But cannot shake the

The template validation failed: 'The workflow parameters '$connections' are not valid; they are not declared in the definition and therefore cannot be provided. The only declared parameters for this definition are ''.'.

error… and cannot find a way to define

$connections

as a parameter for my workflow

Hi, We are trying to use the import feature to import a AWS RouteTableAssociation resource, but are getting the following error:

warning: A new version of Pulumi is available. To upgrade from version '0.17.28' to '1.0.0-beta.2', run 
   $ brew upgrade pulumi
or visit <https://pulumi.com/docs/reference/install/> for manual instructions and release notes.
Previewing update (peopleticker/qa):

     Type                              Name             Plan       Info
     pulumi:pulumi:Stack               peopleticker-qa             1 error
 =   └─ aws:ec2:RouteTableAssociation  tf-qa-front-0    import     1 error
 
Diagnostics:
  aws:ec2:RouteTableAssociation (tf-qa-front-0):
    error: Preview failed: resource 'subnet-098fd854/rtb-ac9d63d0' does not exist
 
  pulumi:pulumi:Stack (peopleticker-qa):
    error: preview failed

We are pretty sure the ID of that resource exists and we are using latest pulumi-aws package which has the provider code from terraform to import such a resource.

@lemon-spoon-91807 I am setting up a awsx.FargateService and it looks like there is no way to pass

dependsOn

for the containers configs? Not to be confused with the pulumi

dependsOn

, I am referring to https://docs.aws.amazon.com/AmazonECS/latest/developerguide/task_definition_parameters.html#container_definition_dependson It looks like this parameter is not inside the pulumi-aws package either, so not sure how to workaround this, since

links

doesn't work with

awsvpc

network mode.

While developing my AWS RDS setup, I forgot a few attributes so it created an Aurora MySQL cluster. I updated the setup to include the Postgres specific and ran

pulumi up

again. But the wrong cluster is not replaced by the correct cluster:

Previewing update (production):

     Type                 Name                         Plan        Info
     pulumi:pulumi:Stack  infra-02-storage-production              
 +-  └─ aws:rds:Cluster   safeimage-rds-cluster        replace     [diff: ~dbClusterParameterGroupName,engine]
 
Resources:
    +-1 to replace
    4 unchanged

Do you want to perform this update? yes
Updating (production):

     Type                 Name                         Status                   Info
     pulumi:pulumi:Stack  infra-02-storage-production  **failed**               1 error
 +-  └─ aws:rds:Cluster   safeimage-rds-cluster        **replacing failed**     [diff: ~dbClusterParameterGroupName,engine]; 1 error
 
Diagnostics:
  pulumi:pulumi:Stack (infra-02-storage-production):
    error: update failed
 
  aws:rds:Cluster (safeimage-rds-cluster):
    error: Plan apply failed: error creating RDS cluster: DBClusterAlreadyExistsFault: DB Cluster already exists
        status code: 400, request id: fa019735-d4a7-4ad1-a887-e6fc4c64f761
 
Resources:
    4 unchanged

Why is the wrong cluster not deleted first?

Having an issue - build the EKS cluster but when deploying helm charts for services that create an ingress (looking at you Istio)…. it appears to fail on creating the ELB’s. Something about permissions to create a load balancer? Or perhaps an underlying issue with tagging?

Only similar-ish references I could find:

What's the right way to import a gke managed certificate? I have been trying

new k8s.apiextensions.CustomResource("service-dev-certificate", {
    apiVersion: "<http://networking.gke.io/v1beta1|networking.gke.io/v1beta1>",
    kind: "ManagedCertificate",
    metadata: {
        labels: {
            app: "networking",
            stage: "service-dev",
        },
        namespace: "namespace",
        name: "service-dev-certificate",
    },
    spec: {
        domains: ["<http://service-dev.example.com|service-dev.example.com>"]
    },
}, { provider: k8sProvider, import: "service-dev-certificate" })

but that doesn't seem to find it

fyi https://www.pulumi.com/docs/reference/pkg/nodejs/pulumi/gcp/serviceAccount is 404

also need some advice on importing service accounts, eg:

<mailto:name@project.iam.gserviceaccount.com|name@project.iam.gserviceaccount.com>

wouldn't that be

new gcp.serviceAccount.Account("name", {
    displayName: "name",
    accountId: "name",
    project: "project"
}, { import: "111111111111111111111" }) // id from url of gcp console

? (lemme know if these import questions become annoying ;)

Is there any equivalent to the terraform 'remote-exec' and 'file' provisioners in pulumi? I want to run a script when I create an ec2 instance and ec2 userData is painful to debug.

I discovered JS tagged templates, quite cool, allows to do things like:

projectNumber`service-${"gke01-london"}@container-engine-robot.iam.gserviceaccount.com`

where project id is replaced by project number without hiding overall value behind function

How should I implement canary deployments for API Gateway?

is there a way to get a resource's kubernetes name? for instance, to glue together a service and an ingress

when i do e.g.

this.service.metadata.name

, i get nothing

oh, i guess it's working, it's just the preview shown was incorrect

Would be cool to get a release of

pulumi-docker

when ya'll have a chance, can't wait for https://github.com/pulumi/pulumi-docker/pull/95

Hi, I suspect the

pulumi up

fails with OOM. Is there a way to specify max-old-space-size ?

What I am doing wrong? test.ts file:

import * as gcp from "@pulumi/gcp";
const x = {} as gcp.container.NodePoolArgs["nodeConfig"]["labels"];

Then

$ node_modules/.bin/tsc --noEmit --noErrorTruncation test.ts
test.ts:2:58 - error TS2339: Property 'labels' does not exist on type 'Input<{ diskSizeGb?: .....; labels?: Input<{ [key: string]: Input<string>; }>;'

how come?

labels

is clearly there 🙂

Hello, I was thrown in the world of Kubernetes, Helm, Google Cloud Engine, and Terraform/Pulumi and so on, so maybe I'm really in the wrong channel now to ask my question, please be nice. 🙂 We have a so called

nginx-ingress

which does basic authentication for one domain. Currently the basic authentication data is done manually via:

htpasswd -c auth <username> && kubectl create secret generic docs-basic-auth --from-file=auth

I want to automate this for the future. The helm chart looks like this:

ingress:
  domain: <domain>
  tlsSecretName: <name>-de-tls
  annotations:
    <http://nginx.ingress.kubernetes.io/auth-type|nginx.ingress.kubernetes.io/auth-type>: basic
    # # The name of the secret which contains the HTTP basic auth configuration
    # # See: <https://github.com/kubernetes/ingress-nginx/blob/6d2400ee0fcd29390db24091edef07ccee73c881/docs/examples/auth/basic/README.md>
    <http://nginx.ingress.kubernetes.io/auth-secret|nginx.ingress.kubernetes.io/auth-secret>: docs-basic-auth
    <http://nginx.ingress.kubernetes.io/auth-realm|nginx.ingress.kubernetes.io/auth-realm>: "Name"
deployment:
  strategy:
    type: RollingUpdate
    rollingUpdate:
      maxSurge: 1
      maxUnavailable: 0

I have a file which contains this code where, at least I think, I need to start:

import * as k8s from "@pulumi/kubernetes";
import * as affinities from "../../../affinities";

interface ICreateNginxIngressOpts {
  isPrivateNetworkIngress: boolean;
  tls: { defaultTlsSecretName: string };
  context: {
    provider: k8s.Provider;
  };
}

const createNginxIngress = ({
  isPrivateNetworkIngress,
  tls,
  context: { provider }
}: ICreateNginxIngressOpts) => {
  let annotations: any = {};

  if (isPrivateNetworkIngress) {
    // Only allow traffic from the external subnet
    annotations["<http://cloud.google.com/load-balancer-type|cloud.google.com/load-balancer-type>"] = "Internal";
  }

  return new k8s.helm.v2.Chart(
    "nginx-ingress",
    {
      repo: "stable",
      chart: "nginx-ingress",
      version: "1.6.0",
      values: {
        defaultBackend: {
          affinity: affinities.defaultPool
        },
        controller: {
          extraArgs: {
            "default-ssl-certificate": tls.defaultTlsSecretName
          },
          publishService: { enabled: true },
          affinity: affinities.defaultPool,
          service: {
            annotations
          }
        }
      }
    },
    { dependsOn: [provider], providers: { k8s: provider } }
  );
};

export { createNginxIngress };

Any hints where I have to look at? Basically: I want to automate this steps: https://github.com/kubernetes/ingress-nginx/blob/6d2400ee0fcd29390db24091edef07ccee73c881/docs/examples/auth/basic/README.md

https://www.pulumi.com/docs/reference/pkg/nodejs/pulumi/gcp/container/#NodePoolArgs-nodeConfig has no optional fields, yet example shows many fields omitted: https://www.pulumi.com/docs/reference/pkg/nodejs/pulumi/gcp/container/#example-usage-with-a-separately-managed-node-pool-recommended , how does it work?

General understanding on

pulumi preview

(delete-replace vs. in-place-update)

did anybody managed to use

pulumi.Config().getObject<T>()

? I get

error: getting secrets manager: could not unmarshal map: yaml: unmarshal errors:
  line 4: cannot unmarshal !!map into string

all the time 😞 Config is valid YAML:

config:
  gcp-gke:region: europe-west2
  gcp-gke:nodePools:
    ingress:
      roles: ["ingress"]
      nodeConfig:
        machineType: "g1-small"
        preemptible: true

Code:

type NodePoolConfig = Omit<
    gcp.container.NodePoolArgs,
    "cluster" | "location" | "name"
> & { roles: string[] };

const nodepools = new pulumi.Config().getObject<{
    [name: string]: NodePoolConfig;
}>("nodePools");

TIL that

StackReference

exists (why is it in the JS/TS API docs but not the Python ones?)

despite all the effort, TS is language of choice for pulumi

everything else looks more like attempt to attract devs

Hi, I have a question I want to provide a K8s provider that contains a roleArn. the secret & access key that are in the env vars only can assume roles. When I set them however I see this error

error: could not validate provider configuration: 1 error occurred:
    	* : invalid or unknown key: role_arn

This is my configuration

new k8s.Provider("myk8s", {
        kubeconfig: new terraform.state.RemoteStateReference("eks", {
            backendType: "s3",
            bucket: "XXXX-tfstate-backend-bucket",
            key: "XXXXXXX",
            workspace: "XXXXXXX",
            region: "us-east-1",
            roleArn: "arn:aws:iam::XXXXXXXXXXX:role/XXXX-XXXX-gitlab-terraform"
        }).getOutput("kubectl_config")});

Has anyone encountered this before?

if i make a kubernetes namespace, and then want to use that namespace later on resources, is there a way to make it show up in the diff on the resources? it just appears as

output<string>

, even though the namespace resource shows the actual string