general
  • f

    full-dress-10026

    06/22/2021, 6:06 PM
    Does Pulumi support AWS profiles set with a role_arn (example, i.e., AssumeRole)? I'd assume yes since it just calls out to AWS using Go & the default creds chain, but I'd just like to confirm. The note in the Pulumi AWS docs seems to hint Pulumi may not support this flow by default, "If you are using temporary security credentials, you will also have to supply an AWS_SESSION_TOKEN value before you can use Pulumi to create resources on your behalf."
    a
    1 reply · 2 participants
  • i

    icy-jordan-58549

    06/22/2021, 7:29 PM
    Any ideas why this happens?
    error: check failed because malformed resource inputs: malformed RPC secret: missing value
  • v

    victorious-megabyte-32350

    06/22/2021, 8:38 PM
    Hi everybody! - I started using Pulumi and I'm not sure how to do it, maybe if anyone can help it will be great. I'm creating an IAM Role and I need to attach to an existing AWS policy
    const roleES = new aws.iam.Role(`es-role-test`, {
      name: `CognitoAccessForAmazonES`,
      // Trust policy: lets the Amazon ES service assume this role
      assumeRolePolicy: {
        Version: '2012-10-17',
        Statement: [
          {
            Effect: 'Allow',
            Principal: {
              Service: 'es.amazonaws.com',
            },
            Action: 'sts:AssumeRole',
            Sid: '',
          },
        ],
      },
    });
    I wanna add the AmazonESCognitoAccess
    l
    2 replies · 2 participants
  • i

    incalculable-printer-98305

    06/22/2021, 9:27 PM
    Hi All - Is there any other way to interact with Pulumi like Rest API other than its CLI?
    l
    3 replies · 2 participants
  • p

    prehistoric-london-9917

    06/23/2021, 1:06 AM
    Question: Is there a way of overriding the role assumption stored in state for a destroy operation? Context: Suppose I create a stack with this snippet of provider configuration:
    config:
      aws:assumeRole:
        externalId: some/value
        roleArn: arn:aws:iam::123456789012:role/my_deployment_role
    This gets stored in the state file:
    "type": "pulumi:providers:aws",
    "inputs": {
        "assumeRole": "{\"externalId\":\"some\/value\",\"roleArn\":\"arn:aws:iam::123456789012:role/my_deployment_role\"}",
    Let’s say that role has a limited set of permissions that doesn’t allow removing resources. At some point I want to destroy that stack. So I assume an administrator role that can do anything and run pulumi destroy. The current behaviour is that Pulumi assumes the role stored in state (even if I’ve removed it from the stack configuration) and tries to delete the stack’s resources, which fails. I can work around this by removing the assumeRole from the stack config and running pulumi up, which removes the role assumption from the state file. Then I can run pulumi destroy. It would be nice if destroy had an ignore_state_role option so that admins can destroy resources regardless of the role assumed to create them. Is there a reason for the current behaviour that I’m not thinking of? Should I raise a bug or feature request for this? NB: If I rely on environment variables for AWS authentication (which are picked up by the underlying Go AWS SDK), I don’t have this problem at all. It’s only when I define the role assumption in the stack configuration.
    l
    g
    9 replies · 3 participants
  • g

    great-sunset-355

    06/23/2021, 7:44 AM
    Hello, what are the allowed characters and length for the ResourceName? Is there any restriction to it?
  • b

    bright-truck-37455

    06/23/2021, 9:19 AM
    Hey everyone, I'm running Pulumi in Azure Pipelines, using Google Cloud Storage as state backend. The code works fine when executed from the terminal, but in Azure I get errors:
    /azp/_work/_temp/0b544aa4-92cf-435d-8251-f13c7d45afb7/pulumi/pulumi login gs://***-pulumi-state
    Logged in to ado-agent-7f5785674-jk6mj as root (gs://***-pulumi-state)
    
    /azp/_work/_temp/0b544aa4-92cf-435d-8251-f13c7d45afb7/pulumi/pulumi stack select base -c
    error: failed to load checkpoint: blob (key ".pulumi/stacks/base.json") (code=Unknown): Get "https://storage.googleapis.com/***-pulumi-state/.pulumi/stacks/base.json": oauth2: cannot fetch token: 400 Bad Request
    Response: {"error":"invalid_grant","error_description":"Invalid grant: account not found"}
    
    ##[error]Failed to select the stack 'base'.
    I saw a similar thread for a case where a developer was using Azure Blob Storage and it turned out that he had to set some additional env vars. Is this the same case here?
    b
    7 replies · 2 participants
  • g

    great-sunset-355

    06/23/2021, 9:51 AM
    What is the correct way to get nested config value? I set the value like this:
    pulumi config set-all --path \
      --secret passwords.pw1=Secret
    How do I call this in the code? I cannot seem to wrap my head around strange paths in the yaml file
    cfg = pulumi.Config()
    # Neither of these worked:
    cfg.require_secret('passwords.pw1')
    cfg.require_secret('["passwords"].["pw1"]') # does not work
    b
    48 replies · 2 participants
  • b

    boundless-angle-56560

    06/23/2021, 2:05 PM
    Hi All, I am trying to deploy some CRDs on AWS EKS Kubernetes and getting following error:
    b
    22 replies · 2 participants
  • a

    agreeable-tomato-43927

    06/23/2021, 2:50 PM
    hello! Is there any way to pass an output into aws.s3.BucketObject source? Examples:
    const bucketObject = new aws.s3.BucketObject("index.html", {
        acl: "public-read",
        contentType: "text/html",
        bucket: bucket,
        source: new pulumi.asset.FileAsset(pulumi.interpolate`${yarnBuild.path}/index.html`)
    });
    ☝️this fails because FileAsset doesn't accept an output
    const bucketObject = new aws.s3.BucketObject("index.html", {
        acl: "public-read",
        contentType: "text/html",
        bucket: bucket,
        source: pulumi.all([yarnBuild.path]).apply(([p]) => new pulumi.asset.FileAsset(`${p}/index.html`))
    });
    ☝️this fails because p is undefined...
    b
    b
    26 replies · 3 participants
  • b

    bumpy-summer-9075

    06/23/2021, 8:20 PM
    What's the point of calling this.registerOutputs (https://www.pulumi.com/docs/intro/concepts/resources/#registering-component-outputs)? Everything seems to work fine without it, and I don't see any immediate benefit.
    b
    b
    4 replies · 3 participants
  • b

    bumpy-summer-9075

    06/23/2021, 10:45 PM
    Why is a dependsOn needed here?
    export class CertManager extends pulumi.ComponentResource {
      constructor(name: string, {}: CertManagerArgs, opts?: pulumi.ComponentResourceOptions) {
        super('foo::bar::CertManager', name, {}, opts);
    
        const certManagerNamespace = new k8s.core.v1.Namespace(
          'cert-manager',
          {metadata: {name: 'cert-manager'}},
          {parent: this},
        );
    
        const helmChart = new k8s.helm.v3.Chart(
          'cert-manager',
          {
            namespace: certManagerNamespace.metadata.name, // I thought this would create a dependency between the two resources
            // ...
          },
          {parent: this, dependsOn: [certManagerNamespace]}, // Why is this needed?
        );
      }
    }
    l
    b
    26 replies · 3 participants
  • s

    steep-toddler-94095

    06/23/2021, 10:49 PM
    what's the command for outputting the stack state to the console? i totally forget and google and --help isn't being helpful
    l
    8 replies · 2 participants
  • s

    stale-photographer-81807

    06/24/2021, 2:04 AM
    Hello everyone, wondering if someone can point me in the right direction with awsx.lb. I am trying to deploy an ECS/Fargate service with an AppLb accessible only in the private subnets. It works just fine with external: true but if I change it to false the provisioning fails with:
    aws:lb:LoadBalancer (alb):
        error: 1 error occurred:
            * error creating application Load Balancer: ValidationError: At least two subnets in two different Availability Zones must be specified
            status code: 400, request id: 4a7dd444-54b3-4952-8aa2-e26200f5fdef
    I have tried injecting the subnet to the LoadBalancer and the Listener explicitly with no success. Assumed external handled that just fine with the default vpc. Here is the code:
    const cluster = new awsx.ecs.Cluster("cluster");
    const alb = new awsx.lb.ApplicationLoadBalancer("alb", { external: false });
    const web = alb.createListener("web", { port: 80 });
    const img = awsx.ecs.Image.fromPath("node-web", "../app");
    const appService = new awsx.ecs.FargateService("ecs-fargate", {
        cluster,
        taskDefinitionArgs: {
            container: {
              environment: [{"name": "foo", "value": "bar"}],
              image: img,
              cpu: 102 /*10% of 1024*/,
              memory: 50 /*MB*/,
              portMappings: [web],
            },
        },
        desiredCount: 1,
    });
    g
    d
    7 replies · 3 participants
  • r

    red-football-97286

    06/24/2021, 10:01 AM
    Trying to get the VPC value with Go, what am I doing wrong?
    vpc, err := ec2.GetVpc(ctx, "DefaultVPC", pulumi.IDInput(vpc-123456))
    b
    6 replies · 2 participants
  • b

    bright-dawn-60437

    06/24/2021, 7:53 PM
    Running automation api in celery workers and getting some errors. The actual work gets done but errors out:
    [2021-06-24 19:00:35,818: WARNING/ForkPoolWorker-1] +  pulumi:pulumi:Stack notebook creating error: python inline source runtime error:
    [2021-06-24 19:00:35,818: WARNING/ForkPoolWorker-1] +  pulumi:pulumi:Stack notebook creating error: an unhandled error occurred: python inline source runtime error:
    [2021-06-24 19:00:36,677: WARNING/ForkPoolWorker-1] +  pulumi:pulumi:Stack notebook **creating failed** 2 errors
    [2021-06-24 19:00:36,677: WARNING/ForkPoolWorker-1] Diagnostics:
    [2021-06-24 19:00:36,677: WARNING/ForkPoolWorker-1] pulumi:pulumi:Stack (notebook):
    [2021-06-24 19:00:36,677: WARNING/ForkPoolWorker-1] error: python inline source runtime error:
    [2021-06-24 19:00:36,677: WARNING/ForkPoolWorker-1] Traceback (most recent call last):
    [2021-06-24 19:00:36,677: WARNING/ForkPoolWorker-1] File "/usr/local/lib/python3.7/site-packages/pulumi/automation/_server.py", line 65, in Run
    [2021-06-24 19:00:36,677: WARNING/ForkPoolWorker-1] loop.run_until_complete(run_in_stack(self.program))
    [2021-06-24 19:00:36,677: WARNING/ForkPoolWorker-1] File "/usr/local/lib/python3.7/asyncio/base_events.py", line 587, in run_until_complete
    [2021-06-24 19:00:36,678: WARNING/ForkPoolWorker-1] return future.result()
    [2021-06-24 19:00:36,678: WARNING/ForkPoolWorker-1] concurrent.futures._base.CancelledError
    [2021-06-24 19:00:36,678: WARNING/ForkPoolWorker-1] error: an unhandled error occurred: python inline source runtime error:
    [2021-06-24 19:00:36,678: WARNING/ForkPoolWorker-1] Traceback (most recent call last):
    [2021-06-24 19:00:36,678: WARNING/ForkPoolWorker-1] File "/usr/local/lib/python3.7/site-packages/pulumi/automation/_server.py", line 65, in Run
    [2021-06-24 19:00:36,678: WARNING/ForkPoolWorker-1] loop.run_until_complete(run_in_stack(self.program))
    [2021-06-24 19:00:36,678: WARNING/ForkPoolWorker-1] File "/usr/local/lib/python3.7/asyncio/base_events.py", line 587, in run_until_complete
    [2021-06-24 19:00:36,678: WARNING/ForkPoolWorker-1] return future.result()
    [2021-06-24 19:00:36,678: WARNING/ForkPoolWorker-1] concurrent.futures._base.CancelledError
    Any pointers?
  • b

    bright-dawn-60437

    06/24/2021, 8:03 PM
    Looks similar - https://github.com/pulumi/pulumi/issues/6561
    r
    1 reply · 2 participants
  • p

    proud-pizza-80589

    06/25/2021, 5:15 AM
    Using stack references and having one stack exporting a k8s cluster it created, do i export the kubeconfig, or the provider?
    b
    2 replies · 2 participants
  • b

    bright-truck-37455

    06/25/2021, 10:36 AM
    GCP/getSecretVersion function, looks like a possible bug - documentation says that it's supposed to get the 'project' value from the provider. I have it configured in my stack config file, but the function fails if I don't provide the name explicitly. Any suggestions?
    b
    1 reply · 2 participants
  • b

    better-shampoo-48884

    06/25/2021, 12:42 PM
    I know I've asked this before, but I think I have to give it another go (and I've tried looking around history as well). I'll just ask succinctly here and provide some more background in comments for those interested: I need to rename every single resource in my stack (pulumi name, not actual deployment name) to avoid conflict. Previously I would just create one of each in a single region, but now my pulumi program needs to handle multiple regions/clusters in the same run. For example: new k8s.core.yaml("my-string",{..}) needs now to be new k8s.core.yaml(`${region}-my-string`,{..) There are ~180 resources created in my stack so far, and each of them needs a new name. Ideas?
    b
    l
    +1
    22 replies · 4 participants
  • a

    ambitious-father-68746

    06/25/2021, 1:39 PM
    Hi, is there a way to suppress showing Outputs at the end of a Pulumi run?
    b
    b
    8 replies · 3 participants
  • f

    full-artist-27215

    06/25/2021, 1:57 PM
    Is there any way to have multi-line messages attached to various Pulumi operations? I'm looking to add a bit of metadata to the automated runs we're doing just to add a bit more visibility on what's going on in our pipelines. As it is, whenever my --message value is too long, it's truncated in the Pulumi webapp, and there doesn't appear to be any way to see the full value. Is there anything I'm missing? Thanks!
    b
    s
    9 replies · 3 participants
  • o

    orange-byte-86458

    06/25/2021, 9:57 PM
    Is there something in @pulumi/kubernetes that behaves more like kubectl apply -f? I found ConfigFile/ConfigGroup, but it doesn’t play well with existing objects in the cluster. While it may be doing things the right pulumi-way, I can’t quite marry it with our existing infra (e.g. import doesn’t work). We’re currently using kubectl apply to rollout app updates and rely on its forgiving behavior with regard to existing objects. I was wondering if it’s possible to achieve something similar with Pulumi. In Terraform we used a third-party provider which gave us the kubectl_manifest resource. It would simply store the last applied configuration as the state and re-trigger kubectl apply whenever manifest (supplied yaml) changes.
    b
    m
    4 replies · 3 participants
  • a

    alert-cartoon-12389

    06/25/2021, 10:05 PM
    Please let me know if pulumi provides any implementation of adding arn:aws:states:::lambda:invoke.waitForTaskToken in state machine AWS. Thanks
  • g

    great-sunset-355

    06/26/2021, 9:09 AM
    Hi, is there any plan on the roadmap to add handy enums like CDK has? https://docs.aws.amazon.com/cdk/api/latest/docs/@aws-cdk_aws-cloudfront.ViewerProtocolPolicy.html My guess this is the goal of awsx?
    b
    r
    4 replies · 3 participants
  • e

    echoing-zebra-28421

    06/26/2021, 10:53 PM
    Anyone has any ideas how to solve this error?
    Error reading file 'infra/package.json' when computing package dependencies. Error: ENOENT: no such file or directory, open '/infra/package.json'
    My dir:
    - project
        ...
        - infra
            - Pulumi.yaml
            - tsconfig.json
            ...
        - src
            ...
        - package.json
        - tsconfig.json
    I need to have the package.json at that place in my directory. Any help or alternatives to solve the problem will be welcome. I'm using @pulumi/pulumi: "^3.4.0". This error occurs when I run pulumi preview --cwd infra. I run that command in the root of my project.
    1 reply · 1 participant
  • b

    breezy-lunch-69325

    06/27/2021, 12:44 AM
    Are there any guides to how to use pulumi in a mono repo setup? I have a core infra package which creates my vpc and ecs cluster that i need to reference in order to create fargate services in other stacks. I can't find any way to reference these resources to create a service, even using stack reference I am only able to access outputs, not resources
  • b

    bright-sandwich-93783

    06/27/2021, 11:52 PM
    does Pulumi Crosswalk for AWS only expose NodeJS libraries?
    l
    2 replies · 2 participants
  • b

    bright-sandwich-93783

    06/27/2021, 11:52 PM
    having trouble finding the Go libs
  • s

    straight-magician-37467

    06/28/2021, 12:57 AM
    I just created a new API project. After committing the initial code, I tried to run pulumi new gcp-typescript in that folder, but it errored out:
    </path/to/project> is not empty; rerun in an empty directory, pass the path to an empty directory to --dir, or use --force
    Am I misunderstanding how Pulumi is intended to be used? Would I not want to keep my Pulumi config in the same folder/repo as my actual code?
    l
    a
    20 replies · 3 participants
l

little-cartoon-10569

06/28/2021, 12:59 AM
What is "actual code" in this case? Your Pulumi application, or another application that you want to deploy using Pulumi?
s

straight-magician-37467

06/28/2021, 1:03 AM
Another application that I want to deploy using Pulumi.
l

little-cartoon-10569

06/28/2021, 1:04 AM
Then generally, no, you wouldn't want to keep them in the same place. You can keep them in the same monorepo, which is what I do. There are a few gotchas, but it's mostly fine.
But for most node.js and go apps, whether Pulumi or not, the path of least resistance seems to be one repo each, or at least one top-level dir and separately-managed node_modules each.
Your Pulumi app and your deployed app will have completely unrelated dependencies, so they shouldn't have the same packages.json or node_modules.
s

straight-magician-37467

06/28/2021, 1:06 AM
Is there a convention for where a given (non-Pulumi) project’s corresponding Pulumi code should live and be named, in relation to it? I’m trying to get the mental model right.
And then would you keep the Pulumi code in its own git repo?
l

little-cartoon-10569

06/28/2021, 1:08 AM
That all depends on where you want your node_modules directory / directories to do. You don't need to have separate git repos (I think they should be in the same repo, because the coupling is so high) but separate git repos is the default (especially for golang).
My repo is set out with a top-level directory that has almost nothing in it, just a readme.md explaining other dirs. Then the various app dirs, Pulumi dirs, SQL-code dirs and all that are off the one top-level directory.
But whatever works for you. Just be aware of each language's preferences wrt project directories, dependency management, config-file locations, etc.
Almost nothing is imposed by Pulumi; just the location of some yaml files, which might not even apply in your case since it's an automation-api project.
Each language imposes its own set of constraints that you need to be aware of.
s

straight-magician-37467

06/28/2021, 1:11 AM
So there would be nothing preventing me from having a /pulumi folder at the root of my repo? It’s an Elixir project, so there’s no concern about node_modules collision, but when I get around to creating the repo for the front-end project, that would apply.
l

little-cartoon-10569

06/28/2021, 1:12 AM
Yes, you would want different directories for your front-end javascript and Pulumi typescript code, so they can run npm independently, or whatever.
Having /pulumi is a good way to manage that.
s

straight-magician-37467

06/28/2021, 1:13 AM
Cool, that seems pretty clean. Thanks for your insight 🙂
l

little-cartoon-10569

06/28/2021, 1:14 AM
(Though from the point of view of conveying meaning through naming, pulumi isn't helpful for people who don't know what Pulumi is. Maybe deployment or infra or something with more "behaviour" in the name...)
s

straight-magician-37467

06/28/2021, 1:15 AM
Fair point! I’m going to be the sole dev, so that won’t be an issue, but I totally see what you’re saying.
a

agreeable-eye-87399

06/28/2021, 2:17 AM
I think that /infra is the convention for a pulumi program in a subfolder that way
(This is implied in the example here: https://www.pulumi.com/docs/reference/pulumi-yaml/)
👀 1