I have similar concerns regarding the ability for specific team members to deploy particular stacks, like locking down prod stacks to senior members

Hi Jarshwah! Yes - we will be adding richer Role Based Access Control for teams in the coming weeks, and both of these are things we’ll allow you to grant or deny based on role applied to an individual or group. cc @square-apartment-28429

Yup, what Luke said! We have a lot of plans in this area and I am eagerly working out the details to get them launched. @bland-lamp-97030 I’ll follow up with a PM soon with the details and ways you can accomplish that today. (And post it to Pulumi.io, too.

Looking forward to seeing what comes out of that!

Is there a way to expand the graph view on app.pulumi.com to include the internals of components?

This is all I currently see

Assuming you have more than just that automatic Stack resource, this looks like a bug to me. We should show components (e.g., cloud:Table, et al enjoy this). If you have your checkpoint file handy -- via

pulumi stack export

-- and it doesn't contain sensitive info, would you mind sharing and/or filing an issue with it?

I can put it in a secret gist but would rather not post it in an issue.

Sure thing. The main thing I would need to see is the resource URNs and their parent fields, so feel free to strip out the rest.

I found another interesting issue here too actually - there may be a good explanation but it was somewhat surprising.

I changed the LambdaCert component with this commit: https://github.com/jen20/lambda-cert/pull/2/commits/e0b5fd2bf5766efdb4777ff330b208fa54a70715 and ensured that

inputs. generateJavaKeyStore

was false. However, running

pulumi update

didn’t show an update to

environment

on the function.

I see the problem; the

urn:pulumi:vault-test-dev::pulumi-vault-test::operator-error:aws:LambdaCert::algo-vault-lambda-cert

resource has an empty

parent

property. This should never happen except for the top-level stack resource. I vaguely remember some bug a while back where if the resource got created "late" in the asynchronous evaluation of a script, it would get mis-parented, but I thought we fixed this. I'll file an issue on our side and take a look.

Hmm,

aws.iam.PolicyDocument::merge

would be a useful thing. Basically something that would go through statements in several policy fragments and find the intersection.

Thanks for the info Luke and Chris, I'm just experimenting at this stage but anticipating questions from the team

I’ve opened up a bunch of issues on

pulumi-aws

about cases where objects could be passed instead of IDs in some of the less-used areas of the SDK. I intend to address all of them at some point this week but thought I’d open issues to refer back to as I come across specifics. Please let me know if you’d rather have an omnibus issue for these to reduce noise etc

I found another fun issue today with

aws.autoscaling.Group

. The following property value:

tags: [
                {
                    key: "Name",
                    value: "Vault Server",
                    propagateAtLaunch: true,
                },
            ],

gives an error when updating:

Previewing update of stack 'vault-test-dev'
Previewing changes:

     Type                                      Name                              Plan          Info
 *   pulumi:pulumi:Stack                       pulumi-vault-test-vault-test-dev  no change     1 error
 ~   ├─ operator-error:aws:vault:VaultServers  algo-vault-servers                update        changes: + physicalStorageTableName,serverCount,ser
 +   │  └─ aws:ec2:PlacementGroup              algo-vault-placement-group        create
 *   └─ global                                 global                            no change     1 error

Diagnostics:
  global: global
    error: aws:autoscaling/group:Group resource 'algo-vault-autoscaling-group' has a problem: tag.0: expected object, got slice

  pulumi:pulumi:Stack: pulumi-vault-test-vault-test-dev
    error: One or more resource validation errors occurred; refusing to proceed

error: an error occurred while advancing the preview

I’m using the

dev

dependency of

@pulumi/aws

, so the type definition is:

readonly tags?: pulumi.Input<{
        key: pulumi.Input<string>;
        propagateAtLaunch: pulumi.Input<boolean>;
        value: pulumi.Input<string>;
    }[]>;

I’m guessing this might be related to the discussion here: https://github.com/pulumi/pulumi-aws/pull/277#issuecomment-406806336

Setting it via

tagsCollection

doesn’t work either (which makes sense given the above):

Diagnostics:
  aws:autoscaling:Group: algo-vault-autoscaling-group
    error: Plan apply failed: creating urn:pulumi:vault-test-dev::pulumi-vault-test::operator-error:aws:vault:VaultServers$aws:autoscaling/group:Group::algo-vault-autoscaling-group: algo-vault-autoscaling-group-dae2d47: invalid tag attributes: key missing

    error: update failed

@stocky-spoon-28903 Not sure exactly what's going on there - I've opened https://github.com/pulumi/pulumi-aws/issues/293 so we can take a look.

I think

aws.elasticloadbalancingv2.Listener

is missing a

MaxItemsOne: boolRef(true)

on the

defaultActions

property

Another shameless plug in case you missed the first announcement: Hi everyone! I’m looking into adding “workflow features” to the Pulumi.com service. For example, showing the results of

pulumi preview

ran in your CI/CD system on GitHub. Or optionally requiring another project member to review and approve infrastructure changes to a stack. If you are interested in providing feedback on the design and/or would like early access to prototypes, please send me a direct message. I’d love to get your input and will follow up with the details for how to get started!

If I see:

~   ├─ pulumi:providers:aws                        default                               update        changes: ~ version

and

warning: resource plugin aws is expected to have version >=0.14.6-dev-1533615635-g36bed34, but has 0.14.6-dev-1533603906-g1e50892; the wrong version may be on your path, or this may be a bug in the plugin

Will that resolve itself on update? (If so, it might be a good warning to make less severe!)

Actually have a new problem with ASG tags - if any of the values are computed I get a “required value not set”. I have a reproduction (slight modification of the last one) here: https://gist.github.com/jen20/ccc91ab961843babf93b119fe67e1938

Is there a way in the Terraform bridge to override the type of something in but define a conversion function or similar?

Hm, I don't think so. Can you share a brief example of what you're thinking?

e.g. Health Check on an NLB is defined in the terraform provider as a string because it could either be a number or

"traffic"