Stepped away from a project for a while, and now when running my update I get the following error regarding my applicaiton load balancer and listener:

Diagnostics:
  aws:ec2:SecurityGroupRule (https-external-0-ingress):
    error: aws:ec2/securityGroupRule:SecurityGroupRule resource 'https-external-0-ingress' has a problem: "description" cannot be longer than 255 characters: "Externally available at port Calling [toString] on an [Output<T>] is not supported.\n\nTo get the value of an Output<T> as an Output<string> consider either:\n1: o.apply(v => `prefix${v}suffix`)\n2: pulumi.interpolate `prefix${v}suffix`\n\nSee <https://pulumi.io/help/outputs> for more details.\nThis function may throw in a future version of @pulumi/pulumi."

Here is the code for this specific piece:

const appListener = loadBalancer
    .createTargetGroup(`probot-target-${env}`, {
        port: 3000,
        protocol: 'HTTP',
        healthCheck: { path: '/probot' },
        deregistrationDelay: 30,
    })
    .createListener('https', {
        certificateArn: secretsCert.arn,
        protocol: 'HTTPS',
        port: 443,
        sslPolicy: 'ELBSecurityPolicy-2016-08',
    });

Does pulumi use/read

$HOME/.kube/config

? Or use the

gcloud

config? I had and old set of configs from an infrastructure yesterday and I could not

pulumi up

some things today - failed with:

Diagnostics:
  kubernetes:core:Namespace (development):
    error: Plan apply failed: Get <https://104.154.180.226/api?timeout=32s>: x509: certificate signed by unknown authority

Once I used my script to re-setup the

gcloud config

and kube config,

pulumi up

worked. Thoughts?

It uses ~/.kube/config.

Unless you configure pulumi so it knows which kubectl context to use, it uses whatever is defaulted to

Question: When I create a namespace using this:

const ns = new k8s.core.v1.Namespace("test", {}, { provider: cluster.provider });

Why does it create it as

test-zu7jbnvc

Is it possible to keep it as test only ?

Hi all, I'd like to get the floating IP of an OpenStack instance to be used in my own Python function, but I fail to get it in string format. I only get

pulumi.output.Output object

. I do get the

pulumi up

to print them to outputs. So how to do this?

Are there any resources to simplify the build and push of an image to an ECR repository? There is some great stuff here https://github.com/pulumi/pulumi-cloud/blob/master/aws/service.ts, but it is embedded within

@pulumi/cloud.Service

.

When I write a

Component

, do I need to propagate the

providers

in

opts

to the children or is that handled automatically? I’m testing locally with an empty

$HOME/.kube/config

to expose these areas where I have mishandled providers.

Hi, I ran into a problem with aws IAM resources. Sometimes a resource (Role or Policy) may be recreated on AWS with the same name (ARN). Pulumi update won't detect any changes in this case. However, if on AWS console pulumi created resources that reference this ARN now show internal AWS id instead of ARN. A scenario - a role is created by one stack (kiam). Another stack (an app) creates another role with trusted policy to give the first role permission to assume the app role. If the first stack is destroyed and deployed again, updating the second stack does not do any update, however the policy does not reference the correct ARN anymore.

Does anyone have any idea why I'd be getting this exception after running

pulumi up

?

Error: Failed to load gRPC binary module because it was not installed for the current system
    Expected directory: node-v48-linux-x64-glibc
    Found: [node-v57-linux-x64-glibc]
    This problem can often be fixed by running "npm rebuild" on the current system
    Original error: Cannot find module '/home/kenny/compute_software/infrastructure/pulumi-datomic-src/node_modules/grpc/src/node/extension_binary/node-v48-linux-x64-glibc/grpc_node.node'
        at Object.<anonymous> (/home/kenny/compute_software/infrastructure/pulumi-datomic-src/node_modules/grpc/src/grpc_extension.js:53:17)
        at Module._compile (module.js:541:32)
        at Object.Module._extensions..js (module.js:550:10)
        at Module.load (module.js:458:32)
        at tryModuleLoad (module.js:417:12)
        at Function.Module._load (module.js:409:3)
        at Module.require (module.js:468:17)
        at require (internal/module.js:20:19)
        at Object.<anonymous> (/home/kenny/compute_software/infrastructure/pulumi-datomic-src/node_modules/grpc/src/client_interceptors.js:144:12)
        at Module._compile (module.js:541:32)

Running

pulumi up

again results in the same error. As the exception says, I can run

npm rebuild

. After that,

pulumi up

will work as expected. However, if I open a new terminal and run

pulumi up

I get that exception again. This started happening recently and I'm not sure why. I'm on Node 8 installed with nvm, Pulumi 0.17.1. Any ideas on what could cause this?

Is there a way to add

tags

to an

awsx.Cluster

? I don't see a param for that currently but you can do it in the console.

When deploying a new EKS cluster, I see two default storage classes created. One of them is from pulumi..other is from AWS I think. I had to patch the storage class to make it non default by hand. Do I need to do something in the config to ensure only one default exists ?

mac-nshah:nshah-pulumi-eks nshah$ kubectl get <http://storageclasses.storage.k8s.io|storageclasses.storage.k8s.io>
NAME                                           PROVISIONER             AGE
gp2 (default)                                  <http://kubernetes.io/aws-ebs|kubernetes.io/aws-ebs>   52m
nshah-test-eks-pulumi-gp2-dtx905hi (default)   <http://kubernetes.io/aws-ebs|kubernetes.io/aws-ebs>   50m

@lemon-spoon-91807 I’ve got another question about outputs/inputs. I want to use a stack Output

domain

as an input to a

Component

. What is the recommended type for the

Component

args? Resolve before or resolve in the component? This gist works but is messy. It is similarly messy with usage of a

Namespace

. I’m looking for a ts best-practice review of https://gist.github.com/rosskevin/075cd7a8fc691e549d55835bdf68d75b before I move all of our app components over and follow this as an example. Note that some of this code is a shared library for multiple apps/stacks, so I want to make the arg types versatile.

When using a

StackReference

, how do you get the output as an array? I tried this:

let subnetIds = myStack.getOutput("subnetIds") as pulumi.Output<string[]>;

but Typescript fails with:

TS2740: Type 'Output<any>' is missing the following properties from type 'Input<string>[]': length, pop, push, concat, and 26 more..

. I'm fairly certain the type of

getOutput

is correct.

Is there an easy way to add a CloudWatch event rule to a lambda function not created by pulumi?

hello 🙂 I am looking at google cloud sql https://pulumi.io/reference/pkg/nodejs/@pulumi/gcp/sql/ and I am trying to enable high availability; not sure how to do this... my db instance looks like this:

export const instance = new gcp.sql.DatabaseInstance("fleetgrid-sql", {
  region: 'us-central1',
  databaseVersion: "POSTGRES_9_6",
  settings: {
    tier: "db-f1-micro",
    ipConfiguration: {
      authorizedNetworks: [{ value: "0.0.0.0/0" }],
    },
  },
});

any way to suppress metadata diffs on a

pulumi preview --diff

would just like to see resource changes/updates

Is there a way to add code to a ComponentResource that runs only when the resources are actually being created (and not during preview)? The use case is: I would like to run some “pre-install” checks when I create my Kubernetes resources. Sometimes the Kubernetes cluster will be created with the same Pulumi app, but sometimes it will do the installation into an already existing Kubernetes cluster. When it is an already existing cluster I would like to check if certain pre-requisites are correctly installed.

Is it possible to configure "Authentication / Authorization" tab of an Azure Web App with pulumi or do I have to use the graph api?

Is it possible to annotate an existing k8s namespace ("kube-system") with pulumi?

Having a problem adding a ClusterRoleBinding - not sure if it is with my gcp identities setup or in k8s. Error:

<http://clusterrolebindings.rbac.authorization.k8s.io|clusterrolebindings.rbac.authorization.k8s.io> is forbidden: User "<mailto:ci-infrastructure@xxx.iam.gserviceaccount.com|ci-infrastructure@xxx.iam.gserviceaccount.com>" cannot create resource "clusterrolebindings" in API group "<http://rbac.authorization.k8s.io|rbac.authorization.k8s.io>" at the cluster scope

I verified this roleRef/subjects from a manually created one:

const name = 'cluster-admin-binding'
export const clusterAdminBinding = new k8s.rbac.v1.ClusterRoleBinding(
  name,
  {
    metadata: { name },
    roleRef: {
      apiGroup: '<http://rbac.authorization.k8s.io|rbac.authorization.k8s.io>',
      kind: 'ClusterRole',
      name: 'cluster-admin',
    },
    subjects: [
      {
        apiGroup: '<http://rbac.authorization.k8s.io|rbac.authorization.k8s.io>',
        kind: 'User',
        name: stack.identity.getOutput('ciInfrastructure').apply(v => v.email),
      },
    ],
  },
  optsC({ dependsOn: [cluster] }),
)

What am I missing?

I need to write a transformation for a

k8s.yaml.ConfigFile

that removes a Namespace declaration from a raw yaml manifest provided by cert-manager. Given the ts definition, this looks not possible. How can I do it?

How do I switch of validation in the same way I do: kubectl apply -f file.yaml --validate=false

As of now just have this:

new k8s.yaml.ConfigFile()

Trying this in typescript but can't figure out where the validation flag can be turned off

@creamy-potato-29402 https://github.com/pulumi/pulumi-kubernetes/issues/219 Is this being actively worked on ?

Would it be possible to get https://www.terraform.io/docs/providers/datadog/index.html added to Pulumi?

Hi, I would like to try to create a ECS cluster like this link https://containersonaws.com/architecture/private-load-balanced-service/, any good example or tutorial recommended ? thanks!

Hey y'all, I'm trying to model something from Rook in Pulumi and I'm not sure the best way to do it. Rook's object storage CRDs have a

CephObjectStoreUser

CRD that the operator will use to create a user, and the access key/secret key for the user (object store = S3 API) are created in a Secret--can I/how do I get that secret/link it to the Pulumi object? See https://rook.github.io/docs/rook/v0.9/ceph-object.html#create-a-user for the CRD and explanation of the CRD -> Secret chain.

Hi, is there a way to import existing terraform state into pulumi stack? Or what is the recommended way to migrate from terraform?