Is there a good equivalent for generating JWTs (and public/private key pairs) similar to the

tls

provider?

hi all! can i use pulumi to install softwares on vps (not from cloud providers). basically i want to do the equivalent with pulumi to what i can do with ansible: providing username and password(or ssh keys) so it can ssh into the host and do some software update.

hi everyone! 😄 do you have any example with Typescript for publishing a Websocket API (lambda + routes + integrations + dynamodb + ...) in AWS? Also, I have seen that the package pulumi-cloud seems like the perfect fit to have this kind of code, but I didn't find anything. any help would be welcome 😊

I am a bit lost on on

OutputInstance.get()

method. From the docs:

This function is only callable in code that runs in the cloud post-deployment. At this point all Output values will be known and can be safely retrieved.

But at 'cloud' time the Pulumi packages aren't available, for example for serialized lambdas. What am I missing? Is there any use case for it?

Aside from the Automation API, is it possible to create a stack programmatically within a project while still using the CLI?

This is more of a code organization question (in Go in this case) - is there a common pattern for how to organize the Pulumi code? Specifically, I’m managing quite a few Kubernetes resources, so everything is quite verbose, probably a couple of thousand lines of code. Typically I’d break different parts into functions (and maybe eventually a component resource), but they also have dependencies between them. As such, I’d have to ensure my functions return the created resources (which may be several in “function”) and also take in all the inputs they need. That’s a lot of overhead relative to just putting everything “inline/procedurally” in a single function. I’m just curious how folks manage this in terms of returning resources and passing them in dependencies between different parts.

I'm using

@pulumi/docker

to build an image and i always get this warning. Why is it a warning?

warning: #1 [internal] load build definition from Dockerfile

Has anyone tried creating a pulumi provider for grafana? As in opensource grafana rather than their cloud?

Anyone have a solution for writing an output to file. I am using the pulumi_rke to produce a Rancher cluster, then i need to use the kubernetes module to create a namespace and helm deployment. I cant figure out how to use the output kube_config_yaml from the RKE resource to write to the .kube/config file.

Hello everyone. I'm trying to do the following: • Create a postgres deployment using a helm chart ✅ • Create a new user / pass / database in the above helm chart❌ • Connect the database to an application❌ I got stuck with passing the superadmin password to the pulumi kubernetes provider:

const postgres = new k8s.helm.v3.Chart("postgres", {
    version: "10.4.6",
    chart: "postgresql",
    fetchOpts: {
        repo: "<https://charts.bitnami.com/bitnami>",
    },
});

// Cannot read property 'postgresql-password' of undefined
// kubectl get secret --namespace default postgres-postgresql -o jsonpath="{.data.postgresql-password}" | base64 --decode 
export const dbPassword = new k8s.core.v1.Secret('postgres-postgresql', { metadata: { namespace: 'default' } }).data.apply(data => data['postgresql-password'])
console.log(46, dbPassword)


postgresql.config.username = 'postgres'
postgresql.config.password = dbPassword // yields: Type 'Output<string>' is not assignable to type 'string'
const myDb = new postgresql.Database("my-database");

Any help appreciated!

What’s the best practice for working with expiration-type fields? Specifically, I am generating a JWT and want to fill in the

exp

field, which is in epoch time seconds. If I just do something like

time.Now().Add(time.Hour * 24 * 30)

(to make one that expires in a month), that seems bad as it would regenerate the JWT every time that the stack was updated, which could cause downstream things to restart (e.g. if it was in a Kubernetes

Secret

), even though there may be plenty of expiration left. I’m curious what others have done for similar cases. To give an example, here is how I am generating the JWT

jwtKey, err := tls.NewPrivateKey(ctx, "jwt-key", &tls.PrivateKeyArgs{
		Algorithm: pulumi.String("RSA"),
		RsaBits:   <http://pulumi.Int|pulumi.Int>(4096),
	})
	if err != nil {
		return err
	}

	systemToken := pulumi.ToSecret(pulumi.All(jwtKey.PrivateKeyPem).ApplyT(
		func(args []interface{}) (string, error) {
			privateKey := args[0].(string)

			privateKeyPem, err := decodePrivateKey([]byte(privateKey))
			if err != nil {
				return "", err
			}

			// Create the JWT claims, which includes the username, groups and expiry time
			claims := &claims{
				Username: "myusername",
				Issue:    "myissuer",
				Groups:   []string{"system"},
				StandardClaims: jwt.StandardClaims{
					// A 10 year token
					ExpiresAt: time.Now().Add(time.Hour * 24 * 30).Unix(),
				},
			}
			token := jwt.NewWithClaims(jwt.SigningMethodRS512, claims)
			tokenString, err := token.SignedString(privateKeyPem)

			return tokenString, err
		},
	))

	ctx.Export("jwt-public-key", jwtKey.PublicKeyPem)
	ctx.Export("jwt-private-key", jwtKey.PrivateKeyPem)
	ctx.Export("system-token", systemToken)

Wow, only 17 hits for vSphere in this community. (Well, now 18) anyone out there using for vSphere infrastructure development, testing, and deployments, either on-premise or VMware cloud? Pulumi is the newest tool in my kit, joining Ansible, Packer, and Jenkins, the trinity that does most of the heavy lifting. I'm trying to figure out if and where Pulumi fits into my multi-environment infra ci/cd scheme.

We have quite a few customers using our vSphere provider, including some very large enterprise customers 🙂

hi, can i use pulumi to provision a k8s cluster on bare metal machines or VPS? i don't want to create a managed service (like GKE or EKS)

I think this might be a bug or something else? Trying to use

get_subnet_ids

like so:

import pulumi
import pulumi_aws as aws
from pulumi_aws.ec2.get_subnet_ids import get_subnet_ids


vpc = aws.ec2.DefaultVpc(f'default-vpc')

get_subnet_ids(vpc_id=vpc.id)

It returns:

Exception: invoke of aws:ec2/getSubnetIds:getSubnetIds failed: Missing required argument: The argument "vpc_id" is required, but no definition was found. ()

All I want to do is get the subnets associated with the default VPC

hi, i have a question regarding best practices using pulumi to provision & manage infrastructure. say i have 300 bare metal machines or VPSs (not from cloud providers like GCP), i need to provide authentication credentials for pulumi to ssh into and manage those instances. then i need to manually generate 300 keypairs, right. now, what's the best way to pass those key pairs around the team?

Team, what’s going on with the registry?

error: no stack named '*' found

getting this for all my stacks, and now after some time even org is disappeared from app.pulumi.com

Hi Team, We are trying to export existing infrastructure resources by setting up "export PULUMI_IMPORT=True", however it's not working for few K8s cluster and for few of them it's working fine and getting the below error msg. It would be good If I can get some help on this issue?

azure:monitoring:ScheduledQueryRulesAlert (scheduledqueryrulesalert-0):
    error: Preview failed: transport is closing

  azure:monitoring:ScheduledQueryRulesAlert (scheduledqueryrulesalert-1):
    error: Preview failed: transport is closing

  azure:network:NetworkInterface (ClusterName-bastion-0-nic):
    error: Preview failed: transport is closing


panic: runtime error: invalid memory address or nil pointer dereference
    [signal SIGSEGV: segmentation violation code=0x1 addr=0x0 pc=0x3df0355]
    goroutine 349 [running]:

Has anyone had any issues recently with the typescript lambda closure system not including required packages? i.ve got an inline lambda that uses the apollo-graphql-server, was working perfectly fine, but now it keeps missing required packages when it uploads itself, mainly dependencies of the main packages, like 'core-js' or just now 'camel-case' - trying to track back through my changes to see what's borked it, maybe nx mono-repo upgrades, or pulumi updates, or typescript settings, not quite sure yet.

I'm struggling with handing outputs, I have

const proj = new gitlab.Project(...)

and I want to get

proj.id

to use in a string literal (typescript). The documentation seems to be indicating that I can do this: `console.log(proj.id.apply(v =>

${v}

));` however it doesn't like it

Hi all, about a week ago we started getting a failed build in AWS because of elastic load balancer target group not found, but we didn’t change anything:

creating urn:pulumi:deploy-ci-ap-1968-1974::deploy::aws:lb/targetGroup:TargetGroup::tg-34fffe08c9cdc8xx: error updating LB Target Group (arn:aws:elasticloadbalancing:us-west-2:9484287xxx:targetgroup/tg-34fffe08c9cdxxx-11dxx/be0f801aee3xxx) tags: error tagging resource (arn:aws:elasticloadbalancing:us-west-2:9484287xx:targetgroup/tg-34fffe08c9cdcxx/be0f801aee3xx): TargetGroupNotFound: Target groups 'arn:aws:elasticloadbalancing:us-west-2:9484287xx:targetgroup/tg-34fffe08c9cdc8xx-11dxx/be0f801aee3xx' not found
    status code: 400, request id: 3a8287xx-xx-xx-xx-a9a26466xx

Does anyone have any idea why this is happening? We are using Pulumi 2.19 right now

Is it possible to configure a resource to be “abandoned” on destroy (i.e. not deleted)? Specifically, I want the state for it to be gone if I do a

pulumi destroy

, but I don’t want the actual resource deleted. An example would be a per-tenant S3 bucket or a database in an RDS instance (where each tenant gets a stack) that houses some data, so that once it is created it won’t get removed, even if I destroy the stack, since this might have some user data that I want to not delete by default. Ideally this would be automatic, i.e. I wouldn’t have to do anything by hand (i.e. manually delete it from the state file). Looking through the docs and Slack history, I couldn’t see an answer, so thought I’d ask here.

Hey guys, I have an "base-infra" project which provisions base infrastructure: kubernetes cluster, database clusters, etc, and per service Pulumi project to deploy actual apps into the base infra.

I'm trying to deploy changes to k8s namespaces (added custom timeouts), and the pulumi planner wants to delete-replace the namespace, and that errors out - the Namespace gets stuck "Terminating" state in k8s. I think the reason is due to the fact there are deployments, etc, which depend on that namespace, and pulumi doesn't take those into account when planning

Hi all, I would like to check the length of an Output before using the value (in Python). Specifically, I’d like to write somthing like this, since if I don’t check, I get an index out of bounds when I create the service for the first time (this is for a GCP Cloud Run service):

if len(svc.statuses)>0:
        pulumi.export("url", Output.concat(svc.statuses[0].url))

But Output objects don’t have a length, and a try / catch doesn’t stop Pulumi from crashing. How would I check for that value to be available before exporting it?

Hi do I need to save the Pulumi.stackname.yaml file after deploys?

Hi, I have followed the code from here https://github.com/pulumi/cert-manager-examples to facilitate certs adding certs to a particular namespace. Everything works as expected. Now I am trying to add another ingress in a different namespace using a different subdomnain; the subdomains follow a pattern like this

*.<http://working.domain.com|working.domain.com>

and

*.<http://notworking.domain.com|notworking.domain.com>

The first issue I ran into was the clusterrole already existed and this was causing pulumi to fail. I fixed this by changing this line https://github.com/pulumi/cert-manager-examples/blob/master/examples/letsencrypt/index.ts#L56 so that

nginxName

is unqiue. this allows pulumi to successfully run but then I end up with the following error when describing the

<http://orders.acme.cert-manager.io|orders.acme.cert-manager.io>

that gets created

Warning  Solver  31s   cert-manager  Failed to determine a valid solver configuration for the set of domains on the Order: no configured challenge solvers can be used for this challenge

Any clues about what other changes might be required in order to make this work would be great? Thanks

Anyway to hide unchanged resources when using --non-interactive flag ? seems like it will print all resources. I try to avoid --diff as it's too verbose as well..

Are there plans to add a StatusPage integration/provider?

Hi, I have an issue with the basics and would appreciate any help… I have a project running on python on a docker image which runs a shell script using

subprocess.Popen

. This shell script does

gcloud auth

,

pulumi login

and

pulumi new

back in the python application I am trying to use pulumi auto and its complaining about missing google credentials. Note: I am using google storage as my managed backend… Am I doing anything fundamentally wrong ? how to address this ? I want my python application (using Flask) to create and destroy stacks using pulumi auto (using my gs backend url)