Hi, I have a question regarding provisioning secrets/credentials. Are there any guidelines for doing it in pulumi? Would you recommend an ‘get or create’ pattern for those (create if not exists, read if exists)? Is there any reference code for that?

I created an EKS cluster following https://github.com/pulumi/pulumi-eks/blob/master/nodejs/eks/examples/nodegroup/index.ts and got:

error: unable to recognize "/tmp/tmp-6861Tmql3TRQ88g0.tmp": Get <https://2B657DC438F30EA7CB5A8D2297BABFA3.sk1.us-west-2.eks.amazonaws.com/api?timeout=32s>: dial tcp 52.36.238.179:443: i/o timeout
 
    error: update failed
 
  pulumi-nodejs:dynamic:Resource (k8s-cluster-dev-vpc-cni):
    error: Plan apply failed: Command failed: kubectl apply -f /tmp/tmp-6861Tmql3TRQ88g0.tmp
    error: unable to recognize "/tmp/tmp-6861Tmql3TRQ88g0.tmp": Get <https://2B657DC438F30EA7CB5A8D2297BABFA3.sk1.us-west-2.eks.amazonaws.com/api?timeout=32s>: dial tcp 52.36.238.179:443: i/o timeout
 
  kubernetes:core:ConfigMap (k8s-cluster-dev-nodeAccess):
    error: Plan apply failed: Get <https://2B657DC438F30EA7CB5A8D2297BABFA3.sk1.us-west-2.eks.amazonaws.com/api?timeout=32s>: dial tcp 52.89.83.215:443: i/o timeout

Here's what I did:

const eksRole1 = iam.createRole(`eks-role`);
const eksInstanceProfile = new aws.iam.InstanceProfile("eks-instance-profile", {role: eksRole1});

const nodePolicy = new aws.iam.Policy("eks-node-policy", {
    namePrefix: `eks-node-${env}-`,
    policy: JSON.stringify({
        "Version": "2012-10-17",
        "Statement": [{
            "Effect": "Allow",
            "Action": [
                "kms:Decrypt",
                "pricing:*"
            ],
            "Resource": "*"
        }]
    })
});

new aws.iam.RolePolicyAttachment("eks-node-role-assignment", {
    policyArn: nodePolicy.arn,
    role: eksRole1
});


eksCluster = new eks.Cluster(`k8s-cluster-${env}`, {
    vpcId: vpc.id,
    subnetIds: vpc.publicSubnetIds,
    deployDashboard: false,
    skipDefaultNodeGroup: true,
    instanceRoles: [eksRole1]
});

eksCluster.createNodeGroup(`k8s-${env}-ng`, {
    instanceType: "t2.medium",
    desiredCapacity: 2,
    minSize: 1,
    maxSize: 2,
    instanceProfile: eksInstanceProfile,
});

Guessing the example code is missing something necessary.

quick question.. is it possible to populate the aws objects with the region programatically? or does it have to be set in the config as

aws:region

?

@brave-angle-33257 For first class providers (i.e. those made with

new aws.Provider(.....)

you can set it directly

Deploying this:

const k8sDashboardChart = new k8s.helm.v2.Chart("k8s-dashboard", {
    repo: "stable",
    chart: "kubernetes-dashboard",
    version: "1.5.2",
    namespace: "kube-system"
}, {providers: {kubernetes: k8sProvider}});

results in

error: Plan apply failed: 2 errors occurred:
    	* Timeout occurred for 'k8s-dashboard-kubernetes-dashboard'
    	* Service does not target any Pods. Selected Pods may not be ready, or field '.spec.selector' may not match labels on any Pods

Any idea why this would happen?

Changing the

values

for a

k8s.helm.v2.Chart

does not output that any resource was updated. Is this expected?

Hi, does anyone succeeded in deploying a k8s helm chart using Pulumi

python

code? it seems to have braking bugs in the code, that preventing me from adding custom values, or setting a specific namespace to deploy to its even hard to debug since its not possible to execute the python code not from the Pulumi CLI (or its not documented how) anyone with a success experience?

Hm, anybody have any suggestions on how to manage dev/stage/prod with Pulumi? I know there's the concept of stacks. How would it be integrated with git dev/stage/prod branches?

If git branch is switched from dev to stage, i'd use Pulumi to switch from dev to stage stack also?

Ah cool, there's good info on that in the docs 😄

Hm, if I used a git branch per pulumi stack for dev/stage/prod would it be wise to create a githook to execute a stack switch with pulumi upon git checkout to another branch?

I'm doing a quick 15min talk on Pulumi tomorrow at a meetup. When other people do this on Pulumi, what are the main things attendees go "uuuuhhhh" and "wooooow"? 🙂 Especially when comparing it to things like Azure ARM templates or AWS CloudFormation.

Loops ;-)

I’ll put up a better answer shortly

Wow goes for any non-trivial example in a familiar programming language. Questions are around high-level things like "but it's not from my cloud vendor", "how up-to-date is it going to be", "can I use it for free in a real project", "why do you use terraform".

Whenever I show someone this is example where all you need for an API Gateway that talks to Lambda that can add data to a DynamoDB table and it creates the resources 24 lines of non squashed perfectly normal code https://github.com/lindydonna/velocity-examples/blob/master/pulumi/pulumi-cloud/index.js

i’d say sourcing some values from terraform remote state into your kubernetes deployment (like some aws endpoints for prometheus exporter deployed in k8s) should get some

wows

.

I switched computers and ran

pulumi up

in a stack that has an existing EKS cluster running. I received a bunch of these errors:

error: Preview failed: unable to read kubectl config: invalid configuration: no configuration has been provided

I thought Pulumi automatically creates the config file for connecting the the cluster. Do I need to explicitly provide it? Reading through https://pulumi.io/quickstart/aws/tutorial-eks/, it does not appear that you need to set a k8s config file.

output/string issue.. looking for best-practice advice

Can you get the AWS LB Pulumi object from an

k8s.core.v1.Service

?

Hi, i’m attempting to create a single lambda that will serve an express app that renders individual javascript functions. I’m not entirely sure if the approach i’m taking is kosher. Would greatly appreciate any comments/advice! https://github.com/michaelnyu/next-pulumi-test

is there a way to test a dependsOn relationship?

Is there a way to get a k8sProvider from a newly created EKS cluster to be able to pass to a helm chart deployment in the same pulumi program?

Is it normal for upgrading a resource plugin to require both the old and new versions to be installed side-by-side? The following are short transcripts from a CI system log:

> @pulumi/kubernetes@v0.23.1 install /builds/[redacted-repo]/pulumi/node_modules/@pulumi/kubernetes
> node scripts/install-pulumi-plugin.js resource kubernetes v0.23.1

[resource plugin kubernetes-0.23.1] installing

...

Previewing update ([redacted-stack-name]):
error: could not load plugin for kubernetes provider 'urn:pulumi:[redacted-stack-name]::vendor-sync-pipeline::pulumi:providers:kubernetes::default': no resource plugin 'kubernetes-v0.22.0' found in the workspace or on your $PATH, install the plugin using `pulumi plugin install resource kubernetes v0.22.0`

It looks like it wants both the old version 0.22 and the new version 0.23.1 installed to use the stack. Is that right?

Passing

autoScalingGroupTags: myTags

to

eks.Cluster.createNodeGroup

will fail on an update with the following message in the CF console: "You cannot have multiple tags with the same key name."

anyone have suggestions on how to recover from this? s3 backed state, assume-role, my session token expired mid run. after that, everything results in a

failed to load checkpoint

Diagnostics:
  awsx:x:ec2:Subnet (new-test-vpc1-private-0):
    error: post-step event returned an error: failed to save snapshot: failed to load checkpoint: blob (code=Unknown): ExpiredToken: The provided token has expired.
      status code: 400, request id: C77A7470E00DFB92, host id: Rdn/3pvDB4Qc+R2/vKyqqdjycosJ8zROTd9A2JvIo/NudbxN/aU7NcwrbRteASkrGhg12TgGxqk=

  pulumi:pulumi:Stack (make-vpc-vpc-dev):
    error: update failed

  awsx:x:ec2:Vpc (new-test-vpc1):
    error: resource complete event returned an error: failed to save snapshot: An IO error occurred during the current operation: blob (code=Unknown): ExpiredToken: The provided token has expired.
      status code: 400, request id: D634E0AAE7B29B13, host id: FGLgu6SwARaLVmv6eFYt4G1LAtwPeADhZkq/i0j8QQ5J2mlFRLNvInrvBXLGFeDV0yMi0wKGZDc=

Resources:
    7 unchanged

error: failed to load checkpoint: blob (code=NotFound): NoSuchKey: The specified key does not exist.
  status code: 404, request id: 8FDFF4787E944F03, host id:

bailing for the evening, but I'll keep tabs on this in case someone has ideas. state handling during failures definitely seems to be in strong need of improvement, this is the second of this sort I've run into, effectively leaving me in a "delete it all by hand and start over" state.

I'm having an issue where I'm iterating over an array using for-of, instantiating a set of resources per iteration (resourceA, resourceB). An output value from resourceA is used for resourceB, but the output of resourceA.outputValue.apply() always returns the output of resourceA in the last iteration - for all iterations (as if the variables that hold references to the resources are overwritten each iteration, and the last value is used for all resources. If I instead of referring to variables created in the for-of iteration, push the instantiated resources to an array and do a resources[i].outputValue.apply(), everything works as one would expect. Is this a bug, or intended behavior?

@powerful-london-34081 can you post a snippet your code?