I’m a typescript user and new to pulumi. I see that the sample

index.ts

has certain things

clusterName, kubeconfig

exported, but there is no explanation why. I’m assuming pulumi needs these named exports, but feeling a bit in the dark. I’m expecting the ts to be strongly typed; I was expecting to export something conforming to an

interface

for example.

Hey everyone, I’ll be giving a webinar on using Pulumi with CircleCI today at 10AM PST (in an hour and a half). If you are interested in ⚡SUPERCHARGING⚡ the CD in CI/CD check it out. https://www2.circleci.com/CircleCI-Pulumi-Webinar.html

I’m seeing some weird behavior with k8s ingress annotations. I just recently added an aws security group to an annotation for a k8s ingress. However, using the

.apply

method causes all of the annotations to be planned for removal. I would expect Pulumi to wait until the security group is created to modify the Ingress (display the new annotation value as computed), is there a better way to go about this?

let Ingress = new k8s.extensions.v1beta1.Ingress("xxxxxxx-xxx", {
      metadata: {
        annotations: {
          '<http://kubernetes.io/ingress.class|kubernetes.io/ingress.class>': 'alb',
          '<http://alb.ingress.kubernetes.io/certificate-arn|alb.ingress.kubernetes.io/certificate-arn>': awsCertificate.arn,
          '<http://alb.ingress.kubernetes.io/listen-ports|alb.ingress.kubernetes.io/listen-ports>': '[{"HTTPS": 443}]',
          '<http://alb.ingress.kubernetes.io/scheme|alb.ingress.kubernetes.io/scheme>': 'internet-facing',
          '<http://alb.ingress.kubernetes.io/target-type|alb.ingress.kubernetes.io/target-type>': 'ip',
          '<http://alb.ingress.kubernetes.io/security-groups|alb.ingress.kubernetes.io/security-groups>': securityGroup.id.apply(id => {return id})
        }
      },

~ kubernetes:extensions/v1beta1:Ingress: (update)
        [id=default/xxxx-xx-xxx]
        [urn=urn:pulumi:xxxxxx-staging::xxxxxxxxx::kubernetes:extensions/v1beta1:Ingress::xxxxxx-xxxxxxx]
      ~ metadata  : {
          ~ annotations: {
              - <http://alb.ingress.kubernetes.io/certificate-arn|alb.ingress.kubernetes.io/certificate-arn>        : "arn:aws:acm:xx-west-1:xxxxxxxxxxxx:certificate/xxxxxxxxxxxxx"
              - <http://alb.ingress.kubernetes.io/inbound-cidrs|alb.ingress.kubernetes.io/inbound-cidrs>          : "xxxxxxxxxxxxxx"
              - <http://alb.ingress.kubernetes.io/listen-ports|alb.ingress.kubernetes.io/listen-ports>           : "[{\"HTTPS\": 443}]"
              - <http://alb.ingress.kubernetes.io/scheme|alb.ingress.kubernetes.io/scheme>                 : "internet-facing"
              - <http://alb.ingress.kubernetes.io/target-type|alb.ingress.kubernetes.io/target-type>            : "ip"
              - <http://kubernetes.io/ingress.class|kubernetes.io/ingress.class>                      : "alb"
            }
        }

@colossal-beach-47527 - regarding blue/green question in the webinar: we have an integration tested set of images for services/pods that run behind traefik for routing. Given that these images are tested together, it would be preferable to stand them up as a group vs let individual services come on-line and have a heterogeneous set of versioned services for some amount of time. The thought for blue/green would be (assuming

blue

is currently running): 1. stand up a new set of integration tested images as

green

2. smoke test 3. apply update to the traefik service to route to the

green

stack 4. tear down the

blue

stack Am I overthinking this? In all likelihood the heterogeneous set of services will be fine but I am just trying to identify all potential points of failure for CD. Any thoughts welcome with regards to strategy and pulumi usage

Using pulumi config, and pulumi secrets, stored locally and encrypted. There is some help text that pops out that says

set PULUMI_CONFIG_PASSPHRASE to remember

but when I do that, it does't seem to work.

[git::secrets]$ echo ${PULUMI_CONFIG_PASSPHRASE}
secret
[git::secrets]$ p config --show-secrets
Enter your passphrase to unlock config/secrets
    (set PULUMI_CONFIG_PASSPHRASE to remember):
error: incorrect passphrase
[git::secrets]$

Ed. Note: I just pressed enter here, resulting in the 'incorrect passphrase' message. To show that it is the correct password stored in my config passphrase shell var:

[git::secrets]$ p config --show-secrets
Enter your passphrase to unlock config/secrets
    (set PULUMI_CONFIG_PASSPHRASE to remember):
KEY         VALUE
aws:region  us-east-1
info        useless
secrets     SuperSecret

Are there any plans to have an ability to do a CLI prompt based setting of config values? Like I could define questions to ask that are used to set config values to make it a bit easier to configure application options.

Instead of having to have the user RTFM and do several pulumi config set commands

hi, I got an error when running

pulumi update

on a stack to create RDS instances. Got

failed to complete update: [404] Not Found: Update '1ac5fad4-38d6-465e-9b21-742c277e252a' not found

error on one of the instances. It was actually created in AWS. Followed the steps in the troubleshooting guide (cancel update, export / import, refresh). This does not pick up the created instance. When I try to run

pulumi update

again, it fails because the instance already exists. Would be great if there were a better way to handle it - instead of cancelling update, resolving it manually by pointing at the created resource ARN, for example

If I want to debug the config and try the following in

index.ts

, should this work:

import { Config } from '@pulumi/pulumi'

const config = new Config()
export const dbUser = config.require('dbUser')

with

pulumi stack output dbUser

? Currently I get

error: current stack does not have output property 'dbUser'

Getting an optional string[] from the config seems more difficult than necessary - am I missing something?

let additionalZones: string[] = []
if (config.get('clusterAdditionalZones')) {
  additionalZones = config.get('clusterAdditionalZones')!.split(',')
}
export const clusterAdditionalZones = additionalZones

with config yml:

config:
  deployment:clusterAdditionalZones: us-central1-a,us-central1-b

I tried a string[] in the yaml and it rejected it with

line 7: cannot unmarshal !!seq into string

example seems wacky in this documentation: https://pulumi.io/reference/pkg/nodejs/@pulumi/aws/apigateway/#Method

A map of request query string parameters and headers that should be passed to the integration. For example:

import * as pulumi from "@pulumi/pulumi";
would define that the header X-Some-Header and the query string some-query-param must be provided on the request, or

Hi, I've created an S3 bucket with my stack. I want to to copy files from another bucket created outside my stack. Can this be done with Pulumi? (Easy to do with aws s3 cp cli)

I’m deploying a helm chart and I want to not include an object in the chart. Specifically in the istio helm chart there is an

istio-autogenerated-k8s-ingress

Gateway object that I don’t want to deploy. Can I use a transformation to achieve this? I tried using a

delete obj

and

obj = {}

but it still deploys the gateway.

I’m creating a

new gcp.container.Cluster

, having a few problems mapping the last few cli options. I tried

nodePools

but it doesn’t seem like the right thing based on the docs and it doesn’t typecheck. Where can I find these mappings or are they unsupported? doc: https://pulumi.io/reference/pkg/nodejs/@pulumi/gcp/container/#Cluster

gcloud beta container clusters create \
  --enable-autorepair \
  --enable-autoscaling \
  --enable-autoupgrade \
  --enable-cloud-logging \
  --enable-cloud-monitoring \

An innocuous mistake in

pulumi-kubernetes

package.json is preventing a green build for us. I have PR’d a fix. A hotfix release would be appreciated. https://github.com/pulumi/pulumi-kubernetes/pull/441

In case you missed yesterday’s presentation on how to ⚡SUPERCHARGE⚡ your CI/CD using Pulumi and CircleCI Orbs, the video has been posted on YouTube:

Hello, I created a Pulumi nginx service on fargate. The URL provided doesn't load because no internet gateway was setup

What's the correct way to get that all setup?

I just followed the example here

partypus 8bit Coming up partypus 8bit : Our first meetup at our Seattle HQ tomorrow night starting at

6:30pm

- join us for free food, drinks, swag, and most importantly - great talks! https://www.meetup.com/Pulumi-Seattle/events/258138687/

Hi, how do i attach persistent storage to a container? i have followed the tutorials and am able to successfully create a container running nginx (following: https://pulumi.io/quickstart/cloudfx/tutorial-service.html). but i am unable to find an example of how to attach a persistent volume. i can create a EFS (given in the example at: https://pulumi.io/reference/pkg/nodejs/@pulumi/aws/efs/), but i cant figure out how to attach it to the container. is anyone able to provide an example of how i do this? any help is appreciated.

I’m baaack with more api questions, I’m guessing for @lemon-spoon-91807… have you been able to get an IntegrationResponse working? I’m a little confused because in AWS, I expect to have to associate an integration response with the method response but there’s no argument for that 😕 I have

const _301_method = new aws.apigateway.MethodResponse("301Method", {
    httpMethod: demo_method_get.httpMethod,
    resourceId: demo_resource_with_params.id,
    restApi: demo_api.id,
    statusCode: "301",
    responseParameters: {"method.response.header.Location": true}
});

const _301_integration = new aws.apigateway.IntegrationResponse("301Integration", {
    httpMethod: demo_method_get.httpMethod,
    resourceId: demo_resource_with_params.id,
    restApi: demo_api.id,
    statusCode: _301_method.statusCode,
    responseParameters: {"method.response.header.Location": true}
}, {dependsOn: [demo_integration_get, _301_method]});

and get the response from AWS:

Plan apply failed: Error creating API Gateway Integration Response: BadRequestException: Invalid mapping expression specified: Validation Result: warnings : [], errors : [Invalid mapping expression specified: 1]

I seem to consistently get this "failure" when running

pulumi up

with my `FargateService`:

updating urn:pulumi:app-dev::app::awsx:x:ecs:FargateService$aws:ecs/service:Service::http-backend: timeout while waiting for state to become 'true' (last state: 'false', timeout: 10m0s)

Not sure what causes that because the service is correctly deployed and currently healthy. Any ideas?

Hello! I have a question regarding the stack name displayed during pulumi preview:

pulumi up
Previewing update (dev):

     Type                 Name               Plan     
     pulumi:pulumi:Stack  example-dev

where

example

is my project name and

dev

is my stack name

It’s a bit misleading that the name of the stack above is displayed in

<project>-<stack>

format

Also when I checked a Stack resource in the exported stack json file, for example for the project and stack names above its:

urn:pulumi:dev::example::pulumi:pulumi:Stack::example-dev

. Is this intended?

Anybody standing up private cluster in GKE and coming up with a good workflow for access to the masters?

Ideally master authorized network would be the IP/subnet of a bastion host(s) but in the meantime and during initial setup our CI/CD agent needs to access the cluster. Any subsequent cluster changes that require talking to the master API would need to be in the authorized networks too. Thoughts or ideas?

When creating an S3 event handler for a Lambda

const input = new aws.s3.Bucket('inputbucket')
input.onObjectCreated('testing',(event,context)=> {
  console.log(event)
},{keyPrefix: ".csv"},)

Is there a way to alter the IAM execution role?