I have a secret that I need to pass as a build arg to a

docker.Image

but I cannot get it to pass it decrypted Definition:

_export_ const sec = pulumiConfig.requireSecret("secKey");

I've tried

pulumi.all([sec]).apply(([secString])  => { return { ARG_NAME: secString }; });

and

{ ARG_NAME: sec.apply(v=>v) }

Neither of these works, the value is always either

[secret]

or

Calling [toString] on an [Output<T>] is not supported.\n\nTo get the value of an Output...

For what it's worth,

pulumi.all

works fine on a secret imported from another stack using a StackReference

hey there, this gets probably asked a lot, but I couldn't find an answer, so I wanted to try my luck here 🙂 Is there a way to export a plan from an

preview

stage to feed that into

up

or is there any other way to implement a review stage in CI without the posibility of a drift in the infrastructure in the mean time?

Hi there, is possible to create with a pulumi stack an azure ressource group and an azure storage to use this as the pulumi state backend and reference this in another stack ?

👋 Hi there, new Pulumi user here, great project! It's great to be able to unit test infra code with the same tooling as application code. I have a question regarding structured configuration in

pulumi.yaml

and

pulumi-stackname.yaml

. starting a thread so I don't turn general into pastebin 😄

I ran into a “feature” that was unfortunate for my use case, and I’m wondering how others have gone about solving it. Problem Statement: I have an RDS instance in a [pre-existing] VPC that I cannot connect to from CI, or locally.  The MySQL Provider needs this connectivity to provision databases on the instance.  I thought the first obvious solution might be to serialize a lambda with the MySQL Provider that can run in the VPC.  This is where I ran into the “feature” that strips out any dependencies that start with 

@pulumi/

  recursively, so even if I specify 

pulumi.runtimeDependencies

 in package.json, they’ll be removed. • https://www.pulumi.com/docs/tutorials/aws/serializing-functions/#determining-the-appropriate-node-modules-packages-to-include-with-a-lambda • https://github.com/pulumi/pulumi/blob/master/sdk/nodejs/runtime/closure/codePaths.ts#L296-L300 Being able to run the lambda with the mysql provider would be preferred, but it seems I’m forced to look into other possible solutions, which are more complex. Other Possible Solutions: 1. Publish a lambda with an external tool, and call it as an existing lambda with pulumi (messy, requires more than 

pulumi up

). 2. Use mysql nodejs package to create the database (that stinks, I have a MySQL provider). 3. In addition to GitHub Actions, use AWS Code Services so the pipeline can run in the VPC (redundant). 4. Run either a mysql, or pulumi container in fargate that can provision the databases (seems like a lot more infra and complexity to create databases). Maybe I’m missing something obvious here.  Hoping someone can shed some light on how I should approach this problem, and maybe other opportunities I’ve overlooked.  Thanks, loving Pulumi so far!

Hello seing a lot of this

node-pre-gyp WARN Using needle for node-pre-gyp https download 
node-pre-gyp WARN Pre-built binaries not installable for grpc@1.24.2 and node@12.16.3 (node-v72 ABI, glibc) (falling back to source compile with node-gyp) 
node-pre-gyp WARN Hit error bad download 
gyp WARN EACCES current user ("pulumi") does not have permission to access the dev dir "/root/.cache/node-gyp/12.16.3"

That increase the deployment time. I’m using the latest pulumi container image… any idea?

Hi everyone -- Is there a way to persist comments in the Pulumi.<stack>.yml? I'd like to give context to some of the variables. re-deploying removes the comments.

Hi there, i didn't find any opportunity yet to debug my pulumi programm (c#). I have visual studio 2019 and also visual studio code. When i start debugging it always tell me to start it via pulumi cli.

When defining a networkListener for an EC2Service, how do I create a security group rule to only allow inbound traffic coming from the load balancer listener port for the service?

return new awsx.ecs.EC2Service("myservice", {
    cluster,
    subnets: service.subnets,
    taskDefinitionArgs: {
        vpc,
        networkMode: "awsvpc",
        containers: [ 
           "myContainer": { image: '...',
             networkListener = {
                 port: 80,
                 sslPolicy: 'ELBSecurityPolicy-TLS-1-2-Ext-2018-06'
              } 
            } 
        ],
    }
...
}

Is there any way to have Pulumi target code outside of the current working directory? Something like a

--code-path "/some/path"

argument? Didn't see one in the docs.

Hi everyone! I'm curious, does Pulumi offer any "escape hatches" by which I can grab the underlying AWS API client (TypeScript) to perform some post-provisioning fixups on provisioned infrastructure?

I'm not really finding anything on this through docs and after digging through the source a bit. If I don't want to store the config in the repositories but do want to store them with the run, is there a reasonable way to approach that? My current thinking is in CircleCI, running

pulumi config refresh

to pull the config down from Pulumi - or maybe

pulumi config set

for every value in the config from environment variables. Are there any other approaches?

Hi, how do I construct s3 bucket using

Output<string>

variable? I retrieve the region as type

Output<string>

which I want to use as prefix in the bucket name. I want to either convert it to

string

or use the

Output<string>

directly in the bucket creation. I tried the

apply

and

interpolate

syntax but I can’t figure out how to use correctly.

const region = pulumi.output(aws.getRegion()).name;

`const devDataBucket = new aws.s3.Bucket(

${region}-dev-data

);` Appreciate the help!

Any idea what would cause these warning to be printed? They have to do with the Datadog helm chart.

coalesce.go:199: warning: destination for podLabels is a table. Ignoring non-table value <nil>
    coalesce.go:199: warning: destination for podLabelsAsTags is a table. Ignoring non-table value <nil>
    coalesce.go:199: warning: destination for podLabels is a table. Ignoring non-table value <nil>
    coalesce.go:199: warning: destination for podLabelsAsTags is a table. Ignoring non-table value <nil>

Hey Pulumi team - any chance you could add a "silent" flag to the linux install script (https://get.pulumi.com/) that if set would add

--silent

to the curl tarball download line? I can create a PR for this if it's in a public repo somewhere

is there a good example/doc somewhere on keeping Pulumi code in the same repo as an app, and using it to deploy from one environment to the next, ie: 1. dev/feature branch - CI builds image, and then runs Pulumi to deploy the new image to a dev kubernetes cluster (manual trigger of deployment if feature branch) 2. dev merged to staging branch via PR - CI deploys that same set of changes to the stg environment 3. stg branch merged to prd via PR - As above but stg->prd the progression through envs is easy enough for me to grapple with, just figuring out how to sanely only build the image in the dev/feature branches AND sanely add that image tag so the subsequent deploys push the right thing

Hey everyone! Quick Pulumi/AWS question. It is possible to have a single Pulumi stack create a resources in multiple AWS accounts? I've seen the docs on assume-role, but don't see if it's possible to use a different AWS account number in the ARN of the resource being created/modified. For example, we want to control DNS from our main pulumi stack, but it's in a different AWS account than our other resources.

This message was deleted.

Hi, I'm new to Pulumi and working on a POC with the Typescript Kubernetes Crosswalk guide for GKE. I'm currently receiving the following error from the Pulumi CLI:

error: resource 'urn:pulumi:dev::<OMITTED>::pulumi:pulumi:StackReference::<OMITTED>/<OMITTED>/dev' registered twice (read and read)

I'm not sure what I would need to do next to remedy this error. Any help would be greatly appreciated.

Hello, does anyone know what pulumi.InvokeOption are for data sources? ( golang )

How do we handle manipulating resources created as a side-effect? For example, if creating a cluster causes a default security group to be created, how do we reference that security group?

How do I add "AmazonEC2ContainerServiceFullAccess" to the ec2 instances created by a cluster / auto-scaling group?

Hello, just getting started with Pulumi on dotnet for AWS. Creating a VPC, with a NatGateway. Have EIPs created, and trying to reference the AllocationId. However, I'm getting this error: error: awsec2/natGatewayNatGateway resource 'Production' has a problem: Missing required property 'allocationId' My code is clearly setting the AllocationId property of the NatGatewayArgs using the EIP.AllocationId output property. Not sure what I'm doing wrong, any thoughts?

Will AmazonSSMManagedInstanceCore be added to the "ManagedPolicies" modules output?

Hello - I am configuring a GKE cluster. It seems the property

useIpAliases

is missing from

ipAllocationPolicy

when creating a

gcp.container.Cluster

. If I leave an empty

ipAllocationPolicy

the cluster is not VPC-native. The property is also missing from the docs. According to the Google documentation, creating a VPC-native cluster can be achieved with:

{
  "name": cluster-name,
  "description": description,
  ...
  "ipAllocationPolicy": {
    "useIpAliases": true,
    "createSubnetwork": true,
    "subnetworkName": subnet-name
  },
  ...
}

where

ipAllocationPolicy

is described in https://cloud.google.com/kubernetes-engine/docs/reference/rest/v1/projects.locations.clusters#Cluster.IPAllocationPolicy.

Does anyone know if creating ipv6 ELBs for EKS is supported? pushing "::/0" into the cidr blocks for public access fails as it wants ipv4 only

Thanks @glamorous-intern-23812 for preseting on Pulumi tonight at Microsoft Automation Melbourne 🙂

Is there anyway to get pulumi/actions to cache docker layers or plugins for itself? It’s burning minutes just redownloading itself.

In the docs I'm not finding any detailed reference to how the state is actually organized. I know that with TF there's a good amount of up-front consideration necessary for how the code base is organized to avoid issues with blast radius when doing different operations (e.g. https://blog.gruntwork.io/how-to-manage-terraform-state-28f5697e68fa?gi=a302ddf41849). Is that still a necessary consideration in Pulumi?