pulumi-community #general

general

fresh-summer-65887

08/13/2019, 12:33 PM

How do I tell Pulumi to not complete a deletion from a previous state? Cloud is AWS and the resource is a aws:acm:Certificate. Deleting / recreating it has ramifications (can't be used until validations pass for example) - I'm not sure why it wanted to delete it in the first place. - I don't want the resource to be deleted (and recreated). It exists, leave it alone. - I've exported, edited and imported the stack to remove the

pendingOperations

section. -

pulumi refresh

states "No resources will be modified as part of this refresh" -

pulumi preview

wants to

delete

then

create

with a knock effect for other resources -

pulumi up

hangs trying to complete the delete operation so I have to do a

pulimi cancel

Really scratching my head with this one. Any ideas?

best-xylophone-83824

08/13/2019, 2:12 PM

how to debug TF provider? I suspect it makes wrong API calls, but got no proof yet 🙂

thankful-optician-22583

08/13/2019, 3:21 PM

Hi, I have registered a gitlab kubernetes runner through their gui (no helm chart so vanilla). My index.ts looks like this:

const repository = new awsx.ecr.Repository(config.require("ecr-server"));
const image = repository.buildAndPushImage("../../");

const provider = env == "dev" ?
    new k8s.Provider("myk8s", {context: kubernetesConfig.get("context")}) :
    new k8s.Provider("myk8s", {
        kubeconfig: new terraform.state.RemoteStateReference("eks", {
            backendType: "s3",
            bucket: "XXXXXXXt",
            key: "XXXXXXX",
            workspace: "XXXXX",
            region: "us-east-1"
        }).getOutput("kubectl_config")});

My Pulumi preview stage looks like this:

image:
    name: pulumi/pulumi:v0.17.10
    entrypoint:
      - '/usr/bin/env'
      - 'PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin'
  services:
    - docker:stable-dind
  variables:
    DOCKER_HOST: <tcp://localhost:2375/>
    DOCKER_DRIVER: overlay2
    DOCKER_TLS_CERTDIR: "/certs"
  before_script:
    - printenv
    - docker info
  script:
    - cd $working_dir
    - echo $DOCKER_HOST
    - npm install
    - pulumi stack select staging
    - pulumi preview
  only:
    refs:
      - branches
      - tags

When I run CI pipeline it fails here:

Diagnostics:
  awsx:ecr:Repository (<http://XXXXXXXXX.dkr.ecr.us-east-1.amazonaws.com/python-building-block|XXXXXXXXX.dkr.ecr.us-east-1.amazonaws.com/python-building-block>):
    error: read tcp 127.0.0.1:33706->127.0.0.1:2376: use of closed network connection
    2019/08/13 15:12:14 http2: server: error reading preface from client 127.0.0.1:2376: bogus greeting "Client sent an HTTP requ"
 
    error: Error: 'docker build ../../ -t 7cb86392-container' failed with exit code 1
    
        at /builds/karauctionservices/traderev/python-building-block/python_building_block/pulumi/node_modules/@pulumi/docker.ts:536:15
        at Generator.next (<anonymous>)
        at fulfilled (/builds/karauctionservices/traderev/python-building-block/python_building_block/pulumi/node_modules/@pulumi/docker/docker.js:17:58)
 
Permalink: <https://app.pulumi.com/calvin.raveenthran/python-building-block/staging/previews/f7fb9ae7-4f1a-4361-b831-56dd49b0c51e>

Did anyone encounter this error?

Client sent a http request to a https server

best-xylophone-83824

08/13/2019, 3:23 PM

yeah, thats 19.03.1 docker problem

orange-policeman-59119

08/13/2019, 4:01 PM

I'm not far from answering this question myself, as soon as I deploy this next set of artifacts, but how does

k8s.scope.resource.get

behave if the resource specified is absent? Is it a fallible operation? I ask because I would like to deploy an operator in one (shared) place, which defines CRDs. Then, if and only if the CRDs exist, in other stacks use them to deploy additional components. Example: Prometheus Operator chart defines a ServiceMonitor CRD, the service monitor object defines a set of targets to scrape for metrics. Other stacks should deploy ServiceMonitor resources in their namespaces, but only if the CRD exists.

bitter-dentist-28132

08/13/2019, 5:05 PM

if i install the nginx ingress controller by using

k8s.helm.v2.Chart

, what's the "best" way to grab the ip for the service?

bitter-dentist-28132

08/13/2019, 5:12 PM

oh, there's a

getResource

function.... i guess that's how 🙂

orange-tailor-85423

08/13/2019, 5:23 PM

So when’s the first PulumiCon!?

💯 3

orange-tailor-85423

08/13/2019, 5:23 PM

I think a 1.0 launch deserves it 🙂

bitter-dentist-28132

08/13/2019, 5:32 PM

dang,

getResourceProperty

results in errors 😞

modern-bear-85657

08/13/2019, 6:02 PM

I’ve read, and employed, the instructions for unit testing from the recent blog post. That is not a sufficient solution. Especially so when developing custom components and functions. A mock runtime would be a step in the right direction. Requiring us to build a stack when none is needed just to test reusable components is not the answer.

elegant-crayon-4967

08/13/2019, 6:19 PM

trying to get a secret from

aws.secretsmanager

but the documentation has me confused on how I actually pass the secret into my resource. Anybody have an example?

thankful-optician-22583

08/13/2019, 7:35 PM

Hello what permissions in RBAC do I need to create watchers for ReplicaSet’s in pulumi. I am using EKS and I see this error

Could not create watcher for ReplicaSet objects associated with Deployment

bitter-island-28909

08/13/2019, 8:44 PM

Say I have a resource B, that depends on resource A via one of its outputs. Is there any straightforward way to force B to update any time A updates, even if the change in A is not one of the outputs that B depends on?

bitter-dentist-28132

08/13/2019, 8:46 PM

@bitter-island-28909 I believe you can use

dependsOn

for that

bitter-dentist-28132

08/13/2019, 10:10 PM

will pulumi reorder resources when importing yaml? i.e. can i simply slurp up https://github.com/jetstack/cert-manager/releases/download/v0.9.1/cert-manager.yaml or will that break?

bitter-dentist-28132

08/13/2019, 10:10 PM

i get a bunch of failed creations when i try just importing the yaml 😞

worried-engineer-33884

08/13/2019, 11:16 PM

I moved all of our resources to other modules imported by index.ts and pulumi wants to delete everything 😬 — what am I missing?

index_ts.ts

square-ability-48831

08/14/2019, 12:51 AM

looking for any examples or pointers on how to get a Resource for an existing dynamodb table and then use that in a role+policy pair for a lambda. getting held up on if

aws.dynamodb.getTable({name: 'mytablename'})

is what i need to get the resource. tried wrapping in an async function but it seems to just not build the resource at all.

cool-egg-852

08/14/2019, 4:53 AM

Is there any way to always have a resource imported if it doesn’t exist? The scenario is that we have the GKE Istio addon enabled. We want to be able to change the HPA minReplicas to 2 (from 1). In order to be able to do this, we have to have the resource in pulumi. The only way I know of being able to do this is to import the resource. However, let’s say we create a new stack, then obviously the resource won’t be created by Pulumi but by GKE. Thus the resource will be attempted to be created by pulumi as well as it doesn’t know to import the created resource created by GKE.

billions-fall-36374

08/14/2019, 9:50 AM

Anybody got some more resources on how to get started writing a custom provider? I find the kubernetes one a bit daunting to get started

helpful-afternoon-80621

08/14/2019, 11:13 AM

Any reason why the example from the typescript ec2.SecurityGroup source fails to typecheck?

const allowTls = new aws.ec2.SecurityGroup('allowTls', {
  description: 'Allow TLS inbound traffic',
  ingress: [
    {
      cidrBlocks: '', 
      fromPort: 443,
      protocol: 'tcp',
      toPort: 443
    }
  ],
  tags: {
    Name: 'allowAll'
  }
});

I'm getting a long cryptic typescript error that isn't much use in indicating what is actually wrong.

Error:(12, 56) TS2345: Argument of type '{ description: string; ingress: { cidrBlocks: string; fromPort: number; protocol: string; toPort: number; }[]; tags: { Name: string; }; }' is not assignable to parameter of type 'SecurityGroupArgs'.
  Types of property 'ingress' are incompatible.
    Type '{ cidrBlocks: string; fromPort: number; protocol: string; toPort: number; }[]' is not assignable to type 'Input<{ cidrBlocks?: Input<string>[] | Promise<Input<string>[]> | OutputInstance<Input<string>[]> | undefined; description?: string | Promise<string> | OutputInstance<string> | undefined; ... 6 more ...; toPort: Input<...>; }>[] | Promise<...> | OutputInstance<...> | undefined'.
      Type '{ cidrBlocks: string; fromPort: number; protocol: string; toPort: number; }[]' is not assignable to type 'Input<{ cidrBlocks?: Input<string>[] | Promise<Input<string>[]> | OutputInstance<Input<string>[]> | undefined; description?: string | Promise<string> | OutputInstance<string> | undefined; ... 6 more ...; toPort: Input<...>; }>[]'.
        Type '{ cidrBlocks: string; fromPort: number; protocol: string; toPort: number; }' is not assignable to type 'Input<{ cidrBlocks?: Input<string>[] | Promise<Input<string>[]> | OutputInstance<Input<string>[]> | undefined; description?: string | Promise<string> | OutputInstance<string> | undefined; ... 6 more ...; toPort: Input<...>; }>'.
          Type '{ cidrBlocks: string; fromPort: number; protocol: string; toPort: number; }' is not assignable to type '{ cidrBlocks?: Input<string>[] | Promise<Input<string>[]> | OutputInstance<Input<string>[]> | undefined; description?: string | Promise<string> | OutputInstance<string> | undefined; ... 6 more ...; toPort: Input<...>; }'.
            Types of property 'cidrBlocks' are incompatible.
              Type 'string' is not assignable to type 'Input<string>[] | Promise<Input<string>[]> | OutputInstance<Input<string>[]> | undefined'.

Running v0.17.28. Thanks

best-xylophone-83824

08/14/2019, 1:01 PM

What is analyzers/Policy?

busy-pizza-73563

08/14/2019, 1:06 PM

Started getting this since this morning:

Found incompatible versions of @pulumi/pulumi.  Differing major or minor versions are not supported.
      Version 0.17.28 referenced at node_modules\@pulumi\kubernetes\node_modules\@pulumi\pulumi\package.json
      Version 1.0.0-beta.2 referenced at node_modules\@pulumi\pulumi\package.json

Is this known / expected?

best-xylophone-83824

08/14/2019, 1:22 PM

Our org was renamed per our requests, but now stacks don't work:

Previewing update ($NEWORG/prod):
error: could not deserialize deployment: decrypting secret value: [404] Not Found: Organization '$OLDORG' not found

best-xylophone-83824

08/14/2019, 3:59 PM

What do I miss?

pulumi.output(new gcp.compute.Subnetwork("z", {ipCidrRange: "111", network: "zzz"})).name;

Error on `tsc --noEmit`:

Property 'name' does not exist on type 'OutputInstance<Subnetwork>'.

16 pulumi.output(new gcp.compute.Subnetwork("z", {ipCidrRange: "111", network: "zzz"})).name;

little-energy-64187

08/14/2019, 5:55 PM

ok one more import related:

const dbUser = new gcp.sql.User("myuser", {
    instance: dbInstance.name,
    name: "project/instancename/myuser"
}, { import: "project/instancename/myuser" })

ends up in

Preview failed: reading resource urn:pulumi:projectname::stackname::gcp:sql/user:User::project/instancename/myuser yielded an unexpected ID; expected project/instancename/myuser, got myuser//instancename

little-energy-64187

08/14/2019, 5:59 PM

anyone faced this before?

billowy-laptop-45963

08/14/2019, 6:13 PM

aws.acm.CertificateValidation deletes the cert after it is issued

adamant-dress-73325

08/14/2019, 7:48 PM

I created a new stack for a new project, without using

pulumi new

but now the project name is not showing up on the dashboard. I made sure that the project name in Pulumi.yaml was set correct, any reason why

stack init

wouldn't name these correctly?

Title

adamant-dress-73325

08/14/2019, 7:48 PM

I created a new stack for a new project, without using

pulumi new

but now the project name is not showing up on the dashboard. I made sure that the project name in Pulumi.yaml was set correct, any reason why

stack init

wouldn't name these correctly?

cool-egg-852

08/14/2019, 8:05 PM

The white space there is not the project name, it’s the repository name IIRC

So if you do not have repository integration, I believe it will be empty like that

The project name is the title in the 2 blocks that are cutoff in your screenshot

clever-sunset-76585

08/14/2019, 9:07 PM

So if you do not have repository integration, I believe it will be empty like that

Yes, I believe this is the case. cc @colossal-beach-47527 to keep me honest here.

colossal-beach-47527

08/14/2019, 9:12 PM

Yes. There are several pieces of data that power the stacks view. Every stack is associated with various pieces of metadata which we use to render that page. The large “gray background” widgets are how we organize stacks by their repository. The repository information isn’t available when you run

pulumi stack init

, but will be available after you run

pulumi up

. (Since as part of the update, we look if you are running within a

git

repo, and if so, inspect the origin if it is a GitHub repo, etc.) So it makes sense that the repo would be blank for a newly created stack. The project name and stack name should be set when you run

pulumi stack init

. The project name is what is found in

Pulumi.<stack-name>.yaml

, and is at the top of the “card with a white background”. The individual stack name is the label on each of those “purple rectangles” found on the project-card.

adamant-dress-73325

08/14/2019, 9:59 PM

I see, does the tool lookup recursively from

Pulumi.yaml

location for the repo? because for 1 of those shown, I've already run an update and it is located inside a git repo

colossal-beach-47527

08/14/2019, 10:52 PM

does the tool lookup recursively from
Pulumi.yaml
location for the repo?

Yes, I believe that is the case. Depending on the specific repo is configured though, we may not be pulling your repository information. We only check for a remote named

origin

, and only then IFF the URI matches certain well-known forms. (i.e. we err on the side of only persisting data we can parse/extract rather than just including the raw remote URI.) The specific code is here. If something seems amiss, and we should be pulling the repo information but are not, please file an issue and I can update the logic to detect your specific SCC provider, etc. https://github.com/pulumi/pulumi/blob/952b6d0d89f73c41bba57cf08f81847c0295c22d/cmd/util.go#L424 https://github.com/pulumi/pulumi/blob/952b6d0d89f73c41bba57cf08f81847c0295c22d/pkg/util/gitutil/git.go#L133

best-xylophone-83824

08/15/2019, 9:24 AM

interesting information, what do we miss on that page or elsewhere when we use private gitlab ?

adamant-dress-73325

08/15/2019, 4:06 PM

Ok, that explains our issues, we are using Phabricator for the

origin

remotes on those. We are switching to github either way so no big deal just have to change our origin remotes there.

colossal-beach-47527

08/15/2019, 5:25 PM

@best-xylophone-83824, @adamant-dress-73325 I filed issue https://github.com/pulumi/pulumi/issues/3093, could you do me a huge favor and just add the URL for the

origin

of your

git

remote (change the domain/values if they are sensitive). Knowing the domain and/or URL structure, I can add support for those systems in Pulumi so things “just work” for you in the future. As far as what you are missing out on, only two things come to mind. - Like you called out at the beginning of this thread, we won’t be able to group your Pulumi Projects by their source repo when on your organization’s dashboard. That can be helpful to filter stacks, e.g. just hone in on the projects/stacks within your “website” or “data-tier” repository. - On the “stack activity page”, we link to the repo commit that the update was deployed at in some cases. (Since e.g. for GitHub repos, if we know the branch, repo, and commit we can build the right URL to send you to.) So it’s possible we could do something similar and link to a private GitLab instance or Phabricator instance.

best-xylophone-83824

08/15/2019, 5:29 PM

So it’s possible we could do something similar and link to a private GitLab instance or Phabricator instance.

you can see gitlab URL structure on Gitlab itself it matches private Gitlab URLs, for instance

<https://gitlab.com/gitlab-org/gitlab-ce>

. You probably wont be able to reliably detect SCM , so if it was exposed somehow for us to set it can help

maybe most flexible way would be to provide a regexp with named capture groups to match against origin url

adamant-dress-73325

08/15/2019, 5:41 PM

I gave our particular remote URL format in the issue for phab, it should be pretty common case for phab. But like Maxim says, reliably detecting SCM might be pretty hard since Phab/Gitlab can be self hosted/configured differently. From UX perspective the dashboard page perhaps can instead, change its info hierarchy from

Repo Name > Project Name > Stack Name

Project Name > Stack Name

and keep the repo icon around as a nice to have for common SCMs.

View count: 1