General understanding on

pulumi preview

(delete-replace vs. in-place-update)

did anybody managed to use

pulumi.Config().getObject<T>()

? I get

error: getting secrets manager: could not unmarshal map: yaml: unmarshal errors:
  line 4: cannot unmarshal !!map into string

all the time 😞 Config is valid YAML:

config:
  gcp-gke:region: europe-west2
  gcp-gke:nodePools:
    ingress:
      roles: ["ingress"]
      nodeConfig:
        machineType: "g1-small"
        preemptible: true

Code:

type NodePoolConfig = Omit<
    gcp.container.NodePoolArgs,
    "cluster" | "location" | "name"
> & { roles: string[] };

const nodepools = new pulumi.Config().getObject<{
    [name: string]: NodePoolConfig;
}>("nodePools");

TIL that

StackReference

exists (why is it in the JS/TS API docs but not the Python ones?)

despite all the effort, TS is language of choice for pulumi

everything else looks more like attempt to attract devs

Hi, I have a question I want to provide a K8s provider that contains a roleArn. the secret & access key that are in the env vars only can assume roles. When I set them however I see this error

error: could not validate provider configuration: 1 error occurred:
    	* : invalid or unknown key: role_arn

This is my configuration

new k8s.Provider("myk8s", {
        kubeconfig: new terraform.state.RemoteStateReference("eks", {
            backendType: "s3",
            bucket: "XXXX-tfstate-backend-bucket",
            key: "XXXXXXX",
            workspace: "XXXXXXX",
            region: "us-east-1",
            roleArn: "arn:aws:iam::XXXXXXXXXXX:role/XXXX-XXXX-gitlab-terraform"
        }).getOutput("kubectl_config")});

Has anyone encountered this before?

if i make a kubernetes namespace, and then want to use that namespace later on resources, is there a way to make it show up in the diff on the resources? it just appears as

output<string>

, even though the namespace resource shows the actual string

Continuing my import experiments

const serviceAccount = new gcp.serviceAccount.Account("example", {
    displayName: "example",
    accountId: "example-service-account",
    project: "project"
}, { import: "projects/project/serviceAccounts/example-service-account@project.iam.gserviceaccount.com" })

const roles = new gcp.projects.IAMCustomRole("example", {
    roleId: "example",
    title: "example",
    description: "example roles",
    permissions: [
        'compute.addresses.list',
        'compute.instances.addAccessConfig',
        'compute.instances.deleteAccessConfig',
        'compute.instances.get',
        'compute.instances.list',
        'compute.projects.get',
        'container.clusters.get',
        'container.clusters.list',
        'resourcemanager.projects.get',
        'compute.networks.useExternalIp',
        'compute.subnetworks.useExternalIp',
        'compute.addresses.use',
    ]
}, { import: "projects/project/roles/example" })

const examplePolicyBinding = new gcp.serviceAccount.IAMBinding("example", {
    serviceAccountId: serviceAccount.accountId,
    members: ["serviceAccount:example-service-account@project.iam.gserviceaccount.com"],
    role: "projects/project/roles/example"
}, { import: "<mailto:example-service-account@project.iam.gserviceaccount.com|example-service-account@project.iam.gserviceaccount.com>" })

policy binding fails with

Wrong number of parts to Binding id [example-service-account@project.iam.gserviceaccount.com]; expected 'resource_name role'.

typescript drives me crazy 😕 what does it want??

config/gke01-london.ts:6:9 - error TS2322: Type '{ machineType: string; preemptible: boolean; }' is not assignable to type '"nodeConfig"'.

6         nodeConfig: {
          ~~~~~~~~~~

  node_modules/@pulumi/gcp/container/nodePool.d.ts:312:14
    312     readonly nodeConfig?: pulumi.Input<{
                     ~~~~~~~~~~
    The expected type comes from property 'nodeConfig' which is declared here on type 'NodePoolConfigArgs'

all I wanted is to check that provided config matches NodePoolArgs. Everything in

'NodePoolConfigArgs["nodeConfig"]'

is optional, yet even

{}

cannot be assigned to it.

Having trouble with the same issue as this: https://github.com/pulumi/pulumi/issues/3063 Switching from node 11 to 8 doesn’t help though

Neither does running

pulumi up -y || pulumi up -y

terraform providers have a nice property that they can be replaced with a custom compiled binary. Am I right that Pulumi pulls TF providers as a dependency and to achieve same result (== quick local bugfix), I'd need to recompile Pulumi provider ?

FYI guys most of the google search results for your API now result in 404 errors https://www.pulumi.com/docs/reference/pkg/nodejs/pulumi/awsx/elasticloadbalancingv2/

searching for “pulumi addListenerRule”

Hello, I am running into a spurious replace issue, is this a known problem? Pulumi believes that it needs to replace an ec2 instance to give it security group, but the instance already has the security group shown. It happens even after a

pulumi refresh

.

++aws:ec2/instance:Instance: (create-replacement)
        <snip>
      ~ securityGroups: [
          + [0]: "sg-082e7a6e007b182dc"
        ]
    +-aws:ec2/instance:Instance: (replace)
      ~ securityGroups: [
          + [0]: "sg-082e7a6e007b182dc"
        ]

Hello everyone. I worked through this example and it was probably the easiest lambda / api gateway deployment (complete with secrets management) that I've done so far: https://github.com/pulumi/examples/tree/master/aws-ts-apigateway-auth0 | However I have a question. Let's say that I wanted to only deploy that authorizer and attach it to an existing API gateway? Can this be done?

can someone please publish a new version of the docker image, so that

pulumi/pulumi:latest

matches what's

latest

in npm?

Hey everyone, I'm new on the slack. I'm having issues importing an instance because I can't get the userData to match what pulumi expects. seems to not be comparing the same things

How can I tell which of changes causes resource replace?

+-gcp:container/cluster:Cluster: (replace) 🔒
        [id=gke01-london]
        [urn=urn:pulumi:gke01-london::gcp-gke::gcp:container/cluster:Cluster::gke01-london]
        [provider=urn:pulumi:gke01-london::gcp-gke::pulumi:providers:gcp::default_1_0_0_beta_1::1a4df25a-af6f-4fda-80df-2c8bd047655a]
      + authenticatorGroupsConfig: {
          + securityGroup: "gke-security-groups@$corp"
        }
      + maintenancePolicy        : {
          + dailyMaintenanceWindow: {
              + startTime : "01:00"
            }
        }
      + podSecurityPolicyConfig  : {
          + enabled   : true
        }

Whats the reason URN doesn't include parent resource name, just a type? Including name would remove following requirement for users to think of:

Resources constructed as children of a component should make sure that their names will be unique across multiple instances of the component. In general, the name of the component instance itself (the name parameter passed in to the component constructor) shoud be used as part of the name of the child resources.

Is there some way to unprotect all resources for a specific

pulumi up

run?

We're basically trying to make an elevated process for CD that's different from the normal case when there are resources to be deleted

but having to unprotect resources one by one isn't ideal, having to leave them unprotected isn't awesome either

I'm having an issue with a GCP UptimeCheckConfig that wants to replace itself EVERY time I run pulumi. anyone got tips on how to debug this one?

nothing in the config should be dynamic

Hello, I’m seeing this error from the kubernetes provider:

kubernetes:extensions:Deployment (istio-system/istio-pilot):
    error: Plan apply failed: 1 error occurred:
        * resource istio-system/istio-pilot was successfully created, but the Kubernetes API server reported that it failed to fully initialize or become live: Timeout occurred for 'istio-pilot'

But the api shows 2/2 up. It showed this before the timeout too:

istio-pilot                     2/2     2            2           10m

does anyone have any thoughts on how I can further debug this? It appeared to deploy everything fine but pulumi timed out. @gorgeous-egg-16927 maybe?

@incalculable-angle-91273 I have been seeing those lately as well, and when I run again they seem to go away. It seems like a check of some sort was missed because my cluster will show it as done but Pulumi thinks it's still pending. It also might be a timing thing where it's a race issue. I didn't dig too deep because on my third attempt it worked as expected. But I have seen it occur again here and there, especially on a full-stack creation.

having hard time again with outputs.. in my VPC stack, i output the aws zones being used from a simple object property, it’s defined as:

subnet_zone_letters:string[] = ['a', 'b', 'c', 'd'];

I want to make sure the other stack uses the same values, so I pass them as an output:

export let vpc_subnet_zone_letters = vpc.subnet_zone_letters;

that shows up in my outputs like:

vpc_subnet_zone_letters: [
                [0]: "a"
                [1]: "b"
                [2]: "c"
                [3]: "d"
            ]

Finally, in another stack I want to load them and use them as part of a string input to another stack, and so far for the life of me I can’t get it to work:

var vpc_subnet_zone_letters = vpc.getOutput('vpc_subnet_zone_letters');
    ...
    availabilityZones: [
        `us-east-2${vpc_subnet_zone_letters.apply(x=>`${x[0]}`)}`,
        `us-east-2${vpc_subnet_zone_letters.apply(x=>`${x[1]}`)}`,
    ],

have a question relating to Gitlab for this group