Hi, I'm using aws cli2 with pulumi to try to create S3 bucket. The creation part is ok, but I always got this error:

Error putting S3 policy: AccessDenied: Access Denied

. The thing is the IAM user has been granted full s3 access permission, which includes PutS3Policy. And then I tried our root user credential, still the same. Is there anything I did wrong? Thanks.

import * as pulumi from "@pulumi/pulumi";
import * as aws from "@pulumi/aws";
import * as awsx from "@pulumi/awsx";

const bucket = new aws.s3.Bucket("my-bucket");

const bucketMetric = new aws.s3.BucketMetric("my-bucket-metric", {
  bucket: bucket.bucket,
});

const bucketNotification = new aws.s3.BucketNotification(
  "my-bucket-notification",
  {
    bucket: bucket.bucket,
  }
);

const bucketObject = new aws.s3.BucketObject("my-bucket-object", {
  bucket: bucket.bucket,
  content: "hello world",
});

const bucketPolicy = new aws.s3.BucketPolicy("my-bucket-policy", {
  bucket: bucket.bucket,
  policy: bucket.bucket.apply(publicReadPolicyForBucket),
});

function publicReadPolicyForBucket(bucketName: string) {
  return JSON.stringify({
    Version: "2012-10-17",
    Statement: [
      {
        Effect: "Allow",
        Principal: "*",
        Action: ["s3:GetObject"],
        Resource: [
          `arn:aws:s3:::${bucketName}/*`, // policy refers to bucket name explicitly
        ],
      },
    ],
  });
}

// Export the name of the bucket
export const bucketName = bucket.id;

Any pulumi devs able to chime in on this? https://pulumi-community.slack.com/archives/CRFUR2DGB/p1686379227682259

I upgraded to v3.70 via homebrew and now seeing this error, it seems like a child process is printing with colors switched on?

pulumi:providers:pulumi-nodejs default  error: pulumi-nodejs (resource) plugin [/opt/homebrew/bin/pulumi-resource-pulumi-nodejs] wrote a non-numeric port to stdout ('0'): strconv.Atoi: parsing "\x1b[33m64263\x1b[39m": invalid syntax

Can Pulumi handle a circular

StackReference

, or will that break? I am trying to Create a Snowflake External Storage Integration using an AWS IAM Role, and they need to reference each other. Ideally, we would keep our Snowflake and AWS resources in separate stacks. Thanks!

config items for cloud providers that are set, is there a var we can use to reference what we entered ala

pulumi config set aws:profile my-aws-profile

? Pulumi.my-stack.yaml :

config:
    aws:profile: my-aws-profile
    gcp:project: my-gcp-profile

or would we need to set this as a second param?

Is there a way to re-deploy a resource whenever a dependency is changed? for example: my API gateway stage resource needs to re-deploy every time when the resource or method is changed in the api-gateway

Ok, this isn't directly Pulumi related, but I'm wondering if anyone has any good resources/information/experience on what KPIS/cycle time metrics are good for monitoring progress of a platform team? We're a relatively small start up so whilst we're making platform improvements there isn't major requests coming from our product teams regularly so most things I've read don't make sense for us right now.

Hello, is it possible to reference outputs of a stack that is stored on S3?

hi, quick question that I didn't find any docs for: what is the recommended practice for committing pulumi projects to a public repo, when those projects have secrets?

Anyone at AWS re:Inforce today and/or tomorrow?

Hey team! What’s the best way. to upload a bunch of files recursively into a GCP storage bucket? I want to deploy a webapp and as part of the deployment process I want to upload the static assets to a GCP bucket. I was hoping this would be trivial but so far I haven’t found a recommended practice. Thanks!

Using the C# API, if I create a ComponentResource, how do I block Outputs until all child resources have been created? I know I can do DependsOn but I'd rather just have those semantics automatically unless I explicitly opt out of them

Hello. I have an AWS Aurora RDS which I am upgrading from serverless v1 to serverless v2. The AWS documentation suggests that the equivalent way to do this in the AWS CLI is to use the

--engine-mode

and

--allow-engine-mode-change

parameters in

modify-db-cluster

(I have confirmed this works via the CLI). If I change my aws.rds.Cluster's

engineMode

value from "serverless" to "provisioned" and try a

pulumi up

, the process fails ("DB Cluster already exists") as it tries to replace the cluster. There doesn't seem to be an equivalent to the

allow-engine-mode-change

parameter in the aws.rds.Cluster definition in the Pulumi documentation. I am using Pulumi version 3.70.0.

I'm looking to learn more about the various ways folks in the Pulumi community are authoring and running tests over their Pulumi IaC. We have our own guides on testing at https://www.pulumi.com/docs/using-pulumi/testing/, but I'd love to hear from anyone applying testing to their IaC in particularly notable or impactful ways, to learn more about the approaches you are using. Feel free to share here or in DM if you've got any stories you are able to share!

Does the encryptionsalt (In the

Pulumi.<stack>.yaml

) change every time you (re)create the project state, and is there a way to keep this static? I'm using the password secrets provider and I recreate the state to spin up a local lab, but this is causing a load of needless changes in git

Hello! Is it possible to set

deleteBeforeReplace

in a Crosswalk resource (e.g.,

awsx.ecs.FargateService

)? It's not included in

ResourceOptions

, and it's not clear if I can pass

CustomResourceOptions

somehow. (I'm prototyping with AWS EFS and Fargate and running into problems with multiple Prometheus containers not being able to share the EFS volume.)

Are there any ongoing or known issues with pulumi cloud right now? All of our runs are getting timeout errors.

How do you go about having pieces that need to be created before others. Specifically creating an ECR repository, have a GitHub action workflow push a first image that depends on the creation of the repository which can then be deployed in apprunner for example.

[solved] Testing question: Hi all, I'm trying to learn to test Pulumi code. I wrote this pulumi program in Python to create and configure a GitHub repo. I wrapped the program in a CLI tool using the automation API. Is there a way I can mock the API calls to pulumi while running my CLI tool in some sort of testing mode, and then make assertions about what pulumi says would be created?

import pulumi_github as github
from my_module import GithubRepo  # a dataclass with repo configuration

def _create_repo(repo_config: GithubRepo) -> github.Repository:
    repo = github.Repository(
        resource_name=repo_config.name,
        name=repo_config.name,
        archive_on_destroy=True,
        description=repo_config.description,
        visibility="private",
    )

    if repo_config.actions_variables:
        create_actions_variables(actions_variables=repo_config.actions_variables, repo_name=repo.name)

    if repo_config.actions_secrets:
        create_actions_secrets(action_secrets=repo_config.actions_secrets, repo_name=repo.name)

    for env in repo_config.environments:
        create_environment(env, repo_name=repo.name)

    create_repository_teams(admin_teams=repo_config.admin_teams, repo_name=repo.name)

    return repo

Problem: Pulumi does not stop updating I use the pulumi automation API to deploy aws infrastructure. The screenshot indicates for me that every task is done (see status). Nonetheless, pulumi keeps updating and doesn't finish the up command. What could be a reason for that?

FYI - looks like this change is in a holding pattern: https://github.com/pulumi/pulumi-aws/blob/master/sdk/nodejs/types/enums/lambda/index.ts#L41 however, upgrading to 3.10 python runtime is the fix for urllib3 issue: https://urllib3.readthedocs.io/en/latest/v2-migration-guide.html#ssl-module-is-compiled-with-openssl-1-0-2-k-fips any ETA on next release? been almost a month since the commit was added

hi all! Giving https://www.pulumi.com/blog/converting-full-terraform-programs-to-pulumi/ a go and facing the following issue with conversion:

pulumi convert --from terraform --language go --out pulumi
Converting from terraform...
Downloading provider: terraform
Downloading provider: kubernetes
warning: failed to install provider "helm": could not find latest version for provider helm: 404 HTTP error fetching plugin from <https://api.github.com/repos/pulumi/pulumi-helm/releases/latest>. If this is a private GitHub repository, try providing a token via the GITHUB_TOKEN environment variable. See: <https://github.com/settings/tokens>

there are more errors after that which are related to helm provider config. Nothing fancy in providers.tf in terraform though:

provider "kubernetes" {
  host                   = data.aws_eks_cluster.cluster.endpoint
  token                  = data.aws_eks_cluster_auth.cluster.token
  cluster_ca_certificate = base64decode(data.aws_eks_cluster.cluster.certificate_authority.0.data)
}

provider "helm" {
  kubernetes {
    host                   = data.aws_eks_cluster.cluster.endpoint
    token                  = data.aws_eks_cluster_auth.cluster.token
    cluster_ca_certificate = base64decode(data.aws_eks_cluster.cluster.certificate_authority.0.data)
  }
}

Hey team! The new Docker provider version v4+ completely changes the output of docker.Image in imageName. In the new version there’s now image hash attached. For example: v3:

imageName = <http://gcr.io/xxxxx/my-app:dd173278046fcc735e6bd5f884a42ace408775b3aea38431aafe9267a46647ba|gcr.io/xxxxx/my-app:dd173278046fcc735e6bd5f884a42ace408775b3aea38431aafe9267a46647ba>

v4:

imageName = <http://gcr.io/xxxxx/my-app|gcr.io/xxxxx/my-app>

With this change, the resources that depend on the Docker image don’t get updated whenever the docker image is updated. That also breaks many of the examples provided by Pulumi that involve deploying a docker image to the cloud. Is that intentional or it’s a bug?

hi there, is it possible to create a VM instance on a specific compute node in openstack using pulumi?

Hi, I am looking for a way to update a resource by splitting its config into multiple Pulumi stacks and perform updates to that resource after selecting those Pulumi stacks at various points in time. To be precise, we have an application load balancer (Application Gateway) from Azure that hosts multiple sites, our single Pulumi stack for that is getting really fat day by day as more and more domains/sites are exposed through the same and we are looking into a way that would allow us to put different domain configs into different stacks and then update them through different Pulumi stacks. Any idea would be very much appreciated!

Hello! We got a strange issue here, we were deploying our infra with MSI, and backend storage is an Azure storage blob. All the state files are created and saved in the .pulumi/stacks folder, very flat. Now, we moved to deploy with OIDC, for some reason, the state file is now created by Pulumi up to .pulumi/stacks/[Name value in Pulumi.yaml] folder. Does anyone know if this is an intended feature for OIDC authenticated deployment?

Hello everyone!!! I hope you’re all learning a ton this week with PulumiUP. I wanted to introduce myself, I recently joined Pulumi and I'm part of the docs and learning team and thrilled to be a part of this amazing community. The beauty of open source is that it thrives on collaboration and continuous learning. We have a firm belief that easy to find and helpful content, learning, and documentation are all things essential to this community being successful and I’d love to hear from you! Whether you’ve stumbled across a bug or typo, found a convoluted explanation that left you scratching your head, or discovered an amazing tutorial and example that made your job so much easier. Feel free to drop me a DM, post in this channel, or if you prefer the old school way, shoot an email my way at jdenyer@pulumi.com. If you have a suggestion or question, don't hesitate to bring it up. Can't wait to hear from you! -- James

I am really having trouble wrapping my head around what makes sense to have in a

Pulumi.yaml

file VS what should just be defined in code. It seems like the docs recommend that you'd want to have things defined in your

Pulumi.yaml

config the stuff that is likely to vary between versions of your stack (e.g. development VS production). Okay, reasonable enough. However, I'm struggling with the proper way to structure this. I was hoping to have something like this in my Project-level config:

project:mysql-instance:
    description: MySQL instance
    value:
      name: my-db
      version: MYSQL_8_0
      disk-size: 10
      availability: REGIONAL
      tier: db-custom-1-3840

and then something like this in my Stack-level config:

project:mysql-instance:
      availability: ZONAL

To have a lower availability level in my dev environment. Unfortunately, it seems that this wipes out the entire

mysql-instance

config rather than just overwriting a single value. Are there any recommendations on how to achieve something like this? The only way I can think of is to ditch structured configuration values and have every single configuration option that would vary between stack as a top-level attribute in your config -- but that doesn't scale at all, you'll soon have hundreds of top-level properties in your config and it will be extremely challenging to figure out what corresponds to what.

I've just created a new Pulumi project and stack by creating the yaml files manually: the only Pulumi commands I've run so far are

pulumi stack init

,

pulumi stack select

and

pulumi stack tag set ...

. I'm now trying

pulumi preview

(or

pulumi up

) but the CLI is giving me this error message:

error: getting stack configuration: stack configuration could not be loaded from either Pulumi.yaml or the backend: no previous deployment

This is new to me. Does anyone know what causes it? Or where in the code I might find this, so I can figure it out?

Hi All, Hi there, I ran into an issue when deploying the pulumi project, even after upgrading to the latest npm package version 5.44.0. Can you please advise me on how to fix this? Thanks!