Yay, terraform recently implemented a long awaited feature “Add desired_status argument to google_compute_instance” (https://github.com/terraform-providers/terraform-provider-google/pull/5734). Which means you can create instances in a TERMINATED state (since you don’t pay for them then). What’s the process of bumping pulumi-gcp? Is that something I should make a PR for, happens on a timed schedule?

@thousands-london-78260 When it’s in a release it will get brought over

@broad-dog-22463 manages much of that, but it shouldn’t be too long following a release upstream

i'm using IAM STS temp credentials to run pulumi from my laptop. how would i run it in a gitlab job? i've tried setting up an access/secret key but it just tells me that it's invalid creds

do i have to

pulumi config set

? i'm just using the standard env vars right now

i figured pulumi would read them

Is there a doc on organizing your pulumi code? I am playing with the Auth0 sample and the API gateway sample (typescript) and am unsure if I should merge them into one big index.js or if there is a modular approach to applying them to the same stack.

is there any way to get properties of the provider being used? E.g. Determining if the AWS provider is using a

profile

or an assumed

role_arn

We’re publishing abstracted AWS/K8S providers for our software devs and using env vars or depending on the pulumi config isn’t viable because a user may be using an explicitly created provider in their IaC

hi, is there any workaround for https://github.com/pulumi/pulumi-aws/issues/814? It''s a real blocker for me. I can't deploy one of required Stacks (others stacks are deployed well).

Hello, I am getting started with an organization and a naive run of

pulumi new

creates a project and stack in my personal account rather than the org. I cannot find a switch or env var to instruct pulumi to use the org as the default account. Is this possible? Thanks!

Quick security question about key management practices: So far my keys for GitHub actions deploys into AWS accounts/environments have just been manually added to GitHub Secrets and used as environment variables for Pulumi's action to deploy with. It occurred to me that it would be possible to store those secrets as Pulumi config secrets. Is that considered a safe approach?

Can I rename a Pulumi project? If so, what are the steps to do it?

How does Pulumi Terraform Bridge deal with default values configured in a resource? I am running into an issue i.e. a resource is defined as this:

"list_policy": {
		(...)
				"allow": {
					(...)
							"all": {
								Type:         schema.TypeBool,
								Optional:     true,
############ --->		    	Default:      false,                 <-- Default Value #########
								ExactlyOneOf: []string{"list_policy.0.allow.0.all", "list_policy.0.allow.0.values"},
							},
							"values": {
								Type:         schema.TypeSet,
								Optional:     true,
								ExactlyOneOf: []string{"list_policy.0.allow.0.all", "list_policy.0.allow.0.values"},
								Elem:         &schema.Schema{Type: schema.TypeString},
								Set:          schema.HashString,
							},
						},
					},
				},

https://github.com/terraform-providers/terraform-provider-google/blob/1f9e0cb9c3cef1c65cfd2054ca8dfd2795ac42a6/google/resource_google_organization_policy.go#L55 And I created it like this:

new projects.OrganizationPolicy('Only allow resource in Europe', {
    constraint: 'gcp.resourceLocations',
    project: gcloud.project,
    listPolicy: {
        allow: {
            values: ['in:europe-west4-locations']
        }
    }
})

What would be the value of

resource.listPolicy.allow.all

?

Since resource creation is deferred with Pulumi, what's the process for updating an item before it gets created? Specifically, I've created two AWS SecurityGroup objects and want some of the egress rules in one to reference the other. The reason I'm breaking this up is that I don't want to manually define the order in which the groups get created. Creating each and maintaining a reference back seemed like a solution. However, when I pull up the object to modify it, I find the object seems to want a "resolved" value:

let thisGroup = createdSecGroups.get(thisGroupName);
                    if (item.allowed_other_sec_grps && item.allowed_other_sec_grps.length > 0) {
                        for (let allowed of item.allowed_other_sec_grps) {
                            let theOtherSecGrp = createdSecGroups.get(allowed + "_" + vpc);
                            if (theOtherSecGrp && thisGroup) {
                                thisGroup.egress.get().forEach(entry => {
                                    entry.securityGroups = theOtherSecGrp!.id;
                                });
                            }
                        }
                    }

This line is invalid:

entry.securityGroups = theOtherSecGrp!.id;

It looks like securityGroups wants a resolved string[] value. I'm guessing this is another case where I'm thinking about this all wrong... Suggestions are appreciated!

Just confirming: If a Pulumi user has access to a project, but NONE on a production stack, they should not be able to decrypt secrets associated with that stack, correct?

Is @pulumi/random deprecated? VSCode is not finding it

Hello, would Pulumi add TencentCloud to the cloud providers list? TencentCloud website: https://intl.cloud.tencent.com/ Terraform plugin: https://github.com/terraform-providers/terraform-provider-tencentcloud Any other informations I am glad to make addition.

We recently upgraded to use Pulumi Team Pro. My account has organizational Admin access, but I can't seem to create teams either manually or via GitHub. (we do have a GitHub Team setup in our organization) Any ideas as to why that could be?

Hi All, I'm provision an Azure storage account (ZRS) with management policy to move blob to Cool feature but got an error message 'tierToArchive is not supported for the account.' However, I'm able to set the rule manually on the portal. Could you please help?

Heyho, is there a way to disable secret encryption completely when using the local or bucket storage backend? The way I'm planning to use pulumi technically no secrets should end up in state therefore it would be convenient not having to bother with setting up a secret provider.

Hi everyone, I have a project with multiple stacks. There are some common configuration with the same values for some stacks. For example, I have 4 stacks:

#Pulumi.network.dev.yaml
encryptionsalt: ....
config:
  aws:region: us-east-2
  network:env.name: dev

#Pulumi.services.dev.yaml
encryptionsalt: ....
config:
  aws:region: us-east-2
  services:env.name: dev

#Pulumi.network.prod.yaml
encryptionsalt: ....
config:
  aws:region: us-east-1
  network:env.name: prod

#Pulumi.services.prod.yaml
encryptionsalt: ....
config:
  aws:region: us-east-1
  services:env.name: prod

Is this possible to extract common configurations to a file and import it when needed? For example, I would like to have something similar to this:

#Pulumi.common.dev.yaml
encryptionsalt: ....
config:
  aws:region: us-east-2
  common:env.name: dev

#Pulumi.network.dev.yaml
encryptionsalt: ....
config:
  aws:region: {{common.dev/aws:region}}
  network:env.name: {{common.dev/common:env.name}}

Or do you have other ideas to solve this issue?

Hi there, if I'm deploying a k8s cluster with pulumi and also what goes in to that cluster, should I use a single stack, or multiple? It would seem to make sense to have one, but would it be coupling infra to apps by doing that?

Also, if I want to test k8s deployments to a local instance, it would be nice to be able to run that separately from the aks deployment

is there a way to programmatically get all stacks in a project/account? use case: i'm replicating "prod" across several regions, and I want to create some origin groups for failover in the CDN, and it would be nice to simply aggregate all deployed replications

hi there. I’m loosing the focus on the word “stack”. The stack is mandatory the environment? (prod/stage/dev) ? I’m thinking about stack as “subproject” of a big project….a little like AWS cloudformation stacks. Am I on the wrong direction ?

is there a way to explicitly provide a passphrase for decoding secrets when doing a

StackReference

?

does importing s3 buckets not work? i get the error

invalid Amazon S3 ARN, unknown resource type, arn:aws:s3:::bucket-name

is it possible to import a resource and apply a diff on it? e.g. if i want to apply a replication config on several s3 buckets that i have in various stacks.

For organizations not in the Team Pro plan, users added have the “Member” role. What are the permissions of this role? The documentation mentions the ability to set default stack permissions for an organization but that does not seem to be visible in the settings view.