our providers due to API changes, and I am trying to regenerate the pulumi providers I am executing the command `$GOPATH/bin/upgrade-provider zscaler/pulumi-zpa --kind bridge`but then it returns the below errors whenever I attempt that. Does anyone have any guidance or other threads you can point me to where I can find a solution for it? Thank you

Copy code

warning: unable to convert HCL example for Pulumi entity '#/functions/%szpa:index/getPraConsoleController:getPraConsoleController'. The example will be dropped from any generated docs or SDKs: 1 error occurred:
	* [python] #-functions-%szpa:index-getPraConsoleController:getPraConsoleController.pp:2,5-7: unsupported attribute 'id'; unsupported attribute 'id', and 1 other diagnostic(s)


warning: unable to convert HCL example for Pulumi entity '#/functions/%szpa:index/getAppConnectorController:getAppConnectorController'. The example will be dropped from any generated docs or SDKs: 1 error occurred:
	* [python] #-functions-%szpa:index-getAppConnectorController:getAppConnectorController.pp:1,5-7: unknown property 'id' among [microtenantId microtenantName name]; , and 2 other diagnostic(s)


warning: unable to convert HCL example for Pulumi entity '#/functions/%szpa:index/getPRAApproval:getPRAApproval'. The example will be dropped from any generated docs or SDKs: 1 error occurred:
	* [python] failed to convert HCL for #/functions/%szpa:index/getPRAApproval:getPRAApproval to python: #-functions-%szpa:index-getPRAApproval:getPRAApproval.pp:0,57-2,2: cannot assign expression of type { emailIds: string } to location of type   {
    emailIds: list(output(string) | string) | output(list(string)) | output(list(string)?)?,
    id: output(string) | output(string?) | string?,
  }
| output({ emailIds: list(string)?, id: string? }): ;

brash-stone-71192

05/07/2025, 9:23 AM

Hello everyone, I am using pulumi postgresql provider 3.6.0 version and tried to update to latest one (3.15.1). I face the following issue: • I deploy a postgresql function with this provider, which is removed from pulumi state during pulumi refresh, after I upgrade to provider 3.15.1. • But function continues to exist inside postgresql itself Anyone faced similar issue? Is there some guide on how to properly upgrade a provider without issues?

brash-stone-71192

05/07/2025, 9:35 AM

Copy code

pgFunction, err := postgresql.NewFunction(ctx, "pg-function-test", &postgresql.FunctionArgs{
			Schema: pgSchema.Name,
			Name:   pulumi.String("pg_function_test"),
			Args: postgresql.FunctionArgArray{
				&postgresql.FunctionArgArgs{
					Name: pulumi.String("pid"),
					Type: pulumi.String("integer"),
				},
			},
			Returns: pulumi.String("boolean"),
			Language: pulumi.String("plpgsql"),
			SecurityDefiner: pulumi.Bool(true),
			Volatility: pulumi.String("VOLATILE"),
			Strict: pulumi.Bool(true),
			Body: pulumi.String(`AS $$
				...
				$$
					SET search_path = pg_catalog;`),
		}, pulumi.Provider(pgProvider))

bulky-oil-97030

05/08/2025, 8:15 AM

Heya everyone 👋 I have a really dumb question that has probably been asked before: Is there a way to enable dark mode on https://www.pulumi.com/registry and https://app.pulumi.com ? Easier on the old 👀 , ya know ...

many-furniture-46304

05/08/2025, 8:28 AM

Hello Pulumi enthusiasts 🙂 I have a question regarding the Random Provider. It states

Unless otherwise stated within the documentation of a specific resource, this provider's results are not sufficiently random for cryptographic use.

Looking at RandomString, the docs say

for sensitive random values please use random_password.

However, there is no mention on RandomPassword about using it for uniques as a random value for password. Can anyone support whether it is safe to use

Random Password

to create and manage passwords? Thanks in advance!

ancient-dream-54685

05/08/2025, 12:38 PM

Is there a limitation that output names cannot start with two underscores? e.g.

__my_output

adamant-autumn-75882

05/08/2025, 6:33 PM

what's the best way to import existing pulumi configuration in a github repo to pulumi cloud? ideally keeping some sort of sync

adamant-autumn-75882

05/08/2025, 6:33 PM

We have about 20-30 projects all with multiple env stacks all organized in various projects, and would want to have that come in

adamant-autumn-75882

05/08/2025, 6:53 PM

a one way sync would be absolutely fine(say pulumi cloud->github) but initially we need to do the opposite

famous-ambulance-44173

05/08/2025, 8:58 PM

hi team, I am building a comprehensive component for aws vpc and wanted your feedback about something. imagine you want to customize your route tables and you want to encode references to other objects inside your inputs. I want to support: • reference to objects defined as part of the same stack (e.g. other subnets, attachments, igw/vgw, etc.) • reference to arbitrary objects by id - this is simple, just put id • reference to an object based on tag(s) • reference to an object based on ssm value here is what I came up with (yaml):

Copy code

subnets:
  - name: ext-az1
    ...
  - name: ext-az2
    ...
attachments:
  - name: tgw-attachment
    # some parameters
  - name: cwan-attachment
    # some parameters
routeTables:
  - name: private
    routes:
      - destination: 0.0.0.0/0
        nextHop: igw
      - destination: ::/0
        nextHop: igw
      - destination: 10.0.0.0/8
        nextHop: tgw@tgw-attachment  # or cwan@cwan-attachment
      - destination: subnet@ext-az1.ipv4
        nextHop: vpce-123456
      - destination: subnet@ext-az1.ipv6
        nextHop: vpce-123456
      - destination: 10.1.0.0/24
        nextHop: pcx@tag:Name=MyPeering,Environment=Prod
      - destination: 10.2.0.0/24
        nextHop: pcx@ssm:/my/peering/id

what do you think about the syntax? how would you improve it / make clearer for the user?

sticky-translator-61903

05/08/2025, 9:50 PM

Wanted to share we are doing an in-person launch event for our new Seattle office June 11th 4-6pm for anyone in the area! https://www.meetup.com/pulumi-seattle/events/307677707

bored-vegetable-38523

05/09/2025, 10:50 AM

Hi all, am new to Pulumi and just getting started with evaluating a migration from Terraform to Pulumi. I know there is a #C01PF3E1B8V channel so will post in there for any any noobie gotchas but wondered if there were any posts, either on here or the blog, that share peoples experiences and architecture tips? Would be great to read a “if only I knew then what I know now” post or “what I would do differently” post. Thanks.

famous-ambulance-44173

05/11/2025, 6:02 PM

I need an advice as I can't get it to work. I am using aws-native provider for creating aws vpc component I create VPC, then create VpnGateway, then create VpcGatewayAttachment portion of code in question:

Copy code

vgw = awscc.ec2.VpnGateway(
            "vgw",
            tags=VPC.build_tags(
                config.common_tags,
                config.virtual_private_gateway.tags,
                Name=f"{config.name}-vgw",
            ),
            amazon_side_asn=config.virtual_private_gateway.asn,
            type="ipsec.1",
            **config.virtual_private_gateway.extra_args,
            opts=ResourceOptions(parent=self.vpc),
        )
        attachment = awscc.ec2.VpcGatewayAttachment(
            "vgw",
            opts=ResourceOptions(parent=vgw),
            vpc_id=self.vpc.id,
            vpn_gateway_id=vgw.id,
        )

so far so good, resources are created successfully. Then, I update ASN on VpnGateway, which should trigger replacement. here is what diff shows:

Copy code

└─ aws-native:ec2:Vpc                                 vpc                                    
 +-        ├─ aws-native:ec2:VpnGateway                       vgw                        replace     [diff: ~amazonSideAsn]
 ~         │  ├─ aws-native:ec2:VpcGatewayAttachment          vgw                        update      [diff: ~vpnGatewayId]

which is correct. however, if fails

Copy code

aws-native:ec2:VpnGateway (vgw):
    error: operation DELETE failed with "GeneralServiceException": Vpn Gateway is not in the correct state (Service: Ec2, Status Code: 400, Request ID: 34ada6f3-5619-4a5e-8dda-6d82916501ff) (SDK Attempt Count: 1)

because it must delete

VpcGatewayAttachment

first. how do I signal to pulumi that before attempting to delete

aws-native:ec2:VpnGateway

, it must delete its children, e.g.

aws-native:ec2:VpcGatewayAttachment

? I am pretty sure TF does it correctly. I tried playing around with

deleted_with

but I couldn't achieve the outcome I am looking for.

rhythmic-toothbrush-3026

05/12/2025, 7:51 AM

Hi, is this a bug or I'm doing something wrong: for the command: pulumi config --non-interactive set --plaintext --path "custom:sqlDatabase.maxSizeBytes" '-1' -s scus.stg I do get error message: error: unknown shorthand flag: '1' in -1 I do suppose you wrongly parse the value - or should I try something else? all I have tried ( "`"-1`"", "-1" ) has the same result. Only what works is: " -1" but the result is not what I do want - in configuration is:

Copy code

maxSizeBytes: ' -1'

instead of just -1

modern-spring-15520

05/12/2025, 6:51 PM

Reminder: there is an reddit AMA tomorrow with the IDP team. https://pulumi-community.slack.com/archives/CB36DSVSA/p1747045910977549

modern-spring-15520

05/12/2025, 6:51 PM

You can ask questions at any point or upvote qs that seem interesting here: https://www.reddit.com/r/pulumi/comments/1kiqtkc/pulumi_ama_tuesday_1_pm_pt_ask_us_about_idp/

colossal-jackal-46826

05/13/2025, 3:13 AM

hi, I need help. if I do something wrong or is that a bug? i want integrate one github organization with 2 pulumi organizations, but i cant. With document, https://www.pulumi.com/docs/iac/using-pulumi/continuous-delivery/github-app/ , the first integration works great. But in the second organization, I click the button 'Install the Pulumi Github App' in the deploy setting page of a stack, and got to github page allow all repository. And then back to pulumi, the button 'Install the Pulumi Github App' still there as the first screenshot I expect the button should disappear and there are some settings of repository for deploy, as the second screenshot. thank you.

bland-dinner-39530

05/13/2025, 6:50 PM

Hi all - QQ: when running pulumi locally, and adding secrets to my

Pulumi.stack.yaml

config, what key/phrase/secret is it using to encrypt the values in the yaml file? I have looked though

~/.config/pulumi

and i cant find anything that resembles a secret....would it be someone else on disk? is it a default? Thanks!

mammoth-memory-47255

05/13/2025, 11:01 PM

is it possible to add some custom validation to a pulumi stack? I'd like to be able to hook into various points: 1. Run a function over all defined resources. I was able to do this by registering a custom transformer that does some validation, but it's a bit of a hack and when I try to throw an error from the transformer it causes the entire pulumi process to hang (I literally have to kill it in task manager...) 2. Run a function over a proposed update plan.

mammoth-memory-47255

05/13/2025, 11:02 PM

(I'm using the Typescript SDK)

average-optician-67817

05/14/2025, 12:56 AM

Hello How you y'all use pulumi on a multi account environment with AWS? So far I have my root account Then I have my • production account • development account The idea is to re use my code across these account environments

mammoth-memory-47255

05/14/2025, 11:54 AM

Is it possible to add a custom resource to an existing provider? I want to make a custom resource that invokes a GCP CloudRun service, and uses the same credentials as the existing provider?

bumpy-plastic-18391

05/14/2025, 3:34 PM

Hi, we would like to opt out of pulumi to manage IaC lambdas on aws, i.e. we are managing more than 1k lambdas via pulumi, and we would like to migrate to the serverless framework ( org decision, not mine). is there an easy way to convert our pulumi IaC code to serverless framework? i have tried to find but dont seem to, any suggestions?

important-yak-39641

05/14/2025, 7:23 PM

hello everyone. i'm an ML engineer turned full stack engineer turned devops engineer since i'm the only engineer in my startup. pulumi has been an absolute godsend for someone like me. thanks! i'm using GCP for our infra. trying to set up a cloudbuild trigger to automate builds. here is my build trigger:

Copy code

frontend_trigger = gcp.cloudbuild.Trigger(
    "frontend-trigger",
    name="frontend-trigger",
    github={
        "owner": github_repo["owner"],
        "name": github_repo["repo"],
        "push": {
            "branch": "^main$",
        }
    },
    filename="frontend/infra/cloudbuild.yaml",
    substitutions={
        "_REGION": gcp_region, # set to us-west-1
        "_REPO": docker_repo, # set to frontend
    },
)

when i run pulumi up, i'm getting:

Copy code

Diagnostics:
  pulumi:pulumi:Stack (frontend-dev):
    error: update failed

  gcp:cloudbuild:Trigger (frontend-trigger):
    error:   sdk-v2/provider2.go:509: sdk.helper_schema: Error creating Trigger: googleapi: Error 400: Request contains an invalid argument.: provider=google-beta@8.25.0
    error: 1 error occurred:
    	* Error creating Trigger: googleapi: Error 400: Request contains an invalid argument.

i checked all the arguments for

frontend_trigger

against the Google source documentation and can't seem to find anything wrong. am i missing something dumb here?

lively-stone-61804

05/14/2025, 11:52 PM

Hello, I’m trying to run Pulumi inside of an AWS CodeBuild Runner, but it instantly hits rate limiting when trying to download Pulumi plugins from GitHub.

Copy code

E0514 22:00:43.551374     229 plugins.go:600] GitHub rate limit exceeded for <https://api.github.com/repos/pulumiverse/pulumi-time/releases/tags/v0.1.1>, try again in 6m52.448632995s. You can set GITHUB_TOKEN to make an authenticated request with a higher rate limit.
    pulumi:providers:time default_0_1_1_github_/api.github.com/pulumiverse/pulumi-time  error: Could not automatically download and install resource plugin 'pulumi-resource-time' at version v0.1.1, install the plugin using `pulumi plugin install resource time v0.1.1 --server <github://api.github.com/pulumiverse/pulumi-time>`: error downloading provider time to file: failed to download plugin: time-0.1.1: rate limit exceeded: 403 HTTP error fetching plugin from <https://api.github.com/repos/pulumiverse/pulumi-time/releases/tags/v0.1.1>

I’ve tried setting GITHUB_TOKEN to a PAT as the error message suggests, but that just gives an error that the PAT doesn’t have access to the repo. I configured the PAT to have permissions to public repos, but the public repo in this case would be Pulumi or Pulumiverse, not one under my user. I'm not seeing anything on GitHub for making a token that specifically has access to other people's public repos. Anyone know how to solve this?

Copy code

@ previewing update....E0514 23:35:54.453200     245 plugins.go:600] GitHub rate limit exceeded for <https://api.github.com/repos/pulumiverse/pulumi-time/releases/tags/v0.1.1>, try again in 26m47.546835696s. Your current GITHUB_TOKEN doesn't allow access to the repository, so we disabled it for this request. You can set GITHUB_TOKEN to a different token to make a request with a higher rate limit.
    pulumi:providers:time default_0_1_1_github_/api.github.com/pulumiverse/pulumi-time  error: Could not automatically download and install resource plugin 'pulumi-resource-time' at version v0.1.1, install the plugin using `pulumi plugin install resource time v0.1.1 --server <github://api.github.com/pulumiverse/pulumi-time>`: error downloading provider time to file: failed to download plugin: time-0.1.1: rate limit exceeded: 403 HTTP error fetching plugin from <https://api.github.com/repos/pulumiverse/pulumi-time/releases/tags/v0.1.1>

delightful-flower-9890

05/15/2025, 3:40 AM

hey guys, how would you recommend using pulumi if each service (nextjs, api, etc) has its own github repo? should I create a new repo for all my project's infrastructure, or should i put service-specific infra inside each service repo?

modern-nail-38649

05/15/2025, 12:54 PM

Hi everyone 👋 We just launched something I think many of you will appreciate — especially if you’ve ever tried

pulumi import

on a big GCP project 😅 It’s called StackForge — and it instantly converts a live GCP project into: ✅ A clean Pulumi YAML file (

Main.yaml

) ✅ A fully hydrated Pulumi state file (

stackName.json

) ✅ Optional GCS upload — no deploy or apply needed 🛑 No Terraformer 🛑 No dependency chaos 🛑 No manual reverse-IaC 🎥 Demo (2 min): http://x-itm.com/demo.mp4 🔐 Trial access: https://x-itm.com/stackforge-trial/ (Request access key) Would love to hear what you think — and open to early feedback or testing if anyone here wants to try it.

full-ability-261

05/16/2025, 11:41 AM

What happened with the Google Cloud native provider? I saw active dev was paused, while continues on the TF-derived provider, while AWS & Azure native providers are being updated. I really want to start supporting and writting content for GCP-Pulumi as a Google Developer Expert in cloud, but I'm unsure ATM at the Pulumi take for GCP Is there any announcement or public info about the GCP native provider approach, definition and build process, and reasons to continue or pause development? I think I could contribute to the project as SME OSS contributor

salmon-teacher-15783

05/16/2025, 4:10 PM

Hey all, Pulumi Alias question, I am having an issue migrating from an old version of https://github.com/pulumi/pulumi-snowflake to newer. A type of resource was removed (moved to another name) Type: snowflakeindexRole changed to snowflakeindexAccountRole Issue: I need to keep my Roles and was hoping I could use alias to shuffle these resources from Role into AccountRole Was hoping this would work but I see DELETE (Role) and CREATE (AccountRole) with same information. Go code:

Copy code

// Add pulumi Alias to move to the new Type -- <https://www.pulumi.com/docs/concepts/options/aliases/>
roleOpts := append(opts, pulumi.Aliases([]pulumi.Alias{
    // Combination of name and type is enough to be unique.
    {Name: pulumi.String(strings.ToLower(roleName)),
       // Previous to refactor - created the type snowflake:index:Role.
       Type: pulumi.String("snowflake:index:Role"),
    },
}))

role, err := snowflake.NewAccountRole(ctx, strings.ToLower(roleName), &snowflake.AccountRoleArgs{
    Name: pulumi.String(roleName),
}, roleOpts...)
if err != nil {
    return nil, nil, err
}

Is there something wrong with my Alias?