pulumi-community #general

Channels

general

busy-dusk-74339

01/17/2020, 2:32 PM

when i run

pulumi preview --diff

it highlights

securityGroups

as having changes, but the contents of the object are identical to the instance above that it wants to delete …

busy-dusk-74339

01/17/2020, 2:33 PM

- aws:ec2/instance:Instance: (delete)
    [id=i-0b024d1ad4cb75dba]
    [urn=urn:pulumi:dev::talend_poc::aws:ec2/instance:Instance::talend_poc_instance]
    [provider=urn:pulumi:dev::talend_poc::pulumi:providers:aws::default_1_8_0::90aafd96-3c4a-4649-9def-fb795391f334]
    ami                  : "ami-04bfa3d65c8508b02"
    disableApiTermination: true
    getPasswordData      : false
    iamInstanceProfile   : "talend_poc_profile-1f0f54b"
    instanceType         : "m4.xlarge"
    keyName              : "ops"
    rootBlockDevice      : {
        deleteOnTermination: true
        volumeSize         : 300
    }
    securityGroups       : [
        [0]: "sg-095e0af0371379410"
        [1]: "sg-078d2ef15a737ac03"
    ]
    sourceDestCheck      : true
    subnetId             : "subnet-08d1f41a5bd97f622"
    tags                 : {
        Name       : "talend-poc"
        application: "talend-poc"
    }
    userData             : "IyEvYmluL2Jhc2gKCnN..."

busy-dusk-74339

01/17/2020, 2:33 PM

pulumi:pulumi:Stack: (same)
    [urn=urn:pulumi:dev::talend_poc::pulumi:pulumi:Stack::talend_poc-dev]
    > pulumi:pulumi:StackReference: (read)
        [id=PLOS/iam/dev]
        [urn=urn:pulumi:dev::talend_poc::pulumi:pulumi:StackReference::PLOS/iam/dev]
        name: "PLOS/iam/dev"                                                                                                                                                                                                                                                                                                                                      +-aws:ec2/instance:Instance: (replace)
        [id=i-099b9ef2206465ee3]
        [urn=urn:pulumi:dev::talend_poc::aws:ec2/instance:Instance::talend_poc_instance]
        [provider: urn:pulumi:dev::talend_poc::pulumi:providers:aws::default_1_8_0::90aafd96-3c4a-4649-9def-fb795391f334 => urn:pulumi:dev::talend_poc::pulumi:providers:aws::default_1_18_0::output<string>]
      ~ securityGroups: [
          + [0]: "sg-095e0af0371379410"
          + [1]: "sg-078d2ef15a737ac03"
        ]

helpful-kitchen-78641

01/17/2020, 7:44 PM

is it possible to read the value of the aws config keys? i.e. I have this in my

Pulumi.stack.yaml

config:
  aws:profile: StagingAdmin

and in my

index.ts

code I would like to do something like:

const prof = config.require('aws:profile');

helpful-kitchen-78641

01/17/2020, 7:50 PM

ah, found it:

const prof = aws.config.profile;

busy-dusk-74339

01/17/2020, 10:39 PM

any ideas how to troubleshoot changes to a stack?

busy-dusk-74339

01/17/2020, 10:40 PM

pulumi is convinced that it needs to add 2 security groups to my ec2 instance, but when i view the instance in the console, both of the SGs it wants to add are already there

loud-nest-15724

01/18/2020, 1:41 PM

Hi all, I've been digging into how Pulumi stores secrets when using S3 for state management It seems like secret values are being store in plain text in the outputs section of the state. here's a example of the program I am running - https://gist.github.com/Jmen/27f1eaafe3660f384c34b65af6b13d4f and an example of what is stored in the state - https://gist.github.com/Jmen/343468cfe680e12d3613bda9b8378b2b is there currently a limitation in the .net implementation, or the S3 support?

mysterious-egg-7415

01/18/2020, 4:27 PM

Can we get the Terraform ACME provider added to Pulumi: https://www.terraform.io/docs/providers/acme/index.html

steep-toddler-94095

01/19/2020, 3:17 AM

`docker.Image`'s

build.cacheFrom

parameter does not seem to allow me to use an image with a different name as the cache source. It's different from how

docker --cache-from

works. Am I out of luck on this if i want to use another image for the build cache?

broad-dog-22463

01/20/2020, 10:50 AM

Just thought I'd throw this piece of code out there - it's for multiple region deployments of resources in Pulumi - this specific example is for Lambdas

const providers: {[key: string]: aws.Provider} = {
    "us-east-1": new aws.Provider("us-east-1", {region: "us-east-1"}),
    "us-east-2": new aws.Provider("us-east-2", {region: "us-east-2"}),
    "us-west-2": new aws.Provider("us-west-2", {region: "us-west-2"})
};

for (const providerKey of Object.keys(providers)) {
    const provider = providers[providerKey];

    const lambda = new aws.lambda.Function(`my-lambda-function-${providerKey}`, {
        name: "lambda-for-account-cleanup",
        runtime: aws.lambda.Go1dxRuntime,
        timeout: 900,
        role: iamRoleArn,
        handler: "main",
        code: new pulumi.asset.FileArchive("../deployment.zip"),
        environment: {
            variables: {
                "DESTROY_ENABLED": "false"
            }
        },
        tags: {
            "Owner": "Stack72",
            "Purpose": "AccountCleanup",
        }
    }, {provider: provider});
}

💯 1

👍 1

limited-rainbow-51650

01/20/2020, 11:09 AM

If I’m not mistaken, the provider code for the various languages supported by Pulumi is mostly generated from TF providers by the bridge support, or from e.g. an OpenAPI/Swagger. Am I correct that higher level abstractions (e.g. Crosswalk) are implemented separately by hand each language at a time?

limited-rainbow-51650

01/20/2020, 11:10 AM

Or do you use “tricks” to keep the implementation of such abstractions between the various programming languages in sync?

cuddly-smartphone-89735

01/20/2020, 2:03 PM

Hi. I’m trying to initialize the k8s provider's

kubeconfig

parameter with the output of a Azure

KubernetesCluster

resource. But for some reason, when I run

pulumi up

before even provisioning anything, it fails because the

k8s

resource already tries to connect to the cluster (which doesn't exist at this point in time). I thought that a missing dependency was the issue, but even when I specify the dependency explicitly, it will fail with the connection error. Any ideas? Basically I just want to provision a cluster (with azure provider) and then configure that same cluster (with k8s provider).

nutritious-judge-27316

01/20/2020, 2:12 PM

When doing development with Pulumi, How many state files do you have? One for Local and One for CI/CD? Or create the stacks on local PC for all CICD Pipeline in backend state file?

red-football-97286

01/20/2020, 2:47 PM

Can you delete a default VPC in AWS with pulumi? Trying to do this with Python.

limited-rain-96205

01/20/2020, 7:18 PM

Is there a way to change the S3 backend URL, so we can use MinIO instead?

fresh-summer-65887

01/20/2020, 8:57 PM

I have a stack with ~1000 resources. Adding a single route53 record resource to this stack and

pulumi up

takes 6 to 7 minutes. Is this typical? Seems a bit long....

bored-river-53178

01/20/2020, 9:16 PM

is it possible to set pulumi config option (e.g. pulumi:noSyncCalls) globally for all stacks?

eager-gold-58845

01/21/2020, 1:22 AM

Had a question similar to: https://pulumi-community.slack.com/archives/C84L4E3N1/p1572604898043200?thread_ts=1572604898.043200 where I would like to assign tags to all aws resources that are created through Pulumi. Started down the path of doing this:

runtime.registerStackTransformation(args => {
    return {
        ...args,
        props: {
            ...args.props,
            tags: {
                owner: "stewartnoll"
            }
        }
    }
});

but ran into the problem pointed out in the question's thread where not all aws resources support a tag resulting in a failure at

pulumi up

. Followed up by moving to a more explicit approach that sets tags on those things I specifically care about:

runtime.registerStackTransformation(args => {
    if (args.type === 'aws:lambda/function:Function' || args.type === '<ANOTHER TYPE HERE>') {
        return {
            ...args,
            props: {
                ...args.props,
                tags: {
                    owner: "stewartnoll"
                }
            }
        }
    }
    return undefined;
});

Although this has the benefit of reducing cognitive load on future devs adding functions to the stack, there's still the issue of adding a different resource to the stack that supports tags but isn't captured in the condition. If this were dot net I'd use reflection to map

args.type

to the dot net Type and check if the Type has the property

Tags

which would cover all resource types (including those that haven't been created by aws yet). I've been Googling a bunch on how to do something similar in TypeScript but haven't had any luck. Does anyone know of a way to do this or a better approach?

flat-insurance-25294

01/21/2020, 1:37 AM

Is there any chance the pulimi team would rethink stacks? I mean, why can’t a stack be created as part of pulimi itself? Why is it an outside resource? Let me run pulumi up and define/create/use a stack directly before creating all the AWS resources. I feel like this is a missed opportunity. Now I gotta wrap all my Pulumi call in a CI build script (in Ruby) before actually calling pulimi up, would be nicer to do that as part of pulimi (in TS/Go whatever)

better-rainbow-14549

01/21/2020, 10:40 AM

can anybody give me a pointer on how to best deploy a yaml.ConfigFile then wait until a particular deployment has replicas ready? i can see how to do it for a pod but that pod's autonamed so not sure how best to query for it. it's for cert-manager and I keep getting an error creating a DNS issuer because the webhook hasnt become ready so I want to try and wait until that's done

cold-motorcycle-78950

01/21/2020, 4:30 PM

It appears that pulumi has started disregarding my local changes to a stack. Instead, it appears to be stuck at the head of our teams integration branch. Any tips on how to resolve this would be greatly appreciated

big-potato-91793

01/21/2020, 4:31 PM

Hey, I’m trying to do some unit testing for a small pulumi module we are making for our apps in our compagnie. Just wondering how that is possible. We are using jasmine + typescript. We always getting this error when running it

Error: ENOENT: no such file or directory, open '/Users/alexandrelemieux/tm/pulumi/ticketmaster/node_modules/grpc/node_modules/needle/test/keys/ssl.cert'
    at Object.openSync (fs.js:448:3)
    at Object.readFileSync (fs.js:348:35)
    at Object.<anonymous> (/Users/alexandrelemieux/tm/pulumi/ticketmaster/node_modules/grpc/node_modules/needle/test/helpers.js:9:13)
    at Module._compile (internal/modules/cjs/loader.js:738:30)
    at Object.Module._extensions..js (internal/modules/cjs/loader.js:749:10)
    at Module.load (internal/modules/cjs/loader.js:630:32)
    at tryModuleLoad (internal/modules/cjs/loader.js:570:12)
    at Function.Module._load (internal/modules/cjs/loader.js:562:3)
    at Module.require (internal/modules/cjs/loader.js:667:17)
    at require (internal/modules/cjs/helpers.js:20:18)
npm ERR! Test failed.  See above for more details.

flat-insurance-25294

01/21/2020, 5:06 PM

@big-potato-91793 Are you trying to read a file? Try logging your current working dir from pulumi and also try absolute path first.

broad-boots-45639

01/21/2020, 6:21 PM

Having trouble passing in values to a Helm chart via Pulumi. The chart is failing to install because an access id I am passing in as a value isn’t valid. I know it is valid because I can install the helm chart manually, passing in the secret with

--set

. Pulumi looks to be writing these values into a yaml file in tmp, but they’re cleaned up as soon as the command fails: Command failed: helm template /tmp/tmp-2518liO6nRLE4N1X/sumologic --name-template sumobundle --values /tmp/tmp-2518liO6nRLE4N1X/sumologic/values.yaml --values /tmp/tmp-25188Uk68Vj0j9UB.yaml --namespace sumologic I’d like to validate the values in these files and confirm that the secrets are being passed in. Before I do something hacky, is there a better way I could go about troubleshooting this problem or maybe force Pulumi to retain its artifacts from the preview?

incalculable-engineer-92975

01/21/2020, 8:21 PM

Anyone know of Pulumi support for Kafka's Schema Registry?

fast-dinner-32080

01/21/2020, 8:39 PM

Hello, I am looking into using Pulumi for our Kubernetes infra and wondered if there is a way to run a script when a node/vm resource is being destroyed? The idea is we would drain and cordon nodes before destroying. Then if possible run a command after the destroy to remove the node from kubernetes. Looking at the docs so far I cannot find any logic that can do this and am thinking it would have to be done manually which defeats one of the purposes 😕

cool-egg-852

01/21/2020, 9:41 PM

Anyone able to upgrade istio from 1.4.0 to 1.4.3 without failure? Failed for us because a cluster role binding was missing.

elegant-dress-88912

01/22/2020, 5:30 AM

pulumi up

shows secure outputs in plain text, is it a known issue? I am using pulumi random:

import * as random from "@pulumi/random";
...
const redisPassword = new random.RandomPassword("redis", {
  length: 10,
  special: false
});

export const redisStgPassword = redisPassword.result;

Per docs, pulumi should display at as`[secret]` : https://www.pulumi.com/docs/intro/concepts/programming-model/#stack-outputs and https://www.pulumi.com/docs/reference/pkg/nodejs/pulumi/random/#RandomPassword while in my case it displays it in plaintext every invocation of

pulumi up

pulumi stack output

I am using pulumi 1.8.1 and random 1.4.0

Title

elegant-dress-88912

01/22/2020, 5:30 AM

pulumi up

shows secure outputs in plain text, is it a known issue? I am using pulumi random:

import * as random from "@pulumi/random";
...
const redisPassword = new random.RandomPassword("redis", {
  length: 10,
  special: false
});

export const redisStgPassword = redisPassword.result;

pulumi up

pulumi stack output

I am using pulumi 1.8.1 and random 1.4.0

white-balloon-205

01/22/2020, 5:32 AM

Right now - you need to specifiy

additionalSecretOutputs

to ensure outputs are secret (unless they were also inputs which were provided a secret value). https://github.com/pulumi/pulumi-terraform-bridge/issues/10 will make it so that this additional annotation is not required, and "Sensitive" outputs from upstream providers will automatically be marked as secret.

elegant-dress-88912

01/22/2020, 5:33 AM

thanks @white-balloon-205 !

@white-balloon-205, this worked well for

random.RandomPassword

and

tls.PrivateKey

(which are from terraform modules), but didn't work for k8s.Secret. Any idea? Code:

const vaultAuthAccount = new k8s.core.v1.ServiceAccount(
...

// read from created account token secret
export const vaultAuthToken64 = k8s.core.v1.Secret.get(
  "vault-auth-token",
  pulumi.interpolate`${vaultAuthAccount.metadata.namespace}/${vaultAuthAccount.secrets[0].name}`,
  {
      additionalSecretOutputs: ["data"]
  }
).data.apply(d => (d as { token: string }).token);

looks like static method

get

of https://www.pulumi.com/docs/reference/pkg/nodejs/pulumi/kubernetes/core/v1/#Secret does not honor this option

mb there is some way to create secure

Output

from non-secure

Output

? I could use this as w/a.

white-balloon-205

01/22/2020, 5:53 AM

Hmm - that doesn't sound right. Could you open an issue with a report of that? (

get

not respecting this option).

elegant-dress-88912

01/22/2020, 5:53 AM

sure

white-balloon-205

01/22/2020, 5:54 AM

mb there is some way to create secure
Output
from non-secure
Output
?

Yeah -

pulumi.secret(output)

should work.

elegant-dress-88912

01/22/2020, 5:54 AM

thanks !

https://github.com/pulumi/pulumi-kubernetes/issues/956

👍 1

View count: 1