I am not comparing pulumi against something else. But I have too very similar projects, one for aws and one for azure and the azure one takes must longer to deploy and destroy

If it's got frontdoor or api management, that would explain it. They take a massive amount of time to return in my experience. AWS is generally faster at spinning things up in my experience. However, AWS always feels a bit premature in responding to "up" as it feels slow initially.

As one of my colleagues put it today... "azure likes to delay things just long enough for you to think it's failed"

when i read a pulumi config, that is an object, an some key, is a secret: Is there a way to know or differentiate the secret? ie:

pulumi.stack.yml
config:
  proj:data:
    services:
      foo: bar
      priv:
        secure: AAABAB+T(...)sEmx8=

__main__.py
import pulumi

conf = pulumi_config.require_object("data")

This conf, is a dict, but pulumi correctly recognizes that inside there is a secret. if i print it shows:

{'foo': 'bar', 'priv': '[secret]'}

So i want to iterate over this dic, and do something on the secrets, but i'm not sure how to know. python thinks it is a str.

print(conf["services"]["priv"])
print(type(conf["services"]["priv"]))

[secret]
<class 'str'>

A bit of a random feature request - it would be nice if the blog had a 'search' option - since y'all are prolific in your writings, and there's so much good stuff in there, it's sometimes hard to find stuff that I know I've read in there - right now my best bet is google search with "site:pulumi.com/blog" but I doubt everyone who wants to find stuff knows about that, and tags don't always narrow it down enough 🙂

Is there any hidden flag or something that allows me to

pulumi destroy

in such a way that I destroy all the resources in the stack that are not protected (or for which protected is not dependent on)? As it stands now I've got 19 resources, of which there are 2 protected - the resource group itself and an azure KeyVault (such a pain to pingpong it up and down). I can't do pulumi destroy because it would delete the protected resources which is not permitted. I do not feel like finding and exporting the URNs of the remaining 17 resources and chaining a --target "urn". Any other way that anyone has figured out?

In other news, I'm trying to set up my newly created KeyVault as a backend - seeing as this is more to do with standard pulumi features than the azure provider, I figured it might be appropriate here rather than the azure channel.. Running:

pulumi new azure-typescript --secrets-provider <azurekeyvault://n00531.vault.azure.net/keys/pulumi-secrets> --logflow --logtostderr --verbose 9

Results in a typical flow, and I have created the key "pulumi-secrets", and the KeyVault was created by a stack (with local secrets and backend), but trying to set up a new stack like the command above results in this:

created stack 'sdfsf'
Sorry, could not create stack 'sdfsf': secrets (code=Unknown): azure.BearerAuthorizer#WithAuthorization: Failed to refresh the Token for request to https://(myvaultname).<http://vault.azure.net/keys/pulumi-secrets//encrypt?api-version=7.0|vault.azure.net/keys/pulumi-secrets//encrypt?api-version=7.0>: StatusCode=0 -- Original Error: adal: Failed to execute the refresh request. Error = 'Get "<http://169.254.169.254/metadata/identity/oauth2/token?api-version=2018-02-01&resource=https%3A%2F%2Fvault.azure.net>": dial tcp 169.254.169.254:80: connectex: A socket operation was attempted to an unreachable network.'

I'm actually fairly curious as to where that IP for the refresh token is coming from.. I've had no such problems running

pulumi up

just by being logged in by virtue of az cli.. (Edit: resolved - I did the hard work of doing everything except reading the last line of https://www.pulumi.com/docs/intro/concepts/secrets/#azure-key-vault where it tells me that if I want to use az cli auth with keyvault secrets I need to set

AZURE_KEYVAULT_AUTH_VIA_CLI

to

true

.)

Hi there - I've been looking at Pulumi for a while and finally have an opportunity to use it for a meaningful project. However, I'm stuck and am chalking it up to being new and hoping someone help show me the light. I'm using

Azure-Native

and trying to create an AKS cluster. All is good, until I try to set up my

PodIdentityProfile

. In the AZ CLI, PodIdentity is set up in a separate step, and the Pulumi Azure-Native resource seems to follow the same paradigm. However, I can't seem to figure out how to set up my

UserAssignedIdentity

after my

ManagedCluster

is created. I've tried

GetManagedCluster

, but the profile is an

ImmutableArray

. I've tried creating a new resource (using the same name and resource group) but get a conflict. Is there a recommended way to perform updates on existing resources? I'm looking through the Pulumi docs and don't really see this. I see how to create and destroy, but update isn't called out in many places. BTW, I'm using C# in my scripts. Thank you in advance for any guidance here!

Pulumi is hanging whenever I preview, and at the end of applies for 50+ minutes at a time 😕

try tracing by adding

--logflow --tracing=file:./tracefile --verbose 9

to the end of the command, then you can look through the tracefile with

PULUMI_DEBUG_COMMANDS=1 pulumi view-trace ./tracefile

to see where it might be hanging

..it might not solve the problem, but hopefully it will get closer to finding out what it is (and looking at those traces always makes me feel better at least ;))

Any way to output that trace-file to stdout? I run these ups in a CI/CD pipeline

no, they're not easily readable - but you can dump them into an artifact in your pipeline and get it afterwards? Besides, hopefully the added logging verbosity gives you a clear indication of what's taking so long.. you can also add

--logtostderr

to get more logs in the console.

I'll try an artifact

Although the pipeline doesnt finish, so I'm not sure if it will be created

doesn't hurt.. but I agree, if the pipeline terminates before the artifact is created, it's kind of hard. In that case, --logtostderr with the other flags is the way to go to find out where it gets stuck

might also be worthwhile checking chat history here - searching for "hanging" shows 35 messages/threads, so it's not completely unheard of

Anyway, allll the way in the bottom left corner of docs is this as well: https://www.pulumi.com/docs/troubleshooting/ there might be stuff there that you can try.

Heh.. it's been a bit of a fun journey for me these past two days with pulumi, I finally got everything to a state I'm happy with, then decided I felt like cleaning it up a bit in preparation for sharing it with the rest of the org (who are desperate for some iaac love, and skeptical towards pulumi, but they'll take whatever works at this point - and my stack works <3). So queue my Nth project - it works, everything is fine, but I "can't call it that" before I push it to git.. so.. I decide to rename my stack. And while I'm at it, my project too (called it "modularity" which is fine, but means nothing to the company who needs to "love" it). Long story short - I lost my stack 😄 doesn't show up in pulumi ls anymore. I have the code, and I had just recently done a

pulumi stack export

as well for safety, so that was good..

Now I'm wondering: can I import this state into a project/stack with another name simply by doing a search+replace of project::stack references in the export & ensuring the secrets backend + key are identical?

luckily I actually have no secrets in there yet either.

(thank god for .bak files in the

.pulumi\stacks

directory ;))

Hmmm... It's hanging even despite a pulumi destroy. This seems like some kind of problem with my stack itself? Edit: It's definitely due to there being something hanging in my code itself... I take out part of it and it successfully applies. Edit: node-redis is the most horrible library I've ever encountered and doesn't document this behavior, or pulumi is doing some sort of weird teardown stuff that makes it so that you have to client.Quit() in order for your program to stop running, or I'm an idiot and blind and can't see where it's stated that this is the case

How do I delete a stack in using automation?

destroy

doesn't seem to delete the stack, just the resources so I still see the empty stack in the UI.

Can't delete a child state due to a missing parent state (tried refreshing, and deleting resources out of band..., also tried recreating the missing namespace and

pulumi refresh

ing, but the same error pops up(!))

$ pulumi up -fy
[...]
  kubernetes:<http://helm.sh/v3:Chart|helm.sh/v3:Chart> (in):
    error: resource complete event returned an error: failed to verify snapshot: child resource urn:pulumi:omega::haze::kubernetes:core/v1:Namespace$kubernetes:core/v1:Namespace$kubernetes:core/v1:Namespace$kubernetes:core/v1:Namespace$kubernetes:<http://helm.sh/v3:Chart::mesh-viz|helm.sh/v3:Chart::mesh-viz> refers to missing parent urn:pulumi:omega::haze::kubernetes:core/v1:Namespace$kubernetes:core/v1:Namespace$kubernetes:core/v1:Namespace$kubernetes:core/v1:Namespace::linkerd-viz

so it claims

mesh-viz

chart URN exists, yet it doesn't...

$ pulumi state delete urn:pulumi:omega::haze::kubernetes:core/v1:Namespace$kubernetes:core/v1:Namespace$kubernetes:core/v1:Namespace$kubernetes:core/v1:Namespace$kubernetes:<http://helm.sh/v3:Chart::mesh-viz|helm.sh/v3:Chart::mesh-viz>
 warning: This command will edit your stack's state directly. Confirm? Yes
error: No such resource "urn:pulumi:omega::haze::kubernetes:core/v1:Namespace:core/v1:Namespace:core/v1:Namespace:core/v1:Namespace:<http://helm.sh/v3:Chart::mesh-viz|helm.sh/v3:Chart::mesh-viz>" exists in the current state

Not able to escape this race conditions. I also can't delete the inexistent parent either 😂

i’m trying to destroy resources in my stack, but i get the error that I cant remove a protected resource. How can I bypass this and force delete? Or how can I get a list of all URNs that I can pass to the

--target

option of

pulumi destroy

?

Hi! anyone know how to configure permissions of a private ECR registry? https://docs.aws.amazon.com/AmazonECR/latest/userguide/registry-permissions-create.html

For a self-hosted backend (azure blob in this scenario), is it possible for a stack reference to access a different blob container and/or storage account for it's state? I'm thinking of "container" as "project" in comparison to the pulumi hosted state scenario, but obviously the syntax doesn't map across.

does a stack need to be init'd before it can be used? For context... If we have a storage container created in Azure, will I need to connect with the CLI in order to

init

a new stack in that solution I'm deploying?