I'm seeing my deployments stuck in a pending state currently. Is the system experiencing some downtime?

Hi, I just started learning Pulumi. I am trying to create an EC2 instance, but it is failing with "creating EC2 Instance: MissingInput: No subnets found for the default VPC". I checked AWS console and see the VPC have the subnet. I also tried passing the subnet_id directly in the call, but still getting the error. ec2_instance = ec2.Instance("web-server", ami="ami-053b0d53c279acc90", instance_type="t3.nano", key_name="test1", vpc_security_group_ids=[sg.id], tags = {"Name": "web"}, subnet_id = "subnet-03d7502aaa49932d8" ) Any help in providing some clues to resolve this issue greatly appreciated.

Is there an ongoing problem? I'm receiving this error for every call to the deployment settings API

{"code":400,"message":"Bad Request: User is not a member of Pulumi organization's backing identity provider."}

Has anyone figured out a way to build ARM64 images with

pulumi-docker

or similar with Pulumi Deployments? I'm thinking we'll need to set up QEMU in the pre-run commands

@polite-ocean-13631 if you're on M1/M2 you can get docker to build images for x86 , this isn't helpful if you're actually trying to run ARM programs

image.png

Pulumi Deployments is running on AMD64 (i.e. x86), and we're trying to get it to build ARM64 images. We use M1/M2 to build ARM64 natively when we run

pulumi

locally, but we want to be able to use Pulumi Deployments for CI and gitops

i'm struggling to get deployments OIDC set up with GCP. i'm getting:

Exception: invoke of gcp:organizations/getProject:getProject failed: invocation of gcp:organizations/getProject:getProject returned an error: invoking gcp:organizations/getProject:getProject: 1 error occurred: 
     	* Error when reading or editing Project "myproject": Get "<https://cloudresourcemanager.googleapis.com/v1/projects/myproject?alt=json&prettyPrint=false>": oauth2/google: unable to generate access token: Post "<https://iamcredentials.googleapis.com/v1/projects/-/serviceAccounts/pulumi-dply-app-staging@myproject.iam.gserviceaccount.com:generateAccessToken>": oauth2/google: status code 400: {"error":"invalid_request","error_description":"Invalid value for \"audience\". This value should be the full resource name of the Identity Provider. See <https://cloud.google.com/iam/docs/reference/sts/rest/v1/TopLevel/token> for the list of possible formats."}

i found this, which hints that i'm using the wrong values for the workload pool ID and identity provider ID:

I was using project name and full names for provider and pool id. After changing to number and just the short id for both worked like a charm

however, i've been unable to figure out the right format. https://cloud.google.com/iam/docs/reference/sts/rest/v1/TopLevel/token tells me that it expects

audience

to have the format

<//iam.googleapis.com/projects/><project-number>/locations/global/workloadIdentityPools/<pool-id>/providers/<provider-id>

, which i've tried; i've also tried it without the

<//iam.googleapis.com/>

prefix. i've tried a few other formats as well. can anyone help me figure out the exact format i should be using for those two values?

alternatively, is there any way to pump up the debugging so that i can see what pulumi is sending as the

audience

?

okay, i finally figured it out: • the

Project ID

field must have the numeric project ID • The "Workload Pool ID" and "Identity provider ID" fields must each have just the short ID, not the fully-qualified

<//iam.googleapis.com/>...

or even

/projects/<project-number>/...

. that's definitely what this comment says, i just didn't follow it. some help text on this would be super helpful....

next deployments question: in the console you can set a custom image along with a username/password to authenticate to the registry to pull that image. i don't see any options to authenticate in the `pulumiservice.DeploymentSettings` docs -- is it possible to set up registry auth via Pulumi itself? or is that currently console-only? (i asked Pulumi AI, but it apparently hasn't been retrained in a while 🙂)

I have two stacks connecting to same repo

abc

but with different branch in the settings. stack 1:

qa

branch in

abc

repo stack 2:

main

branch in

abc

repo Now, every time I create PR for qa and merge it.

pulumi preview

and

pulumi up

triggers both stack to run. Am I doing anything wrong here? I want want stack 1 to run when changing

qa

branch and only run stack 2 when changing

main

branch.

when managing deployment settings with the

pulumiservice

provider, i find that the changes aren't really "finalized" by the provider -- i have to go in to the console, make no changes, and click "Save deployment configuration." all of the settings are fully populated by the provider, so it certainly appears to have worked, but it doesn't work until I click that save button. has anyone else run into this? Is there a step i'm missing?

Hello, I am having a tough time with configuring OIDC - I have tried already many combinations of audiences, but I have still one error:

Diagnostics:
18
   pulumi:pulumi:Stack (smilingwords-gcp-management-prod):
19
     warning: unable to detect a global setting for GCP Project;
20
     Pulumi will rely on per-resource settings for this operation.
21
     Set the GCP Project by using:
22
     	`pulumi config set gcp:project <project>`
23
     warning: unable to detect a global setting for GCP Project;
24
     Pulumi will rely on per-resource settings for this operation.
25
     Set the GCP Project by using:
26
     	`pulumi config set gcp:project <project>`
27
     error: Running program '/deployment/index.ts' failed with an unhandled exception:
28
     [36m<ref *1>[39m Error: invocation of gcp:projects/getProject:getProject returned an error: invoking gcp:projects/getProject:getProject: 1 error occurred:
29
     	* Error retrieving projects: Get "<https://cloudresourcemanager.googleapis.com/v1/projects?alt=json&filter=name%3Asmw-bot+lifecycleState%3AACTIVE+labels.smw_bot%3Ay+labels.pulumi%3Ay>": oauth2/google: unable to generate access token: Post "<https://iamcredentials.googleapis.com/v1/projects/-/serviceAccounts/smw-bot-serviceaccount@smw-bot-qowk5.iam.gserviceaccount.com:generateAccessToken>": oauth2/google: status code 400: {"error":"invalid_target","error_description":"The target service indicated by the \"audience\" parameters is invalid. This might either be because the pool or provider is disabled or deleted or because it doesn't exist."}
30

31

32
         at Object.callback [90m(/deployment/[39mnode_modules/[4m@pulumi[24m/runtime/invoke.ts:172:37[90m)[39m
33
         at Object.onReceiveStatus [90m(/deployment/[39mnode_modules/[4m@grpc[24m/grpc-js/src/client.ts:360:26[90m)[39m
34
         at Object.onReceiveStatus [90m(/deployment/[39mnode_modules/[4m@grpc[24m/grpc-js/src/client-interceptors.ts:458:34[90m)[39m
35
         at Object.onReceiveStatus [90m(/deployment/[39mnode_modules/[4m@grpc[24m/grpc-js/src/client-interceptors.ts:419:48[90m)[39m
36
         at [90m/deployment/[39mnode_modules/[4m@grpc[24m/grpc-js/src/resolving-call.ts:132:24
37
     [90m    at processTicksAndRejections (node:internal/process/task_queues:77:11)[39m {
38
       promise: Promise { [36m<rejected>[39m [36m[Circular *1][39m }
39
     }

What is the issue or how it can be solved? It would be very nice if someone would have the answer! Please help 😕 Thanks in advance!

Hello, I don't know if this is the best place to ask my question, but I have an issue with Github "Preview" Action with our own backend (AWS S3 bucket).

Hello, I’m getting out of memory errors while running preview/update in Deployments

Type                 Name              Plan     Info
     pulumi:pulumi:Stack  infra-production           1 error; 133 messages
 
Diagnostics:
  pulumi:pulumi:Stack (infra-production):
    # <http://github.com/pulumi/pulumi-gcp/sdk/v6/go/gcp/compute|github.com/pulumi/pulumi-gcp/sdk/v6/go/gcp/compute>
    fatal error: runtime: out of memory
    runtime stack:
    runtime.throw({0xd7b769?, 0x20306f3?})
    	runtime/panic.go:1077 +0x5c fp=0xc00008bdb0 sp=0xc00008bd80 pc=0x444e3c
    runtime.sysMapOS(0xc1bd400000, 0x1000000?)

I’m not sure what I can do to deal with it… Locally,

pulumi update

works without problems.

Will it help triaging a Github issue if I post the link here?

I just created a new project using the wizard on the website, after opening a fresh account. I chose "Go" as language, "AWS" as cloud provider. It says this

$ /pulumi-deploy-executor pulumi update --stackIdentity="pinpayments/vm-aws-go/dev" --workDir="/deployment/vm-aws-go" 
2Updating (pinpayments/dev) 
3 
4 View Live: <https://app.pulumi.com/pinpayments/vm-aws-go/dev/updates/3> 
5 
6 @ Updating............................ 
7 
8 @ Updating............ 
9    pulumi:pulumi:Stack vm-aws-go-dev  go: <http://github.com/gogo/protobuf@v1.3.2|github.com/gogo/protobuf@v1.3.2> requires 
10   pulumi:pulumi:Stack vm-aws-go-dev  	<http://github.com/kisielk/errcheck@v1.5.0|github.com/kisielk/errcheck@v1.5.0>: missing go.sum entry for go.mod file; to add it: 
11   pulumi:pulumi:Stack vm-aws-go-dev  	go mod download <http://github.com/kisielk/errcheck|github.com/kisielk/errcheck> 
12     pulumi:pulumi:Stack vm-aws-go-dev  error: error in compiling Go: unable to run `go build`: exit status 1 
13     pulumi:pulumi:Stack vm-aws-go-dev **failed** 1 error; 3 messages 
14 Diagnostics: 
15   pulumi:pulumi:Stack (vm-aws-go-dev): 
16     go: <http://github.com/gogo/protobuf@v1.3.2|github.com/gogo/protobuf@v1.3.2> requires 
17     	<http://github.com/kisielk/errcheck@v1.5.0|github.com/kisielk/errcheck@v1.5.0>: missing go.sum entry for go.mod file; to add it: 
18     	go mod download <http://github.com/kisielk/errcheck|github.com/kisielk/errcheck> 
19  
20     error: error in compiling Go: unable to run `go build`: exit status 1 
21  
22 Resources: 
23  
24 Duration: 10s 
25  
26 Error: Update failed: [resource plugin aws-6.0.2] installing

When using Pulumi deployments in a GitHub monorepo w/ micro-stacks and PR previews enabled, is there a way to require that Pulumi status checks pass if they exist? I'm having trouble coming up with a branch protection/rule that doesn't block PRs that have no Pulumi changes (since no status check exists in this scenario), but then require that those checks pass when Pulumi changes do exist. These are probably feature requests, but I feel like others might benefit from simplified repo/PR configuration: 1. Is it possible to configure the Pulumi PR status check to always show (even if no Pulumi job runs)? 2. Is it possible to consolidate all of the micro-stack PR status checks into a single PR status check rather than 1+ per stack?

In Github Actions, when a Preview job passes, it leaves this type of comment on the pull request (first screenshot). But in the docs here https://www.pulumi.com/docs/using-pulumi/continuous-delivery/github-actions/ I can see a better-formatted comment (see my second screenshot). Is this only available with Pulumi Cloud account?

I'm trying to manage Pulumi Deployments via Pulumi and my preview looks good but on apply it fails with a 500 API error without anything useful to use as breadcrumbs. I'm new to managing Deployments with Pulumi, but for all intents and purposes I'm following the docs for Go here: https://www.pulumi.com/registry/packages/pulumiservice/api-docs/deploymentsettings/

Any idea on why the pulumi github app would stop doing preview/up on PR/Push?

Deployments OIDC integration has been hugely popular with our community, and was one of the primary inspirations for environments and ESC. If you haven't looked at environments integration with Pulumi IaC, I strongly suggest that you make time! https://pulumi-community.slack.com/archives/CB36DSVSA/p1698452762928679

Hey folks, I'm having some issues trying to set up Deployments with AWS OIDC. I've verified that the OIDC IdP and Audience is set correctly, and the OIDC flow does indeed return both keys and session token (I've `echo`ed out all three as part of a preview deployment run), but when it comes to the preview it fails with the following:

Error: Preview failed: error: getting stack configuration: get stack secrets manager: operation error KMS: Decrypt, failed to sign request: failed to retrieve credentials: failed to refresh cached credentials, no EC2 IMDS role found, operation error ec2imds: GetMetadata, canceled, context deadline exceeded

The IAM Role associated with the OIDC config and audience has admin privs across the whole AWS account. Our stack config uses KMS as a secrets provider. The stack config is configured to use an AWS profile thus:

awskms://alias/pulumi?region=eu-west-1&profile=<profile>&awssdk=v2

but I'm overriding that in the Deployment config with the mapping

secretsprovider: <awskms://alias/pulumi?region=eu-west-1>

(at least I'm assuming that's overriding it). I've also verified that the KMS key has a policy attached to it that allows access from the whole AWS account. Anyone have any ideas what I'm doing wrong?

I'm also setting

aws:profile

and

aws-classic:profile

to empty in the environment variables Deployment config.

I also have GitHub integration set up that's pulling the stack config

Is it expected that there could be a long delay between a Deployment triggering a Pulumi action and the action actually starting? For example, I'm triggering a

preview

and it's taking on average 3-5 minutes before the preview is actually run (see attached). Running the same preview locally (but executed on Pulumi Cloud) takes only a few seconds for the preview to start, as does executing via Github Actions.

All in all it takes about 5-6 minutes just for a preview to complete, whereas the same op started locally takes about 30s in total

Hello. I was wondering if any of you had documentation for setting up a shared S3 backend for deploying stack resources in different AWS accounts. I created an AWS CodePipeline to deploy "dev" resources to account "a" which is where the S3 backend resides. I created a second CodePipeline in account "a" to deploy "prod" resources to account "b". Account "b" has a role that the CodePipeline project in account "a" can assume which works, but I lose access to the shared S3 backend in account "a" after assuming the role in account "b"' (not surprising). I have ideas for how I can make this work, but I want to make sure that I'm using the right tool for the job instead of trying to use a hammer on a screw. This is a non-issue for Pulumi cloud, but I was hoping to mock up a project before getting a Pulumi Cloud subscription so my team could play around with it.

Hello, has anyone else encountered this issue when trying to deploy from the github action

pulumi/actions@v3

I create an ECR image like this

const imageWebDev = new awsx.ecr.Image(
  `web-${env}-image`,
  {
    repositoryUrl: ecrRepo.repositoryUrl,
    dockerfile: `Dockerfile`,
    path: "../../"
  },
  { protect: true }
);

And then pass it to my ec2 task definiton like this

const taskDefinition = new awsx.ecs.EC2TaskDefinition(
  `web-${env}`,
  {
    containers: {
      app: {
        name: "app",
        image: imageWebDev.imageUri,
        cpu: 0,
        portMappings: [
          {
            containerPort: 3000,
            hostPort: 0,
            protocol: "tcp",
          },
        ],
.
.
.

This runs fine locally but when running in the Github action I get the following error:

error: 1 error occurred:
    	* failed creating ECS Task Definition (web-production): ClientException: Container.image should not be null or empty.

I have tried the following • creating a whole new stack • using promises to ensure the task does not begin it's update before the image is finished • added in waiting to give things time to update • assigned the uri to a new variable and passed that to the task definition • hard coded in the

latest

image uri This is my pulumi action

- name: Pulumi Update
              uses: pulumi/actions@v3
              with:
                command: up
                stack-name: prod
                comment-on-pr: true
                work-dir: ${{ env.WORKDIR }}
                upsert: true
              env:
                PULUMI_ACCESS_TOKEN: ${{ secrets.PULUMI_ACCESS_TOKEN }}