general
  • b

    breezy-apartment-46543

    03/12/2021, 7:54 PM
    I am not comparing pulumi against something else. But I have two very similar projects, one for aws and one for azure, and the azure one takes much longer to deploy and destroy
  • w

    worried-knife-31967

    03/12/2021, 8:23 PM
    If it's got frontdoor or api management, that would explain it. They take a massive amount of time to return in my experience. AWS is generally faster at spinning things up in my experience. However, AWS always feels a bit premature in responding to "up" as it feels slow initially.
  • w

    worried-knife-31967

    03/12/2021, 8:24 PM
    As one of my colleagues put it today... "azure likes to delay things just long enough for you to think it's failed"
  • c

    clever-plumber-29709

    03/12/2021, 8:40 PM
    when i read a pulumi config that is an object, and some key is a secret: is there a way to know or differentiate the secret? ie:
    pulumi.stack.yml
    config:
      proj:data:
        services:
          foo: bar
          priv:
            secure: AAABAB+T(...)sEmx8=
    
    __main__.py
    import pulumi
    
    pulumi_config = pulumi.Config()  # no argument: reads the current project's namespace ("proj" here)
    conf = pulumi_config.require_object("data")
    This conf is a dict, but pulumi correctly recognizes that inside there is a secret. if i print it, it shows:
    {'foo': 'bar', 'priv': '[secret]'}
    So i want to iterate over this dict, and do something on the secrets, but i'm not sure how to know. python thinks it is a str.
    print(conf["services"]["priv"])
    print(type(conf["services"]["priv"]))
    
    [secret]
    <class 'str'>
  • b

    better-shampoo-48884

    03/13/2021, 8:49 AM
    A bit of a random feature request - it would be nice if the blog had a 'search' option - since y'all are prolific in your writings, and there's so much good stuff in there, it's sometimes hard to find stuff that I know I've read in there - right now my best bet is google search with "site:pulumi.com/blog" but I doubt everyone who wants to find stuff knows about that, and tags don't always narrow it down enough 🙂
  • b

    better-shampoo-48884

    03/14/2021, 8:56 AM
    Is there any hidden flag or something that allows me to pulumi destroy in such a way that I destroy all the resources in the stack that are not protected (or for which protected is not dependent on)? As it stands now I've got 19 resources, of which there are 2 protected - the resource group itself and an azure KeyVault (such a pain to pingpong it up and down). I can't do pulumi destroy because it would delete the protected resources which is not permitted. I do not feel like finding and exporting the URNs of the remaining 17 resources and chaining a --target "urn". Any other way that anyone has figured out?
  • b

    better-shampoo-48884

    03/14/2021, 2:16 PM
    In other news, I'm trying to set up my newly created KeyVault as a backend - seeing as this is more to do with standard pulumi features than the azure provider, I figured it might be appropriate here rather than the azure channel.. Running:
    pulumi new azure-typescript --secrets-provider azurekeyvault://n00531.vault.azure.net/keys/pulumi-secrets --logflow --logtostderr --verbose 9
    Results in a typical flow, and I have created the key "pulumi-secrets", and the KeyVault was created by a stack (with local secrets and backend), but trying to set up a new stack like the command above results in this:
    created stack 'sdfsf'
    Sorry, could not create stack 'sdfsf': secrets (code=Unknown): azure.BearerAuthorizer#WithAuthorization: Failed to refresh the Token for request to https://(myvaultname).vault.azure.net/keys/pulumi-secrets//encrypt?api-version=7.0: StatusCode=0 -- Original Error: adal: Failed to execute the refresh request. Error = 'Get "http://169.254.169.254/metadata/identity/oauth2/token?api-version=2018-02-01&resource=https%3A%2F%2Fvault.azure.net": dial tcp 169.254.169.254:80: connectex: A socket operation was attempted to an unreachable network.'
    I'm actually fairly curious as to where that IP for the refresh token is coming from.. I've had no such problems running pulumi up just by being logged in by virtue of az cli.. (Edit: resolved - I did the hard work of doing everything except reading the last line of https://www.pulumi.com/docs/intro/concepts/secrets/#azure-key-vault where it tells me that if I want to use az cli auth with keyvault secrets I need to set AZURE_KEYVAULT_AUTH_VIA_CLI to true.)
  • g

    gray-nail-14734

    03/14/2021, 4:00 PM
    Hi there - I've been looking at Pulumi for a while and finally have an opportunity to use it for a meaningful project. However, I'm stuck and am chalking it up to being new and hoping someone can help show me the light. I'm using Azure-Native and trying to create an AKS cluster. All is good, until I try to set up my PodIdentityProfile. In the AZ CLI, PodIdentity is set up in a separate step, and the Pulumi Azure-Native resource seems to follow the same paradigm. However, I can't seem to figure out how to set up my UserAssignedIdentity after my ManagedCluster is created. I've tried GetManagedCluster, but the profile is an ImmutableArray. I've tried creating a new resource (using the same name and resource group) but get a conflict. Is there a recommended way to perform updates on existing resources? I'm looking through the Pulumi docs and don't really see this. I see how to create and destroy, but update isn't called out in many places. BTW, I'm using C# in my scripts. Thank you in advance for any guidance here!
  • c

    clever-cartoon-41433

    03/14/2021, 5:16 PM
    Pulumi is hanging whenever I preview, and at the end of applies for 50+ minutes at a time 😕
  • b

    better-shampoo-48884

    03/14/2021, 5:20 PM
    try tracing by adding --logflow --tracing=file:./tracefile --verbose 9 to the end of the command, then you can look through the tracefile with PULUMI_DEBUG_COMMANDS=1 pulumi view-trace ./tracefile to see where it might be hanging
  • b

    better-shampoo-48884

    03/14/2021, 5:21 PM
    ..it might not solve the problem, but hopefully it will get closer to finding out what it is (and looking at those traces always makes me feel better at least ;))
  • c

    clever-cartoon-41433

    03/14/2021, 5:21 PM
    Any way to output that trace-file to stdout? I run these ups in a CI/CD pipeline
  • b

    better-shampoo-48884

    03/14/2021, 5:23 PM
    no, they're not easily readable - but you can dump them into an artifact in your pipeline and get it afterwards? Besides, hopefully the added logging verbosity gives you a clear indication of what's taking so long.. you can also add --logtostderr to get more logs in the console.
  • c

    clever-cartoon-41433

    03/14/2021, 5:23 PM
    I'll try an artifact
  • c

    clever-cartoon-41433

    03/14/2021, 5:23 PM
    Although the pipeline doesn't finish, so I'm not sure if it will be created
  • b

    better-shampoo-48884

    03/14/2021, 5:24 PM
    doesn't hurt.. but I agree, if the pipeline terminates before the artifact is created, it's kind of hard. In that case, --logtostderr with the other flags is the way to go to find out where it gets stuck
  • b

    better-shampoo-48884

    03/14/2021, 5:25 PM
    might also be worthwhile checking chat history here - searching for "hanging" shows 35 messages/threads, so it's not completely unheard of
  • b

    better-shampoo-48884

    03/14/2021, 5:26 PM
    Anyway, allll the way in the bottom left corner of docs is this as well: https://www.pulumi.com/docs/troubleshooting/ there might be stuff there that you can try.
  • b

    better-shampoo-48884

    03/14/2021, 5:56 PM
    Heh.. it's been a bit of a fun journey for me these past two days with pulumi, I finally got everything to a state I'm happy with, then decided I felt like cleaning it up a bit in preparation for sharing it with the rest of the org (who are desperate for some iaac love, and skeptical towards pulumi, but they'll take whatever works at this point - and my stack works <3). So cue my Nth project - it works, everything is fine, but I "can't call it that" before I push it to git.. so.. I decide to rename my stack. And while I'm at it, my project too (called it "modularity" which is fine, but means nothing to the company who needs to "love" it). Long story short - I lost my stack 😄 doesn't show up in pulumi ls anymore. I have the code, and I had just recently done a pulumi stack export as well for safety, so that was good..
  • b

    better-shampoo-48884

    03/14/2021, 5:57 PM
    Now I'm wondering: can I import this state into a project/stack with another name simply by doing a search+replace of project::stack references in the export & ensuring the secrets backend + key are identical?
  • b

    better-shampoo-48884

    03/14/2021, 5:57 PM
    luckily I actually have no secrets in there yet either.
  • b

    better-shampoo-48884

    03/14/2021, 6:10 PM
    (thank god for .bak files in the .pulumi\stacks directory ;))
  • c

    clever-cartoon-41433

    03/14/2021, 6:42 PM
    Hmmm... It's hanging even despite a pulumi destroy. This seems like some kind of problem with my stack itself? Edit: It's definitely due to there being something hanging in my code itself... I take out part of it and it successfully applies. Edit: node-redis is the most horrible library I've ever encountered and doesn't document this behavior, or pulumi is doing some sort of weird teardown stuff that makes it so that you have to client.Quit() in order for your program to stop running, or I'm an idiot and blind and can't see where it's stated that this is the case
  • w

    wet-noon-14291

    03/14/2021, 10:09 PM
    How do I delete a stack using automation? destroy doesn't seem to delete the stack, just the resources so I still see the empty stack in the UI.
  • s

    straight-cartoon-24485

    03/15/2021, 2:21 AM
    Can't delete a child state due to a missing parent state (tried refreshing, and deleting resources out of band..., also tried recreating the missing namespace and pulumi refreshing, but the same error pops up(!))
    $ pulumi up -fy
    [...]
      kubernetes:helm.sh/v3:Chart (in):
        error: resource complete event returned an error: failed to verify snapshot: child resource urn:pulumi:omega::haze::kubernetes:core/v1:Namespace$kubernetes:core/v1:Namespace$kubernetes:core/v1:Namespace$kubernetes:core/v1:Namespace$kubernetes:helm.sh/v3:Chart::mesh-viz refers to missing parent urn:pulumi:omega::haze::kubernetes:core/v1:Namespace$kubernetes:core/v1:Namespace$kubernetes:core/v1:Namespace$kubernetes:core/v1:Namespace::linkerd-viz
    so it claims mesh-viz chart URN exists, yet it doesn't...
    $ pulumi state delete urn:pulumi:omega::haze::kubernetes:core/v1:Namespace$kubernetes:core/v1:Namespace$kubernetes:core/v1:Namespace$kubernetes:core/v1:Namespace$kubernetes:helm.sh/v3:Chart::mesh-viz
     warning: This command will edit your stack's state directly. Confirm? Yes
    error: No such resource "urn:pulumi:omega::haze::kubernetes:core/v1:Namespace:core/v1:Namespace:core/v1:Namespace:core/v1:Namespace:helm.sh/v3:Chart::mesh-viz" exists in the current state
    Not able to escape this race condition. I also can't delete the inexistent parent either 😂
  • e

    eager-lion-7694

    03/15/2021, 5:24 AM
    i'm trying to destroy resources in my stack, but i get the error that I can't remove a protected resource. How can I bypass this and force delete? Or how can I get a list of all URNs that I can pass to the --target option of pulumi destroy?
  • b

    big-apartment-95438

    03/15/2021, 3:19 PM
    Hi! anyone know how to configure permissions of a private ECR registry? https://docs.aws.amazon.com/AmazonECR/latest/userguide/registry-permissions-create.html
  • w

    worried-knife-31967

    03/15/2021, 3:57 PM
    For a self-hosted backend (azure blob in this scenario), is it possible for a stack reference to access a different blob container and/or storage account for its state? I'm thinking of "container" as "project" in comparison to the pulumi hosted state scenario, but obviously the syntax doesn't map across.
  • w

    worried-knife-31967

    03/15/2021, 5:58 PM
    does a stack need to be init'd before it can be used? For context... If we have a storage container created in Azure, will I need to connect with the CLI in order to init a new stack in that solution I'm deploying?
  • p

    purple-salesclerk-87141

    03/15/2021, 6:12 PM
    HI! I'm deploying our Dockerfile in AWS ECS. I have the credentials configured in ~/.aws/credentials and everything is working 🙂 Now I want to add my AWS credentials to the Dockerfile, as ARGs, because I want to download secrets during the build or the deployment. How can I get the key and the secret from the Pulumi config? Maybe something like this?
    new pulumi.Config("aws").require("aws-key")
    This is how I'm building my image now.
    image: awsx.ecs.Image.fromDockerBuild(stackName, {
       context: './..',
       dockerfile: './app/Dockerfile',
       args: {
         'APP_ENV': environment
       }
    }),
f

faint-table-42725

03/15/2021, 7:10 PM
There's a convenience built in if you want to use aws.config.<var> (where aws is import * as aws from "@pulumi/aws")
p

purple-salesclerk-87141

03/16/2021, 1:00 AM
Hummm.... I am trying it, and locally it recognizes the values, but only if I add them in the config file, not if they are in the ~/.aws/credentials file
I need it as I'm using Github Actions to deploy it
Thanks for answering Lee!
b

busy-magazine-48939

03/16/2021, 6:29 AM
@purple-salesclerk-87141 have you tried to inject it from environment variables of the Github Action agent runtime itself?
## .github/pr.yml
- name: Preview pulumi infra
  uses: docker://pulumi/actions
  with:
    args: preview
  env:
    PULUMI_ACCESS_TOKEN: ${{ secrets.PULUMI_ACCESS_TOKEN }}
    PULUMI_CI: pr
    PULUMI_ROOT: pulumi
    AWS_ACCESS_KEY_ID: ${{ secrets.AWS_ACCESS_KEY_ID }}
    AWS_SECRET_ACCESS_KEY: ${{ secrets.AWS_SECRET_ACCESS_KEY }}
    AWS_REGION: ${{ secrets.AWS_REGION }}
image: awsx.ecs.Image.fromDockerBuild(stackName, {
   context: './..',
   dockerfile: './app/Dockerfile',
   args: {
     'APP_ENV': environment
   },
   environment: {
       'AWS_REGION': (process.env['AWS_REGION'] as string) || aws.config.region,
       'AWS_ACCESS_KEY_ID': (process.env['AWS_ACCESS_KEY_ID'] as string) || aws.config.accessKey,
       'AWS_SECRET_ACCESS_KEY': (process.env['AWS_SECRET_ACCESS_KEY'] as string) || aws.config.secretKey,
   }
})
p

purple-salesclerk-87141

03/16/2021, 9:04 AM
I tried something similar, with process.env.AWS_REGION but I will try with your configuration 🙂 Thanks!