Does Pulumi support AWS profiles set with a role_arn (example, i.e., AssumeRole)? I'd assume yes since it just calls out to AWS using Go & the default creds chain, but I'd just like to confirm. The note in the Pulumi AWS docs seems to hint Pulumi may not support this flow by default, "If you are using temporary security credentials, you will also have to supply an 

AWS_SESSION_TOKEN

 value before you can use Pulumi to create resources on your behalf."

Any ideas why this happens?

error: check failed because malformed resource inputs: malformed RPC secret: missing value

Hi everybody! - I started using pulumi and I not sure how to do it, maybe if anyone can help it will be great. I'm creating a IAM Role and I need to attach to an existent  aws policy

const roleES = new aws.iam.Role(`es-role-test`, {
   name: `CognitoAccessForAmazonES`,
   assumeRolePolicy: {
   Version: '2012-10-17',
   Statement: [
   {
     Effect: 'Allow',
     Principal: {
        Service: '<http://es.amazonaws.com|es.amazonaws.com>',
     },
     Action: 'sts:AssumeRole',
     Sid: '',
   },
 ],
}

  I wanna add the 

AmazonESCognitoAccess

Hi All - Is there any other way to interact with Pulumi like Rest API other than its CLI?

Question: Is there a way of overriding the role assumption stored in state for a

destroy

operation? Context: Suppose I create a stack with this snippet of provider configuration:

config:
  aws:assumeRole:
    externalId: some/value
    roleArn: arn:aws:iam::123456789012:role/my_deployment_role

This gets stored in the state file:

"type": "pulumi:providers:aws",
                "inputs": {
                    "assumeRole": "{\"externalId\":\"some\/value\",\"roleArn\":\"arn:aws:iam::123456789012:role/my_deployment_role\"}",

Let’s say that role has a limited set of permissions that doesn’t allow removing resources. At some point I want to destroy that stack. So I assume an

administrator

role that can do anything and run

pulumi destroy

. The current behaviour is that Pulumi assumes the role stored in state (even if I’ve removed it from the stack configuration) and try to delete the stack’s resources, which fails. I can work around this by removing the

assumeRole

from the stack config, run

pulumi up

, which removes the role assumption from the state file. Then I can run

pulumi destroy

. It would be nice if

destroy

had a

ignore_state_role

option so that admins can destroy resources regardless of the role assumed to create them. Is there a reason for the current behaviour that I’m not thinking of? Should I raise a bug or feature request for this? NB: If I rely on environment variables for AWS authentication (which are picked up by the underlying Go AWS SDK), I don’t have this problem at all. It’s only when I define the role assumption in the stack configuration.

Hello what are the allowed characters and length for the

ResourceName

? is there any restriction to it?

Hey everyone, I'm running Pulumi in Azure Pipelines, using Google Cloud Storage as state backend. The code works fine when executed from the terminal, but in Azure I get errors:

/azp/_work/_temp/0b544aa4-92cf-435d-8251-f13c7d45afb7/pulumi/pulumi login gs://***-pulumi-state
Logged in to ado-agent-7f5785674-jk6mj as root (gs://***-pulumi-state)

/azp/_work/_temp/0b544aa4-92cf-435d-8251-f13c7d45afb7/pulumi/pulumi stack select base -c
error: failed to load checkpoint: blob (key ".pulumi/stacks/base.json") (code=Unknown): Get "<https://storage.googleapis.com/***-pulumi-state/.pulumi/stacks/base.json>": oauth2: cannot fetch token: 400 Bad Request
Response: {"error":"invalid_grant","error_description":"Invalid grant: account not found"}

##[error]Failed to select the stack 'base'.

I saw a similar thread for a case where developer was using Azure Blob Storage and it turned out that he had to set some additional env vars, is this the same case here?

What is the correct way to get nested config value? I set the value like this:

pulumi config set-all --path \
  --secret passwords.pw1=Secret

How do I call this in the code? I cannot see to wrap my head around strange paths in the yaml file

cfg = pulumi.Config()
# Neither of these worked:
cfg.require_secret('passwords.pw1')
cfg.require_secret('["passwords"].["pw1"]') # does not work

Hi All, I am trying to deploy some CRDs on AWS EKS Kubernetes and getting following error:

hello! Is there any way to pass an output into aws.s3.BucketObject source? Examples:

const bucketObject = new aws.s3.BucketObject("index.html", {
    acl: "public-read",
    contentType: "text/html",
    bucket: bucket,
    source: new pulumi.asset.FileAsset(pulumi.interpolate`${yarnBuild.path}/index.html`)
});

☝️this fails because FileAsset don't accept an output

const bucketObject = new aws.s3.BucketObject("index.html", {
    acl: "public-read",
    contentType: "text/html",
    bucket: bucket,
    source: pulumi.all([yarnBuild.path]).apply(([p]) => new pulumi.asset.FileAsset(`${p}/index.html`))
});

☝️this fails because p is undefined...

What's the point of calling

this.registerOutputs

(https://www.pulumi.com/docs/intro/concepts/resources/#registering-component-outputs)? Everything seems to work fine without it, and I don't see any immediate benefit.

Why is a

dependsOn

needed here?

export class CertManager extends pulumi.ComponentResource {
  constructor(name: string, {}: CertManagerArgs, opts?: pulumi.ComponentResourceOptions) {
    super('foo::bar::CertManager', name, {}, opts);

    const certManagerNamespace = new k8s.core.v1.Namespace(
      'cert-manager',
      {metadata: {name: 'cert-manager'}},
      {parent: this},
    );

    const helmChart = new k8s.helm.v3.Chart(
      'cert-manager',
      {
        namespace: certManagerNamespace.metadata.name, // I thought this would create a dependency between the two resources
        // ...
      },
      {parent: this, dependsOn: [certManagerNamespace]}, // Why is this needed?
    );
  }
}

what's the command for outputting the stack state to the console? i totally forget and google and

--help

isn't being helpful

Hello everyone, wondering if someone can point me in the right direction with

<http://awsx.lb|awsx.lb>

. I am trying to deploy an ECS/Fargate service with an AppLb accesible only in the private subnets. It works just fine with

external: true

but if I change it to

false

the provisioning fails with:

aws:lb:LoadBalancer (alb):
    error: 1 error occurred:
        * error creating application Load Balancer: ValidationError: At least two subnets in two different Availability Zones must be specified
        status code: 400, request id: 4a7dd444-54b3-4952-8aa2-e26200f5fdef

I have tried injecting the

subnet

to the LoadBalancer and the Listener explicitely with no success. Assumed

external

handled that just fine with the default vpc. Here is the code:

const cluster = new awsx.ecs.Cluster("cluster");
const alb = new awsx.lb.ApplicationLoadBalancer("alb", { external: false });
const web = alb.createListener("web", { port: 80 });
const img = awsx.ecs.Image.fromPath("node-web", "../app");
const appService = new awsx.ecs.FargateService("ecs-fargate", {
    cluster,
    taskDefinitionArgs: {
        container: {
          environment: [{"name": "foo", "value": "bar"}],
          image: img,
          cpu: 102 /*10% of 1024*/,
          memory: 50 /*MB*/,
          portMappings: [web],
        },
    },
    desiredCount: 1,
});

Trying to get the VPC value with Go, what am I doing wrong?

vpc, err *:=* ec2.GetVpc(ctx, "DefaultVPC", pulumi.IDInput(vpc*-123456*))

Running automation api in celery workers and getting some errors. The actual work gets done but errors out:

[2021-06-24 19:00:35,818: WARNING/ForkPoolWorker-1] +  pulumi:pulumi:Stack notebook creating error: python inline source runtime error:
[2021-06-24 19:00:35,818: WARNING/ForkPoolWorker-1] +  pulumi:pulumi:Stack notebook creating error: an unhandled error occurred: python inline source runtime error:
[2021-06-24 19:00:36,677: WARNING/ForkPoolWorker-1] +  pulumi:pulumi:Stack notebook **creating failed** 2 errors
[2021-06-24 19:00:36,677: WARNING/ForkPoolWorker-1] Diagnostics:
[2021-06-24 19:00:36,677: WARNING/ForkPoolWorker-1] pulumi:pulumi:Stack (notebook):
[2021-06-24 19:00:36,677: WARNING/ForkPoolWorker-1] error: python inline source runtime error:
[2021-06-24 19:00:36,677: WARNING/ForkPoolWorker-1] Traceback (most recent call last):
[2021-06-24 19:00:36,677: WARNING/ForkPoolWorker-1] File "/usr/local/lib/python3.7/site-packages/pulumi/automation/_server.py", line 65, in Run
[2021-06-24 19:00:36,677: WARNING/ForkPoolWorker-1] loop.run_until_complete(run_in_stack(self.program))
[2021-06-24 19:00:36,677: WARNING/ForkPoolWorker-1] File "/usr/local/lib/python3.7/asyncio/base_events.py", line 587, in run_until_complete
[2021-06-24 19:00:36,678: WARNING/ForkPoolWorker-1] return future.result()
[2021-06-24 19:00:36,678: WARNING/ForkPoolWorker-1] concurrent.futures._base.CancelledError
[2021-06-24 19:00:36,678: WARNING/ForkPoolWorker-1] error: an unhandled error occurred: python inline source runtime error:
[2021-06-24 19:00:36,678: WARNING/ForkPoolWorker-1] Traceback (most recent call last):
[2021-06-24 19:00:36,678: WARNING/ForkPoolWorker-1] File "/usr/local/lib/python3.7/site-packages/pulumi/automation/_server.py", line 65, in Run
[2021-06-24 19:00:36,678: WARNING/ForkPoolWorker-1] loop.run_until_complete(run_in_stack(self.program))
[2021-06-24 19:00:36,678: WARNING/ForkPoolWorker-1] File "/usr/local/lib/python3.7/asyncio/base_events.py", line 587, in run_until_complete
[2021-06-24 19:00:36,678: WARNING/ForkPoolWorker-1] return future.result()
[2021-06-24 19:00:36,678: WARNING/ForkPoolWorker-1] concurrent.futures._base.CancelledError

Any pointers?

Looks similar - https://github.com/pulumi/pulumi/issues/6561

Using stack references and having one stack exporting a k8s cluster it created, do i export the kubeconfig, or the provider?

GCP/getSecretVersion function, looks like a possible bug - documentation says that it's supposed to get the 'project' value from the provider. I have it configured in my stack config file, but the function fails if I don't provide the name explicitly. Any suggestions?

I know I've asked this before, but I think I have to give it another go (and I've tried looking around history as well). I'll just ask succinctly here and provide some more background in comments for those insterested: I need to rename every single resource in my stack (pulumi name, not actual deployment name) to avoid conflict. Previously I would just create one of each in a single region, but now my pulumi program needs to handle multiple regions/clusters in the same run. For example:

new k8s.core.yaml("my-string",{..})

needs now to be `new k8s.core.yaml(

${region}-my-string

,{..)` There are ~180 resources created in my stack so far, and each of them needs a new name. Ideas?

Hi, is there a way to suppress showing Outputs at the end of a Pulumi run?

Is there any way to have multi-line messages attached to various Pulumi operations? I'm looking to add a bit of metadata to the automated runs we're doing just to add a bit more visibility on what's going on in our pipelines. As it is, whenever my

--message

value is too long, it's truncated in the Pulumi webapp, and there doesn't appear to be any way to see the full value. Is there anything I'm missing? Thanks!

Is there something in

@pulumi/kubernetes

that behaves more like

kubectl apply -f

? I found

ConfigFile/ConfigGroup

, but it doesn’t play well with existing objects in the cluster. While it may be doing things the right pulumi-way, I can’t quite marry it with our existing infra (e.g.

import

doesn’t work). We’re currently using

kubectl apply

to rollout app updates and rely on its forgiving behavior with regard to existing objects. I was wondering if it’s possible to achieve something similar with Pulumi. In Terraform we used a third-party provider which gave us the

kubectl_manifest

resource. It would simply store the last applied configuration as the state and re-trigger kubectl apply whenever manifest (supplied yaml) changes.

Please let me know if pulumi provides any implementation of adding arn:aws:states:::lambda:invoke.waitForTaskToken in state machine AWS. Thanks

Hi, is there any plan on the roadmap to add handy enums like CDK has? https://docs.aws.amazon.com/cdk/api/latest/docs/@aws-cdk_aws-cloudfront.ViewerProtocolPolicy.html My guess this is the goal of

awsx

?

Anyone has any ideas how to solve this error?

Error reading file 'infra/package.json' when computing package dependencies. Error: ENOENT: no such file or directory, open '/infra/package.json'

My dir:

- project
    ...
    - infra
        - Pulumi.yaml
        - tsconfig.json
        ...
    - src
       ...
   - package.json
   - tsconfig.json

I need to have the package.json at that place in my directory. Any help or alternatives to solve the problem will be welcome. I'm using

@pulumi/pulumi: "^3.4.0"

this error occurs when i run

pulumi preview --cwd infra

I run that command in the root of my project

Are there any guides to how to use pulumi in a mono repo setup? I have a core infra package which creates my vpc and ecs cluster that i need to reference in order to create fargate services in other stacks. I can't find any way to reference these resources to create a service, even using stack reference I am only able to access outputs, not resources

does Pulumi Crosswalk for AWS only expose NodeJS libraries?

having trouble finding the Go libs