pulumi-community #general

Docs

Join the conversation Join Slack

Channels

general

worried-engineer-33884

08/05/2019, 4:08 PM

Is there support for tree shaking with inline lambda functions?

best-xylophone-83824

08/05/2019, 5:10 PM

how can I programmatically create project and stack in organisation? My current attempt is

PULUMI_ACCESS_TOKEN=.... pulumi new gcp-typescript --force --name gcp-bootstrap --stack prod

fails 😞

worried-engineer-33884

08/05/2019, 5:39 PM

Would it make sense to use

.appy

in a

lambda.CallbackFactory

worried-engineer-33884

08/05/2019, 6:09 PM

message has been deleted

bitter-island-28909

08/05/2019, 8:06 PM

Anyone have a pattern they like for installing database migrations to a database created by Pulumi? Right now I’m making an ECS task that runs my migration scripts, and a Pulumi Dynamic Resource to launch the task using the AWS CLI once the database is available. This is a lot of moving parts and rather gross.

salmon-morning-96600

08/05/2019, 8:09 PM

Hi guys, just wondering when we may see the final 3 parts of this lab series: https://github.com/pulumi/kubernetes-the-prod-way

cool-egg-852

08/05/2019, 8:41 PM

Untitled.txt

rich-easter-89163

08/06/2019, 12:34 AM

Hello, qq: is there a way to output preview details to a file? I'm having a pretty big diff and running out of scroll

full-dress-10026

08/06/2019, 12:57 AM

createNodeGroup

on a

eks.Cluster

takes an

instanceType

parameter which must be a

aws.ec2.InstanceType

. I'd like to pass in a string from a config file. How can I do this without Typescript complaining?

stale-autumn-24797

08/06/2019, 1:19 AM

I’m getting the following error when using the Pulumi Azure DevOps release task to run pulumi up:

2019-08-05T19:10:09.1841769Z ##[section]Starting: Run pulumi  
2019-08-05T19:10:09.1845138Z ==============================================================================
2019-08-05T19:10:09.1845233Z Task         : Pulumi Azure Pipelines Task
2019-08-05T19:10:09.1845346Z Description  : Azure Pipelines task extension for running Pulumi apps.
2019-08-05T19:10:09.1845410Z Version      : 0.1.19
2019-08-05T19:10:09.1845509Z Author       : Pulumi
2019-08-05T19:10:09.1845565Z Help         : Join us on Slack at <https://slack.pulumi.io>.
2019-08-05T19:10:09.1845633Z ==============================================================================
2019-08-05T19:10:09.3946841Z Downloading: <https://get.pulumi.com/releases/sdk/pulumi-v0.17.27-linux-x64.tar.gz>
2019-08-05T19:10:09.7313899Z Extracting archive
2019-08-05T19:10:09.7348031Z [command]/bin/tar xzC /home/vsts/work/_temp/1ad4480f-4b59-4fed-9e58-4f008e359445 -f /home/vsts/work/_temp/5888e3ed-db52-4523-9c13-87a924a0050d
2019-08-05T19:10:10.8380108Z Prepending PATH environment variable with directory: /home/vsts/work/_temp/1ad4480f-4b59-4fed-9e58-4f008e359445/pulumi
2019-08-05T19:10:10.8388818Z [command]/home/vsts/work/_temp/1ad4480f-4b59-4fed-9e58-4f008e359445/pulumi/pulumi version
2019-08-05T19:10:10.9270755Z v0.17.27
2019-08-05T19:10:10.9325912Z [command]/home/vsts/work/_temp/1ad4480f-4b59-4fed-9e58-4f008e359445/pulumi/pulumi login
2019-08-05T19:10:11.4999524Z Logged into <http://pulumi.com|pulumi.com> as mike (<https://app.pulumi.com/mike>)
2019-08-05T19:10:11.5044407Z [command]/home/vsts/work/_temp/1ad4480f-4b59-4fed-9e58-4f008e359445/pulumi/pulumi stack select mike/microservice-aks-deploy/mapper
2019-08-05T19:10:12.3840915Z [command]/home/vsts/work/_temp/1ad4480f-4b59-4fed-9e58-4f008e359445/pulumi/pulumi up --yes
2019-08-05T19:10:13.3621045Z Previewing update (mapper):
2019-08-05T19:10:14.2525744Z error: could not load plugin for kubernetes provider 'urn:pulumi:mapper::microservice-aks-deploy::pulumi:providers:kubernetes::inflation_provider': no resource plugin 'kubernetes' found in the workspace or on your $PATH
2019-08-05T19:10:14.2611968Z ##[error]Pulumi command exited with code '255' while trying to run 'up --yes'.
2019-08-05T19:10:14.2686239Z ##[section]Finishing: Run pulumi

Any ideas on how to fix this?

astonishing-finland-20071

08/06/2019, 6:30 AM

I'm using pulumi to create aws cognito user pool and associate it with lambda trigger. But every time the lambda function update, it'll re-create cognito user pool and all users store in it will gone. Does anyone knows how to fix it ?

glamorous-waitress-51149

08/06/2019, 9:47 AM

Does pulumi run in its own shell? For example

AWS_PROFILE=lykke ./build-local.sh && cd ./artifacts/infra && pulumi up --yes

fails with an error about aws access key yet if i run each command separately it works fine

jolly-egg-4894

08/06/2019, 10:58 AM

If I create a script called `test.sh`:

#!/bin/sh
echo "_$BOB"

And run

./test.sh && BOB="a" ./test.sh && ./test.sh

The output is:

_
_a
_

jolly-egg-4894

08/06/2019, 11:01 AM

If you really don’t want to

export

AWS_PROFILE

so it’s available to all the subsequent commands you can do this instead:

AWS_PROFILE=lykke sh -c './build-local.sh && cd ./artifacts/infra && pulumi up --yes'

billions-lock-80282

08/06/2019, 11:46 AM

Hi, Google raised a security issue with us regarding a GCP service account which had been compromised and the key had been found here: https://www.bountysource.com/teams/pulumi/issues. The issue no longer exists so I need some assistance understanding what the issue was. This service account is encrypted in my Pulumi scripts but I use GCP storage for backend.

worried-engineer-33884

08/06/2019, 2:49 PM

is there a way to bypass serialization of the callback in

lambda.CallbackFunction

in test mode? still digging, but it looks like adding that resource is increasing our test run time by 7x

best-xylophone-83824

08/06/2019, 2:56 PM

People, how do you run pulumi in CI/CD? Examples given in docs are unpractical, no way I am installing nodejs and rebuilding node-grpc on every pulumi run 🙂

best-xylophone-83824

08/06/2019, 2:57 PM

I think I'll commit node-modules to git and call it a day

cool-egg-852

08/06/2019, 2:57 PM

You can always use the pulumi docker image.

cool-egg-852

08/06/2019, 2:58 PM

Or setup caching in your CI system.

cool-egg-852

08/06/2019, 2:58 PM

I know many of them will support caching specific directories between runs

best-xylophone-83824

08/06/2019, 2:59 PM

pulumi docker image have just pulumi runtime, but project code like

@pulumi/gcp

is in node_modules.

best-xylophone-83824

08/06/2019, 3:06 PM

Interestingly Pulumi's own blog post (https://www.pulumi.com/blog/day-2-kubernetes-migrating-eks-nodegroups-with-zero-downtime/) shows exact problem with current infrastructure as a code tools,but doesn't admit it. No matter what you do, you fall back to bash 😞

bitter-island-28909

08/06/2019, 5:10 PM

Getting the output of a DynamicResource doesn’t seem to work as expected in dynamically typed javascript. I’m setting

myProperty

in the

outs

key of the return value of the provider’s

create

method, but calling

resource.myProperty

returns undefined. Inspecting the resource object itself, I don’t see any values pertaining to

myProperty.

best-xylophone-83824

08/06/2019, 6:12 PM

is there a reason why pulumi/pulumi docker doesn't come with all plugins installed? Or maybe having pulumi-full image is something you might be open to?

high-translator-22614

08/06/2019, 6:13 PM

i think the assumption is that, in addition to the pulumi language packages, you'll be pulling in third-party packages

jolly-lifeguard-22556

08/06/2019, 6:16 PM

I'm a little stuck at the moment.

pulumi up

is convinced it needs to finish deleting resources from a previous update on 4 AWS ACM SSL certs. I don't want these resources to be deleted and I can't find any way to tell Pulumi to abort the previous delete attempt

jolly-lifeguard-22556

08/06/2019, 6:17 PM

They're all showing up as

completing deletion from previous update

but I'm not seeing any way to modify this using

stack export

best-xylophone-83824

08/06/2019, 6:54 PM

@bitter-oil-46081, in https://github.com/pulumi/pulumi/issues/2788 you write

2: For previews and updates where we also plan to run user code, we as the language host if it knows of any plugins that may be needed. Only NodeJS >implements this today, and does so by walking all the package.json's and looking for pulumi specific metadata.

For (2), we now support the language host to communicate an optional server.

how can I change, if possible, package.json so that

pulumi plugin install

pulls plugins from a custom --server?

handsome-actor-1155

08/06/2019, 8:27 PM

Just curious, do you (Pulumi folks) see the use of CD tools like Harness or Spinnaker to take over the deployment of applications as complementary? Do you feel that Pulumi can handle those tasks just as well and as such there is no need for those tools? Or are they services you can see Pulumi integrating with?

Title

handsome-actor-1155

08/06/2019, 8:27 PM

high-translator-22614

08/06/2019, 8:39 PM

As an outsider: Harness looks like another k8s/helm product? So useful in it's own realm, but pulumi has more flexibility. Spinnaker looks like it might have more flexibility? It's not super clear how it defines infrastructure or what it can/can't do?

I am looking forward to a pulumi service: manages deployment environments, integrates with gitub/etc, gives a web interface to pulumi CLI commands, etc

bitter-island-28909

08/06/2019, 8:44 PM

I’m not on k8s, but I can tell you that my application deployments currently consist of entering a new version number in a Pulumi config and running

pulumi up

I like it so far.

high-translator-22614

08/06/2019, 8:45 PM

yeah, i should try pulumi with gitlab's environment features (especially the feature deployment configurations). Problem is permissions--pulumi effectively needs to run as super-root

like, that's a lot of trust on a third-party service

bitter-island-28909

08/06/2019, 8:47 PM

Definitely. I use an on-site CI server for that reason.

high-translator-22614

08/06/2019, 8:50 PM

like, even when I wrote my CI/CD for SaltStack (SpiroFS), it only gave the server permissions to just upload new state, and that's still scare af

bitter-island-28909

08/06/2019, 8:55 PM

I wish it was easier to give Pulumi a more limited permissions set (i.e: you can create anything, but you can’t read or touch any resources that weren’t created by you.). But that is very hard if not impossible to express in IAM (I haven’t used the others much.)

high-translator-22614

08/06/2019, 8:57 PM

yeah.... the user/resource/permissions model makes that impossible unless each resource has an owner (from what I've seen, neither AWS or GCP have this concept)

bitter-island-28909

08/06/2019, 8:58 PM

you can sort of using tags and conditions

but it gets messy fast

cool-egg-852

08/06/2019, 9:31 PM

The way we’re handling it via GitOps. So you can use whatever tool you want, but it’s deployment operation should be limited to changing a value in Pulumi.production.yaml for example. In our case,

linio:appRevision

. So the tool (in our case Jenkins) clones our infrastructure repository, makes the appropriate change, commits and pushes it up. This triggers another build, this time in the infrastructure repository that actually handles the deployment. If you follow this, you can have pulumi running on a separate server than the one doing your CI for testing and such.

It can be much more locked down, but still be permissive to avoid having to deal with all of the permissions.

high-translator-22614

08/06/2019, 9:45 PM

yeah, but that mostly just hides your godbox

and my point of the problem of pulumi-as-a-service is that you're trusting a 3rd party to be your godbox (this is the same problem that SaltStack has)

cool-egg-852

08/06/2019, 9:46 PM

I’m not saying to use a third party, my suggestion is to have an “on-premise/on-cloud” private CI server such as Jenkins or whatever run pulumi, and use whatever other application wherever it is that you want it to be.

high-translator-22614

08/06/2019, 9:47 PM

(for the record, I don't consider the single-point-of-failure problem to be that big of a deal for most people--your pulumi/salt server is control plane, not application serving, so if it goes down, it only effects your engineering, not customers)

oh, right

that's easy enough (use drone/jenkins, cirrus has a "bring your own infra" option, i consider this a major feature of gitlab ci, etc)

handsome-actor-1155

08/06/2019, 10:41 PM

Ah sorry, wasn't getting notifications. Let me catch up lol

Good insights. I like the idea of GitOps. Have any of you used the Github actions for Pulumi?

cool-egg-852

08/06/2019, 10:58 PM

I refuse to due to it being a PITA to configure in my opinion.

Configuring it for a hundred repos does not seem fun.

handsome-actor-1155

08/06/2019, 11:14 PM

Good point. Wonder if there is an easier way to configure it like via an API?

cool-egg-852

08/07/2019, 1:04 PM

There may be, not sure given that actions is in beta. If the API isn’t there now, it may be there tomorrow after the live stream.

high-translator-22614

08/07/2019, 1:59 PM

Also, same problem: Do you trust github with the root of your entire infrastructure?

View count: 1