I am having a problem creating a CDN rule for a Microsoft standard CDN profile. The Pulumi api wants a ruleset name but one isn't needed for rules (based on the ARM template). And trying to create a ruleset via pulumi fails with "That action isn’t allowed in this profile." How can I create a basic CDN rule?

Hi folks. I've searched through this slack & github workspace for a similar issue and couldn't find anything. I suspect my problem is something trivial. Basically running pulumi (preview|up) hits the error below. This seems to be a problem within pulumi as it happens whether or not my index.ts file exists. I'm adding logs in thread:

Hi all. I'm just getting started using Pulumi, and part of my project is using Helm resources to deploy apps into our cluster. I'm using a config secrets to pass into the some of the chart values (passwords for apps). Everytime I do a 'pulumi preview' or 'pulumi up', the value changes, resulting in the k8s Secret to be replaced along with the deployments. What am I doing wrong?

For example, here is a config.ts that I use to represent my config:

import * as pulumi from "@pulumi/pulumi";
import * as k8s from "@pulumi/kubernetes";

let pulumiConfig = new pulumi.Config();

export type LagoonCoreConfig = {
    kubeconfig: any;
    gitlab: {
        token: pulumi.Output<string>;
    }
    elasticsearch: {
        install: boolean;
        adminUsername: string;
        adminPassword: pulumi.Output<string>; 
    }
    kibana: {
        install: boolean;
        externalHost: pulumi.Output<string>;
        accountUsername: string;
        accountPassword: pulumi.Output<string>;
    },
    registry: {
        hostname: pulumi.Output<string>;
        harborAdminPassword: pulumi.Output<string>;
    },
    dnsBaseName: any;
}

const clusterStackRef = new pulumi.StackReference(pulumiConfig.require("clusterStackRef"));

const dnsBaseName = pulumiConfig.get("dnsBaseName") || clusterStackRef.getOutput("clusterDnsName");


export const lagoonconfig: LagoonCoreConfig = {
    // Infrastructure / Networking
    kubeconfig: clusterStackRef.getOutput("kubeconfig"),
    gitlab: {
        token: pulumiConfig.requireSecret("gitlabToken"),
    },
    elasticsearch: {
        install: true,
        adminUsername: 'admin',
        adminPassword: pulumiConfig.requireSecret("elasticsearchAdminPassword")
    },
    kibana: {
        install: true,
        externalHost: pulumi.interpolate `kibana.${dnsBaseName}`,
        accountUsername: "kibanaserver",
        accountPassword: pulumiConfig.requireSecret("kibanaPassword")
    },
    registry: {
        hostname: pulumi.interpolate `registry.${dnsBaseName}`,
        harborAdminPassword: pulumiConfig.requireSecret("harborAdminPassword")
    },
    dnsBaseName: dnsBaseName
};

// Create the k8s provider with the kubeconfig.
export const k8sProvider = new k8s.Provider("k8sProvider", { kubeconfig: lagoonconfig.kubeconfig });


export default lagoonconfig;

And the file that deploys the chart for Harbor below. Every time I so a pulumi up, the secret in the 'harborAdminPassword' is different.

import * as k8s from "@pulumi/kubernetes";
import { k8sProvider, lagoonconfig } from "../config";

const hostname = lagoonconfig.registry.hostname;
const url = `https://${hostname}`;

export type HarborOutput = {
    chart: k8s.helm.v3.Chart;
    registryUrl: string;
};

const ns = new k8s.core.v1.Namespace("registry", {
    metadata: { name: "registry" },
}, { provider: k8sProvider })

export const createRegistry = (): HarborOutput  =>  {
    const registryChart = new k8s.helm.v3.Chart("registry",
        {
            namespace: ns.metadata.name,
            chart: "harbor",
            version: "1.5.2",
            fetchOpts: { repo: "<https://helm.goharbor.io>" },
            values: {
                harborAdminPassword: lagoonconfig.registry.harborAdminPassword,
                expose: {
                    tls: {
                        enabled: true,
                        certSource: "secret",
                        secret: {
                            secretName: "registry-harbor-tls",
                        }
                    },
                    ingress: {
                        annotations: {
                            "<http://kubernetes.io/ingress.class|kubernetes.io/ingress.class>": "nginx",
                            "<http://kubernetes.io/tls-acme|kubernetes.io/tls-acme>": "true"
                        },
                        hosts: {
                            core: lagoonconfig.registry.hostname
                        }
                    }
                },
                externalUrl: url,
                clair: {
                    enabled: false
                },
                notary: {
                    enabled: false
                },
                trivy: {
                    enabled: true
                }

            },
        },
        {providers: {kubernetes: k8sProvider}},
    );

    return {
        chart: registryChart,
        registryUrl: url
    };

};

Hi there, new to Pulumi and first post. I'm having some difficulty getting interpolation (C#) to work with the ID output of an Azure Native Resource Group in order to generate the string required to access a well-known Role Definiiton. Here's a working example using hard-coded references to an existing resource group:

using System.Threading.Tasks;
using Pulumi;
using Azure = Pulumi.AzureNative;
using AzureAD = Pulumi.AzureAD;

class WorkingStack : Stack
{
    public MyStack()
    {
        var subscriptionId = "12345678-1234-1234-1234-1234567890ab";
        var existingRgId = $"/subscriptions/{subscriptionId}/resourceGroups/some-existing-rg";

        var rgContributorId = $"{existingRgId}/providers/Microsoft.Authorization/roleDefinitions/b24988ac-6180-42a0-ab88-20f7382dd24c";
        var contributorRoleDef = Azure.Authorization.RoleDefinition.Get("contributorRoleDef",rgContributorId);

        var globalAdmins = AzureAD.Group.Get("globalAdmins","f22ac475-c1e3-4e21-b9a8-4f50f473278c");
        var assignment1 = new Azure.Authorization.RoleAssignment("assignment1", new Azure.Authorization.RoleAssignmentArgs
        {
            PrincipalId      = globalAdmins.Id,
            RoleDefinitionId = contributorRoleDef.Id,
            Scope            = existingRgId
        });
    }
}

but if I try to do the same thing with a created resource group:

class BrokenStack : Stack
{
        public BrokenStack()
    {
        var rg = new Azure.Resources.ResourceGroup("rg", new Azure.Resources.ResourceGroupArgs
        {
            Location = "UK South"
        });

        var rgContributorId = rg.Id.Apply(id => $"{id}/providers/Microsoft.Authorization/roleDefinitions/b24988ac-6180-42a0-ab88-20f7382dd24c");
        var contributorRoleDef = Azure.Authorization.RoleDefinition.Get("contributorRoleDef",rgContributorId);

        var globalAdmins = AzureAD.Group.Get("grp","f22ac475-c1e3-4e21-b9a8-4f50f473278c");
        var assignment1 = new Azure.Authorization.RoleAssignment("assignment1", new Azure.Authorization.RoleAssignmentArgs
        {
            PrincipalId      = globalAdmins.Id,
            RoleDefinitionId = contributorRoleDef.Id,
            Scope            = rg.Id
        });
    }
}

then it fails:

Diagnostics:
  azure-native:authorization:RoleDefinition (contributorRoleDef):
    error: azure-native:authorization:RoleDefinition resource 'contributorRoleDef' has a problem: missing required property 'scope'

Hi, I've been experimenting with a small project and want to now move it to an organization that I've just set up. I'm sure I've seen somewhere that you can move a project from a personal account to an organization, but can't find how to do it. Anybody able to help? Thanks.

I'm trying to run code very similar to this example: https://github.com/pulumi/examples/tree/master/aws-ts-thumbnailer but when doing a

pulumi up

I'm getting the following error: error: Error: invocation of aws:ec2/getVpc:getVpc returned an error: invoking aws:ec2/getVpc:getVpc: 1 error occurred: * no matching VPC found Searching for that on line takes me down a rabbit hole of setting up a vpc that I'm nervous about getting into as there's quite a bit of stuff at the next level of abstraction down that I don't understand and I don't want to do anything that will break any existing infrastructure. Any suggestions on how to work around / fix this error?

Hi, I'm trying to test out any linode resource creation but every 'pulumi up' is saying "Configuration 'linode:token' value is a secret; use 'getSecret' instead of 'get' leading to updates failed. I'm aware about cfg.requireSecret() but I don't see where can I actually put this variable, neither input or output. I'm suspecting pulumi is trying to call api using 'get' token instead of 'getSecret' token so where can I actually fix this? Thanks.

I’m trying to use iam.GetPolicyDocumentStatement to reference the ARN of an s3 bucket I created… but the ARN of the bucket is an Output String right? and the Resources part of the iam bit is a bare string? No way to convert Output<String> to string right? Is there a better pattern to use here?

Hi, I have an issue with the basics and would appreciate any help… I have a project running on python on a docker image which runs a shell script using 

subprocess.Popen

. This shell script does 

gcloud auth

 , 

pulumi login

 and 

pulumi new

back in the python application I am trying to use pulumi auto and its complaining about missing google credentials. Note: I am using google storage as my managed backend… Am I doing anything fundamentally wrong ? how to address this ? I want my python application (using Flask) to create and destroy stacks using pulumi auto (using my gs backend url)

Hi, I’m having trouble setting up a Python project. The docs say that Pulumi supports modularized Python programs and setup.py files, but there isn’t any more info provided there and I can’t get it working with my project structure that looks like this:

my_dir/
  Pulumi.yaml 
  setup.py // calls `setup(packages=find_packages())`
  my_package/
    __init__.py
    __main__.py // does `from .pulumi import *`
    pulumi.py // contains AWS resource created with Pulumi

Now when I run

pulumi up

in

my_dir

, I get the following error:

ImportError: can't find '__main__' module in '.'

Which tells me that Pulumi tries to import

my_dir/__main__.py

and ignores

setup.py

. How can I fix this? Is there any documentation that I’m missing?

Anyone seen this before? I'm pretty confident that the AWS creds are correct which is being passed in

Diagnostics:
  aws:ec2:Vpc (vpc):
    error: 1 error occurred:
    	* error configuring Terraform AWS Provider: AWS account ID not previously found and failed retrieving via all available methods. See <https://www.terraform.io/docs/providers/aws/index.html#skip_requesting_account_id> for workaround and implications. Errors: 2 errors occurred:
    	* error calling sts:GetCallerIdentity: InvalidClientTokenId: The security token included in the request is invalid.
    	status code: 403, request id: 52427706-bd0f-49de-ae8c-d82b557e5cb5
    	* failed getting account information via iam:ListRoles: InvalidClientTokenId: The security token included in the request is invalid.
    	status code: 403, request id: c2f043c0-16d0-436a-9e5d-65238953123d

Hi everyone - hoping for some guidance here. I have a k8s Ingress resource I’m creating that ends up provisioning an AWS ALB. I then want to create a Route 53 Alias based on the provisioned ALB. I’m using

getLoadBalancer

to retrieve the provisioned ALB, but this seems to be in a race condition for the ALB controller to fully provision it. So I get a “load balancer not found” error. I’ve tried wrapping the Ingress resource in an

all

, but that doesn’t seem to help. Any suggestions on what I can do to make the

getLoadBalancer

function to wait for the load balancer to provision?

How do I set CORS settings for 2 (Azure) webapps that are allowed to call each other? So, Webapp1 allows calls from Webapp2 and vice versa.

var webapp1 = new WebApp(name,
       new WebAppArgs
       {
           Kind = "app,linux",
           SiteConfig = new SiteConfigArgs
           {
                Cors = new CorsSettingsArgs
                {
                    AllowedOrigins = {
                      // how do I specify WebApp2 here?
                    },
                    SupportCredentials = false
                 }
            },
          });

I have a test project that is virtually identical to https://www.pulumi.com/docs/tutorials/aws/video-thumbnailer/ when the container runs I'm getting access denied errors for accessing the S3 buckets. The only key difference I have is that I'm referring to existing S3 buckets rather than creating them in the pulumi project. What do I have to do to give permissions for the container to access the buckets?

I'm trying to connect a Fargate container with an EFS filesystem. I've tried a setup very similar to this AWS Lambda with EFS example, but after having solved an (apparently new) requirement of transit encryption in the efsVolumeConfiguration, the task fails to build with:

ResourceInitializationError: failed to invoke EFS utils commands to set up EFS volumes: stderr: b'mount.nfs4: Connection reset by peer' : unsuccessful EFS utils command execution; code: 32

I googled, and some people suggested creating a security group with ingress on 2049/tcp, but this doesn't seem to fix the error. I've tried many setups, but no matter how I configure the VPC, targets or mount points, it doesn't seem to work. Any idea of what I could try?

This is my setup: https://gist.github.com/agucova/272337b17a2797ba36d250ff0e8e823b

Moments after posting this I realized one of the targets was on the wrong security group. It seems the right fix was to use the ingress rule.

Hey everyone, all the pulumi operations i'm trying to perform is stuck at

Registering resource monitor end: t=pulumi:pulumi:Stack, name=axiom.saas-manage-dev, custom=False, remote=False

hello! just getting started with pulumi. i got a cloudrun (ruby) app with cloudsql (pg) up and going with a little effort, but i'm stuck on how to use GCP secrets with Pulumi.

Anyone know how to cast an Output<string> to a string? https://github.com/pulumi/pulumi/issues/7179

Any idea why Pulumi skips an update??? The preview shows that WebApp needs an update which is correct: SiteConfig>AppSettings>code blob URL has changed. However, as you can see, Pulumi does not actually execute this update:

Type             Name   Plan    Info
   pulumi:pulumi:Stack     psrc-dev       
 +- ├─ azure-native:storage:Blob zip   replace  [diff: ~source]
 ~ └─ azure-native:web:WebApp  fnapp57 update   [diff: ~siteConfig]

Resources:
  ~ 1 to update
  +-1 to replace
  2 changes. 8 unchanged

Do you want to perform this update? yes
Updating (dev)

View Live: <https://app.pulumi.com/markymark/psrc/dev/updates/3>

   Type             Name   Status   Info
   pulumi:pulumi:Stack     psrc-dev       
 +- └─ azure-native:storage:Blob zip   replaced  [diff: ~source]

Outputs: ...
Resources:
    +-1 replaced
    9 unchanged

I'm trying out the example aws-ts-lambda-thumbnailer. pulumi up seems to get stuck and just sits there for a considerable amount of time. How long should I wait for it before giving up? How long would it normally take to do a pulumi up for this example? Is there a way to see what's going on so I know if it is hanging or if it is actually doing something? (The example in the readme with the repo shows a duration of 1m41s - mine is running for more than 40 minutes). The only difference I have is that the docker container won't build with a error: The command '/bin/sh -c mv ffmpeg-4.3.1-amd64-static/ffmpeg /usr/bin' returned a non-zero code: 1. So I replaced RUN "mv ffmpeg-4.3.1-amd64-static/ffmpeg /usr/bin" with "RUN mv ffmpeg-*-amd64-static/ffmpeg /usr/bin"

Hey Guys - i am very new to this IaC thing but i think combining IaC with Programming languages is rly great^^

Hi everyone After adding 

eslint

 to my project and format all files  I run command 

pulumi up

 and receive multiple errors like this

aws:lambda:Function (dev-v1-internal-verify):

error: 1 error occurred:

* updating urn:pulumi:dev::aok-multi-pulumi::aws:lambda/function:Function::dev-v1-internal-verify: 1 error occurred:

* error modifying Lambda Function (dev-v1-internal-verify-cb6dab7) Code: RequestEntityTooLargeException:

status code: 413, request id: eadb73d4-c9b3-4946-8a4a-ed2743cde46b

Can anyone help ?

I have an k8s deployment in go that I’m trying to enumerate over appending each deployment to an array but I have no idea how to get it to work

Hi Everyone, I want to know is there any pulumi api exposed to get infrastructure data stored in s3 or any db.

Hi All, I have just started exploring pulumi IaC. Iam stuck at a point please let me know if someone can help. Thanks.