hi everyone 👋 thanks for your interest in Pulumi Deployments! check out the blog post here and consider signing up for preview access here!

I'm having some trouble using RemoteWorkspace from the Automation SDK in TypeScript. According to an email I received, I've been granted access to Pulumi Deployments, but I get this error:

"creating deployment failed: [404] Not Found: url '/api/preview/marcus-sa/tenant/remote-3/deployments' not found"

Has anyone else experienced this?

Hey everyone, we would like to set custom node version. We got the info back from Meagan that we could either use pre-run commands or a custom docker image. Is there any documentation on this? Could we maybe use a

.nvmrc

or

.node-version

file, or

NODE_VERSION

environment variable?

Had a weird issue and I am not sure if it is related to deployments 🧵

Another quick feedback. If multiple (more than one) deployments are queued, then all queued deployments except the last one should be skipped. Since a later commit on a branch does include the changes of an earlier commit. As far as I can tell, currently no deployments are skipped.

Hi everybody 🙂 I’m using Poetry for Python dependency management and the files (pyproject.toml, poetry.lock) are located in the root of my repo. I’ve created subfolders with different Pulumi projects and configured one of them for the deployment. The workflow starts, but in “Download dependencies” I see: Error: python projects without a

virtualenv

project configuration are not yet supported Are there any plans to support this usecase in the future?

Hello! I need some help here with my use case. We have written a library that we use internally where we have the Pulumi Automation code, we send some parameters so we can dynamically create resources when calling that library from multiple repositories. This is the code I have in that library in order to create resources:

def deploy_code_to_aws(metadata):
    """
    Deploy all the resources to aws using Pulumi.
    """

    def pulumi_program():
        pass
    project_name = metadata.bucket
    stack_name = "Dev"
    stack = auto.create_or_select_stack(
        stack_name=stack_name, project_name=project_name, program=pulumi_program
    )
    print("successfully initialized stack")
    print("installing plugins...")
    stack.workspace.install_plugin("aws", "v4.0.0")
    print("plugins installed")
    print("setting up config")
    stack.set_config("aws:region", auto.ConfigValue(value=metadata.region))
    stack.set_config(
        "aws:profile", auto.ConfigValue(value=metadata.profile_name)
    ) 
    print("config set")
    print("refreshing stack...")
    stack.refresh(on_output=print)
    print("refresh complete")

    print("updating stack...")
    up_res = stack.up(on_output=print)
    print(f"update summary: \n{json.dumps(up_res.summary.resource_changes, indent=4)}")

My question is: How can I update this code so we can start using Remote Deployments? (We already requested access) From this example I know we have the option to call

create_or_select_remote_stack_git_source()

but we don’t have a “git source” we just wanted to grab the pulumi program/stack that we wrote and send that to a Pulumi Deployment remote server so it can process the stack instead of processing everything on our local machines. Is that even possible? Is there another way we could accomplish that with Remote Deployments?

I have a question about the deployments feature - is it, or will it be possible to set up with Open ID Connect, to avoid storing any permanent credentials for the deployment? Another approach I was thinking of is to have something deployed in the cloud provider that pushes out new credentials to Pulumi service at regular intervals, although I am not sure if that is possible to do?

Hey! I've installed the github app but every time I try and link it just sends me back to configure the app. Anyone else having that issue?

A questions regarding the REST API: If I try to trigger a deployment for a private repository via REST API and use a GitHub personal access token, what permissions are needed for the token? Both for the classic tokenas and the new fine-grained tokens? It works fine to run via the classic tokens and if I pick all the repo permissions, but would rather know more in detail what it would need and preferably also for the fine-grained tokens. I could not find that in the docs.

Hey moderators, I requested a preview for the Pulumi Deployments, do you think it’ll be an option to get accepted by this weekend ? Thank you very much !

Hi, is there a plan for supporting Gitlab?

Hello, I need some help here. I have started using Deployments REST API but I am getting an error when trying to provision a lambda function in a subaccount. I get this error:

aws:lambda:Function (XXXXX): 
44
     error: 1 error occurred: 
45
     	* error creating Lambda Function (1): AccessDeniedException: 
46
     	status code: 403, request id: 2224b871-f8fc-43f9-baf5-c62809b1779d

I am creating a new account in my organization using IAM credentials of an admin user in my main account. Will post the code in a comment here.

We're looking for users who are interested in providing feedback on their experience with Deployments. We'll send all participants a Pulumi tshirt. If you're interested, please book a time through https://calendly.com/evan-148/30min-2 partypus 8bit

hey, I wonder if Deployments and Automation API are compatible? e.g. I want to construct a desired state in my service that leverages Pulumi under the hood and then I want to go to Pulumi dashboard, review the changes and deploy it. It looks like Deployment is executing code itself, but at no point I have a code executable by Pulumi Deployment

When the deployment runs, it expects that the workdir has a Pulumi.yaml file it it along with your program. In your example above it looks like your workdir is ‘deployment’ - does that directory exist in your hit enlistment and contain a pulumi.yaml file?

Hi, I have another question, even if the Secret environment variables are encrypted end-to-end, but Pulumi Service is not a self-host environment, how do you ensure our AWS credential or kubeconfig is secure without store it somewhere? From our previous experience, we stored our secrets in vault or as secret in kubernetes cluster, CI/CD containter read them by secretKeyRef to env, everything stays inside the cluster. What Pulumi deployment do now is to pass them via the environment variable to authenticate with AWS or Kubernetes, it there other recommended way to do authentication? Thx.

We just shipped a Deployments OIDC integration to enable short term, deployment scoped credentials with AWS, GCP, and Azure. https://github.com/pulumi/service-requests/issues/144 See the user guide here: https://www.pulumi.com/docs/guides/oidc/ as well as examples in the REST API documentation: https://www.pulumi.com/docs/reference/deployments-rest-api/#operationcontext OIDC can be configured within the console for push to deploy, and can be used directly with the REST API. Looking forward to feedback!

Hi, How do we correctly import kubeconfig of external kubernetes which isn't created via pulumi into pulumi deployment container? We had tried to put kubeconfig content as environment variable KUBECONFIG, it doesn't work. In the meantime,

pulumi config set --secret kubernetes:kubeconfig   --path ~/.kube/config

, something like this, it won't load the file content. The only worked way is to read it from the local file

pulumi_k8s = kubernetes.Provider("pulumi_k8s", kubeconfig=(lambda path: open(path).read())("kubeconfig"))

, but it is not secure to store kubeconfig file in github.

Hi team! How can i get access to pulumi deployments?

Hey, I’m having a bit of trouble understanding how to enable deployments for our organization. Is it in public preview or do we still need to be granted access somehow? The registration link just redirects to a generic documentation page about Deployments.

Hey, when using OIDC with GCP, what kind of credentials are stored in

GOOGLE_CREDENTIALS

? Trying to figure out how to login to the docker registry on the deployment runner.

Hello all, I'm trying to trigger some deployments but keep getting "400 Bad Request: ssh private key cannot be empty" (using sshAuth with a passwordless key for github -for testing). I followed the doc carefully and the privateKey.secret field is definitely not empty, so i'm puzzled. any clues? specific format for the key that i should use?

Hi. I apologise up front if this is an oft-asked question but I can't seem to find an answer. How do I get the Deploy button to appear in the Console? I'd like to try out the functionality but I don't see the Deploy button in the console, and from the announcement it looks like Deployments is out of the closed-preview phase. My code lives in BitBucket rather than GitHub; however, from the Docs (and from what I've seen from Searching) it appears that GitHub is an option rather than a requirement. Is that right? If you can use Deployments without GitHub, is there something special I need to do in order to enable it? Thanks in advance.

This message was deleted.

Hello! I was testing the new Pulumi Deployments feature and now I would like to remove it again from the stack. But if I hit the button Clean all deployment settings (at the bottom of the Deploy settings section), I get a 405 error response and an error message Failed to clear your deployment settings. Can someone help me to clear these settings?

Ok so it’s me again… posted in #getting-started before not realizing this channel exists… I’m trying to get deployments to run with Poetry. I’d like to not specify

runtime:
  name: python
  options:
    virtualenv: venv

in my Pulumi.yaml because locally we use

poetry run pulumi up

and poetry uses the correct virtualenv automatically. Side note: we are using a custom docker image for deployments because we’re using python 3.10 so I built one:

# based on <https://github.com/pulumi/pulumi-docker-containers/blob/main/docker/pulumi/Dockerfile>

FROM python:3.10-slim

RUN apt-get update -y && \
  apt-get install -y \
  curl

# Passing --build-arg PULUMI_VERSION=vX.Y.Z will use that version
# of the SDK. Otherwise, we use whatever <http://get.pulumi.com|get.pulumi.com> thinks is
# the latest
ARG PULUMI_VERSION

# Install the Pulumi SDK, including the CLI and language runtimes.
RUN curl -fsSL <https://get.pulumi.com/> | bash -s -- --version $PULUMI_VERSION

# Install Poetry
ENV POETRY_HOME=/usr/local
RUN curl -sSL <https://install.python-poetry.org> | python3 -

# Create wrappers such that pulumi commands always run with poetry
COPY ./create-poetry-wrappers.sh /usr/local/bin
RUN create-poetry-wrappers.sh

ENTRYPOINT ["/bin/bash", "-c"]
CMD [ "/bin/bash" ]

I thought that I could create some wrapper scripts to force

poetry run …

on pulumi, but it seems like the

/pulumi-deploy-executor

is not ? somehow? using the pulumi located in the container’s $PATH?

Has anyone run into

GitHub rate limit exceeded, try again in 23.838081389s. You can set GITHUB_TOKEN to make an authenticated request with a higher rate limit.

? I’m seeing this at the end of my deployment runs that I trigger manually from the UI

Security question… is it a terrible idea to trust the Role that Pulumi Deployments uses to assume a role that has Admin privileges in an AWS account?