I’m getting a lot of this kind of thing when modifying security group rules:

Do you want to perform this update? yes
Updating stack 'vault-dev'
Performing changes:

     Type                                      Name                         Status                  Info
 *   pulumi:pulumi:Stack                       pulumi-vault-test-vault-dev  done
 *   └─ operator-error:aws:vault:VaultServers  algo-vault-servers           unchanged
 ~      └─ aws:ec2:SecurityGroup               algo-vault-server-sg         **updating failed**     changes: ~ ingress, 2 errors

Diagnostics:
  aws:ec2:SecurityGroup: algo-vault-server-sg
    error: Plan apply failed: updating urn:pulumi:vault-dev::pulumi-vault-test::operator-error:aws:vault:VaultServers$aws:ec2/securityGroup:SecurityGroup::algo-vault-server-sg: Error revoking security group ingress rules: InvalidPermission.NotFound: The specified rule does not exist in this security group.
    	status code: 400, request id: 72b0d525-f31f-4fff-a0dc-7229cfb50af3

    error: update failed

info: no changes required:
      50 resources unchanged

IIRC this is why Terraform has separate

aws_security_group_rule

resources as well as the nested ones, and there is a storied history about those bits. Is this something others are commonly seeing?

Hmm, attempting to fix it by manual delete and refresh gives me an interesting state too:

Permalink: <https://app.pulumi.com/jen20/vault-dev/updates/45>
error: post-step event returned an error: failed to save snapshot: after mutation of snapshot: resource urn:pulumi:vault-dev::pulumi-vault-test::operator-error:aws:vault:BastionHost::algo-vault-bastion-host's dependency urn:pulumi:vault-dev::pulumi-vault-test::operator-error:aws:vault:VaultServers$aws:ec2/securityGroup:SecurityGroup::algo-vault-server-sg comes after it

Then did a stack export, removed the offending security group, imported (success), but then got a panic on the next refresh:

Hi! Probably a dumb question. Is there a way to pass the AWS_PROFILE to use as a parameter to

pulumi update

? The guide talks about setting is as an ENV but is quite annoying to have to change the ENV manually while jumping between different projects. Any tips? ^^

I believe there was something just merged that would allow you set provider config in code, but I’m not sure whether it’s hit a release yet. Right now I think you have to have AWS_PROFILE set in the environment

Setting if in the config yml is what I was just trying 😛 well i’m gonna use the env for now. thanks ^^

You should be able to do

pulumi config set aws:profile production

to set the profile to use via Pulumi config. This will take priority over anything from the environment.

Is there a good example of using the function capture and serialization with a plain

aws.lambda.Function

resource?

New bloggage from @colossal-beach-47527 https://twitter.com/PulumiCorp/status/1027696618680791042

I've hit the same issue as described by https://github.com/pulumi/pulumi-cloud/issues/145#issuecomment-341567911

I'm using cloud-aws to create a Service on fargate, but the task requires access to KMS

I've created the necessary policy, but there appears to be no way to add it to the task/service

I'm wondering if there's a work around possible, or if I should +1 the issue

is it possible to generate a random property in pulumi code and reuse it somehow on the next deploy instead of randomly generating it again?

@important-jackal-88836 in situations like that, I usually just embed the stack’s name. (e.g.

pulumi.getStackName()

IIRC.) That is a stable value that will remain constant across deployments. If that doesn’t work, you could specify a random number generator seed in your Pulumi config.

@bitter-oil-46081 has done some clever work on this recently.

Let me show you some code, @important-jackal-88836.

sweet

you should npm that

I think it may be exported from

@ellismg/pulumi-github-webhooks

? maybe import {RandomResource} from "@ellismg/pulumi-github-webhooks/random" works.

man my IAC is lookin so slick

if i've got a TypeScript cloud.Function, what's the best way to do a promises-friendly http POST?

Is there any good way to add new resources created by pulumi to existing resources that are managed in other ways? As a concrete example, say I wanted to add an allow rule for a new subnet I've created to an existing security group for an RDS database

can you "fetch" resources without pulumi trying to create them?