Hi Folks, not sure if this is the right channel to ask but I'm trying to use Pulumi on AWS to create Fargate container and came across the problem when deploying multiple times from GH action. I'm getting:

TargetGroupAssociationLimit: The following target groups cannot be associated with more than one load balancer

when running

const listener = new awsx.lb.NetworkLoadBalancer(nameFor("lb"))
        .createTargetGroup(nameFor("group"), { port: 80, protocol: "TCP" })
        .createListener(nameFor("listener"), { port: 443, protocol: "TLS", certificateArn: certificate.arn})

It work locally when ran pulumi up but not via GH action with same command. GH Action version: 3.15.0 Pulumi version on GH action: v3.25.1 Local Pulumi version: v3.25.1

Hi everyone! I'm relatively new to Pulumi and ran into an issue with left over pending_operations. I have fixed them in the past but when reading up more on how to do it "correctly" I ran across what I think is conflicting instructions. "pulumi up" tells me that I need to look for any completed operations on AWS and then clear them from pending_operations, see attached image with my yellow highlight. It doesn't say what to do with uncompleted operations though...? The online documentation however says that I should clear the pending_operations and then for each item in it look for it on AWS and remove it:

You should then export and import your stack. This will clear your state's stack of all pending operations.
[...]
For every [pending_operation] you should verify with your cloud provider whether or not this operation was successful. If the operation was successful, and a resource was created, you should delete that resource using your cloud provider's console, CLI, or SDK.

https://www.pulumi.com/docs/troubleshooting/#interrupted-update-recovery To me this sounds like one source saying I should remove any created resources listed in pending_operations while the other source says that I should leave them be. Or am I misreading it?

Hi everyone, i have a question related to pulumi setting up a AWS EKS. Currently i have the issue that the EKS fails to setup the VPC CNI with following error: “You must be logged in to the server (the server has asked for the client to provide credentials)“. When i manually get a kubeconfig from aws-cli for the pulumi created EKS i can use kubectl just fine. We use temporary credentials since we have SSO enabled. Maybe there is an issue with that and how kubectl tries to generate EKS tokens?

Hey guys, pulumi.apply is running asynchronously while i need to make it run synchronously Scenario, i am trying to get the state of an existing service account

let resourceId : pulumi.Input<string> = "thx/".concat(sharedSecret.name); //"namespace/shared-keystore-jks-ksa" ;
let secrets: pulumi.Output<output.core.v1.ObjectReference[]> = k8s.core.v1.ServiceAccount.get("ksa-".concat(sharedSecret.name),resourceId).secrets;

Post retrieving the secret, i am trying to find the secret name and use the name to supply for further use

//works asynchronously
secrets.apply(v => {
            console.log("Secret Name ", v[0].name);
secretName_list.push(v[0].name);
        });
console.log(secretName);//print secret name

Complete program

1. var serviceAccountArray = [];
2. var secretName_list=[];
3. 
4. serviceAccountArray.forEach(ksa => {
5.     let resourceId : pulumi.Input<string> = "thx/".concat(ksa.name); //"namespace/shared-keystore-jks-ksa" ;
6.     let secrets: pulumi.Output<output.core.v1.ObjectReference[]> = k8s.core.v1.ServiceAccount.get("ksa-".concat(ksa.name),resourceId).secrets;
7. //running asynchronously
8. secrets.apply(v => {
9.          console.log("Secret Name ", v[0].name);
10.         secretName_list.push(v[0].name);
11.      });
12.  console.log(secretName_list); //print secret name empty because of apply
13. });

Line no. 10 get executed after line no. 12 at the end of the program while i wanted to wait for the execution to get it complete. Any idea how this can be sort out. Thanks!

Hello everyone. I've encountered behavior with the state file that I can't explain. We're working with Amazon RDS, so the example below uses RDS params. I'm almost certain RDS isn't directly to blame. Background: Due to limitations within RDS, in order to create an instance in a different db subnet group in the same regions as the primary host the

replicate_source_db

must be provided in ARN format. e.g.

arn:aws:rds:us-east-1:12345890:db:my-primary-database-1

. However, once the instance is created, RDS stores the

replicate_source_db

as a simple name.

arn:aws:rds:us-east-1:12345890:db:my-primary-database-1

->

my-primary-database-1

. Any further attempts to modify the instance will fail because

arn:aws:rds:us-east-1:12345890:db:my-primary-database-1

!=

my-primary-database-1,

RDS interprets this as an attempt to change the replicate database (which isn't allowed). Our attempt to work around this: 1. Create instance with ARN 2. Manually refresh Pulumi state to capture the short name from RDS 3. Update Pulumi to use short name. 4. Manage instance via Pulumi as usual. The problematic scenario that is what actually happens and brought me here. 1. Create instance with ARN 2. Manually refresh Pulumi state to capture the short name from RDS 3. Update Pulumi to use short name. 4. An attempt to manage the instance (pulumi up) fails with the

arn:aws:rds:us-east-1:12345890:db:my-primary-database-1

!=

my-primary-database-1

mismatch despite that fact that the ARN doesn't exist in the state file or in RDS at the time of execution. 5. The Pulumi state file value goes back to the ARN. 6. Cycle continues Any ideas how this is happening?

Hello Everyone, is it possible to run pulumi up with compiled C# code? Currently we create a docker image from our C# pulumi source code which we run in our pipelines to deploy our environment. The problem we have is that the image for dotnet sdk and other dependencies makes the image size close to 3GB so we are thinking to build compiled executable in the images with pulumi cli and run it in our pipeline.

Is it intentional that this provider binary continues to live / run when no pulumi CLI command is in the middle of executing;

pulumi-resource-azure-native.exe

?? I couldn't figure out why I couldn't rename a folder. Process Explorer found that this .exe was running and in the folder in question. I killed the process, and then I was able to rename the folder. Just wondering. Thanks.

Am I the only one that gets the error message truncated on my terminal when running a Pulumi up that fails?

Hi all, it looks like the

version

command of

3.26.0

is not returning a version number. Since updating to

3.26.0

, Homebrew thinks the version is

0.0.0

and keeps prompting for an update.

hi all. happy to be here. i'm trying to get crosswalk with ECS working but i can't quite get the port mappings right. i want two listeners on my ALB: 80 and 443, and I want 80 to redirect. got that part right. now i want 443 to be forwarded to a target group ON PORT 80 (not 443). however, i can't quite figure out how to do this without manually declaring the target group. it's currently forwarding everything to port 443 on the target group, which is not what i want. is this possible? code:

import * as pulumi from "@pulumi/pulumi";
import * as aws from "@pulumi/aws";
import * as awsx from "@pulumi/awsx";

// Create an ECS cluster explicitly, and give it a name tag.

const vpc = awsx.ec2.Vpc.getDefault();
const cluster = new awsx.ecs.Cluster("cluster", {
  vpc,
});

const zone = aws.route53.getZone({ name: "zone." });

// Create a load balancer on port 80 and spin up two instances of Nginx.
const lb = new awsx.lb.ApplicationLoadBalancer("alb");
const httpListener = lb.createListener("http", {
  port: 80,
  protocol: "HTTP",
  defaultAction: {
    type: "redirect",
    redirect: { protocol: "HTTPS", port: "443", statusCode: "HTTP_301" },
  },
});

const httpsListener = lb.createListener("https", {
  port: 443,
  protocol: "HTTPS",
  certificateArn,
});

const record = new aws.route53.Record("api-route", {
  zoneId: zone.then((zone) => zone.id),
  name,
  type: "A",
  aliases: [
    {
      name: lb.loadBalancer.dnsName,
      zoneId: lb.loadBalancer.zoneId,
      evaluateTargetHealth: false,
    },
  ],
});

const app = new awsx.ecs.FargateService("service", {
  cluster,
  taskDefinitionArgs: {
    containers: {
      nginx: {
        image: "nginx",
        portMappings: [httpsListener]
      },
    },
  },
  desiredCount: 2,
});

this makes all the requests go to the target group on port 443, but the target group is a service listening on port 80, so it 502s

What do you do in the case of a stuck update job? A fairly simple update of mine is stuck on deleting an AWS SG and has been for 14 minutes

hah it just timed out as I said that

Hi! I still have not found a solution to this problem. Is there anyone who can shed some light on a possible workaround? I am using pulumi azure classic. Have a good day!

Hi, from my understanding

kubernetes.helm.v3.Release

does the same API calls as

helm

. So my expectation is that, after a pulumi deployment, I should be able to list the helm deployments with

helm list

. Am I wrong? Thanks

Great video on the bit.ly dynamic provider @quiet-wolf-18467 🎉

Thanks, @wonderful-twilight-70958 😄

just out of curiousity, how do I export Swagger JSON from my APIGatewayV2 objects in Python?

How can one ensure that the

[org]/prod

stack for a project never gets deleted (or has some relatively difficult guard against it)?

Hi again! I got a strange issue when doing a "pulumi refresh" against AWS. It looks like the source in a BucketObject is replaced with a absolute reference to a pulumi temp-file on my local computer, see attached image. It looks very similar to this issue: https://github.com/pulumi/pulumi-aws/issues/1521 ...but it persists for me even after updating to the latest Pulumi packages with Yarn. I read in some other threads linked via that issue hints that this might be because we are doing something unexpected, but it is a bit too technical for me. Any help would be appreciated since I assume this is not how it should work? Update: Using TypeScript

Hi. I'm trying to setup error actions for IoT topic rules, the Pulumi console shows me that everything was successfully updated, But when I go to IoT Rule detail I do not see the error action configured, ¿any idea?, sample code below

export const iotRule = new aws.iot.TopicRule("sampleRule", {
    enabled: true,
    sqlVersion: "2016-03-23",
    sql: config.require("query"),
    kinesis: {
        streamName: stream.name,
        roleArn: role.arn,
        partitionKey: '${partitionKey}'
    },
    errorAction: {
        republish: {
            topic: 'stage/iot/errors',
            roleArn: iotErrorRole.arn,
        }
    },
})

I just saw https://pulumi-community.slack.com/archives/C84L4E3N1/p1635911681308500?thread_ts=1635911465.307800&cid=C84L4E3N1 So, just to be clear, if I see a Python example online which has

import pulumi_docker as docker

I need to follow both below two steps? Step One:

pulumi plugin install package docker 3.1.0

Step Two:

source venv/bin/activate
pip install pulumi_docker

It's not clear from Lee's message how the automatic thing can happen for Node/Python. He points to a Go script which I can't interpret.

Anybody facing this issue https://github.com/pulumi/pulumi-kubernetes/issues/1925

Any folks having a similar problem with the Fastly provider? https://github.com/pulumi/pulumi-fastly/issues/119

Is something up with the cloudflare provider? After working for over a year, i suddenly get the following (3.26.1 + 4.4.0 cloudflare)

Diagnostics:
  cloudflare:index:Record (staging-upload-1-1cd4):
    error: could not validate provider configuration: 1 error occurred:
    	* invalid value for api_key (API key must only contain characters 0-9 and a-f (all lowercased))

The config is set in the automation api with these values:

'cloudflare:accountId': {
    value: config.cloudflareAccountId,
  },
  'cloudflare:apiKey': {
    value: config.cloudflareApiKey,
    secret: true,
  },
  'cloudflare:email': {
    value: config.cloudflareEmail,
  },

and config.cloudflareApiKey contains the correct key.

Hi Everyone, I have opened the ticket for pulumi-fastly https://github.com/pulumi/pulumi-fastly/issues/159. I am getting an error when trying to add logging for Fastly service. Would appreciate any help or ideas. Thank you

I’m a bit confused by this AWS “getter”:

// GetOpenIdConnectProvider gets an existing OpenIdConnectProvider resource's state with the given name, ID, and optional
// state properties that are used to uniquely qualify the lookup (nil if not required).
func GetOpenIdConnectProvider(ctx *pulumi.Context,
	name string, id pulumi.IDInput, state *OpenIdConnectProviderState, opts ...pulumi.ResourceOption) (*OpenIdConnectProvider, error) {
	var resource OpenIdConnectProvider
	err := ctx.ReadResource("aws:iam/openIdConnectProvider:OpenIdConnectProvider", name, id, state, &resource, opts...)
	if err != nil {
		return nil, err
	}
	return &resource, nil
}

If feels like the

state

argument is redundant… since this function requires the resource

id

which I’m assuming this would make this unique. What’s the point of the

state

arg?

this is not specific to

Go

(even though I’m presenting this question from the Go provider)

Hey all, I exported my resource group (and its resources) in one ARM file, but when I try to convert it, only the resource group is being converted (for typescript), and for Go, I get an error. Is there a better way to import an existing setup to be managed?

does Pulumi have neovim lsp-config support ?