What's the best way in Pulumi to manage internal TLS certificates for something like Vault? https://www.pulumi.com/registry/packages/command/ looks promising, but I'm not sure if there's a more standard way

Hi folks! I have some trouble using transformations on a K8s config file. It's essentially the same as in this [Example](https://www.pulumi.com/docs/guides/adopting/from_kubernetes/) (under Configuration Transformations). I check for the kind of the resource and if it is a certain type I change a value. But I get the error:

TypeError: 'ResourceTransformationArgs' object is not subscriptable

. I could not find any mention of this error specific to this class. I also could't find any helpful examples of how to use transformations other than the mentioned one. Anyone have a clue why it does not work and how to fix it?

HI, we want to try to use pulumi, I've read some compression for pulumi vs teraform , we need to write iaas code for gcp azure and aws, what as the benefit of using pulumi against the native iaas sdk's?

Hey guys, has anyone here successfully passed an Azure

UserAssignedIdentity

into a

WebApp

before in TS? I am having a lot of trouble. The example I have here, shows I can add a UAI to a webapp when I hardcode the id as the property, with a value of

{}

as stated by the documentation here: https://www.pulumi.com/registry/packages/azure-native/api-docs/web/webapp/#managedserviceidentity _(I found that even the docs mentions that the second property should be

user_assigned_identities

but that doesnt work even with hardcoding, so ive fallen back to the ARM template output from a pre-created resource which seems to work)_ The entire string looks like this:

let identity: any = {
            type: "UserAssigned",
            userAssignedIdentities: {
                "/subscriptions/<sub-id>/resourcegroups/<rg>/providers/Microsoft.ManagedIdentity/userAssignedIdentities/<uai-name>" : {}
            }
        }

However, I cannot get the actual UAI id into the identity object due to the property of

userAssignedIdentities

not accepting an

Output<string>

as a property type. Using

[UAI]: {}

to try cast the identity does not work either as it tries to cast it to a string. How does everyone else do it?

Hi, I’m currently searching for a possibility to create enrollmentgroups for a azure device provisioning service (dps). It’s possible to create the dps and dps certificates, but I can’t find the enrollment configuration in the pulumi API docs. (REST API: https://docs.microsoft.com/en-us/rest/api/iot-dps/service/enrollment-group/create-or-update) Has anyone an idea how to achieve this?

Hi folks, I am trying to connect to docker which is running on GCP - VM using docker provider. But its getting failed to due to connection establishment. Is there anyway we can pass remote connection args to it or is there anyway I can establish the connection ?

const remoteInstance = new docker.Provider(
  "remote",
  {
    host: interpolate`<ssh://user>@${externalIP}:22`,
  },
  { dependsOn: dockerInstallation }
);

Is there a way to get the generated code from the

import

command without actually importing the resource into the stack?

Hello guys! Related question to import above: If I want to rollback an import of a resource, the way I have worked out is to use

pulumi state delete urn:of:resource

, but what is the easiest way to find that urn from ideally the cli? I can use the somewhat unwieldy

pulumi stack --show-ids --show-urns | grep 'resource_name'

but is there a better way?

Is there any formal way to annotate stack inputs and outputs with documentation strings to add additional context for their intention and purpose?

getting

an unhandled error occurred: Program exited with non-zero exit code: 1

from a stack that hasn’t changed in months. identical stack is working in our other account. made sure to update pulumi as well as the nodejs provider and all other dependencies, seeing absolutely nothing in verbose output to indicate what the problem is. indeed, seeing “Planner decided not to update after diff”, so no idea what could have broken here. how should i proceed?

Hello folks, I'm trying to import some databases grants created using Terraform. We have a MySQL instance running on GCP, to which I'm connecting using

cloud_sql_proxy

that handles TLS. My provider point to localhost:3307 where cloud_sql_proxy is listening.

new mysql.Grant(
  'applications',
  {
    user: 'applications',
    host: '%',
    database: 'applications',
    privileges: ['ALL'],
  },
  {
    provider: new mysql.Provider(`import-applications-grant`, {
      username: 'root',
      endpoint: '127.0.0.1:3307',
      password: config.requireSecret('MY_SQL_APPLICATIONS_SECRET'),
    }),
    import: 'applications@%:applications',
    protect: true,
  }
);

But then I get the following error:

Diagnostics:
  pulumi:pulumi:Stack (env-staging):
    error: preview failed
 
  mysql:index:Grant (applications@%:applications):
    error: Preview failed: refreshing urn:pulumi:staging::env::mysql:index/grant:Grant::applications@%:applications: user with host or a role is required

Any ideas?

Hello! We're currently in the process of evaluating Pulumi to see if it fits our use case and came upon an issue and i can't find anything in the documentation on this. Basically, we have a resource (On azure, if that matters) that we're trying to update. However this update requires the resource to be recreated. The output says to destroy the component first. But just like how you would 'Taint' something in terraform - Is there an equivelant in Pulumi? TL;DR - Is there any way to force 'pulumi up' to recreate/destroy a specific resource? - Similiar to Terraforms taint function

Hi, is there some sort of document/pattern etc about how Dependency Tracking works? @tall-librarian-49374

Hello Pulumi friends! I am trying to move our AWS SecretManager values into Pulumi so we can manage them with code! The secrets would be encrypted using pulumi secret foo 'bar' in the config file. Since we are reading them in from the config file they become an Output<T> which makes things a bit of a pain. To do a key/pair with secrets manager you have to pass it as json however you can't JSON.stringify a type of Output<T>, and there doesn't seem any way to convert it into anything else example:

interface appsecrets {
    auth0clientid: string,
}
const appsecrets = config.requireSecretObject<appsecrets>("appsecrets")
const auth0client = appsecrets.auth0clientid
const example1 = {
    auth0clientid1: auth0client
}

const exampleSecretVersion = new aws.secretsmanager.SecretVersion("exampleSecretVersion", {
    secretId: example.id,
    secretString: JSON.stringify(example1)
})

I have tried all sorts of things like

appsecrets.auth0clientid.apply(v => JSON.stringify(v))

but it still is going to be a type of Output<T> and it sets the value in secrets manager as Calling [toJSON] on an [Output<T>] is not supported. To get the value of an Output as a JSON value or JSON string consider either: 1: o.apply(v => v.toJSON()) 2: o.apply(v => JSON.stringify(v)) See https://pulumi.io/help/outputs for more details. This function may throw in a future version of @pulumi/pulumi.

I'm sure I'm missing something obvious, but I'm struggling with circular dependencies. I'm using the EKS package to make a kluster The cluster needs a security group. The security group needs to allow access from the node pool security group The node pool security is created by the cluster and is an output from it. So essentially I have

sg, err := ec2.NewSecurityGroup(ctx, "EKS", &ec2.SecurityGroupArgs{
                        Description: pulumi.String("Group for the EKS cluster"),
                        VpcId: pulumi.String(vpcid),
                        Ingress: ec2.SecurityGroupIngressArray{
                                &ec2.SecurityGroupIngressArgs{
                                      Description: pulumi.String("https in from the nodes"),
                                      FromPort: <http://pulumi.Int|pulumi.Int>(443),
                                      ToPort: <http://pulumi.Int|pulumi.Int>(443),
                                      Protocol: pulumi.String("tcp"),
                                      SecurityGroups: pulumi.StringArray{
                                              pulumi.String(cluster.NodeSecurityGroup),
                                      },
                                },
                        },
                        Egress:  ec2.SecurityGroupEgressArray{
                                // allow https out to anywhere
                                &ec2.SecurityGroupEgressArgs{
                                        FromPort: <http://pulumi.Int|pulumi.Int>(443),
                                        ToPort:   <http://pulumi.Int|pulumi.Int>(443),
                                        Protocol: pulumi.String("tcp"),
                                        CidrBlocks: pulumi.StringArray{
                                                pulumi.String("0.0.0.0/0"),
                                        },
                                        Ipv6CidrBlocks: pulumi.StringArray{
                                                pulumi.String("::/0"),
                                        },
                                },
                        },
                }, nil)
                if err != nil {
                        return err
                }
                // Create an EKS cluster
                cluster, err := eks.NewCluster(ctx, "Test", &eks.ClusterArgs{
                        VpcId: pulumi.String(vpcid),
                        PrivateSubnetIds: pulumi.StringArray{
                                pulumi.String(private[0]),
                                pulumi.String(private[1]),
                                pulumi.String(private[2]),
                        },
                        PublicSubnetIds: pulumi.StringArray{
                                pulumi.String(public[0]),
                                pulumi.String(public[1]),
                                pulumi.String(public[2]),
                        },
                        ClusterSecurityGroup: sg,
                        EndpointPrivateAccess: pulumi.Bool(true),
                        EndpointPublicAccess: pulumi.Bool(false),
                })
                if err != nil {
                        return err
                }

and if I put it that way round I get

./main.go:150:21: undefined: cluster

and if I put the cluster before the sg I get

undefined: sg

How do I do this properly?

Hi All, What is the best way to use an Output<string> in the name of a new resource. Context: I am trying to use an output from a previous resource to create deterministic naming of pulumi resources down the chain.

Team team = new Team("<name here built using an Output<string> from a previous resource>", new TeamArgs());

Hello! I am new to Pulumi and apologize if this might be a stupid question Just trying Pulumi out with aws and having trouble with getting nested configuration in the code So I have below in my stack yaml file

autoscaling:environment:
  testEnv: testEnv

and I want to get it in typescript code

let config = new pulumi.Config();
let test = config.get("environment.testEnv");

console.log(`Environment Variable: ${test}`);

When I run

pulumi up

I get

Environment Variable: undefined

rather than the environment variable

How does Pulumi decide which provider to use in the

providers

map (in the opt object)?

Feature request: allow users on the Resources page https://app.pulumi.com/org/project/stack/resources to refresh the Graph View without having to click back to it after refreshing.

Hi! Has anyone used the Kong Pulumi Provider before? Having issues authentication with Kong, issue is detailed here: https://github.com/pulumi/pulumi-kong/issues/89

Hi, anyone got any idea how i can workaround this issue? https://github.com/pulumi/pulumi-azure-native/issues/1431 Its a huge blocker for us, since i effectively can't run my configuration 😞

Is there any easy way to use a local stack without having to logout of my remote backend and login to the local one?

Heya, so we build our stacks with automation in gitlab CI. When we do this, obviously the files for the stack do not get "saved" back into the branch when this happens. They are created on the builder and deleted seconds after the build is complete. Do any of you have this problem? How have you solved it? What I have been doing is pulling the code and doing a pulumi refresh to bring it in when I need it. I have thought about letting the builder commit the new files, but that feels like a really bad idea in most cases.

Hi，i'm following the code to create new aws eks cluter, after

pulumi up

, i got this error:

Diagnostics:
  eks:index:VpcCni (relation-aws-eks-cluter-vpc-cni):
    error: Command failed: kubectl apply -f C:\Users\Matrix\AppData\Local\Temp\tmp-6800oi250Aa7ZzSV.tmp
    error: You must be logged in to the server (the server has asked for the client to provide credentials)

  pulumi:pulumi:Stack (relation-aws-eks-cluter-dev):
    error: You must be logged in to the server (the server has asked for the client to provide credentials)

    error: update failed

how to fix?

Is there a way (ts) to register events for resources when they are created/updated within the runtime? Ie. to publish on a sns topic when a certain resource is updated or created. Concrete example: publish sns topic when a Migration resource fails.

Hello everyone. I have all my env values set in pulumi config as I want pulumi stack to be the source of truth. I can list all the values by running

pulumi config -j

or get them one by one using

pulumi config <config_name>

but I want it in env. Is there a way to export all config from

pulumi config

to env? I have to set all of the config as env for a github action

Is there any way to change the provider without Pulumi wanting to do a replace? Specifically, I am changing from the default AWS provider to an explicit one (configured with all the same values), but running

pulumi up

wants to do a wholesale replace (of VPCs, EKS cluster, etc), which would be very sad.

I am trying out the new Pulumi 3.23.0 capability of disabling the default providers, and have this in my stack:

pulumi:disable-default-providers:
  - aws
  - kubernetes

This seems to work well for AWS, but I am having an odd issue with the Kubernetes one. Specifically, I have the following resource:

_, err = yaml.NewConfigFile(ctx, "certmanager-deploy-file", &yaml.ConfigFileArgs{
		File: "./cert-manager.yaml",
		Transformations: []yaml.Transformation{
			// We need to make two modifications:
			// 1. Add the role ARN for IRSA
			// 2. Set the fsGroup for IRSA token mapping
			// Docs here: <https://cert-manager.io/docs/configuration/acme/dns01/route53/#eks-iam-role-for-service-accounts-irsa>
			func(state map[string]interface{}, opts ...pulumi.ResourceOption) {
				metadata := state["metadata"].(map[string]interface{})
				name := metadata["name"]
				if state["kind"] == "ServiceAccount" && name == "cert-manager" {
					var annotations map[string]interface{}
					if v, ok := metadata["annotations"]; !ok {
						annotations = make(map[string]interface{})
						metadata["annotations"] = annotations
					} else {
						annotations = v.(map[string]interface{})
					}
					annotations["<http://eks.amazonaws.com/role-arn|eks.amazonaws.com/role-arn>"] = irsaRole.Arn
				}
				if state["kind"] == "Deployment" && name == "cert-manager" {
					deploymentSpec := state["spec"].(map[string]interface{})
					template := deploymentSpec["template"].(map[string]interface{})
					podSpec := template["spec"].(map[string]interface{})
					podSpec["securityContext"] = map[string]interface{}{
						"fsGroup": 1001,
					}
				}

			},
		},
	}, pulumi.DependsOn([]pulumi.Resource{irsaRole}), pulumi.Provider(eksConfig.Provider))
	if err != nil {
		return nil, err
	}

Where

eksConfig.Provider

is constructed as the result of an

eks.Cluster

creation:

k8sProvider, err := providers.NewProvider(ctx, "k8s-ssa-provider", &providers.ProviderArgs{
		Kubeconfig: kubeconfig,
	})
	if err != nil {
		return nil, err
	}

When I run this with the default Kubernetes one disabled, I get this error:

error: program failed: 1 error occurred:
    	* decoding YAML: rpc error: code = Unknown desc = unknown provider ''
    exit status 1

There is not any more info in the logs even if I set logging to 9. If I enable the Kubernetes default provider, it works just fine, even though I am passing an explicit provider here. Is this a bug or am I doing something unexpected here?

Is there a way to interact with the pulumi engine programmatically? Like a pulumi cli api