Is there any way to use Pulumi’s config & secrets-management facility to securely manage and check in files that are a bit too large to comfortably fit in the config itself? I’m thinking of private keys, etc.

I'm having some difficulties with Pulumi update not being consistent. I have automated tests that run the same code each time but I'm starting to get errors and can only resolve them for about 12 hours before it fails again. Here's the latest such error (not, nothing has changed except for time):

$ node -v
v8.14.0
$ npm -v
6.4.1

Any ideas?

Latest code change was 17 hours ago and had 2 consecutive test successes over 6 hours, then failures started about 2 hours ago.

Separate question - is there an example of how to create a k8s ClusterRole?

I'd like to bootstrap a cluster with a few namespaces. I've configured them, pulumi says they're created, but I verified they are not. What's wrong with this code?

// Create some namespaces
for (let name of config.require("dev-namespaces").split(",")) {
  console.log(name);
  let ns = new k8s.core.v1.Namespace("mustang-"+name, {
    metadata: {
      name: name,
      labels: {
        name: name,
      },
    },
  }, {provider: cluster.provider});
}

Hey Pulumi folks, I'm running into an interesting problem. I've got a k8s cluster that I'm deploying some things to with Pulumi, and the pod has a volume claim for some block storage, provided by Rook/Ceph. The storage is ReadWriteOnce, which is a Rook limitation. Right now, when I update the stack, I'm seeing a new Replica Set created, which I believe is Pulumi-specific behavior--simply editing the deployment would not do this, IIRC. The end result is that the new pod can't create, because it can't get a volume mount--the existing pod isn't torn down first, so it keeps holding the volume. What's the right solution to this? Is there a way for me to tell Pulumi it's OK to tear down the existing pod/replica set?

Is it possible to use a different AWS profile for a specific stack?

I am trying to create a global

waf

rule in

aws

.

function wafRuleToAllowIpAddress(ipCIDRBlock: string, name: string) {
  const aws_waf_ipset_ipset = new aws.waf.IpSet("ipset", {
    ipSetDescriptors: [
      {
        type: "IPV4",
        value: ipCIDRBlock
      }
    ],
    name: "tfIPSet"
  });
  const aws_waf_rule_wafrule = new aws.waf.Rule(
    "wafrule",
    {
      metricName: "tfWAFRule",
      name: "tfWAFRule",
      predicates: [
        {
          dataId: aws_waf_ipset_ipset.id,
          negated: false,
          type: "IPMatch"
        }
      ]
    },
    { dependsOn: [aws_waf_ipset_ipset] }
  );

  return aws_waf_rule_wafrule;
}

This is to apply to the

Cloudfront

. But the issue is it is creating it in a region and the

cloudfront

is global.

Presented a 25-min Pulumi talk at FOSDEM / TypeScript room today. Based on the hallway discussion afterward, I think I got you at least two new trial customers 🙂 One IT-pro working with Terraform and a dev team with TypeScript-based stack, the other coming from AWS-cloudformation background. Good questions and nodding, so I'm satisfied.

Hello, doing a

brew upgrade pulumi

... and I'm getting upgraded to v0.16.12. So the warning error shows up on pulumi commands that v0.16.14 is available for upgrade.

I've noticed after deploying my app many, many times with Pulumi, I get a huge buildup of Docker images on my computer. Is there an easy way to clean the old ones up with Pulumi?

Hi. I wrote a high-level article about the role of pulumi as I see it, 3k words with pictures and code. Would somebody have time to read it and give me feedback before I publish? I would DM a link to google docs. Thanks!

Is there a way/plan to have a way to pass arguments that belong to aws.lambda.Function to classes like HttpServer?

Anyone seen this yet?

E0204 13:58:59.709463  351850 memcache.go:126] couldn't get current server API group list; will keep using cached value. (Unauthorized)

I'm currently blocked in using

pulumi up

,

destroy

, or

refresh

on a stack (as tracked in the thread above ^). Is there a way to force destroy all resources and skip any errors?

or just disregard errors and continue anyway?

Hey I'm working with go/aws and having trouble getting an EIP and NATGateway to work together. I have the EIP being created and the NATGateway taking the EIP's AllocationID as a param but pulumi is blowing up saying the AllocaitonID is a missing argument

Google KMS keys and keyrings:

How are y'all managing something like this

Can I use Pulumi to just build and deploy a docker image to ECR - no service attached?

Is there a way to convert pulumi stacks to Terraform? This is just for backup purposes ... as part of the transition migration to pulumi ...

@brainy-magician-83981 the code or the state?

The code you can use tf2pulumi, but I don’t think there’s a good answer for state right now.

thanks @stocky-spoon-28903! I'm actually looking for the other way around pulumi -> tf ... it may take to time to fully migrate to pulumi ... so some folks want a way should we encounter problems with pulumi ... to have the backup to tf

Ah, hmm I don’t even think that’s necessarily possible since a pulumi program and terraform config need not use the same naming format.

Is this for a one off “break glass emergency” type thing?

It's part of the adoption process ... for example, should my team decide after awhile that pulumi isn't better than terraform ... then they'd like to be able to easily go back to terraform .... tho IMO Pulumi is definitely a better than terraform 🙂

I think to do this effectively, you’d need to ensure the mapping between names is the same for both types of code. You can reconstitute terraform state with import and ID only refresh as a last resort