Hi there! I am starting with Pulumi. Trying to use the Python wrapper to do a small exercise on GCP. My question is: How do I programmatically access the

config: gcp:region

and

gcp:project

values from the configuration file?

Hello everyone. I'm new to Pulumi. I wonder if I could use Pulumi to mange my vps or dedicated server (which is outside of supported clouds)?

I would like to thank every team member of Pulumi. You are building amazing tools and amazing communities.

Unfortunately I am not as smart as their dev team nor am i a dev ops ninja ...yet.. and i hit a snaguu, I have a simple issue deploying a java app-engine custom flex environment. I have built wars of the java app and saved them to storage. I believe my config for the deployment section is malconfigured. any advice?

const myappV1 = new gcp.appengine.FlexibleAppVersion("myappV1", {
  versionId: "v1",
  project: gaeApi.project,
  service: "default",
  runtime: "java",
  servingStatus: "STOPPED",
  deployment: {
    zip: {
      sourceUrl: pulumi.interpolate`<https://storage.googleapis.com/${bucket.name}/${war.name}>`,
    },
  },
  livenessCheck: {
    path: "/v2b/recommendations/liveness_check",
    timeout: "4s",
    checkInterval: "30s",
    failureThreshold: 4,
    successThreshold: 2,
  },
  readinessCheck: {
    path: "/v2b/recommendations/readiness_check",
    timeout: "5s",
    checkInterval: "8s",
    failureThreshold: 3,
    successThreshold: 2,
    appStartTimeout: "300s",
  },
  handlers: [],
  automaticScaling: {
    maxTotalInstances: 1,
    coolDownPeriod: "120s",
    cpuUtilization: {
      targetUtilization: 0.5,
    },
  },
  noopOnDestroy: true,
});

Looking at pulumi examples, I see

import { config } from "./config";

and

const config = new pulumi.Config();

fairly often. The first seems to be for passing module outputs, and the second is for the stack config. Is there a best practice for how people combine those two? Obviously I could just rename one something else, but I'm curious as to common patterns that other users have found. Should I be loading

pulumi.Config()

in my config.ts and combining other modules outputs into a merged config object?

If anyone is interested in GitHub Actions with AWS, I just pushed a first version of a step that creates a temporary session with an assumed role for subsequent steps. https://github.com/mowat27/aws-session-action https://hub.docker.com/r/mowat27/aws-session-action

Use it something like this

name: Provision and deploy
on: [push]

jobs:
  deployment:
    runs-on: ubuntu-latest
    name: Deploy
    steps:
      - uses: actions/checkout@v2
        with:
          fetch-depth: 1
      - name: Make temp session on AWS
        id: aws-session
        uses: <docker://mowat27/aws-session-action>
        env:
          AWS_ACCESS_KEY_ID: ${{ secrets.AWS_ACCESS_KEY_ID }}
          AWS_SECRET_ACCESS_KEY: ${{ secrets.AWS_SECRET_ACCESS_KEY }}
          AWS_ASSUME_ROLE_ARN: ${{ secrets.AWS_ASSUME_ROLE_ARN }}
          AWS_DEFAULT_REGION: eu-west-1
      - uses: <docker://pulumi/actions>
        with:
          args: up --yes
        env:
          AWS_ACCESS_KEY_ID: ${{ steps.aws-session.outputs.AWS_ACCESS_KEY_ID }}
          AWS_SECRET_ACCESS_KEY: ${{ steps.aws-session.outputs.AWS_SECRET_ACCESS_KEY }}
          AWS_SESSION_TOKEN: ${{ steps.aws-session.outputs.AWS_SESSION_TOKEN }}
          AWS_REGION: eu-west-1
          PULUMI_ACCESS_TOKEN: ${{ secrets.PULUMI_ACCESS_TOKEN }}
          PULUMI_CI: up

I’m kinda just finding my feet with Pulumi and GH Actions so any feedback would be greatly appreciated.

Apologies for the lack of docs. It’s getting late so I’ll tidy things up tomorrow

Anyone know of a good way to validate a stack config? The

require

is great if your configuration is small, but my configuration has multiple elements that can be nested two or three times. Just curious if there is something provided by the Pulumi library before I go off and write my own.

Hi there, Could someone maybe point me in a direction We're trying to import existing aws resources such as vpc and nsg into our project stack and it runs until it eventually time out. I've tried it couple of times with the same result.

config looks like so

config:
  aws:profile: ...
  aws:region: eu-west-1
  aws:sharedCredentialsFile: ...
  aws:skipCredentialsValidation: "true"
  aws:skipRequestingAccountId: "true"
  clt-resource-base:data:
    networks:
      virtual_private_cloud:
        name: mmawseuclientdevVPC
        imp_res: true
        id: ....
        owner_id: ...
        cidr_block: ...
        enable_dns_support: true
        enable_dns_hostnames: true
        tags:
          - ...

and

the actual code

import pulumi
import pulumi_aws as aws
from pulumi import ResourceOptions

config = pulumi.Config()

config_data = config.require_object("data")

print (f'{config_data}')

mmawseuclientdev_vpc_config = config_data['networks']['virtual_private_cloud']
mmawseuclientdev_vpc_res_imp = ResourceOptions(import_=mmawseuclientdev_vpc_config['id']) if mmawseuclientdev_vpc_config['imp_res'] else None

mmawseuclientdev_vpc = aws.ec2.Vpc(
    mmawseuclientdev_vpc_config['name'],
    cidr_block=mmawseuclientdev_vpc_config['cidr_block'],
    enable_dns_support=mmawseuclientdev_vpc_config['enable_dns_support'],
    enable_dns_hostnames=mmawseuclientdev_vpc_config['enable_dns_hostnames'],
    tags=mmawseuclientdev_vpc_config['tags'],
    opts=mmawseuclientdev_vpc_res_imp
)

Anyone know how to recover from a corrupt state file, after running pulumi refresh, a few parent resources were deleted, now pulumi complains about no parent resource for child resource, state file is corrupt. I understand there is an ongoing GitHub issue regarding it, but just wondering if there's a quick workaround for this.

===

rename a pulumi project

===

I created a

RandomPassword

resource, assigned it to a service principal for an ACR but forgot to set

additionalSecretOutputs

in the first place. Performing this change afterwards doesn’t have an effect on the output (and thus also not on the pulumi state). Is there a way to trigger this without modifying the resource? (I’m aware that if the password was unencrypted once, it needs to be changed, too). Just wondering if this is intended, that adding the

additionalSecretOutputs

doesn’t affect the state…

Hello guys! 👋 I have a question about security & organizing projects with stacks. In our company, we have 6 different environments, from which 1 is production of course. I've read in docs here (organizing-projects-and-stacks) about possible solutions to organize the projects & stacks.... but I'm wondering if I'm not missing something. Our problem is, that we would like 1 project in which we would have 6 stacks (one per every environment as suggested in docs). As far as I understand, the

CLI

itself, the authorization to pulumi service & to azure is targeted for the project. But we want to be absolutely sure, that nobody can touch the production except our deployment pipelines. But we find having 6 different projects in codebase quite ugly to accomplish only that one thing. Am I missing something? Can we achieve the restriction for given stack in some other way? Through some special environment variable or something?

If you have multiple projects and use cloud storage provider as backend, can you use the same location (eg: same S3 bucket) for multiple projects or will you end up having conflicts with stacks that have the same name, even though they are from different projects?

If I would like to create a Pulumi provider from a Terraform one (I’m thinking about Civo): what would be the correct way to do it?

Hi! I am trying to install the nginx ingress helm chart and having problems with the settings for the service monitor. According to https://github.com/helm/charts/tree/master/stable/nginx-ingress for prometheus operator I need to set

controller.metrics.serviceMonitor.additionalLabels

to one label in particular, but I don't know in which format. If I try just setting that property to an object with the label as a property, pulumi fails because the manifest is not in the expected format or something like that. If I set is as a string, like

"{ release: 'prometheus-operator' }"

it errors with

error converting YAML to JSON: yaml: line 12: could not find expected ':'

. You can see how

additionalLabels

is used in the service monitor template at https://github.com/helm/charts/blob/master/stable/nginx-ingress/templates/controller-servicemonitor.yaml. Any idea of how to get it working? Thanks!

hello! i successfully imported an AWS MSK cluster into my Pulumi stack now whenever i try to update the MSK cluster (eg just changing tags), i get the following error:

panic: fatal: An assertion has failed: Expected diff to not require deletion or replacement during Update of urn:pulumi:production::bos::aws:msk/cluster:Cluster::kafka
    goroutine 30 [running]:
    <http://github.com/pulumi/pulumi/sdk/v2/go/common/util/contract.failfast(...)|github.com/pulumi/pulumi/sdk/v2/go/common/util/contract.failfast(...)>
    	/home/travis/gopath/pkg/mod/github.com/pulumi/pulumi/sdk/v2@v2.1.1-0.20200508232528-aa313aecf8a0/go/common/util/contract/failfast.go:23
    <http://github.com/pulumi/pulumi/sdk/v2/go/common/util/contract.Assertf(0xc0008d3200|github.com/pulumi/pulumi/sdk/v2/go/common/util/contract.Assertf(0xc0008d3200>, 0x69d26e0, 0x48, 0xc00066f728, 0x1, 0x1)
    	/home/travis/gopath/pkg/mod/github.com/pulumi/pulumi/sdk/v2@v2.1.1-0.20200508232528-aa313aecf8a0/go/common/util/contract/assert.go:33 +0x197
    <http://github.com/pulumi/pulumi-terraform-bridge/v2/pkg/tfbridge.(*Provider).Update(0xc000501680|github.com/pulumi/pulumi-terraform-bridge/v2/pkg/tfbridge.(*Provider).Update(0xc000501680>, 0x73307c0, 0xc000fbd200, 0xc000212000, 0xc000501680, 0x5d1e201, 0xc000282440)
    	/home/travis/gopath/pkg/mod/github.com/pulumi/pulumi-terraform-bridge/v2@v2.3.1/pkg/tfbridge/provider.go:825 +0x81d
    <http://github.com/pulumi/pulumi/sdk/v2/proto/go._ResourceProvider_Update_Handler.func1(0x73307c0|github.com/pulumi/pulumi/sdk/v2/proto/go._ResourceProvider_Update_Handler.func1(0x73307c0>, 0xc000fbd200, 0x67272a0, 0xc000212000, 0x671dca0, 0xaec2240, 0x73307c0, 0xc000fbd200)
    	/home/travis/gopath/pkg/mod/github.com/pulumi/pulumi/sdk/v2@v2.1.1-0.20200508232528-aa313aecf8a0/proto/go/provider.pb.go:1920 +0x89
    <http://github.com/grpc-ecosystem/grpc-opentracing/go/otgrpc.OpenTracingServerInterceptor.func1(0x73307c0|github.com/grpc-ecosystem/grpc-opentracing/go/otgrpc.OpenTracingServerInterceptor.func1(0x73307c0>, 0xc000fbc1e0, 0x67272a0, 0xc000212000, 0xc000ef8240, 0xc000ef8260, 0x0, 0x0, 0x72785e0, 0xc0003eb220)
    	/home/travis/gopath/pkg/mod/github.com/grpc-ecosystem/grpc-opentracing@v0.0.0-20180507213350-8e809c8a8645/go/otgrpc/server.go:57 +0x2f9
    <http://github.com/pulumi/pulumi/sdk/v2/proto/go._ResourceProvider_Update_Handler(0x67d2d80|github.com/pulumi/pulumi/sdk/v2/proto/go._ResourceProvider_Update_Handler(0x67d2d80>, 0xc000501680, 0x73307c0, 0xc000fbc1e0, 0xc0004641e0, 0xc000858060, 0x73307c0, 0xc000fbc1e0, 0xc000c7ca80, 0x952)
    	/home/travis/gopath/pkg/mod/github.com/pulumi/pulumi/sdk/v2@v2.1.1-0.20200508232528-aa313aecf8a0/proto/go/provider.pb.go:1922 +0x14b
    <http://google.golang.org/grpc.(*Server).processUnaryRPC(0xc0002d56c0|google.golang.org/grpc.(*Server).processUnaryRPC(0xc0002d56c0>, 0x7355b00, 0xc000501b00, 0xc000214300, 0xc00090d860, 0xae94738, 0x0, 0x0, 0x0)
    	/home/travis/gopath/pkg/mod/google.golang.org/grpc@v1.28.0/server.go:1082 +0x4fd
    <http://google.golang.org/grpc.(*Server).handleStream(0xc0002d56c0|google.golang.org/grpc.(*Server).handleStream(0xc0002d56c0>, 0x7355b00, 0xc000501b00, 0xc000214300, 0x0)
    	/home/travis/gopath/pkg/mod/google.golang.org/grpc@v1.28.0/server.go:1405 +0xd23
    <http://google.golang.org/grpc.(*Server).serveStreams.func1.1(0xc0008dd100|google.golang.org/grpc.(*Server).serveStreams.func1.1(0xc0008dd100>, 0xc0002d56c0, 0x7355b00, 0xc000501b00, 0xc000214300)
    	/home/travis/gopath/pkg/mod/google.golang.org/grpc@v1.28.0/server.go:746 +0xbb
    created by <http://google.golang.org/grpc.(*Server).serveStreams.func1|google.golang.org/grpc.(*Server).serveStreams.func1>
    	/home/travis/gopath/pkg/mod/google.golang.org/grpc@v1.28.0/server.go:744 +0xa1

    error: update failed

any clue what might be happening?

am I correct in my understanding that the only way to unwrap? an

Output<string>

is to

apply

it?

Are there any troubleshooting steps or known limitations (private repos?) for the Github App integration? I've added the App and gave access to all repos and added the PR workflow and it is working, but I get no comment or second check from the app.

Is there a way to

apply

the entire stack?

I have been working on wiring up my pulumi stack to deploy via GitHub actions. I've had this working perfectly locally, but when running pulumi up using the Github Action, I now consistently get the error:

updating urn:pulumi:dev::infra::awsx:x:ecs:FargateService$aws:ecs/service:Service::backend: timeout while waiting for state to become 'true' (last state: 'false', timeout: 10m0s)

All other steps run just fine, and ultimately the service does finish deploying in AWS and end up on the right state.

How do I add a cloudwatch event so that my codepipeline triggers on an ECR image change/upload?

Just downloaded and installed pulumi 2.5 but the cli is still complaining that 2.4 is installed..

This message was deleted.

New questions: I have a security group with an empty ingress and egress, attached to a load balancer. It appears default rules are being created: How do I prevent this?

const loadbalancer_sg = new awsx.ec2.SecurityGroup(`lb-${region}-${environment}-${service.name}-sg`, {
                vpc: vpc,
                ingress: [],
                egress: [],
            })

 listener = new awsx.elasticloadbalancingv2.ApplicationLoadBalancer(`lb-${region}-${environment}-${service.name}`, {
                name: `lb-use1-${environment}-${service.name}`,
                vpc: vpc,
                subnets: vpc.getSubnetsIds('public'),
                external: true,
                securityGroups: [loadbalancer_sg.id]
            })