Getting consistent 403s on

pulumi refresh

when it tries to download plugins. This is in GitHub actions, ubuntu:22 runners which come w/Pulumi CLI loaded. Even the retry logic isn't enough most of the time. Took 4 re-runs (each w/5 retries!) to get past it this morning. GitHub Actions run step:

- name: Refresh Kubernetes
  shell: bash
  run: |
    cd kubernetes/
    pulumi stack select our-org/${GOOGLE_PROJECT}
    n=1
    max=5
    while true; do
      pulumi refresh -y --non-interactive && break || {
        if [ "$n" -lt 5 ]; then
          echo "Failed attempt $n/$max"
          n=$((n+1))
          sleep 30
        else  
          echo "[ERROR] Retries exhausted"; exit 1
        fi
      }
    done

Error:

error: could not load plugin for kubernetes provider 'urn:pulumi:my-stack::kubernetes::gcp:container/cluster:Cluster$pulumi:providers:kubernetes::provider': Could not automatically download and install resource plugin 'pulumi-resource-kubernetes', install the plugin using `pulumi plugin install resource kubernetes`.
Underlying error: 403 HTTP error fetching plugin from <https://api.github.com/repos/pulumi/pulumi-kubernetes/releases/latest>

Some days it works first try, most of the time it gives us issues.

we have a scenario where we either point to an existing (AWS) Vpc or create a new one. I need to pass the subnet IDs to another piece of code in the 'existing' case, i need to look up the subnet IDs... which i can do using

await aws.ec2.getSubnetIdsOutput({vpcId: predefined.vpcId});

and it returns an object with an

ids

property of type:

Output<string[]>

in the case of pulumi managed (awsx) VPC, the vpc object has a

privateSubnetIds

property with a type of

Output<string>[]

... any idea how to convert them both into the same type? ie, either convert

Output<string[]>

into

Output<string>[]

or visa versa

pulumi>=3.0.0,<4.0.0
pulumi_cloudflare>=4.14.0
pulumi-vault
pulumiverse_sentry

hmm, I’m working on Python project and look like there is no naming conversation for packages =.=!

Anyone want to help out a dummy with an api version error? azure-nativestorageBlobServiceProperties (sablobServiceProperties): error: autorest/azure: Service returned an error. Status=404 Code="HttpResourceNotFound" Message="The request url https://management.azure.com/subscriptions/<StorageAccountURL>?api-version=2021-02-01 is not found." Can I select a specific api version for the resource somehow?

How can I log stack reference values (in TS)? I tried using pulumi.log https://www.pulumi.com/docs/intro/concepts/logging/#logging, regular console.log statements, but nothing prints out the value. simplified code:

const oidcProvider = new pulumi.StackReference(`org/project/${awsAccount}`);
const oidcProviderArn = oidcProvider.getOutput('arn');

console.log(oidcProviderArn)

Hey there; I’m getting this error:

tailscale:index:Acl (development-tailnetAcl):
    error: 1 error occurred:
        * Failed to set ACL: ! You seem to be trying to overwrite a non-default ACL with a tailscale_acl resource.
    Before doing this, please import your existing ACL into Terraform state using:
     terraform import $(this_resource) acl
    (got error "precondition failed, invalid old hash (412)")

I’m not really sure which room to ask for help in. Does anyone have an idea why this may be happening? Or how I can rectify it?

hi everyone, does the @pulumi/cloudflare package support importing cloudflare managed rulesets and configuring rule overrides on the ruleset?

Hi Folks , I am going to add GCS to manage backend state for my pulumi application. How to add gcs bucket cred in directly in pulumi configurations files instead of pulumi login gs://bucket_name.

Hello, how can I transfer a stack ownership after it has been transferred to an organization? I currently own a stack, after transferring to the organization I can't rename the stack. I would like to have the organization to have ownership.

Is there a way to cause a resource in pulumi to be generated each time another resource requests it? As opposed to being stored permanently I’d like it to be fresh each time it’s needed. The specific use case is the generation of a temporary authorization key for a SaaS product (tailscale). The auth key allows the target ec2 node to connect to the platform. It’s considered a one use token. I’m often recreating this ec2 instance as I make changes to it. I’d like the auth key to be generated each time the ec2 instance is recreated. As it currently stands the key is being created and stored in state, and then referenced thereafter. This key expires after 5 minutes, and I start getting errors related to using an old key.

Hello! I’d like your advice. I’m building a PaaS feature to let my framework users deploys apps similarly to Heroku or Vercel. Thinking about storing all the app code in Gitlab repos, and driving all deploys with Pulumi API (from Node backend) Are there existing projects that would offer a good working base (starting from scratch here), or provide me with good foundations? For example, I’m not sure if I should store my user’s app secrets in Pulumi, or store them in my own database for easier retrieval. I’d love your input 🙂

For reference, here are the basic function I’d need to implement. How would you go around it?

Blog - VPC endpoint centralization using Pulumi. https://www.linkedin.com/pulse/vpc-endpoint-centralization-using-pulumi-dinesh-sharma/?trackingId=Kwpiq2XASoW1uUERqjCiFw%3D%3D

Hey gusy, anybody knows why I am getting this error when trying to access a stack configs?

error: unable to check if bucket <s3://tom-pulumi-state> is accessible: blob (code=Unknown): AccessDenied: Access Denied

while running this command

pulumi config get foo:bar --config-file Pulumi.dave-test.yaml

I don’t expect pulumi to look at files on remote backend though

Hi David This can happen if you have created the stack with one set of credentials and thn try to edit the stack with different credentials. If you are using SSO temp credentials, please make sure to use the same credential.

Hello, I am trying to enable Azures blobCSIDriver (https://learn.microsoft.com/en-us/azure/aks/azure-blob-csi?tabs=NFS) on a managed cluster in the azure.native (https://www.pulumi.com/registry/packages/azure-native/api-docs/containerservice/managedcluster/) package. However, I cannot figure out how to do so. Azures documentation uses the Azure CLI like so

az aks update --enable-blob-driver -n myAKSCluster -g myResourceGroup

which doesn't help much wrt. pulumi and I cannot find anything in the pulumi docs on how to do this for the azure.native package.

Hi! Was wondering if it is possible to use Pulumi to push a image to AWS lightsail?

Hi, I’m new to your ecosystem. I just wanted to say how amazing Pulumi is. I love what you all have done. As a software engineer who’s been writing highly efficient and effective on-prem “infrastructure as code” in Perl, Python and Go for about two decades now, I realize that I’ve been constantly building and rebuilding what you all have successfully formalized. Your strategy with the “Deployment Engine” is brilliant and the only thing that makes sense when automating infrastructure. The popularization of Ansible, Terraform, and other DSL-garbage has recently pushed me into trying to make those solutions fit into my latest endeavors, and I hate it. Thank you for this breath of fresh air, and for validating what I’ve known to be the right and only sensible way of doing automation all along. I hope that this message makes its way to at least some of the people involved in manifesting Pulumi, and I sincerely hope I have the opportunity to work with some of you in the future.

I keep running into situations where I want to create resources in

.apply()

. For example, I create a vpc

const vpc = new awsx.ec2.Vpc(...)

then I want to add a route to a transit gateway to each route table

const onPremIps = ...
const transitGatewayIps = ...
const routeTables = aws.ec2.getRouteTablesOutput({ vpcId: vpc.vpcId })
routeTables.apply((rts) =>
  rts.ids.forEach((id) => {
    new aws.ec2.Route(`${id}-onprem-route`, {
      routeTableId: id,
      destinationCidrBlock: onPremIps,
      transitGatewayId,
    })
  })
)

Is there some other way I’m supposed to be doing this kind of thing?

Hey everyone, the Pulumi offices are closed and Pulumi employees are on break this week (it’s our “winter refresh week”), so replies from Pulumi folks might take a tad longer than normal. We appreciate your patience! cute pulumi heart

Hey everyone I'm trying out Pulumi first time and is running into some issues. Wrote a simple go program to provision an ARO cluster following this article as a reference. https://www.pulumi.com/registry/packages/azure-native/api-docs/redhatopenshift/openshiftcluster/ I am creating resource group, vnet, subnets etc. before creating the aro cluster resource. Issue I'm having is cluster provisioning just happens partially. I see the resource created in azure portal but dont see any infra resources. I have tested the steps in my go program with az cli commands and I'm able to provision the ARO cluster. So am sure its an issue with the provider. Here is the error. Can anyone help?

Diagnostics:
  pulumi:pulumi:Stack (create-aro-cluster-dev):
    error: update failed
    error: an unhandled error occurred: program failed:
    waiting for RPCs: rpc error: code = Unknown desc = invocation of azure-native:redhatopenshift:listOpenShiftClusterAdminCredentials returned an error: error reading from server: read tcp 127.0.0.1:54443->127.0.0.1:54440: use of closed network connection

  azure-native:redhatopenshift:OpenShiftCluster (aro-demo):
    error: 1 error occurred:
    	* Code="InternalServerError" Message="Internal server error."

Looking at the docs API version shows 2020-04-30 that seems like a date? If there is another channel for aro specific issues let me know. Can definitely use your help. Working with a customer who is in the middle of infra as code journey so it would be great to have this working end to end. I've tried granting

Okta OAuth app loses assignements when updating to add a second group Hey everyone, I have the following code to add 2 groups to the same app. In the preview it only shows the change for the group creation and the group assignment... however when I did the up, pulumi removed the first group from the app and left only the new one.. manually add the group to the app in okta but now every time i do a pulumi up, the group is removed... any ideas?

export const Group = new okta.group.Group(

config.appName,

{

name: config.appName,

description: config.appName,

},

{ ignoreChanges: ["users"] }

)

export const AdminGroup = new okta.group.Group(

config.adminGroupName,

{

name: config.adminGroupName,

description: config.adminGroupName,

},

{ ignoreChanges: ["users"] }

)

const app = new okta.app.OAuth(

config.appName,

{

grantTypes: ["authorization_code", "refresh_token", "implicit"],

label: config.appName,

redirectUris: config.redirectUris,

postLogoutRedirectUris: config.postLogoutRedirectUris,

refreshTokenRotation: "ROTATE",

responseTypes: ["code", "token", "id_token"],

tokenEndpointAuthMethod: "none",

type: "browser",

pkceRequired: true

},

{

ignoreChanges: ["users", "groups"],

customTimeouts: {

create: "5m",

delete: "60m",

update: "60m",

},

}

)

Hi folks, looking to ask if there are any examples of how Pulumi could be used with a front end UI to trigger infrastructure builds ?

What is difference betwen Pulumi.AzureNative.Network and Pulumi.Azure.Network. Document says Pulumi.AzureNative uses ARM Api, does this mean that any new changes to azure is readily available to pulumi. Sometime terraform takes sometime to get new features (Azure front door changes -SKU took around 5-6 months to be available in TF)

How do you expect optional inputs to be used in .NET? I can see config.GetAsOptionalInput(string name) method, returning Input<T>, but I have hard time wiring it up with a component. Or rather doing that by also providing a default value.

What's the best practice for updating a k8s deployment as part of a cicd pipeline? The container image version atm comes from the config, should it come from an event variable (like the git sha)?

Hi, we´re currently running into the following error when trying a pulumi up with github actions:

Diagnostics:
    kubernetes:core/v1:ConfigMap (log4j):
      error: failed to initialize discovery client: The gcp auth plugin has been removed.
      Please use the "gke-gcloud-auth-plugin" kubectl/client-go credential plugin instead.
      See <https://cloud.google.com/blog/products/containers-kubernetes/kubectl-auth-changes-in-gke> for further details

We already tried, adding:

env:
          USE_GKE_GCLOUD_AUTH_PLUGIN: true

with

run: gcloud container clusters get-credentials <CLUSTER_NAME>

and:

name: 'Set up Cloud SDK'
        uses: 'google-github-actions/setup-gcloud@v0'
        with:
          install_components: 'gke-gcloud-auth-plugin'

We also tried using different version of "setup-gcloud". Does anybody has an idea what we could try next?

Hi, what is the recommended approach for updating resources that... well, can't be updated 😄 . Let's say we have a role assignment in Azure, that doesn't allow changing some properties, but it can be replaced with a new instance of the same, but different properties. When pulumi tries to update it, it fails as provider doesn't allow update operation. Is there any way to force pulumi to remove the old object and create a new one instead? I can also imagine an ugly way where we delete the resource manually, and let pulumi recreate updated version, but form my experience Pulumi doesn't like changes, which aren't reflected in stack state. Any hints?

Hi community, Has anyone dealt with slow Snowflake table updates via pulumi? For instance, our database has around 300 tables where some tables have very many columns. Sometimes when we add new columns to these tables, the process may take a long time to complete (2 hours) or the process may ultimately time out. Some of these tables that take a long time have little to no records. Executing SQL commands to add new columns are instant, so we were wondering what could be the difference? I'm wondering if it's the number of tables that need to be updated concurrently that is the limiting factor. We're using

v4.0.0

of pulumi/actions https://github.com/pulumi/actions/releases/tag/v4.0.0

Hi Guys My Pulumi Packages journey continues 🙂 I have created a pulumi packages repo, and components written in Go The component gets a structure like this:

// GcpPermissionsArgs The set of arguments for creating a GcpPermissions component resource.
type GcpPermissionsArgs struct {
   Project               string   `pulumi:"project"`
   GcpServiceAccountName string   `pulumi:"gcpServiceAccountName"`
   GcpPermissions        []string `pulumi:"gcpPermissions"`
}

GcpPermissions

is an array of strings ([]string). The packages is generating the Typescript code, making the args as follows:

/**
 * The set of arguments for constructing a GcpPermissions resource.
 */
export interface GcpPermissionsArgs {
    /**
     * Array of GCP permissions.
     */
    gcpPermissions: pulumi.Input<pulumi.Input<{
        [key: string]: pulumi.Input<string>;
    }>[]>;
    /**
     * Wanted name for the new service account.
     */
    gcpServiceAccountName: pulumi.Input<string>;
    /**
     * Pulumi project's name.
     */
    project: pulumi.Input<string>;
}

Making the

gcpPermissions

argument be an array of key value variables. Actual result should have been something like:

gcpPermissions: pulumi.Input<string>[];

What am I doing wrong? how can I solve this?