I’m trying to follow the instructions here (https://www.pulumi.com/docs/guides/oidc/aws/) to set up OIDC such that Pulumi Deployments can run… but I’m getting:

Error: fetching AWS credentials: WebIdentityErr: failed to retrieve credentials, caused by: AccessDenied: Not authorized to perform sts:AssumeRoleWithWebIdentity, status code: 403

Any ideas? I’m using Pulumi to create the OIDC configuration and AWS roles:

import pulumi_aws as aws
import json

# Create OIDC provider for Pulumi Deployments
oidc_provider = aws.iam.OpenIdConnectProvider(
    "Pulumi OIDC Provider",
    client_id_lists=["MYORG"],
    # <https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_providers_create_oidc_verify-thumbprint.html>
    thumbprint_lists=["9E99A48A9960B14926BB7F3B02E22DA2B0AB7280"],
    url="<https://api.pulumi.com/oidc>",
)

oidc_provider_role = aws.iam.Role(
    "Pulumi OIDC Provider Role",
    name="PulumiOIDC",
    assume_role_policy=oidc_provider.arn.apply(
        lambda arn: json.dumps(
            {
                "Version": "2012-10-17",
                "Statement": [
                    {
                        "Effect": "Allow",
                        "Principal": {
                            "Federated": arn,
                        },
                        "Action": "sts:AssumeRoleWithWebIdentity",
                        "Condition": {
                            "StringEquals": {
                                "<http://api.pulumi.com/oidc:aud|api.pulumi.com/oidc:aud>": "MYORG",
                                "<http://api.pulumi.com/oidc:sub|api.pulumi.com/oidc:sub>": "pulumi:deploy:org:MYORG:project:*:*",
                            }
                        },
                    }
                ],
            }
        )
    ),
)

I’m not sure I understand what ComponentResource’s offer that

{ parent: xyz }

doesn’t already provide?

Hi, I know this is a pulumi only community, i need help with another IaC Provider: Terraform, Could anyone help me? we cold create another channel if necessary

Can someone point me towards a TypeScript Pulumi example that is spread across multiple

.ts

files? I'd like to verify what I think of as idiomatic TypeScript and the preferred approach of the Pulumi community.

I’m trying to reconcile `Error: python projects without a

virtualenv

project configuration are not yet supported` I’m getting from Deployments with the fact that we’re using Poetry for our dependencies like this article demonstrates. Any suggestions?

Hi Guys, i am new to pulumi and trying to deploy kubeflow on gcp. I am using pulumi python and GCP...and deployed pulumi kuberntes-gcp-python and now I would like to deploy kubeflow but I am stuck. Any help ?

I have tried to run the following code but no success:

# new kubeflow
kubeflow = gcp.container.Registry("kubeflow")

deployment = Deployment(
    "kubeflow-deployment",
    spec=DeploymentSpecArgs(
        replicas=1,
        selector=LabelSelectorArgs(
            match_labels={
                "app": "kubeflow",
            },
        ),
        template=PodTemplateSpecArgs(
            metadata=ObjectMetaArgs(
                labels={
                    "app": "kubeflow",
                },
            ),
            spec=PodSpecArgs(
                containers=[
                    ContainerArgs(
                        name="kubeflow",
                        image="kubeflow",
                        env=[
                            EnvVarArgs(
                                name="NAMESPACE",
                                value="kubeflow",
                            ),
                        ],
                        command=["/bin/bash"],
                        args=[
                            "-c",
                            "/opt/deploy.sh",
                        ]
                        
                    )
                ]

            )
        )
    ),
    metadata=ObjectMetaArgs(
        labels={
            "app": "kubeflow",
        }
    )
)

pulumi.export("name", deployment.metadata["name"])

# Allocate an IP to the Deployment.
app_name = "kubeflow"
app_labels = { "app": app_name }
frontend = Service(
    app_name,
    metadata={
        "labels": deployment.spec["template"]["metadata"]["labels"],
    },
    spec={
        "type":  "LoadBalancer",
        "ports": [{ "port": 80, "target_port": 80, "protocol": "TCP" }],
        "selector": app_labels,
    })

# When "done", this will print the public IP.
result = None

ingress = frontend.status.apply(lambda v: v["load_balancer"]["ingress"][0] if "load_balancer" in v else None)
if ingress is not None:
    result = ingress.apply(lambda v: v["ip"] if "ip" in v else v["hostname"])

pulumi.export("ip", result)

Hello all, while i was logging into minio bucket using pulumi i was getting below error. can some one suggest me or help to resolve this issue. pulumi login 's3://test-dataplatform-pulumi-state?endpoint=https://obs.vcloud.abc/&disableSSL=true&s3ForcePathStyle=true' Getting below error error: problem logging in: unable to check if bucket s3://test-dataplatform-pulumi-state?endpoint=https://obs.vcloud.abc/&disableSSL=true&s3ForcePathStyle=true is accessible: blob (code=Unknown): RequestError: send request failed caused by: Get "https://obs.vcloud.abc/test-dataplatform-pulumi-state?list-type=2&max-keys=1": x509: certificate signed by unknown authority

Is there any more documentation on setting up Pulumi Deployments beyond https://www.pulumi.com/docs/intro/pulumi-service/deployments/? I can’t seem to get it working for a Python Pulumi project

Hey all, trying to understand the self-managed state. I'd use either a GCS or S3 bucket. Does Pulumi handle locking/concurrency on these types of backends automatically? The documentation isn't really clear, and seems to suggest only the Pulumi Service backend does this. If we had GCS/S3 backend could we end up with a broken state if a stack was updated by 2+ instances concurrently? Thanks!

Hi teams, Should I restart argocd-server after updating argocd-rbac-cm.yaml

Hi, I am having difficulty understanding how to create a SubnetGroup where the subnet ids are created in the call to

new awsx.ec2.Vpc("vpc-name", ...)

I am passing in a list of subnetSpecs:

const subnetSpecs = [
        {
            type: awsx.ec2.SubnetType.Public,
            name: "public",
            cidrMask: 24,
            tags: {
                ...publicSubnetTags,
            },
        },
        {
            type: awsx.ec2.SubnetType.Private,
            name: "kubernetes",
            cidrMask: 24,
            tags: {
                ...privateSubnetTags,
            },
        },
        {
            type: awsx.ec2.SubnetType.Private,
            name: "rds",
            cidrMask: 24,
            tags: {
                ...rdsSubnetTags,
            },
        },
    ];

rdsSunetTags is:

const rdsSubnetTags : {
        Name: "rds",
    };

Finally, and this is where I am stuck, after the call to

new awsx.ec2.Vpc("vpc-name", ...)

I want to create a subnet group for the rds subnets and attempt to do so as follows:

// Create RDS subnet group
    aws.ec2
        .getSubnets({
            tags: {
                Name: "rds",
            },
        })
        .then((rdsSubnets) => {
            console.log("rdsSubnets: ", rdsSubnets);

            // create a subnet group for the RDS subnets
            const rdsSubnetGroup = new aws.rds.SubnetGroup("rds-subnet-group", {
                subnetIds: rdsSubnets.ids,
                tags: {
                    Environment: env,
                },
            });
        });

Not surprisingly, rdsSubnets contains an empty list of subnets because new awsx.ec2.Vpc hasn't completed provisioning resources yet and there, in fact, are no subnets in the VPC. What is the right approach? Is there a way to get a Subnet promise that resolves when the the VPC and all of the subnets have been created? Thank you.

I'm unable to access Config from within a Jupyter notebook cell .. is that a known problem or has anyone been able to do so? I can access from CLI just fine, but running in a cell the config values are never available. Selecting the stack programmatically and then calling stack.get_all_config() will return an empty dictionary.

Is there an abstraction library I can use on top of pulumi so that our developers/users won't have to write Pulumi code to build aws resources? I'd like to make it invisible for them.

I tried the code from this page yesterday, https://www.pulumi.com/docs/guides/crosswalk/aws/elb/. However, I couldn't get it to work.

pulumi up

was complaining about export. I tried creating it as a typescript as well as javascript. Both failed. It does look like it's a javascript code. Any ideas?

Good morning. I created a load balancer with ec2 instances behind it. A new security group also got created. I manually updated the security group in EC2 console so I can test if

pulumi preview

will see the difference. I would like to see if it works the same as

terraform plan

. However, it didn't see the manual change I made. What am I doing wrong?

Hi teams, I always get sync error info, “some workloads already exist”, when I first sync the application. Do you have any suggestion?

Hey! I can't for the life of me figure out how to use the import functionality for our Pulumi plugin. Looking at the example YAML our resources are named symbiosis:RESOURCE (https://www.pulumi.com/registry/packages/symbiosis/api-docs/cluster/), but trying to import it as symbiosis:RESOURCE yields this error:

import type "symbiosis:Cluster" is not a valid resource type token. Type tokens must be of the format <package>&lt;module&gt;<type>

What am I missing?🫣

Hi all, relatively new to Pulumi but have been doing IaC with Terraform/Terragrunt for a while. I have a question about inputs/outputs across packages/projects. A concrete example: We have an IaC package in a monorepo where we define a VPC. We wish to use the VPC id in the (TypeScript) configuration of a serverless framework package. Previously we did this by putting the VPC id in an AWS secret and importing it in the serverless config, but I was curious to hear if there are alternatives with Pulumi? I have been browsing the docs, but I have not come across anything similar

Hello friends, I'm just checking out Pulumi atm. It looks like you have built some very nice tools ❤️ I have a confession to make however. In the demo video on the homepage, it seems that a config with an S3 bucket exposed as a website is queried for a

bucketUrl

, but the entire URL is not returned (eg., nothing like "http://" at the beginning). This means it is not a URL, as no scheme is present. I find this a bit troubling... is this loose application of domain terms like "URL" par for the course, or just an outlier?

Hey all! I had a question about how to structure our cloud resources within pulumi projects. So things that are meant to be shared (only created once), for example, users and groups, shared fargate clusters, VPCs, and so on, should be in a project, called "infra" for example. Then we could have another pulumi project, called MyApp, that manages the resources specific to this app right? So this second project would use the resources created in the first one, correct? I would be very interested in the experience of others and how they structure their cloud resources and their git-ops repositories if someone is willing to share! Thanks in advance for your help! Cheers!

Whats the difference between: Google Cloud (GCP) Classic and Google Cloud Native ? Which one I supposed to be using? Will Google Cloud (GCP) Classic be moving to Google Cloud Native ?

Hi, I am trying to add access policies to an existing key vault in azure from pulumi like described here https://learn.microsoft.com/en-us/azure/templates/microsoft.keyvault/vaults/accesspolicies?pivots=deployment-language-bicep but it doesn't seem like pulumi has anything equivalent to this? https://www.pulumi.com/registry/packages/azure-native/api-docs/keyvault/

I have been trying for a ridiculous amount of time now to use an array in config in Pulumi.yaml and cannot get anything to work when I try using pulumi up. How am I meant to get this to work? // Pulumi.yaml

name: my-site
runtime: nodejs
main: ./index.ts
config:
    aws:region: us-east-1
    domain: <http://robcarr.net|robcarr.net>
    tags:
        type: array
        items:
            - production
            - staging

// Pulumi.default.yaml

name: default
config:
    aws:region: us-east-1
    domain: <http://robcarr.net|robcarr.net>
    tags:
        type: array
        items:
            - production
            - staging

8 errors occurred: * #/config/tags: oneOf failed * #/config/tags: expected string, but got object * #/config/tags: expected integer, but got object * #/config/tags: expected boolean, but got object * #/config/tags: expected array, but got object * #/config/tags: doesn't validate with '/$defs/configTypeDeclaration' * #/config/tags/items: doesn't validate with '/$defs/configItemsType' * #/config/tags/items: expected object, but got array

Hi, guys. I have a quick question. how do you build a project that have mutiple

Pulumi.<cluster>.yaml

And some yaml file with resource A, some yaml with resource B. Seems each resource will trying to build with all stack files. Here is a example project structure I am going with:

├── infrastructure
│   ├── iac
│   │   ├── aws
│   │   │   ├── containers
│   │   │   │   ├── index.ts
│   │   │   │   ├── package.json
│   │   │   │   ├── Pulumi.yaml
│   │   │   │   ├── Pulumi.foo.yaml
│   │   │   │   ├── Pulumi.bar.yaml
│   │   │   │   ├── ecr
│   │   │   │   │   ├── index.ts
│   │   │   │   ├── fargate
│   │   │   │   │   ├── index.ts

Like a example here

Pulumi.foo.yaml

will only have

ecr

resource.

Pulumi.bar.yaml

will only have

fargate

resource. How do I make each resource

index.ts

smartly know if there is no config about ecr in the stack yaml file. I will do nothing.

Hi, is pulumi service a proprietary software? Or is it possible to self-host it without license? Thanks

Is there anyway of setting a route53 alias to point at another route53 alias? I have the following but the linter is complaining:

export function setCloudFrontRecordAAAA(
    name: string,
    distribution: aws.cloudfront.Distribution,
    zone: aws.route53.Zone
) {
    const record = new aws.route53.Record("AAAA-alias", {
        name,
        type: "AAAA",
        zoneId: zone.zoneId,
        aliases: [
            {
                evaluateTargetHealth: true,
                name: distribution.domainName,
                zoneId: distribution.hostedZoneId,
            },
        ],
    });

    return record;
}

export function setCloudFrontWWWAlias(
    name: string,
    record: aws.route53.Record,
) {
    const wwwRecord = new aws.route53.Record("www-alias", {
        name,
        type: "AAAA",
        zoneId: record.zoneId,
        aliases: {
            name: record.name, <--- LINTER DOESN'T LIKE THIS
            zoneId: record.zoneId,
            evaluateTargetHealth: true,
        }
    });

    return wwwRecord;
}

Is there a way to change Project name in the

Pulumi.yaml

file?

Hi Folks, we recently started facing the issue mentioned here: https://github.com/pulumi/pulumi-eks/issues/720. I have added details about the error and our dependencies: https://github.com/pulumi/pulumi-eks/issues/720#issuecomment-1486265287. It would be great if anyone can guide me on this.

I want to test Pulumi for my private projects. How can I get rid of the question to add an organization after each login?