Hey guys, new to the pulumi world. I'm trying to make aws eks cluster with alb attached. Do you have any good resource that I can look for as an example? I've found one here https://www.learnaws.org/2021/06/22/aws-eks-alb-controller-pulumi/

Is it possible to define a relationship like “if this resource is deleted, all of these associated resources are implicitly deleted”? The specific problem I have is using the new

Command

module, if my instance is deleted, Pulumi tries to execute the

delete

part of the command, which is no longer possible. So I want to tell it to just give up on cleaning up any commands that were run on a deleted instance. Is something like this possible? Right now, I have to manually edit my state to clean them up.

Hi guys, has anyone seen this error before when creating eks cluster?

Message_: "Security group(s) [sg-0cb56162e90f5f571] are not in the same VPC as the subnets. Please specify a security group that is associated with the VPC: vpc-0b6bc0745054144c7."

This the python code to create cluster:

cluster = eks.Cluster(
    cluster_name,
    version="1.22",

    skip_default_node_group=True,

    vpc_id=vpc.id,
    public_subnet_ids=vpc.public_subnet_ids,
    node_associate_public_ip_address=False,
    private_subnet_ids=vpc.private_subnet_ids,
    cluster_security_group=cluster_sg,

    service_role=cluster_role,
    instance_roles=[node_role],

    create_oidc_provider=True,

    cluster_tags=common_tags
)

I know EKS will create a separate security group for cluster service, but seems it’s using my default VPC instead of the

vpc.id

that I passed.

Does anyone know the Self Hosted Pulumi (Enterprise) Default admin credentials?

Hi, A question on the Azure Web Apps and having all the existing App Settings wiped!! It appears that any non-Pulumi app settings are getting wiped even when Pulumi indicates that it will not be updating the App Settings. This was a Pulumi Preview --diff for a function app of mine. No AppSetting changes indicated. I did the Pulumi Up and all existing App Settings were deleted. Very annoying!! This was after doing a Refresh and then also an Import to ensure all existing settings were discovered. However it does not appear that AppSettings are gathered into state using either. Is this expected behaviour or am I missing something? Ran

pulumi preview --target 'urn:pulumi:qa::gqt::azure-native:web:WebApp::######-func-gqtproperty-qa-ne' --diff

Got following response

Build succeeded.
    0 Warning(s)
    0 Error(s)

Time Elapsed 00:00:00.75

'dotnet build -nologo .' completed successfully
  pulumi:pulumi:Stack: (same)
    [urn=urn:pulumi:qa::gqt::pulumi:pulumi:Stack::gqt-qa]
    --outputs:--
  + Readme: output<string>
    ~ azure-native:web:WebApp: (update)
        [id=/subscriptions/#####/resourceGroups/#####-rg-gqt-qa-ne/providers/Microsoft.Web/sites/#####-func-gqtproperty-qa-ne]
        [urn=urn:pulumi:qa::gqt::azure-native:web:WebApp::#####-func-gqtproperty-qa-ne]
        [provider: urn:pulumi:qa::gqt::pulumi:providers:azure-native::default_1_64_1::2ed5c319-5430-469d-9031-83ac95dd6fc9 => urn:pulumi:qa::gqt::pulumi:providers:azure-native::default_1_66_0::f2b4d03f-0b4d-4628-8f22-da8abd55a375]
      ~ tags                  : {
          ~ Purpose: "Contain Bedroom Genie Resources" => "Contains Groups Quoting Tool (GQT) Resources"
        }
      ~ virtualNetworkSubnetId: "/subscriptions/#####/resourceGroups/#####-rg-network-qa-Ne/providers/Microsoft.Network/virtualNetworks/#####-vnet-intrt-qa-Ne/subnets/#####-snet-intrt-qa-Ne-002" => "/subscriptions/#####/resourcegroups/#####-rg-network-qa-ne/providers/microsoft.network/virtualnetworks/#####-vnet-intrt-qa-ne/subnets/#####-snet-intrt-qa-ne-002"
Resources:
    ~ 1 to update
    124 unchanged

My WebApp code looks like

var webAppArgs = new WebAppArgs
{
	Name = funcAppName,
	Kind = "functionapp,linux",
	ResourceGroupName = args.ResourceGroupName,
	ServerFarmId = args.ServerFarmId,
	HttpsOnly = true,
	SiteConfig = new SiteConfigArgs
	{
		Cors = new CorsSettingsArgs() { AllowedOrigins = "*" },
		AlwaysOn = true,
		AppSettings = new[]
		{
			new NameValuePairArgs
			{
				Name = "AzureWebJobsStorage",
				Value = AsfPulumiHelper.GetConnectionString(args.ResourceGroupName,
					args.FuncStorageAccountName),
			},
			new NameValuePairArgs
			{
				Name = "FUNCTIONS_WORKER_RUNTIME",
				Value = "dotnet",
			},
			new NameValuePairArgs
			{
				Name = "FUNCTIONS_EXTENSION_VERSION",
				Value = "~4"
			},
			new NameValuePairArgs
			{
				Name = "APPLICATIONINSIGHTS_CONNECTION_STRING",
				Value = Output.Format($"InstrumentationKey={args.AppInsightsInstrumentKey}"),
			},
			new NameValuePairArgs
			{
				Name = "APPINSIGHTS_INSTRUMENTATIONKEY",
				Value = args.AppInsightsInstrumentKey
			},
		}
	},
	Identity = new Pulumi.AzureNative.Web.Inputs.ManagedServiceIdentityArgs
	{
		Type = ManagedServiceIdentityType.SystemAssigned,
	},
	Tags = args.Tags
};
if (!string.IsNullOrEmpty(args.VnetSubNetId))
{
	webAppArgs.VirtualNetworkSubnetId = args.VnetSubNetId;
}

Hi, I am using the automation API and to test certain workflows that use infrastructure that’s managed by Pulumi I’d like to run tests in one stack per test each. That works, but now I am accumulating empty stacks. Is there a way to remove a stack programmatically, i.e. other than through

pulumi stack rm

?

stack.Destroy()

only removes resources, but keeps the stack itself.

Are intermittent errors like this a known issue? Happens to me about every 3-4 runs of

pulumi up

. Re-running without changes usually works

error: could not read plugin [/Users/craigglennie/.pulumi/plugins/resource-aws-v5.9.2/pulumi-resource-aws] stdout: EOF

Is there a way to see what stacks in an organization are using the stack outputs of particular stack? For example, if stack "Org/A " has a stack output "output1" can I see all stacks within "Org" that are using "output1" from stack "Org/A" without manually looking through all stacks?

I am having a problem with the pulumi spot fleet request, maybe someone can help. Everything works as expected, except when i try to destroy the stack. Because pulumi doesn't wait for the ec2 instances of the spot request to be deleted, it starts romoving the VPC which removes the internet gateway and all other associated resources. It then waits until the subnet can be deleted which happens after the actual instance is terminated. Becuase of this behaviour, the ec2 instance cannot trigger an http call that I have configured on termination. (no internet gateway, no security group to allow any traffic). Anyone has any ideas how to tell pulumi to basically remove spot fleet request, then maybe wait 2 minutes, then continue to remove the vpc and its resources?

When I run

pulumi new

with an AWS template it asks for the AWS region. How do I change the region later? I don't see it anywhere in the project files

What is the best way to handle when normal operation hits IAC'y code ? With IAC'y code I mean when under normal operation the code needs to create or destroy resources or make configuations of those resources. Examples from Azure Example 1: a user is added to a customer. In application that adds a subscription for a topic in the Azure Event Grid. Is this IAC that Pulumi should handle or just in code as it is not IAC'y enough ? Example 2: a new customer is added. In application that adds a container on the blob storages for documents for that customer so it is easier to adhere to GDPR. IAC'y ? Example 3: a new customer is added. The creation of a new database is made for the customers data. IAC'y? Example 4: a new customer is added. The autorization system creates the default setup for the customer. IAC'y? #general

In case this is also used as a feedback channel I’ll drop a tiny feature request: I’d love a little reload button in the Pulumi web UI, like it’s also available in the GCP or AWS UIs, to refresh changes without having to reload the whole page. I didn’t need it in the past but now I’m using the automation API and find myself debugging using the web UI Cheers and thanks for your great work 🚀

Should I separate the ArgoCD manifests repo and Pulumi IaC repo?

Hey team, I've been using API Gateway to serve static files, essentially doing what is specified in the docs here. The only trouble I am having is getting the content of the s3 bucket to deterministically change based on changes to file contents on my local file system. Ideallly, I would like to keep the

localPath

and

path

static, but ensure that the resource is updated each time the file contents change. Reading this document, it suggests this would be the default behavior. Am I misunderstanding something?

Hey guys, I've been setting up an AWS WAFV2 and have been running into issues where pulumi assumes my rules for my webacl have been changed every time I

pulumi up

. I know sometimes it has to do with some default values in a field that need to be provided but in this case, I'm not too sure which field I'm missing. Here is the example code

hi, is there a way to use stack references when storing state in s3 buckets?

How do I remove stale stacks that are in a weird state? These are stacks that were never deleted as something went wrong during testing and they were not cleaned up. For more context, I am using the integration testing set up using Golang.

➜ vpc-builder (main) ✔ pulumi stack rm p-it-ny6j4r57fl-aep-base-i-1768dd0e
error: failed to decrypt: incorrect passphrase, please set PULUMI_CONFIG_PASSPHRASE to the correct passphrase or set PULUMI_CONFIG_PASSPHRASE_FILE to a file containing the passphrase

👋 Hi everyone!

I want to make sure that we’re running commands on a stack against the correct AWS account. My first approach is to use

aws.getCallerIdentity({})

to get the accountId and compare it, but that’s not possible:

const accountId = await aws.getCallerIdentity({}).then(current => current.accountId);

if((pulumi.getStack() == "prod" && accountId != "512302493601") || (pulumi.getStack() != "prod" && accountId != "497659568814")) {
  process.exit(1);
}

(

await

can only be used against an async function). I also tried

await aws.getCallerIdentity({})

and got the same result. Any suggestions? I want to add a little safeguard so we don’t inadvertently run stack commands against the wrong account.

Is anyone running their Pulumi stack in something like AWS Lambda? As in,

index.ts

of Pulumi is actually a function and I can trigger it from all the usual lambda sources?

Does anyone knows where I can watch previously recorded Pulumi Webinars?

Hello everyone 👋 I couldn't find example in TS how to set up Route53 / ALB / ECS / Fargate / RDS in VPC with needed SGs. Could anyone share such example?

Having a really confusing problem creating a CRD object that I generated using crd2pulumi. The diff shows the correct spec for the resource I’m trying to create, but when I actually execute I get

[spec.source: Invalid value: "string": spec.source in body must be of type object: "string", <nil>: Invalid value: "": "spec.source" must validate one and only one schema (oneOf). Found 2 valid alternatives]

indicating that a nil or empty value is actually being passed to k8s and failing validation server side. Since the diff is correct and shows the populated value, I have no idea how to debug. Any ideas? EDIT: Figured this out, the type was generated as

any

and I was improperly supplying the wrong value due to type inference missing.

I'm working with a third-party plugin (Twingate) and I think I've found a bug in the plugin, but just want to check the expected behaviour before I report it or try to fix it. I am running

pulumi refresh

and it's giving an error about not finding an expected Twingate resource (because it's been deleted via the Twingate UI). IMO this should update the current state by removing the resource, rather than failing with an error. Does that seem right?

Currently I'm fixing it by running

pulumi export

and removing the deleted resource from the JSON

To clarify: The whole

refresh

is failing because of this error, it's just not failing to update the one missing resource

Hi everyone! I am playing a little bit with Pulumi to get into it. I tried out the google-native sdk. I wrote following code:

import * as gcp from "@pulumi/google-native";

const customProvider = new gcp.Provider("default",{
    project: "12312312"
})

const agent = new gcp.dialogflow.v3.Agent("Test", {
    defaultLanguageCode: "DE",
    displayName: "Pulumi-Demo",
    timeZone: "Europe/Berlin",
    location: "global",
}, {
    provider: customProvider
})

const page = new gcp.dialogflow.v3.Page("basicPage", {
    agentId: agent.id,
    displayName: "BasicPage",
    flowId: agent.startFlow,
    location: "global",
}, {
    provider: customProvider
})

Poorly I am getting the following error message:

error: error sending request: googleapi: Error 400: com.google.apps.framework.request.BadRequestException: Page name should not be specified as it will be automatically generated by Dialogflow upon creation.: "<https://dialogflow.googleapis.com/v3/projects/.../locations/global/agents/v3%2Fprojects%2Flocations%2Fglobal%2Fagents%2Fc6e7342e-3385-4846-af64-cbf6918c2b39/flows/projects%2FFlocations%2Fglobal%2Fagents%2Fc6e7342e-3385-4846-af64-cbf6918c2b39%2Fflows%2F00000000-0000-0000-0000-000000000000/pages>" map[__autonamed:true agentId:v3/projects/.../locations/global/agents/c6e7342e-3385-4846-af64-cbf6918c2b39 displayName:Hallo flowId:projects/.../locations/global/agents/c6e7342e-3385-4846-af64-cbf6918c2b39/flows/00000000-0000-0000-0000-000000000000 location:global name:projects/.../locations/global/agents/v3/projects/.../locations/global/agents/c6e7342e-3385-4846-af64-cbf6918c2b39/flows/projects/.../locations/global/agents/c6e7342e-3385-4846-af64-cbf6918c2b39/flows/00000000-0000-0000-0000-000000000000/pages/5757dc8e-e2ce-4d51-a257-675cd7c00e01-5bc9156 project:...]

It seams Pulumi wants to set the name / id of the page. But google does not allow it. Someone who tried this earlier? Thanks for helping!

Hi All, I'm a noob to typescript but have a bit of experience with pulumi. I'm trying to find a way to define an array in my stack yaml (Pulumi.int.yaml) and reference the array within a class and pass it as an array to azure.network.Subnet. eg. My class looks like

export class subNet {
    constructor(name: string) {
        const data = new azure.network.Subnet("data", {
            addressPrefixes: [config.require('datasubnetrange')],
            enforcePrivateLinkEndpointNetworkPolicies: true,
            name: "data",
            resourceGroupName: "dpc-spi-networking-"+config.require('envid')+"-rg-aue-"+config.require('index'),
            serviceEndpoints: [
                //"Microsoft.KeyVault",
                //"Microsoft.AzureActiveDirectory",
                //"Microsoft.Storage",
                //"Microsoft.Sql",
                config.require('serviceEndpoints')
            ],
            virtualNetworkName: "dpc-vnet-spi-"+config.require('envid')+"-aue-"+config.require('index'),
        }, {
            protect: true,
        });
    }
}

My stack yaml will look something like

env:serviceEndpoints:
    - Microsoft.KeyVault
    - Microsoft.AzureActiveDirectory
    - Microsoft.Storage
    - Microsoft.Sql

I've tried everything I can think of. Any help would be greatly appreciated.

Hi, when i execute

pulumi refresh

, i got these errors, i'm sure i have the correct aws profile config

aws:ec2:SecurityGroup (relation-nodeSecurityGroup):
    error: Preview failed: 1 error occurred:
    	* error configuring Terraform AWS Provider: AWS account ID not previously found and failed retrieving via all available methods. See <https://www.terraform.io/docs/providers/aws/index.html#skip_requesting_account_id> for workaround and implications. Errors: 3 errors occurred:
    	* failed getting account information via iam:GetUser: SignatureDoesNotMatch: The request signature we calculated does not match the signature you provided. Check your AWS Secret Access Key and signing method. Consult the service documentation for details.
    	status code: 403, request id: 34fa5f6b-9d3a-420a-a840-3c5a1c0a1cc2
    	* error calling sts:GetCallerIdentity: SignatureDoesNotMatch: The request signature we calculated does not match the signature you provided. Check your AWS Secret Access Key and signing method. Consult the service documentation for details.
    	status code: 403, request id: 64751105-14bb-40e7-b12d-2b94e75a9280
    	* failed getting account information via iam:ListRoles: SignatureDoesNotMatch: The request signature we calculated does not match the signature you provided. Check your AWS Secret Access Key and signing method. Consult the service documentation for details.
    	status code: 403, request id: 70da462e-b97e-42f2-a389-62147dd6c695