(I'm trying to deploy to AWS)

guess depends on what cloud. in azure there is a location property on most resources, would think AWS has a region property with similar effect?

In an automation setup, I am trying to automate the following sequence with local state backend:

pulumi login file:///var/pulumi/state
pulumi stack init production --secrets-provider=passphrase
pulumi up --diff --yes

However, in my script, is there a way to have

pulumi stack init

not error on the second and subsequent runs? I could silence it with a shell construct, but then I could possibly mask a possible error on the first run.

@limited-rainbow-51650

pulumi stack select -c stack-name

will create it only if it doesn't exist. Would that work?

appears that it will work with the

--secrets-provider

flag as well

One of the main drawbacks of Pulumi is that working with TF after it is not fun anymore

Anyone tried deploying Nomad cluster with Pulumi? Any reliable resource to take as example? I need something basic - 3 server nodes, consul can be on same nodes, 10-20 client nodes running containers in batch jobs. Needs to be on Azure

How do you guys manage environment variables within your stacks? For example, I need to store a connection string to a database. Is this a good candidate for encrypted secrets? https://www.pulumi.com/docs/intro/concepts/config/#secrets

Seems like

pulumi up

isn't using the profile set in the config? Pulumi.prod.yaml:

secretsprovider: ....
encryptedkey: ...
config:
  aws:profile: prod-pa
  aws:region: us-east-1

I get this error:

error: getting secrets manager: secrets (code=Unknown): AccessDeniedException: The ciphertext refers to a customer master key that does not exist, does not exist in this region, or you are not allowed to access.
        status code: 400, request id: 91f0ea5d-cd55-44b0-8f4f-1413547fb896

I can describe the KMS successfully using:

aws kms describe-key --key-id=65500644-e3e5-44be-b3ea-d3928b0af188 --profile=pa-prod

So this makes me think the profile isn't being provided?

How much work would it be to publish a true Github Action rather than using the

uses: <docker://pulumi/actions>

notation? I am using act (https://github.com/nektos/act/) to test my workflows locally and the

docker:

notation does not seem to be supported.

refusing to delete protected resource

, how can i override it or remove the protection? I am trying to do

pulumi destroy

because

pulumi up

is failing to update the vpc, due to another error.

How can I implement

createVPCAssociationAuthorization

using Pulumi? Any thoughts/ideas? https://aws.amazon.com/premiumsupport/knowledge-center/private-hosted-zone-different-account/

Hey,

pulumi

could you please help me with this?

pulumi:pulumi:Stack  infra-test1  running...  warning: resource plugin kubernetes is expected to have version >=2.2.0, but has 2.2.0-alpha.1589233905+gcf42dd90; the wrong version may be on your path, or this may be a bug in the plugin

Hi there, I’m trying to understand how

dependsOn

works and if it’s the solution to my problem. From what I understand here https://www.pulumi.com/docs/intro/concepts/programming-model/#dependson it should properly wait for a previous resource to be available for the one I’m referencing it in. In my usecase I provision postgresql with an helm chart and my migration service needs to wait in order to connect to it. Unfortunately, having inputs from the chart nor having it explicitly define in the

dependsOn

does not make my service wait for all the services in the chart available and of course it fails since the database service is not available yet. How am I supposed to properly define dependencies when pulumi fails to understand a specific case then ?

I have a secret that I need to pass as a build arg to a

docker.Image

but I cannot get it to pass it decrypted Definition:

_export_ const sec = pulumiConfig.requireSecret("secKey");

I've tried

pulumi.all([sec]).apply(([secString])  => { return { ARG_NAME: secString }; });

and

{ ARG_NAME: sec.apply(v=>v) }

Neither of these works, the value is always either

[secret]

or

Calling [toString] on an [Output<T>] is not supported.\n\nTo get the value of an Output...

For what it's worth,

pulumi.all

works fine on a secret imported from another stack using a StackReference

hey there, this gets probably asked a lot, but I couldn't find an answer, so I wanted to try my luck here 🙂 Is there a way to export a plan from an

preview

stage to feed that into

up

or is there any other way to implement a review stage in CI without the posibility of a drift in the infrastructure in the mean time?

Hi there, is possible to create with a pulumi stack an azure ressource group and an azure storage to use this as the pulumi state backend and reference this in another stack ?

👋 Hi there, new Pulumi user here, great project! It's great to be able to unit test infra code with the same tooling as application code. I have a question regarding structured configuration in

pulumi.yaml

and

pulumi-stackname.yaml

. starting a thread so I don't turn general into pastebin 😄

I ran into a “feature” that was unfortunate for my use case, and I’m wondering how others have gone about solving it. Problem Statement: I have an RDS instance in a [pre-existing] VPC that I cannot connect to from CI, or locally.  The MySQL Provider needs this connectivity to provision databases on the instance.  I thought the first obvious solution might be to serialize a lambda with the MySQL Provider that can run in the VPC.  This is where I ran into the “feature” that strips out any dependencies that start with 

@pulumi/

  recursively, so even if I specify 

pulumi.runtimeDependencies

 in package.json, they’ll be removed. • https://www.pulumi.com/docs/tutorials/aws/serializing-functions/#determining-the-appropriate-node-modules-packages-to-include-with-a-lambda • https://github.com/pulumi/pulumi/blob/master/sdk/nodejs/runtime/closure/codePaths.ts#L296-L300 Being able to run the lambda with the mysql provider would be preferred, but it seems I’m forced to look into other possible solutions, which are more complex. Other Possible Solutions: 1. Publish a lambda with an external tool, and call it as an existing lambda with pulumi (messy, requires more than 

pulumi up

). 2. Use mysql nodejs package to create the database (that stinks, I have a MySQL provider). 3. In addition to GitHub Actions, use AWS Code Services so the pipeline can run in the VPC (redundant). 4. Run either a mysql, or pulumi container in fargate that can provision the databases (seems like a lot more infra and complexity to create databases). Maybe I’m missing something obvious here.  Hoping someone can shed some light on how I should approach this problem, and maybe other opportunities I’ve overlooked.  Thanks, loving Pulumi so far!

Hello seing a lot of this

node-pre-gyp WARN Using needle for node-pre-gyp https download 
node-pre-gyp WARN Pre-built binaries not installable for grpc@1.24.2 and node@12.16.3 (node-v72 ABI, glibc) (falling back to source compile with node-gyp) 
node-pre-gyp WARN Hit error bad download 
gyp WARN EACCES current user ("pulumi") does not have permission to access the dev dir "/root/.cache/node-gyp/12.16.3"

That increase the deployment time. I’m using the latest pulumi container image… any idea?

Hi everyone -- Is there a way to persist comments in the Pulumi.<stack>.yml? I'd like to give context to some of the variables. re-deploying removes the comments.

Hi there, i didn't find any opportunity yet to debug my pulumi programm (c#). I have visual studio 2019 and also visual studio code. When i start debugging it always tell me to start it via pulumi cli.

When defining a networkListener for an EC2Service, how do I create a security group rule to only allow inbound traffic coming from the load balancer listener port for the service?

return new awsx.ecs.EC2Service("myservice", {
    cluster,
    subnets: service.subnets,
    taskDefinitionArgs: {
        vpc,
        networkMode: "awsvpc",
        containers: [ 
           "myContainer": { image: '...',
             networkListener = {
                 port: 80,
                 sslPolicy: 'ELBSecurityPolicy-TLS-1-2-Ext-2018-06'
              } 
            } 
        ],
    }
...
}

Is there any way to have Pulumi target code outside of the current working directory? Something like a

--code-path "/some/path"

argument? Didn't see one in the docs.

Hi everyone! I'm curious, does Pulumi offer any "escape hatches" by which I can grab the underlying AWS API client (TypeScript) to perform some post-provisioning fixups on provisioned infrastructure?

I'm not really finding anything on this through docs and after digging through the source a bit. If I don't want to store the config in the repositories but do want to store them with the run, is there a reasonable way to approach that? My current thinking is in CircleCI, running

pulumi config refresh

to pull the config down from Pulumi - or maybe

pulumi config set

for every value in the config from environment variables. Are there any other approaches?

Hi, how do I construct s3 bucket using

Output<string>

variable? I retrieve the region as type

Output<string>

which I want to use as prefix in the bucket name. I want to either convert it to

string

or use the

Output<string>

directly in the bucket creation. I tried the

apply

and

interpolate

syntax but I can’t figure out how to use correctly.

const region = pulumi.output(aws.getRegion()).name;

`const devDataBucket = new aws.s3.Bucket(

${region}-dev-data

);` Appreciate the help!