pulumi-deployments
  • h

    hallowed-photographer-31251

    11/02/2022, 5:49 PM
    hi everyone 👋 thanks for your interest in Pulumi Deployments! check out the blog post here and consider signing up for preview access here!
  • c

    curved-application-45650

    11/06/2022, 3:11 PM
    I'm having some trouble using RemoteWorkspace from the Automation SDK in TypeScript. According to an email I received, I've been granted access to Pulumi Deployments, but I get this error:
    "creating deployment failed: [404] Not Found: url '/api/preview/marcus-sa/tenant/remote-3/deployments' not found"
    Has anyone else experienced this?
  • f

    fancy-spoon-46046

    11/07/2022, 12:46 PM
    Hey everyone, we would like to set a custom node version. We got the info back from Meagan that we could either use pre-run commands or a custom docker image. Is there any documentation on this? Could we maybe use a .nvmrc or .node-version file, or NODE_VERSION environment variable?
  • b

    brash-gigabyte-81569

    11/07/2022, 5:15 PM
    Had a weird issue and I am not sure if it is related to deployments 🧵
  • f

    fancy-spoon-46046

    11/08/2022, 2:25 PM
    Another quick feedback. If multiple (more than one) deployments are queued, then all queued deployments except the last one should be skipped. Since a later commit on a branch does include the changes of an earlier commit. As far as I can tell, currently no deployments are skipped.
  • w

    wide-cat-87818

    11/09/2022, 2:35 PM
    Hi everybody 🙂 I’m using Poetry for Python dependency management and the files (pyproject.toml, poetry.lock) are located in the root of my repo. I’ve created subfolders with different Pulumi projects and configured one of them for the deployment. The workflow starts, but in “Download dependencies” I see:
    Error: python projects without a virtualenv project configuration are not yet supported
    Are there any plans to support this usecase in the future?
  • f

    fresh-minister-66960

    11/10/2022, 8:04 PM
    Hello! I need some help here with my use case. We have written a library that we use internally where we have the Pulumi Automation code, we send some parameters so we can dynamically create resources when calling that library from multiple repositories. This is the code I have in that library in order to create resources:
    import json

    from pulumi import automation as auto

    def deploy_code_to_aws(metadata):
        """
        Deploy all the resources to aws using Pulumi.
        """
    
        def pulumi_program():
            pass
        project_name = metadata.bucket
        stack_name = "Dev"
        stack = auto.create_or_select_stack(
            stack_name=stack_name, project_name=project_name, program=pulumi_program
        )
        print("successfully initialized stack")
        print("installing plugins...")
        stack.workspace.install_plugin("aws", "v4.0.0")
        print("plugins installed")
        print("setting up config")
        stack.set_config("aws:region", auto.ConfigValue(value=metadata.region))
        stack.set_config(
            "aws:profile", auto.ConfigValue(value=metadata.profile_name)
        ) 
        print("config set")
        print("refreshing stack...")
        stack.refresh(on_output=print)
        print("refresh complete")
    
        print("updating stack...")
        up_res = stack.up(on_output=print)
        print(f"update summary: \n{json.dumps(up_res.summary.resource_changes, indent=4)}")
    My question is: How can I update this code so we can start using Remote Deployments? (We already requested access) From this example I know we have the option to call create_or_select_remote_stack_git_source() but we don’t have a “git source” we just wanted to grab the pulumi program/stack that we wrote and send that to a Pulumi Deployment remote server so it can process the stack instead of processing everything on our local machines. Is that even possible? Is there another way we could accomplish that with Remote Deployments?
  • q

    quaint-hydrogen-7228

    11/14/2022, 9:50 AM
    I have a question about the deployments feature - is it, or will it be possible to set up with Open ID Connect, to avoid storing any permanent credentials for the deployment? Another approach I was thinking of is to have something deployed in the cloud provider that pushes out new credentials to Pulumi service at regular intervals, although I am not sure if that is possible to do?
  • g

    great-smartphone-86927

    11/14/2022, 7:03 PM
    Hey! I've installed the github app but every time I try and link it just sends me back to configure the app. Anyone else having that issue?
  • q

    quaint-hydrogen-7228

    11/15/2022, 10:38 PM
    A question regarding the REST API: If I try to trigger a deployment for a private repository via REST API and use a GitHub personal access token, what permissions are needed for the token? Both for the classic tokens and the new fine-grained tokens? It works fine to run via the classic tokens and if I pick all the repo permissions, but would rather know more in detail what it would need and preferably also for the fine-grained tokens. I could not find that in the docs.
  • b

    billowy-horse-79629

    11/17/2022, 2:40 PM
    Hey moderators, I requested a preview for the Pulumi Deployments, do you think it’ll be an option to get accepted by this weekend? Thank you very much!
  • g

    gifted-cat-49297

    11/28/2022, 10:35 AM
    Hi, is there a plan for supporting Gitlab?
  • f

    fresh-minister-66960

    11/29/2022, 9:00 PM
    Hello, I need some help here. I have started using Deployments REST API but I am getting an error when trying to provision a lambda function in a subaccount. I get this error:
    aws:lambda:Function (XXXXX): 
         error: 1 error occurred: 
         	* error creating Lambda Function (1): AccessDeniedException: 
         	status code: 403, request id: 2224b871-f8fc-43f9-baf5-c62809b1779d
    I am creating a new account in my organization using IAM credentials of an admin user in my main account. Will post the code in a comment here.
  • l

    lemon-agent-27707

    12/13/2022, 7:07 PM
    We're looking for users who are interested in providing feedback on their experience with Deployments. We'll send all participants a Pulumi tshirt. If you're interested, please book a time through https://calendly.com/evan-148/30min-2
  • h

    hallowed-oil-54879

    12/13/2022, 7:55 PM
    hey, I wonder if Deployments and Automation API are compatible? e.g. I want to construct a desired state in my service that leverages Pulumi under the hood and then I want to go to Pulumi dashboard, review the changes and deploy it. It looks like Deployment is executing code itself, but at no point I have a code executable by Pulumi Deployment
  • l

    lemon-agent-27707

    01/05/2023, 4:21 AM
    When the deployment runs, it expects that the workdir has a Pulumi.yaml file in it along with your program. In your example above it looks like your workdir is ‘deployment’ - does that directory exist in your git enlistment and contain a pulumi.yaml file?
  • f

    flat-engineer-30260

    01/05/2023, 5:35 AM
    Hi, I have another question, even if the Secret environment variables are encrypted end-to-end, but Pulumi Service is not a self-host environment, how do you ensure our AWS credential or kubeconfig is secure without storing it somewhere? From our previous experience, we stored our secrets in vault or as secret in kubernetes cluster, CI/CD container read them by secretKeyRef to env, everything stays inside the cluster. What Pulumi deployment does now is to pass them via the environment variable to authenticate with AWS or Kubernetes, is there other recommended way to do authentication? Thx.
  • l

    lemon-agent-27707

    01/06/2023, 3:48 AM
    We just shipped a Deployments OIDC integration to enable short term, deployment scoped credentials with AWS, GCP, and Azure. https://github.com/pulumi/service-requests/issues/144 See the user guide here: https://www.pulumi.com/docs/guides/oidc/ as well as examples in the REST API documentation: https://www.pulumi.com/docs/reference/deployments-rest-api/#operationcontext OIDC can be configured within the console for push to deploy, and can be used directly with the REST API. Looking forward to feedback!
  • f

    flat-engineer-30260

    01/06/2023, 10:48 AM
    Hi, How do we correctly import kubeconfig of external kubernetes which isn't created via pulumi into pulumi deployment container? We had tried to put kubeconfig content as environment variable KUBECONFIG, it doesn't work. In the meantime,
    pulumi config set --secret kubernetes:kubeconfig   --path ~/.kube/config
    , something like this, it won't load the file content. The only way that worked is to read it from the local file
    pulumi_k8s = kubernetes.Provider("pulumi_k8s", kubeconfig=(lambda path: open(path).read())("kubeconfig"))
    , but it is not secure to store kubeconfig file in github.
  • l

    lemon-agent-27707

    01/09/2023, 10:10 PM
    https://pulumi-community.slack.com/archives/CB36DSVSA/p1673302170382629
  • a

    adorable-area-51412

    01/20/2023, 4:05 PM
    Hi team! How can I get access to pulumi deployments?
  • e

    eager-keyboard-30823

    02/16/2023, 1:13 PM
    Hey, I’m having a bit of trouble understanding how to enable deployments for our organization. Is it in public preview or do we still need to be granted access somehow? The registration link just redirects to a generic documentation page about Deployments.
  • e

    eager-keyboard-30823

    02/21/2023, 2:02 PM
    Hey, when using OIDC with GCP, what kind of credentials are stored in GOOGLE_CREDENTIALS? Trying to figure out how to login to the docker registry on the deployment runner.
  • n

    nice-rain-32013

    02/22/2023, 11:47 AM
    Hello all, I'm trying to trigger some deployments but keep getting "400 Bad Request: ssh private key cannot be empty" (using sshAuth with a passwordless key for github - for testing). I followed the doc carefully and the privateKey.secret field is definitely not empty, so I'm puzzled. Any clues? Specific format for the key that I should use?
  • l

    limited-account-35949

    02/23/2023, 1:57 PM
    Hi. I apologise up front if this is an oft-asked question but I can't seem to find an answer. How do I get the Deploy button to appear in the Console? I'd like to try out the functionality but I don't see the Deploy button in the console, and from the announcement it looks like Deployments is out of the closed-preview phase. My code lives in BitBucket rather than GitHub; however, from the Docs (and from what I've seen from Searching) it appears that GitHub is an option rather than a requirement. Is that right? If you can use Deployments without GitHub, is there something special I need to do in order to enable it? Thanks in advance.
  • s

    sparse-intern-71089

    03/02/2023, 11:27 AM
    This message was deleted.
  • r

    rhythmic-traffic-52280

    03/02/2023, 8:09 PM
    Hello! I was testing the new Pulumi Deployments feature and now I would like to remove it again from the stack. But if I hit the button Clean all deployment settings (at the bottom of the Deploy settings section), I get a 405 error response and an error message Failed to clear your deployment settings. Can someone help me to clear these settings?
  • d

    dry-journalist-60579

    03/14/2023, 9:47 PM
    Ok so it’s me again… posted in #getting-started before not realizing this channel exists… I’m trying to get deployments to run with Poetry. I’d like to not specify
    runtime:
      name: python
      options:
        virtualenv: venv
    in my Pulumi.yaml because locally we use
    poetry run pulumi up
    and poetry uses the correct virtualenv automatically. Side note: we are using a custom docker image for deployments because we’re using python 3.10 so I built one:
    # based on https://github.com/pulumi/pulumi-docker-containers/blob/main/docker/pulumi/Dockerfile
    
    FROM python:3.10-slim
    
    RUN apt-get update -y && \
      apt-get install -y \
      curl
    
    # Passing --build-arg PULUMI_VERSION=vX.Y.Z will use that version
    # of the SDK. Otherwise, we use whatever get.pulumi.com thinks is
    # the latest
    ARG PULUMI_VERSION
    
    # Install the Pulumi SDK, including the CLI and language runtimes.
    RUN curl -fsSL https://get.pulumi.com/ | bash -s -- --version $PULUMI_VERSION
    
    # Install Poetry
    ENV POETRY_HOME=/usr/local
    RUN curl -sSL https://install.python-poetry.org | python3 -
    
    # Create wrappers such that pulumi commands always run with poetry
    COPY ./create-poetry-wrappers.sh /usr/local/bin
    RUN create-poetry-wrappers.sh
    
    ENTRYPOINT ["/bin/bash", "-c"]
    CMD [ "/bin/bash" ]
    I thought that I could create some wrapper scripts to force poetry run … on pulumi, but it seems like the /pulumi-deploy-executor is not ? somehow? using the pulumi located in the container’s $PATH?
  • d

    dry-journalist-60579

    03/15/2023, 4:02 PM
    Has anyone run into
    GitHub rate limit exceeded, try again in 23.838081389s. You can set GITHUB_TOKEN to make an authenticated request with a higher rate limit.
    ? I’m seeing this at the end of my deployment runs that I trigger manually from the UI
  • d

    dry-journalist-60579

    03/16/2023, 4:25 PM
    Security question… is it a terrible idea to trust the Role that Pulumi Deployments uses to assume a role that has Admin privileges in an AWS account?
b

billowy-army-68599

03/16/2023, 6:08 PM
the reality of IaC is that it needs to be a highly privileged role to achieve everything it needs to. Creating resources with Pulumi usually needs a lot of permissions.
You can create a role with lower scope using iamlive https://github.com/iann0036/iamlive which is less privileged
regarding trusting the role with admin, OIDC means that the pulumi deployment runner only gets temporary credentials which expire on each run, it’s largely a case of “it depends” if you trust that
d

dry-journalist-60579

03/16/2023, 6:15 PM
thank you—yeah this is how I’ve been thinking about it… the ROI on granular permissions seems low right now as it’s going to be tedious to lock down the role permissions especially as we iterate on our stacks
l

lemon-agent-27707

03/16/2023, 6:53 PM
Deployments run on single use VMs and compute and storage are never shared across runs. We designed our architecture to maximize isolation. In addition, OIDC does allow you to fine tune things like credential lifetime and expiry. In the future, we will offer the ability to host your own deployment runners.
d

dry-journalist-60579

03/16/2023, 6:57 PM
oh, nice!
thank you for the context!