The problem AWS account

arn:aws:sts::228886564947:assumed-role/AmazonLightsailInstanceRole/i-04f5fe371a036054d

seems to be an account that running the light sail, It's even not my account. I am running the deployment on a light sail instance. My understanding is instance role is of lower priority than the configuration in the

.aws

folder. What makes the project on the right side to choose the instance role?

Thank you Tenwit, please see my new post in the channel

Hi all - I'm still new to Pulumi, and probably getting over my head a bit. But, I'm looking for a way to use Pulumi to drive my setup of cloud based software such as FiveTran. My approach was to extend ResourceProvider and implement the create method, calling a REST API using the python "requests" library. However, when I do this, I get an exception:

RuntimeWarning: coroutine 'invoke.<locals>.do_rpc' was never awaited

Here's the question on stackoverflow, in case anyone has an answer or suggestion as to what I'm doing wrong here: https://stackoverflow.com/questions/67335936/how-do-you-write-a-pulumi-provider-that-makes-a-rest-api-request-in-pytyon

Hey folks, I am interested in evaluating Pulumi for my organization, but have a question surrounding provider credentials. In my ideal workflow I would like to provision a very capable IAM role for Pulumi but prevent those credentials from being used/abused outside of the Pulumi plan/apply workflow. Does anyone know if there is a simple way to provide a remote-run/remote-execute environment for Pulumi? Or any way to shield/hide these powerful provider credentials? Thanks in advance! 🙏

Hi guys, wondering how to get existing ALB in Pulumi

<https://www.pulumi.com/docs/guides/crosswalk/aws/elb/>

# what is the equivalent code for existing ALB?
const alb = new awsx.lb.ApplicationLoadBalancer("web-traffic");

Is there a way to enable

ephemeral containers

in a kubernetes cluster created using eks?

hello

Just wanted to check , when pulumi will start supporting Java ?

hello. i'm not getting invitation emails, email verification mails from pulumi. when i click on the resend verification email button on my email address in pulumi, i never receive any email. how do i fix this?

I have a lot of

dangling

Pulumi resources in my (TypeScript) stacks, resources which are created but not used as input to any other resource and which are neither added to any output nor returned from the main inline function (using the automation api). Looking at many Pulumi examples this seems to be a common pattern. Think of something like this:

function createBucket() {
   // Create AWS S3 Bucket but do neither output nor return it. It is also not used 
   // as input to any other resource.
   new Bucket("myBucket", {...});
}

However, rather often I observe that such resources are not created on first stack deployment resp. are delete on later stack updates. It looks like it depends on some “race condition” (timing issue) whether those resources are registered by the Pulumi runtime or not. Usually adding such

dangling

resources as dependency to another resource (using

dependsOn

), or alternatively making it a stack output resp. returning it from the main inline function resolves that (racy) problem. Now I am wondering, is this expected behaviour when using Pulumi with TypeScript/NodeJs or is this a bug in Pulumi?

Is there a tool already that given a state file will generate the code for it?

Hey, how do i use an existing ecs cluster by cluster id?

My heretofore fully-working project is now complaining that Error: The root stack resource was referenced before it was initialized. What sort of thing should I be looking for in diagnosing this?

when using integration tests, how do I decode stack outputs that are secrets?

nm I have to upgrade my testing library

Who can help me setting Azure pipeline with self-hosted Pulumi state in Azure blob ?

Hi, let's say I have a part of my infrastructure provisioned by Pulumi while the rest is not. Some services from the non-provisioned part need to access resources that are Pulumi-managed (e.g. they need to call Lambdas). What's the best / most aligned way how to reference those provisioned resources? What comes to my mind: • Name those Pulumi-provisioned resources explicitly (i.e. don't use auto-naming). • Use auto-naming but then store the names somewhere (e.g. SSM Parameter Store, but then I'd need to name the parameters' paths explicitly). • Maybe just stick to knowing which project/stack the resources are managed by and somehow ask for the outputs (but I don't know how to achieve this at the moment). Thanks for hints!

Hello there - I am using aws-typescript. Doing first basic provisioning of EC2 instances, and the name of the instances is not getting set on creation? I would assume the resource name is used as the VM name? no other args to tap into to be able to set the EC2 instances name either as far as I can tell.

Hi, had one question about AWS ECS. According to this article, it is possible on ECS to run a standalone task. But it seems that pulumi only supports attaching task to a service. Does anybody know if Pulumi can do that ?

message has been deleted

Is yarn 2 supported?

Hey all, is there a Pulumi module available somewhere for setting up all the required GCS resources to host your own state?

👋 hello! qq: what’s the recommended approach of reading a secret from another project? context: my project

infra

exports a

kubeconfig

for a kubernetes cluster (and it’s a secret), and my project

services

reads it, creates a

k8s.Provider

and uses that to provision my services in the cluster. I cannot use

StackReference.getOutputValue()

because the output is a secret. If I use

StackReference.getOutput()

, then I have to do

Output.apply()

to transform it into a

Output<k8s.Provider>

. But the k8s resources only takes `k8s.Provider`s, not `Output<k8s.Provider>`s… so.. I guess one option is to put everything inside the

apply()

call.. but that’s undesirable. I’m wondering if there’s a cleaner way

Hi there! I just got burned on something that was entirely my own fault, but I feel like Pulumi could have handled better. Long story short, in a single

pulumi up

I tried to both 1. rename a resource using

aliases

2. make a change to that same resource which caused it to be

replace

d This failed with

pending_operations

in the state file because I ended up with two different resources with the same alias at the same time. I guess the GCP and Kubernetes providers perform a

replace

by first creating the new resource and then deleting the old one? If so, I believe this will hit any resource which has any

aliases

defined, i.e., you don’t necessarily have to rename the resource at the same time as replacing it. I tried reproducing it in a local stack using the

@pulumi/random

provider, but I think that one replaces resources by deleting the old resource before creating the new one. For what it’s worth, I managed to make Pulumi show me this kind-of-strange diff:

pulumi preview
Previewing update (dev):
     Type                            Name                           Plan        Info
     pulumi:pulumi:Stack             pulumi-alias-replace-test-dev
 +-  ├─ random:index:RandomPassword  something_else                 replace     [diff: ~length]
 +-  └─ random:index:RandomPassword  pw                             replace

Resources:
    +-1 to replace
    1 unchanged

Here I’ve renamed the resource

pw

to

something_else

, added an alias, and at the same time changed the

length

of the RandomPassword which requires a

replace

operation. Does this ring a bell with anyone and/or is it worth a GitHub issue even though I haven’t been able to reproduce it (yet)?

I have a broken stack that's in between updates that I just want to destroy but it's stuck on trying to delete a vpc with resources. Is there a something like

pulumi nuke

which is a more forceful destroy? There are a lot of resources to delete by hand....

Had a general question about config/secrets. Is there any intention of supporting hashivault via direct secret lookup as opposed to the transit backend? We're using a combination of the transit (encrypted in the yaml) and a helper method to lookup things that might not necessarily be able to be encrypted in the YAML file (e.g. something from an existing K/V mount) without having to duplicate that secret into the YAML file. The secrets-as-local-configs is great and all, until you realize it just doesn't scale very well when a secret needs to be re-used multiple times across multiple stacks. Obviousliy there are a ton of ways to implement this.. For example, since we're using Python, I have a quick and dirty hvac implementation that does something like this:

def get_kv2_secret(self, mount_point: str, path: str) -> pulumi.Output:
        """
        Retrieve a KV2 secret based on the given path.

        This method actually returns a Pulumi Output future representing a
        secret so that the actual value is obscured until apply time.
        """

        output_secret = pulumi.Output.secret(
            self.hvac_client.secrets.kv.v2.read_secret_version(
                mount_point=mount_point, path=path
            )
        )

        return output_secret

But it would be nice to know what pulumi's roadmap is for supporting placeholder config values which are just references to the "real" K/V path in vault (similar to above^).

I have an issue where Pulumi hangs when I attempt to run

pulumi up

. It prints the

View Live: URL

but then it hangs. Any idea why?

Apparently it is not stuck, it is just unbearably slow. That’s a relatively small project. Is that how it is for everyone?

Also having trouble with a hang during a preview. Was on a late 2.x version, now on 3.2.1. Running a trace indicates it's stuck in planning. It didn't complete, it was cancelled. I may try just letting it run, but clearly something is wrong. Any suggestions on diagnosing?