Hi everybody 🙂 I’m using Poetry for Python dependency management and the files (pyproject.toml, poetry.lock) are located in the root of my repo. I’ve created subfolders with different Pulumi projects and configured one of them for the deployment. The workflow starts, but in “Download dependencies” I see: Error: python projects without a

virtualenv

project configuration are not yet supported Are there any plans to support this usecase in the future?

Hello! I need some help here with my use case. We have written a library that we use internally where we have the Pulumi Automation code, we send some parameters so we can dynamically create resources when calling that library from multiple repositories. This is the code I have in that library in order to create resources:

def deploy_code_to_aws(metadata):
    """
    Deploy all the resources to aws using Pulumi.
    """

    def pulumi_program():
        pass
    project_name = metadata.bucket
    stack_name = "Dev"
    stack = auto.create_or_select_stack(
        stack_name=stack_name, project_name=project_name, program=pulumi_program
    )
    print("successfully initialized stack")
    print("installing plugins...")
    stack.workspace.install_plugin("aws", "v4.0.0")
    print("plugins installed")
    print("setting up config")
    stack.set_config("aws:region", auto.ConfigValue(value=metadata.region))
    stack.set_config(
        "aws:profile", auto.ConfigValue(value=metadata.profile_name)
    ) 
    print("config set")
    print("refreshing stack...")
    stack.refresh(on_output=print)
    print("refresh complete")

    print("updating stack...")
    up_res = stack.up(on_output=print)
    print(f"update summary: \n{json.dumps(up_res.summary.resource_changes, indent=4)}")

My question is: How can I update this code so we can start using Remote Deployments? (We already requested access) From this example I know we have the option to call

create_or_select_remote_stack_git_source()

but we don’t have a “git source” we just wanted to grab the pulumi program/stack that we wrote and send that to a Pulumi Deployment remote server so it can process the stack instead of processing everything on our local machines. Is that even possible? Is there another way we could accomplish that with Remote Deployments?

I have a question about the deployments feature - is it, or will it be possible to set up with Open ID Connect, to avoid storing any permanent credentials for the deployment? Another approach I was thinking of is to have something deployed in the cloud provider that pushes out new credentials to Pulumi service at regular intervals, although I am not sure if that is possible to do?

Hey! I've installed the github app but every time I try and link it just sends me back to configure the app. Anyone else having that issue?

A questions regarding the REST API: If I try to trigger a deployment for a private repository via REST API and use a GitHub personal access token, what permissions are needed for the token? Both for the classic tokenas and the new fine-grained tokens? It works fine to run via the classic tokens and if I pick all the repo permissions, but would rather know more in detail what it would need and preferably also for the fine-grained tokens. I could not find that in the docs.

Hey moderators, I requested a preview for the Pulumi Deployments, do you think it’ll be an option to get accepted by this weekend ? Thank you very much !

Hi, is there a plan for supporting Gitlab?

Hello, I need some help here. I have started using Deployments REST API but I am getting an error when trying to provision a lambda function in a subaccount. I get this error:

aws:lambda:Function (XXXXX): 
44
     error: 1 error occurred: 
45
     	* error creating Lambda Function (1): AccessDeniedException: 
46
     	status code: 403, request id: 2224b871-f8fc-43f9-baf5-c62809b1779d

I am creating a new account in my organization using IAM credentials of an admin user in my main account. Will post the code in a comment here.

We're looking for users who are interested in providing feedback on their experience with Deployments. We'll send all participants a Pulumi tshirt. If you're interested, please book a time through https://calendly.com/evan-148/30min-2 😛artypus-8bit:

hey, I wonder if Deployments and Automation API are compatible? e.g. I want to construct a desired state in my service that leverages Pulumi under the hood and then I want to go to Pulumi dashboard, review the changes and deploy it. It looks like Deployment is executing code itself, but at no point I have a code executable by Pulumi Deployment

When the deployment runs, it expects that the workdir has a Pulumi.yaml file it it along with your program. In your example above it looks like your workdir is ‘deployment’ - does that directory exist in your hit enlistment and contain a pulumi.yaml file?

Hi, I have another question, even if the Secret environment variables are encrypted end-to-end, but Pulumi Service is not a self-host environment, how do you ensure our AWS credential or kubeconfig is secure without store it somewhere? From our previous experience, we stored our secrets in vault or as secret in kubernetes cluster, CI/CD containter read them by secretKeyRef to env, everything stays inside the cluster. What Pulumi deployment do now is to pass them via the environment variable to authenticate with AWS or Kubernetes, it there other recommended way to do authentication? Thx.

We just shipped a Deployments OIDC integration to enable short term, deployment scoped credentials with AWS, GCP, and Azure. https://github.com/pulumi/service-requests/issues/144 See the user guide here: https://www.pulumi.com/docs/guides/oidc/ as well as examples in the REST API documentation: https://www.pulumi.com/docs/reference/deployments-rest-api/#operationcontext OIDC can be configured within the console for push to deploy, and can be used directly with the REST API. Looking forward to feedback!

Hi, How do we correctly import kubeconfig of external kubernetes which isn't created via pulumi into pulumi deployment container? We had tried to put kubeconfig content as environment variable KUBECONFIG, it doesn't work. In the meantime,

pulumi config set --secret kubernetes:kubeconfig   --path ~/.kube/config

, something like this, it won't load the file content. The only worked way is to read it from the local file

pulumi_k8s = kubernetes.Provider("pulumi_k8s", kubeconfig=(lambda path: open(path).read())("kubeconfig"))

, but it is not secure to store kubeconfig file in github.

Hi team! How can i get access to pulumi deployments?

Hey, I’m having a bit of trouble understanding how to enable deployments for our organization. Is it in public preview or do we still need to be granted access somehow? The registration link just redirects to a generic documentation page about Deployments.

Hey, when using OIDC with GCP, what kind of credentials are stored in

GOOGLE_CREDENTIALS

? Trying to figure out how to login to the docker registry on the deployment runner.

Hello all, I'm trying to trigger some deployments but keep getting "400 Bad Request: ssh private key cannot be empty" (using sshAuth with a passwordless key for github -for testing). I followed the doc carefully and the privateKey.secret field is definitely not empty, so i'm puzzled. any clues? specific format for the key that i should use?

Hi. I apologise up front if this is an oft-asked question but I can't seem to find an answer. How do I get the Deploy button to appear in the Console? I'd like to try out the functionality but I don't see the Deploy button in the console, and from the announcement it looks like Deployments is out of the closed-preview phase. My code lives in BitBucket rather than GitHub; however, from the Docs (and from what I've seen from Searching) it appears that GitHub is an option rather than a requirement. Is that right? If you can use Deployments without GitHub, is there something special I need to do in order to enable it? Thanks in advance.

This message was deleted.

Hello! I was testing the new Pulumi Deployments feature and now I would like to remove it again from the stack. But if I hit the button Clean all deployment settings (at the bottom of the Deploy settings section), I get a 405 error response and an error message Failed to clear your deployment settings. Can someone help me to clear these settings?

Ok so it’s me again… posted in #getting-started before not realizing this channel exists… I’m trying to get deployments to run with Poetry. I’d like to not specify

runtime:
  name: python
  options:
    virtualenv: venv

in my Pulumi.yaml because locally we use

poetry run pulumi up

and poetry uses the correct virtualenv automatically. Side note: we are using a custom docker image for deployments because we’re using python 3.10 so I built one:

# based on <https://github.com/pulumi/pulumi-docker-containers/blob/main/docker/pulumi/Dockerfile>

FROM python:3.10-slim

RUN apt-get update -y && \
  apt-get install -y \
  curl

# Passing --build-arg PULUMI_VERSION=vX.Y.Z will use that version
# of the SDK. Otherwise, we use whatever <http://get.pulumi.com|get.pulumi.com> thinks is
# the latest
ARG PULUMI_VERSION

# Install the Pulumi SDK, including the CLI and language runtimes.
RUN curl -fsSL <https://get.pulumi.com/> | bash -s -- --version $PULUMI_VERSION

# Install Poetry
ENV POETRY_HOME=/usr/local
RUN curl -sSL <https://install.python-poetry.org> | python3 -

# Create wrappers such that pulumi commands always run with poetry
COPY ./create-poetry-wrappers.sh /usr/local/bin
RUN create-poetry-wrappers.sh

ENTRYPOINT ["/bin/bash", "-c"]
CMD [ "/bin/bash" ]

I thought that I could create some wrapper scripts to force

poetry run …

on pulumi, but it seems like the

/pulumi-deploy-executor

is not ? somehow? using the pulumi located in the container’s $PATH?

Has anyone run into

GitHub rate limit exceeded, try again in 23.838081389s. You can set GITHUB_TOKEN to make an authenticated request with a higher rate limit.

? I’m seeing this at the end of my deployment runs that I trigger manually from the UI

Security question… is it a terrible idea to trust the Role that Pulumi Deployments uses to assume a role that has Admin privileges in an AWS account?

ok… here’s another one. I have the following role assuming pattern locally (for… reasons):

role/aws-reserved/sso.amazonaws.com/AWSReservedSSO_AWSAdministratorAccess_xxxxxxxxx (the role I am logged into via the CLI)

=> assumes

role/service-role/AWSControlTowerAdmin (via Pulumi.<stack>.yaml config var aws:assumeRole.roleArn)

=> assumes

role/AWSControlTowerExecution (via `aws.Provider` in the Pulumi code)

locally this works. When running via Pulumi Deployments it doesn’t seem to. The Deployment “configuration” seems to show the correct

aws:assumeRole

value but it doesn’t get assumed. It basically skips the middle assumption and uses the Deployment role to try to directly assume the 3rd role, AWSControlTowerExecution and it fails. If anything I’d expect to see that

assumed-role/PulumiOIDC/pulumi

cannot assume

role/service-role/AWSControlTowerAdmin

or that

role/service-role/AWSControlTowerAdmin

cannot assume

role/AWSControlTowerExecution

, but I’m getting

assumed-role/PulumiOIDC/pulumi

cannot assume

role/AWSControlTowerExecution

. This makes me think that the deploy executor is not respecting the

Pulumi.<stack>.yaml

configuration…

Does anyone have recommendations on how to think about the boundaries between Pulumi Deployments (enabled via UI + GitHub integration) and general Pulumi CI/CD? It seems like deployments enables running

pulumi up

on every commit that happens on a branch, say, the

main

branch. This would mean that only after you merge a PR does

pulumi

run. What do people do to preview changes during the branch development?

If any of ya'll think that Pulumi is the future of infrastructure, we'd appreciate a vote on this poll! https://pulumi-community.slack.com/archives/C84L4E3N1/p1679677366935849

Major Pulumi Deployments update shipped today, complete with overhauled documentation. Happy to answer any questions ya'll may have! https://pulumi-community.slack.com/archives/CB36DSVSA/p1680103635675449