Hello community Once we import the resources from aws to pulumi stack ( ex ec2) , and if i want to remove it from pulumi in future ( suppose if i dont want to manage that resource under pulumi) how can we do it?

hia, looking into setting up elastic cloud resource using azure. We are using the pulumi native , and i cant find any info on how to do this . azure.elasticcloud.Elasticsearch is part of classic.

any idea where to start

Hello everyone, I am close to importing a whole Snowflake stack but I seem to have some trouble importing the RoleGrants. I have several users and roles granted the ACCOUNTADMIN role like this:

show grants of role ACCOUNTADMIN;

<output redacted>

role          granted_to  grantee_name
------------  ----------  ---------------------
ACCOUNTADMIN  USER        ******
ACCOUNTADMIN  ROLE        PULUMI_ROLE
ACCOUNTADMIN  USER        *****************.com
ACCOUNTADMIN  USER        ***********.com
ACCOUNTADMIN  USER        *************.com
ACCOUNTADMIN  USER        ************.com
ACCOUNTADMIN  USER        ***************.com

when importing, I expect the following command to pull in the roles mentioned above:

pulumi import --diff snowflake:index/roleGrants:RoleGrants ACCOUNTADMIN ACCOUNTADMIN

but the result is disappointing:

accountadmin = snowflake.RoleGrants(
    "ACCOUNTADMIN", 
    role_name="ACCOUNTADMIN",
    opts=pulumi.ResourceOptions(protect=True))

No mention of grantee roles or users here, what am I missing? thanks!

Hello community, I am trying to create a docker image in which I try to loging to pulumi into my Docker file

RUN aws configure set aws_default_prodile $PULUMI_S3_AWS_DEFAULT_PROFILE
RUN aws configure set aws_access_key_id $PULUMI_S3_AWS_ACCESS_KEY_ID
RUN aws configure set aws_secret_access_key $PULUMI_S3_AWS_SECRET_ACCESS_KEY
RUN aws configure set default-region $PULUMI_S3_AWS_DEFAULT_REGION

# TODO: make pulumi login no hard code
RUN pulumi --non-interactive login '<s3://archie23>-${STAGE}-pulumi-backend?region=${PULUMI_S3_AWS_DEFAULT_REGION}&awssdk=v2&profile=${PULUMI_S3_AWS_DEFAULT_PROFILE}'

but in the step 35 crash:

Step 31/45 : RUN aws configure set aws_default_prodile $PULUMI_S3_AWS_DEFAULT_PROFILE
 ---> Running in 3aa5ef2e4978
Removing intermediate container 3aa5ef2e4978
 ---> 479c2649a3c3
Step 32/45 : RUN aws configure set aws_access_key_id $PULUMI_S3_AWS_ACCESS_KEY_ID
 ---> Running in 86446c0c9058
Removing intermediate container 86446c0c9058
 ---> f7e2e41f43f1
Step 33/45 : RUN aws configure set aws_secret_access_key $PULUMI_S3_AWS_SECRET_ACCESS_KEY
 ---> Running in 282e2d08e50a
Removing intermediate container 282e2d08e50a
 ---> a56e9d25e713
Step 34/45 : RUN aws configure set default-region $PULUMI_S3_AWS_DEFAULT_REGION
 ---> Running in e2f39cfad76e
Removing intermediate container e2f39cfad76e
 ---> 837b42c8b01e
Step 35/45 : RUN pulumi --non-interactive login '<s3://archie23>-${STAGE}-pulumi-backend?region=${PULUMI_S3_AWS_DEFAULT_REGION}&awssdk=v2&profile=${PULUMI_S3_AWS_DEFAULT_PROFILE}'
 ---> Running in 4fce5d9c0a7f
error: problem logging in: PULUMI_ACCESS_TOKEN must be set for login during non-interactive CLI sessions
The command '/bin/sh -c pulumi --non-interactive login '<s3://archie23>-${STAGE}-pulumi-backend?region=${PULUMI_S3_AWS_DEFAULT_REGION}&awssdk=v2&profile=${PULUMI_S3_AWS_DEFAULT_PROFILE}'' returned a non-zero code: 255

Hi guys, i am running into some issues trying to run a simple script on an existing ECS container using pulumi. Is there anything from pulumi to execute single use task for archiving this ?

I was wondering is it possible to check if a given aws resource is externally managed from within code say before it and after a import

I have pulumi cli and aws cli installed on my linux machine but it won't import anything I think I'm missing something I loaded on my mac via pip but i can't recall what it was

I have recently upgraded the Crosswalk package from 0.40.1 to 1.0.1 Refactoring to replace the classic components with the new top-level components came across a problem... I'm using

amazon-ecs-deploy-task-definition

GitHub action to deploy containers to the Fargate service provisioned with Pulumi. My GitHub workflow reads Pulumi stack output, and feeds the task definition to the GitHub action. The action expects

containerDefinitions

in a JSON format, and nested under the

task_definition

key. However, a simple output in the following form:

export const fgtest = {
  task_definition: service.taskDefinition.taskDefinition,
}

results in

containerDefinitions

key serialized to a string. I have a relatively simple

taskDefinitionOutput

function that deserializes that key into proper JSON, but I am unable to make it work with the new Crosswalk. Any attempt to use the spread operator on the new Crosswalk task definition output results in this obscure error:

TypeError: prop.apply is not a function

Here is a sample code that works with the old (classic) Crosswalk:

import * as pulumi from "@pulumi/pulumi";
import * as aws from "@pulumi/aws";
import * as awsx from "@pulumi/awsx";

const stack = pulumi.getStack();

// taskDefinitionOutput helps return a valid taskDefinition for use in CI/CD
export function taskDefinitionOutput(fargate: awsx.classic.ecs.FargateService) {
  const { id, arn, urn, ...taskDefinition } =
    fargate.taskDefinition.taskDefinition;

  return {
    ...taskDefinition,
    containerDefinitions: taskDefinition.containerDefinitions.apply((data) =>
      JSON.parse(data)
    ),
  };
}

const cluster = new awsx.classic.ecs.Cluster(`cluster-${stack}`, {});
const listener = new awsx.classic.lb.NetworkListener(`nginx-${stack}`, { port: 80 });
const service = new awsx.classic.ecs.FargateService(`service-${stack}`, {
    cluster: cluster,
    assignPublicIp: true,
    desiredCount: 2,
    taskDefinitionArgs: {
        container: {
            image: "nginx:latest",
            cpu: 512,
            memory: 128,
            essential: true,
            portMappings: [listener],
        },
    },
});
export const url = listener.endpoint;

export const fgtest = {
  task_definition: taskDefinitionOutput(service),
}

And here is the (failing) attempt at refactoring for new Crosswalk:

import * as pulumi from "@pulumi/pulumi";
import * as aws from "@pulumi/aws";
import * as awsx from "@pulumi/awsx";

const stack = pulumi.getStack();

// taskDefinitionOutput helps return a valid taskDefinition for use in CI/CD
export function taskDefinitionOutput(taskDefinitionOutput: any) {

  return {
    ...taskDefinitionOutput,
    containerDefinitions: taskDefinitionOutput.containerDefinitions.apply((data:any) =>
      JSON.parse(data)
    ),
  };
}

const cluster = new aws.ecs.Cluster(`cluster-${stack}`, {});
const lb = new awsx.lb.ApplicationLoadBalancer(`lb-${stack}`, {});
const service = new awsx.ecs.FargateService(`service-${stack}`, {
    cluster: cluster.arn,
    assignPublicIp: true,
    desiredCount: 2,
    taskDefinitionArgs: {
        container: {
            image: "nginx:latest",
            cpu: 512,
            memory: 128,
            essential: true,
            portMappings: [{
              targetGroup: lb.defaultTargetGroup,
            }],
        },
    },
});
export const url = lb.loadBalancer.dnsName;

export const fgtest = {
  task_definition: taskDefinitionOutput(service.service.taskDefinition),
}

Please help.

Hi eveyone, noob here. Is there any way to add override.yaml file ( instead of values in a helm chart )?. I have a very long values file with many overrides. And striggling to keep with the Dictionary format ( pulumi python ). Any help would be appreciated greatly.

Hi there, can someone help me take a look, i’m trying to use automation api with

stack_auto = auto.select_stack(stack_name, work_dir='../stacks')
        print(f"successfully select stack {stack_name}")
        print("Previewing stack")
        stack_auto.preview(on_output=print, target=stack_target)
        print("Preview complete")

since

stack_target

is an array like [‘**DOMAIN_abc’] and what I expect is pulumi will preview only on urn matched

**DOMAIN_abc

but python script above running on all urn even not matched with

**DOMAIN_abc

p/s: ran with

pulumi preview --stack <stack_name> --target "**DOMAIN_abc"

was worked well

Hey guys! I have created on AWS ECS a simple service and it runs perfect Now the problem is then i try to destroy the stack and Pulumi tries to delete that Service resource and hangs on its deletion for over 5 mins which is pretty long time for 1 resource deletion Can you guys give me some insights on how to attack this problem?

View Live: <https://app.pulumi.com/neurohelp/ecs-oscs/dev/updates/126>

     Type                                 Name                                                  Status              
 -   pulumi:pulumi:Stack                  ecs-oscs.dev                                 deleted             
 -   ├─ aws:ecs:Service                   ecs-oscs-dev-ecs-service                     deleted (434s)

public sealed class DynamoDbResource : ComponentResource
{
    public DynamoDbResource(string name)
        : base("account-transactions-dynamodb", name)
    {
        var stack = Deployment.Instance.StackName;

        var userTradesTable = new Table("user-trades-table", new()
        {
            Attributes = new[]
            {
                new TableAttributeArgs
                {
                    Name = "Date",
                    Type = "S",
                },
                new TableAttributeArgs
                {
                    Name = "TradeSourceId",
                    Type = "S",
                }
            },

            Name = $"user-trades-{stack}",
            BillingMode = "PAY_PER_REQUEST",
            HashKey = "Date",
            RangeKey = "TradeSourceId"
        });

        var userTransfersTable = new Table("user-transfers-table", new()
        {
            Attributes = new[]
            {
                new TableAttributeArgs
                {
                    Name = "Date",
                    Type = "S",
                },
                new TableAttributeArgs
                {
                    Name = "TransferSourceId",
                    Type = "S",
                }
            },

            Name = $"user-transfers-{stack}",
            BillingMode = "PAY_PER_REQUEST",
            HashKey = "Date",
            RangeKey = "TransferSourceId"
        });

        var role = CreateIamRoleAndAllowActionsForTables(userTradesTable.Arn, userTransfersTable.Arn);

        UserTradesTableArn = userTradesTable.Arn;
        UserTransfersTableArn = userTransfersTable.Arn;
        RoleArn = role.Arn;
    }

    [Output("userTradesTable")]
    public Output<string> UserTradesTableArn { get; set; }

    [Output("userTransfersTable")]
    public Output<string> UserTransfersTableArn { get; set; }

    [Output("role")]
    public Output<string> RoleArn { get; set; }

    private Role CreateIamRoleAndAllowActionsForTables(params Output<string>[] tables)
    {
        var projectName = Deployment.Instance.ProjectName;

        var role = new Role($"{projectName}-role", new RoleArgs
        {
            AssumeRolePolicy = JsonSerializer.Serialize(new Dictionary<string, object?>
            {
                ["Version"] = "2012-10-17",
                ["Statement"] = new[]
                {
                    new Dictionary<string, object?>
                    {
                        ["Action"] = "sts:AssumeRole",
                        ["Effect"] = "Allow",
                        ["Sid"] = "",
                        ["Principal"] = new Dictionary<string, object?>
                        {
                            ["AWS"] = "arn:aws:iam::545464702807:root"
                        }
                    }
                }
            }),
            InlinePolicies =
            {
                new RoleInlinePolicyArgs
                {
                    Name = "dynamodb",
                    Policy = Output.All(tables).Apply(args =>
                    {
                        return JsonSerializer.Serialize(new Dictionary<string, object?>
                        {
                            ["Version"] = "2012-10-17",
                            ["Statement"] = new[]
                            {
                                new Dictionary<string, object?>
                                {
                                    ["Action"] = new[]
                                    {
                                        "dynamodb:BatchWriteItem",
                                        "dynamodb:PutItem",
                                        "dynamodb:DeleteItem",
                                        "dynamodb:UpdateItem",
                                        "dynamodb:DescribeTable",
                                        "dynamodb:Query"
                                    },
                                    ["Effect"] = "Allow",
                                    ["Resource"] = new[] { args[0] }
                                },
                                new Dictionary<string, object?>
                                {
                                    ["Action"] = "dynamodb:ListTables",
                                    ["Effect"] = "Allow",
                                    ["Resource"] = "*"
                                }
                            }
                        });
                    })
                }
            }
        });

        return role;
    }
}

Guys, I'm trying to figure out what is best practices for the allocated services. Should I put all of services in

ComponentResource

? E.g. SQS, SNS, DynamoDB, S3, Secrets Manager

Hello community Is there any option to run a script on a remote machine? Something similar to remote exec function from terraform? I checked the "pulumi command" Provider documents, but the guide is very limited to typescript. We are looking for some examples in python run time. Any example repo/guide would be appreciated 🙏

Has anyone managed to get the GitHub Pulumi Provider to work? I'm just trying to create an environment in a repository and the issue i'm facing is that the GITHUB_OWNER environment variable doesn't appear to do anything and it's failing constructing the correct url to interact with.

Diagnostics:
  github:index:RepositoryEnvironment (preproduction):
    error: PUT <https://api.github.com/repos//pulumi-sample/environments/preproduction>: 404 Not Found []

  github:index:RepositoryEnvironment (sandbox):
    error: PUT <https://api.github.com/repos//pulumi-sample/environments/sandbox>: 404 Not Found []

The value for the GitHub owner should be where the double

//

are after

repos

Hi Pulumi community, How to login into s3 backend using AWS IAM role? supplying the

pulumi config set aws:assumeRole

configuration doesn't work. related issue - https://github.com/pulumi/pulumi/issues/10316 (closed due to no response)

Hey guys, currently I'm running on free-tier, and plan on upgrading to Team, I'm running around 634 resources in pulumi, is there any way to gauge how much pulumi credits we'd be needing/consuming per month?

Hi there, I’m using github action

pulumi/action@v4

and getting error, base in code it’s refer to

def get_config_env() -> Dict[str, Any]:
    """
    Returns the environment map that will be used for config checking when variables aren't set.
    """
    if "PULUMI_CONFIG" in os.environ:
        env_config = os.environ["PULUMI_CONFIG"]
        return json.loads(env_config)
    return {}

but from https://www.pulumi.com/docs/reference/cli/environment-variables/ say

PULUMI_CONFIG

> This environment variable is ignored during normal Pulumi operations -- e.g.,

up

,

preview

, etc. github action yaml file is

- uses: pulumi/actions@v4
        with:
          command: preview
          stack-name: ${{ matrix.stack }}
          comment-on-pr: false
          github-token: ${{ secrets.GITHUB_TOKEN }}
          cloud-url: "<s3://system-pulumi/batdongsan?endpoint=s3.bds.lc&s3ForcePathStyle=true>"
          work-dir: stacks
          target: ${{ matrix.target }}
        env:
          AWS_ACCESS_KEY_ID: ${{secrets.AWS_ACCESS_KEY_ID}}
          AWS_REGION: ${{secrets.AWS_REGION}}
          AWS_SECRET_ACCESS_KEY: ${{secrets.AWS_SECRET_ACCESS_KEY}}
          CLOUDFLARE_API_KEY: ${{secrets.CLOUDFLARE_API_KEY}}
          CLOUDFLARE_EMAIL: ${{secrets.CLOUDFLARE_EMAIL}}
          PULUMI_CONFIG_PASSPHRASE: ${{secrets.PULUMI_CONFIG_PASSPHRASE}}

So I’m thinking there is have a misconfigured, can you help me take a look?

Hi, I have an

pulumi refresh

that is stucking on a Gitlab CI... I am not sure what is the root cause, networking issues, etc.... have anyone went through something similar or have any ideas on how to debug it? my cloud provider is gcp btw...

Hi - is there any way to either define multiple runtimes OR pass in a runtime binary path via the CLI? I’d like to offer some better UX for people trying to debug Pulumi for people using Go

Hi there, is there anyway to implement Webhook or how to send update to Slack channel when run

pulumi/action

on Github action?

Do Pulumi have PHP SDK?

does anyone have any experience with Pulumi's MongoDB API?

Working on moving my homelab to be entirely provisioned on pulumi, this stuff is super cool!

Out of curiosity; to manually establish dependencies; Does resource 1 need to have a

dependsOn

resource 3 explicitly? Or because 3 is a child of 2, will 1 wait until 3 is provisioned if only given a dependency on 2 manually

I want to install only compute related pulumi azure packages in my docker image instead of whole pulumi azure native package. with pulumi azure native package docker image is huge. Can I know to install only required pulumi azure packages in my docker image..Thanks !!

G'day all - I'm attempting to import an existing AWS Elasticsearch (Opensearch) domain in to a pulumi stack - a

pulumi import ...

shows

logPublishingOptions : [
            [0]: {
                enabled              : false
                logType              : "ES_APPLICATION_LOGS"
            }
        ]

however this resource is impossible to recreate exactly on the Typescript side, because

cloudwatchLogGroupArn

is a required property. https://www.pulumi.com/registry/packages/aws/api-docs/opensearch/domain/#domainlogpublishingoption What do I do? Thanks for any advice 😃

what’s the best way to fetch kubeconfig and setup provider for a cluster that has already been created, should we cross reference the stack or build the kubeconfig again or any other way?

Just read the latest article on imports. I think it's great you're raising awareness of this functionality. Pulumi does have a lot of tools in its belt, but often lacks easy-to-digest examples. The blog posts are a nice way of filling the gap. The AWS Account Importer looks like a sweet tool as well. It'd be good to see this added to to help out smaller operations. My experience with importing infrastructure was pretty rocky, however (see thread). It'd be great to hear what alternatives could be taken for importing multiple stacks (environments) and accounting for Drift, or if the experience can lead to improvements in imports for others going forward.

Hi there, another question today. is Pulumi support to detect resources which create manually by user and not managed by Pulumi?