Hi all. My name is Jonelle Boyd and I'm apart of the UX team here at Pulumi. The UX team is looking to make some updates to the Service UI which involve redesigning the Stacks list page and creating a new Resources page, and I am trying to find a couple of our users to interview who use these two areas frequently. This would really help us in assuring that we're considering our users needs and wants when designing for these updates. If you're interested, please DM me. Thanks for your help!

[X-Post] Pulumi Service vs Spacelift Question Thanks!

hi folks, you can now bulk transfer stacks in the service ui. look for the transfer stacks button on the stacks page of individual accounts and the 3-dot menu next to the create project button on the stacks page in collaborative organizations.

howdy 👋 I recently noticed we’re no longer getting comments on PRs, I don’t think anything changed with the github integration, the only major change I can think of is that we switched to reusable workflows Pulumi still adds status checks on the PRs, but not comments - any idea how to troubleshoot this?

pulumi usually hangs on

read pulumi:pulumi:StackReference

- is it a known issue with the pulumi service? would it be better to use a different backend?

Hi, Hope someone can be off assistance - I'm guessing it's a bug in the Pulumi Cloud Service. I've tried setting up a simple test case:

import { LocalWorkspace } from '@pulumi/pulumi/automation';

LocalWorkspace.createOrSelectStack({
    stackName: 'debug-stack',
    workDir: 'debug'
}, {
    stackSettings: {
        ['debug-stack']: {
            config: {
                'debug-stack:accountId': '012345678912',
                'aws:allowedAccountIds': ['012345678912'],
                'aws:region': 'eu-west-1'
            }
        }
    },
    envVars: { AWS_PROFILE: 'REDACTED', PULUMI_ACCESS_TOKEN: 'REDACTED' }
}).then(stack => {
    stack.up({ onEvent: console.log }).then(result => console.log(result.summary));
});

What happens is, after the stack is created in the pulumi cloud, the stack is set without the trailing 0 on the accountId. The local

Pulumi.debug-stack.yaml

file is created correctly at this point. When running up, the state is read from the pulumi cloud and then fails, as it validates against allowed account ids [ '12345678912']. When looking at the up request onEvent output, the preludeEvent shows:

{
  sequence: 0,                                   
  timestamp: 1669902905,
  preludeEvent: {                                
    config: {                                    
      'aws:allowedAccountIds': '[12345678912]',  
      'aws:region': 'eu-west-1',
      'debug-stack:accountId': '1.2345678912e+10'
    }
  }
}

So my guess is there is a type conversion error happening in the Cloud Service.

Hi 👋 I've run into a very frustrating issue with Pulumi and am in need of assistance. Currently all deployments of this stack are blocked because of this issue. I have a simple update to create a new KMS Key and Key alias that is failing due to

Duplicate resource URN

. However there is no other KMS key in this stack and no duplicate URN. I have exported the stack to JSON and verified that there is no matching URN.

error: Duplicate resource URN 'urn:pulumi:production::jackpot-reader::aws:kms/key:Key::jackpot-reader-production-key'; try giving it a unique name

Even weirder, when I go back to a previous commit (before the KMS key was in the stack) and run a

pulumi preview

, in the diff it shows that it's trying to create the KMS Key! Yet there's no key in the IaC!

...
 +   └─ aws:kms:Key                     jackpot-reader-production-key            create     
 +      └─ aws:kms:Alias                key-alias                                create 
...

Changing the name just creates two keys as well! (one with the new and one with the old)

...
 +   ├─ aws:kms:Key                     jackpot-reader-production-kms-key        create     
 +   │  └─ aws:kms:Alias                jackpot-reader-production-kms-key-alias  create     
 +   ├─ aws:kms:Key                     jackpot-reader-production-key            create     
 +   │  └─ aws:kms:Alias                key-alias                                create    
...

Any help would be appreciated as we are essentially blocked from deploying this stack. Versions:

"@pulumi/aws": "^4.38.0"

"@pulumi/pulumi": "^2.1.0"

We are using TypeScript as well. I've tried updating the AWS package, pulumi package, refreshing the stack but no luck.

Hi, not sure if this is the right channel to post this question, I’m doing a proof of concept to migrate from the pulumi service to AWS S3 as the backend. What would be the correct operation to remove the stack references from the pulumi service after migrating to AWS S3 the stack state?

theres a few new lil quality of life improvements in the service ui.. • favicons in your browser tab now indicate update status when on an update page • stacks list page now displays the total stack count have ideas on what would make your life better while using the service ui pls share them over in github! https://github.com/pulumi/service-requests

hi, not sure if this is the correct channel for this question. but im currently working in a team working on the same pulumi project. each team member has a fork and when they run a deployment using

pulumi up

the other team member has to redeploy the entire stack again. thinking its a state issue, but state is managed via the pulumi backend. and, interestingly -> when a specific member of my team deploys, pulumi changes the VCS link on that stack to the forked repo and not the original repo. could i any help on this? this significantly affects development time.

hey guys, trying to get a hold of someone in account management. I have a org account user for redacted that is in a

needs_verification

state but don't seem to ever get confirmation emails when the button is used. is there anyone available to help? i created a support request through the site form and never received a response either (we're a team account atm)

Hi, I'm experiencing what i believe is an error, not sure if it's working as intended though. I have a project and stack, that uses a KMS key in AWS for encrypting config secrets, the key is restricted to be used by the deployment role / and account admin. I have another stack for a separate account, that has the same setup. In the second stack, I initialize a stack reference to the first account. When previewing I then get the following error:

error: Preview failed: constructing secrets manager of type "cloud": secrets (code=Unknown): AccessDeniedException: The ciphertext refers to a customer master key that does not exist, does not exist in this region, or you are not allowed to access

I can eliminate the error by giving access to the KMS key in stack 1 to the deployment role in stack 2. Which seems counter intuitive when the stack references does not expose the config and has the following comment:

/**
 * Fetches the value promptly of the named stack output. May return undefined if the value is
 * not known for some reason.
 *
 * This operation is not supported (and will throw) if the named stack output is a secret.
 *
 * @param name The name of the stack output to fetch.
 */
getOutputValue(name: string): Promise<any>;

Is this by design? Hope someone can shed some light on it. EDIT: looks like a bug https://github.com/pulumi/pulumi/issues/11109

Hey guys, have an issue using the pulumi button using browser with bitbucket repo https://www.pulumi.com/docs/intro/pulumi-service/pulumi-button/#browser The CLI works fine when creating a new pulumi instance eg.

pulumi new <https://bitbucket.org/{organisation}/{repo}.git>

Issue arises when I add the above as the template value for browser capabilities

eg <https://app.pulumi.com/new?template=https://bitbucket.org/{organisation}/{repo}.git>

Hi there, is there a way to import my existing stack (DIY state stored, login into an S3 bucket) into Pulumi Service?

i am unable to join using link

After enabling SAML, I can still log in with password. Is this only because I’m admin?

Discovered

<https://api.pulumi.com/api/stacks/{org}/{project}/np/decrypt>

after digging in the archive. Where is the best place to make an issue to have it added to

<https://api.pulumi.com/api>

? And is

BuildDecrypt

exposed or only

decrypt

?

has renamed the channel from "pulumi-service" to "pulumi-cloud"

set the channel description: All things Pulumi Cloud (https://app.pulumi.com) Request a feature or file a bug here: https://github.com/pulumi/pulumi-cloud-requests

Big announcement, we just added multi-cloud search, analytics, and intelligence to the Pulumi Cloud. Join #pulumi-insights to learn more! https://pulumi-community.slack.com/archives/CB36DSVSA/p1681398456659489

Hello, I just opened a new issue. Very minor UI bug 🙂 https://github.com/pulumi/pulumi-cloud-requests/issues/226

Hi Everyone! I'm on the process to restructure my HomeLab from a monolith pulumi project to a micro stack monorepo using NX. Aside of the pulumi cli typescript limitations (https://github.com/pulumi/pulumi/issues/8787) so far, so good. I took this path to reduce the deployment times since i can only deploy the stack that was affected on the PR, so I really happy with the result. The only problem comes with my personal account licence, I needed create an organization for this project so I can group the all micro-stacks under the same parent so the

StackReference

make sense. like

homelab/${microstack}/env

. There is a way to link this Organization to use my personal account licence?

would it be possible to add multiple admins to the same team? for common tasks like stack rename/delete it’s inconvenient to depend only on one person

?

Security question/ask. We recently started using the webhook feature (love it). We use the slack integration - can you please not display the slack URL after its configured? (i.e. make it write-once only) Since the slack URL is https encoded with a secret, any user of the Pulumi organization can read it now and spoof messages. (low risk since this is just pulumi updates, but just a best practice) In the image below you can see the full URL:

Feature idea for the "Stacks" page: the repos and projects could be collapsible. I have one org with dozens of repos, some of which have dozens of projects with dozens of stacks each. Making the page smaller would allow me to scroll between interesting bits faster.

Hello, I am having a tough time with configuring OIDC - I have tried already many combinations of audiences, but I have still one error:

Diagnostics:
18
   pulumi:pulumi:Stack (smilingwords-gcp-management-prod):
19
     warning: unable to detect a global setting for GCP Project;
20
     Pulumi will rely on per-resource settings for this operation.
21
     Set the GCP Project by using:
22
     	`pulumi config set gcp:project <project>`
23
     warning: unable to detect a global setting for GCP Project;
24
     Pulumi will rely on per-resource settings for this operation.
25
     Set the GCP Project by using:
26
     	`pulumi config set gcp:project <project>`
27
     error: Running program '/deployment/index.ts' failed with an unhandled exception:
28
     [36m<ref *1>[39m Error: invocation of gcp:projects/getProject:getProject returned an error: invoking gcp:projects/getProject:getProject: 1 error occurred:
29
     	* Error retrieving projects: Get "<https://cloudresourcemanager.googleapis.com/v1/projects?alt=json&filter=name%3Asmw-bot+lifecycleState%3AACTIVE+labels.smw_bot%3Ay+labels.pulumi%3Ay>": oauth2/google: unable to generate access token: Post "<https://iamcredentials.googleapis.com/v1/projects/-/serviceAccounts/smw-bot-serviceaccount@smw-bot-qowk5.iam.gserviceaccount.com:generateAccessToken>": oauth2/google: status code 400: {"error":"invalid_target","error_description":"The target service indicated by the \"audience\" parameters is invalid. This might either be because the pool or provider is disabled or deleted or because it doesn't exist."}
30

31

32
         at Object.callback [90m(/deployment/[39mnode_modules/[4m@pulumi[24m/runtime/invoke.ts:172:37[90m)[39m
33
         at Object.onReceiveStatus [90m(/deployment/[39mnode_modules/[4m@grpc[24m/grpc-js/src/client.ts:360:26[90m)[39m
34
         at Object.onReceiveStatus [90m(/deployment/[39mnode_modules/[4m@grpc[24m/grpc-js/src/client-interceptors.ts:458:34[90m)[39m
35
         at Object.onReceiveStatus [90m(/deployment/[39mnode_modules/[4m@grpc[24m/grpc-js/src/client-interceptors.ts:419:48[90m)[39m
36
         at [90m/deployment/[39mnode_modules/[4m@grpc[24m/grpc-js/src/resolving-call.ts:132:24
37
     [90m    at processTicksAndRejections (node:internal/process/task_queues:77:11)[39m {
38
       promise: Promise { [36m<rejected>[39m [36m[Circular *1][39m }
39
     }

What is the issue or how it can be solved? It would be very nice if someone would have the answer! Please help 😕 Thanks in advance!

It seeems the Pulumi cloud/API is down. Anybody else having problems?

is there a way to automatically grant team access to new stacks? we’re in the middle of migrating some older infrastructure and creating a fair number of stacks. it’s a tedious manual process, and half the time we forget to do it before someone says “hey i need access to this stack.”

I create a team with

readonly

permissions on some stacks. I assumed running

pulumi preview

will work just fine. It does, but after showing a correct preview it if fails with:

error: failed to encrypt secret value: [404] Not Found: Stack 'my-stack' not found

When I give it

write

permissions on the stack, it succeeds. Why does it try to encrypt anything on

preview

, seems like a bug