pulumi-community #python

agreeable-king-2755

03/18/2022, 2:54 PM

Hey folks, I'm about to port this to Python so I can run one-off tasks like database (Alembic) migrations against our RDS instance: https://github.com/sevenwestmedia-labs/pulumi/tree/master/packages/run-fargate-task But I was wondering if anyone already has a recipe for this somewhere? Cheers 👍

dazzling-angle-45051

03/23/2022, 8:19 PM

Hey there! How can I make sure in a

ComponentResource

that another type of resource will always be created by Pulumi before? I can use

depends_one

, but it's quite verbose and I would like to find a better way for the end user. To clarify, the

ComponentResource

I'm writing is for deploying a bunch of Kubernetes resources, and I would like to make sure that

pulumi_kubernetes.core.v1.Namespace

are applied first. Thanks in advance! 🙏

dazzling-angle-45051

03/23/2022, 8:36 PM

too bad Pulumi doesn't support context managers, something like this would have been awesome:

Copy code

with kubernetes.core.v1.Namespace(project):
    acme_corp.MyResource(f"{project}-{stack}-myresource")

breezy-painter-29573

03/28/2022, 3:01 AM

Hi everyone. With the code snippet below I am trying to achieve creation of aws subnets with specific CIDR addresses blocks in each available Availability Zone.

Copy code

for i, az in enumerate(azs):
            subnet = aws.ec2.Subnet(
                resource_name=f"public-{i}",
                vpc_id=vpc.id,
                availability_zone=az,
                cidr_block=vpc.cidr_block.apply(lambda cidr_block: ip_network(cidr_block).subnets(new_prefix=27)[i]),
                tags=tags,
            )
            subnets.append(subnet)

but it fails with the

TypeError: 'generator' object is not subscriptable

. Which, probably makes sense. I just can’t find a way to do it in a for loop. Thank you in advance! P.S.

ip_network

is a function for

netaddr

incalculable-whale-36468

03/28/2022, 9:24 PM

Hey guys! I need to use a secret inside a template string. For example:

Copy code

my_template = "my secret: {my_secret}"
my_secret = config.require_secret('my_secret')
foo = my_template.format(my_secret=my_secret)

This will result in the following output:

Copy code

my secret: <pulumi.output.Output object at 0x7f02baf74b80>

I tried using apply, and even Output.all, like follows:

Copy code

foo = my_template.format(my_secret=my_secret.apply(lambda current_secret: current_secret))

But it will give me the same result. What am I missing here?

stocky-xylophone-20575

04/03/2022, 7:50 PM

Hi all, need help in importing a rds parameter group and modifying it, currently i am trying to write a inline pulumi program, can you please help me in giving any pointers i am doing it like this

Copy code

parameter_group = aws.rds.ParameterGroup(parameter_group_name,
                                             family=rds_family,
                                             opts=ResourceOptions(import_=parameter_group_name))

but coming out to

inputs to import do not match the existing resource

even though parameter group name is same i also tried to user

aws.rds.ParameterGroup.get()

but it is asking for id which is not present in case of parametergroups , we only have name for a parameter group

alert-raincoat-81485

04/05/2022, 1:32 AM

Hello team. I am trying to follow the example where i want to use

args[FilsSystemArgs]

but it seems not valid. Can someone guide me over? https://www.pulumi.com/registry/packages/aws/api-docs/efs/filesystem/

Copy code

foo = aws.efs.FileSystem(
    "efs_filesystem", 
    resource_name="efs",
    args=[aws.efs.FileSystemArgs()]
})

able-thailand-87943

04/05/2022, 3:23 PM

Hello Folks, I have a weird problem... I've written some tests for pytest, and when I execute the test with the file, it works fine...

py.test -v tests/test_foobar.py

But if I run it without explicit providing the file name, to make sure it runs all tests under

tests

, it bombs with the error: pulumi.errors.RunError: Program run without the Pulumi engine available; re-run using the
pulumi
CLI Does anyone have any suggestions to fix this?

curved-morning-41391

04/05/2022, 10:09 PM

Hey odd question, it would be really awesome if instead of

pulumi up

I could do this from within my python program like

pulumi.up()

anyone aware if there is a way to do that, or if folks have thought of this?

alert-raincoat-81485

04/08/2022, 4:58 PM

Hello Team, I am trying to add EFS DNS name to the parameter store but The value of the parameter store is registering as Pulumi object. Is there any way we can register actual dns name (str) instead pulumi object?

Copy code

efsFileSys = aws.efs.FileSystem( 
    resource_name=stackname+'-'+'efs',
    args=aws.efs.FileSystemArgs(
        encrypted='true',
        kms_key_id='<kms-arn>',
        performance_mode="maxIO",
        tags={
                "Name": stackname + '-' + 'fs'
            },
    )
)

efsParame=aws.ssm.Parameter(
    str(stackname)+'-'+'efs_parameter',
    type='String',
    name="efs_parameter",
    value=str(efsFileSys.dns_name),
)

Output

Copy code

Parameter store value: 	<pulumi.output.Output object at 0x10xxxx>

calm-megabyte-11174

04/11/2022, 2:18 AM

I need some help here: My code snippet is below, from pulumi website:

Copy code

"""A Python Pulumi program"""

import pulumi
from pulumi_azure_native import storage
from pulumi_azure_native import resources

resource_group = resources.ResourceGroup("aa-msdn-rg-pulumi")
account = storage.StorageAccount('sa',
    resource_group_name = resource_group.name,
    sku = storage.SkuArgs(
        name = storage.SkuArgs.STANDARD_LRS,
        ),
        kind = storage.kind.STORAGE_V2)

primary_key = storage.list_storage_account_keys_output(
    resource_group_name = resource_group.name,
    account_name = account.name
    ).accountKeys.keys[0].value

pulumi.export("primary_storage_key",primary_keycdpu)

I get error as below:

Copy code

File "C:\OnlyOnMyPC\my-training\awesomeazure\.\__main__.py", line 4, in <module>
        from pulumi_azure_native import storage
    ModuleNotFoundError: No module named 'pulumi_azure_native'
    error: an unhandled error occurred: Program exited with non-zero exit code: 1

Yes and I have installed the package as well but still no luck ?

Copy code

PS C:\OnlyOnMyPC\my-training\awesomeazure> pip install pulumi_azure_native
Defaulting to user installation because normal site-packages is not writeable
Requirement already satisfied: pulumi_azure_native in c:\users\aagashe002\appdata\roaming\python\python310\site-packages (1.62.0)
Requirement already satisfied: parver>=0.2.1 in c:\users\aagashe002\appdata\roaming\python\python310\site-packages (from pulumi_azure_native) (0.3.1)
Requirement already satisfied: pulumi<4.0.0,>=3.0.0 in c:\users\aagashe002\appdata\roaming\python\python310\site-packages (from pulumi_azure_native) (3.28.0)
Requirement already satisfied: semver>=2.8.1 in c:\users\aagashe002\appdata\roaming\python\python310\site-packages (from pulumi_azure_native) (2.13.0)
Requirement already satisfied: attrs>=19.2 in c:\users\aagashe002\appdata\roaming\python\python310\site-packages (from parver>=0.2.1->pulumi_azure_native) (21.4.0)
Requirement already satisfied: six~=1.13 in c:\users\aagashe002\appdata\roaming\python\python310\site-packages (from parver>=0.2.1->pulumi_azure_native) (1.16.0)
Requirement already satisfied: arpeggio~=1.7 in c:\users\aagashe002\appdata\roaming\python\python310\site-packages (from parver>=0.2.1->pulumi_azure_native) (1.10.2)
Requirement already satisfied: pyyaml>=5.3.1 in c:\users\aagashe002\appdata\roaming\python\python310\site-packages (from pulumi<4.0.0,>=3.0.0->pulumi_azure_native) (6.0)
Requirement already satisfied: protobuf>=3.6.0 in c:\users\aagashe002\appdata\roaming\python\python310\site-packages (from pulumi<4.0.0,>=3.0.0->pulumi_azure_native) (3.20.0)
Requirement already satisfied: dill>=0.3.0 in c:\users\aagashe002\appdata\roaming\python\python310\site-packages (from pulumi<4.0.0,>=3.0.0->pulumi_azure_native) (0.3.4)
Requirement already satisfied: grpcio<1.44.0,>=1.33.2 in c:\users\aagashe002\appdata\roaming\python\python310\site-packages (from pulumi<4.0.0,>=3.0.0->pulumi_azure_native) (1.43.0)

My Python path is already in Environment variable: ``````

calm-megabyte-11174

04/11/2022, 2:24 AM

fast-spoon-69536

04/22/2022, 2:13 PM

Hello, I could use some help here. I'm not sure what is happening. The issue almost seems like a bug. I'm running latest pulumi version. The vpc in question does exist egress_vpc: vpc-03b6755e47c26a69f. I tried setting various combinations of the depends_on. But this doesn't seem to change the outcome.

Copy code

# failure if I exclude the local route
  egress_vpc_fw_public_subnet_rtb = aws.ec2.RouteTable(custom_tags['Name'],
        vpc_id=egress_vpc.id,
        routes=[
        aws.ec2.RouteTableRouteArgs(cidr_block="0.0.0.0/0",gateway_id=egress_igw.id)
        ],
       
        tags=custom_tags,
        opts=ResourceOptions(depends_on=[tgw, egress_igw],parent=egress_vpc)) 



 aws:ec2:RouteTable (egress_vpc_fw_public_subnet_us_east_2_rtb):
    error: 1 error occurred:
        * updating urn:pulumi:dev::transitgateway::aws:ec2/vpc:Vpc$aws:ec2/routeTable:RouteTable::egress_vpc_fw_public_subnet_us_east_2_rtb: 1 error occurred:
        * error deleting Route in Route Table (rtb-08121bf0496297bff) with destination (10.31.0.0/16): InvalidParameterValue: cannot remove local route 10.31.0.0/16 in route table rtb-08121bf0496297bff
        status code: 400, request id: fc0dcdd7-ce6f-4ec8-92e7-250c268c4933





# failure if I add the local route

egress_vpc_fw_public_subnet_rtb = aws.ec2.RouteTable(custom_tags['Name'],
        vpc_id=egress_vpc.id,
        routes=[
        aws.ec2.RouteTableRouteArgs(cidr_block="0.0.0.0/0",gateway_id=egress_igw.id),
	aws.ec2.RouteTableRouteArgs(cidr_block=egress_vpc.cidr_block,local_gateway_id=egress_vpc.id)
        ],
       
        tags=custom_tags,
        opts=ResourceOptions(depends_on=[tgw, egress_igw],parent=egress_vpc))

error: 1 error occurred:
        * updating urn:pulumi:dev::transitgateway::aws:ec2/vpc:Vpc$aws:ec2/routeTable:RouteTable::egress_vpc_fw_public_subnet_us_east_2_rtb: 1 error occurred:
        * error creating Route in Route Table (rtb-08121bf0496297bff) with destination (10.31.0.0/16): InvalidLocalGatewayID.Malformed: Invalid id: "vpc-03b6755e47c26a69f"
        status code: 400, request id: 3e59a09d-b7b7-4dfa-b46d-ae0caf214ee7

quick-telephone-15244

04/29/2022, 3:26 PM

👋

quick-telephone-15244

04/29/2022, 3:27 PM

I'm working to integrate mypy into my Pulumi codebase and I'm wondering if anyone can share/point me to some "Best Practices" MyPy configs specifically for Pulumi?

quick-telephone-15244

04/29/2022, 3:28 PM

I think the

disallow_any_*

config options might be a bit much?

bitter-horse-93353

05/02/2022, 6:02 PM

Question: do people import resources from pulumi stacks in scripts/code? I.e.

Copy code

# mypulumi/__main__.py
bucket = aws.s3.Bucket("bucket")

# myscript.py
from mypulumi import bucket
import boto3

bucket = boto3.client('s3').Bucket(bucket.id)  # use the value from the pulumi stack script

Trying to understand if this is a support/common use case and what the best practices around this are. It feels like one benefit of having the definitions in python would be accessing them in various places and knowing that the IDs/ARNs/etc. will always match correctly.

wide-xylophone-60952

05/03/2022, 8:37 AM

Hello All

👋 1

quick-telephone-15244

05/04/2022, 2:08 PM

Hi all, I'm running up against an issue using the AWS EKS package from the repo, specifically that I need to modify the policyArn of a

aws:iam/rolePolicyAttachment:RolePolicyAttachment

however when i attempt to apply a transformation at the stack level via

pulumi.runtime.register_stack_transformation

I'm not seeing the

type_

aws:iam/rolePolicyAttachment:RolePolicyAttachment

within my transformation function?

quick-telephone-15244

05/04/2022, 2:09 PM

FWIW this is the

<http://pulumi.info|pulumi.info>

output of every

type_

I see within the function:

Copy code

TYPE: aws:ec2/securityGroup:SecurityGroup
    TYPE: aws:kms/key:Key
    TYPE: aws:iam/role:Role
    TYPE: eks:index:Cluster
    TYPE: aws:ec2/securityGroup:SecurityGroup
    TYPE: aws:eks/cluster:Cluster
    TYPE: kubernetes:core/v1:ConfigMap
    TYPE: aws:ec2/securityGroupRule:SecurityGroupRule
    TYPE: aws:ec2/securityGroup:SecurityGroup
    TYPE: aws:ec2/securityGroup:SecurityGroup
    TYPE: pulumi:providers:kubernetes
    TYPE: aws:eks/cluster:Cluster
    TYPE: eks:index:VpcCni
    TYPE: aws:iam/openIdConnectProvider:OpenIdConnectProvider
    TYPE: aws:ec2/securityGroup:SecurityGroup
    TYPE: aws:ec2/securityGroupRule:SecurityGroupRule
    TYPE: pulumi:providers:kubernetes

quick-telephone-15244

05/04/2022, 2:12 PM

this is the plan created from `pulumi preview --logtostderr`:

Copy code

+   pulumi:pulumi:Stack                   
 +   ├─ aws:ec2:SecurityGroup             
 +   ├─ aws:kms:Key                       
 +   ├─ aws:iam:Role                      
 +   └─ eks:index:Cluster                 
 +      ├─ eks:index:ServiceRole          
 +      │  ├─ aws:iam:Role                 
 +      │  ├─ aws:iam:RolePolicyAttachment 
 +      │  ├─ aws:iam:RolePolicyAttachment 
 +      │  └─ aws:iam:RolePolicyAttachment 
 +      ├─ aws:eks:Cluster                 
 +      ├─ pulumi:providers:kubernetes     
 +      ├─ pulumi:providers:kubernetes     
 +      ├─ aws:ec2:SecurityGroup           
 +      ├─ eks:index:VpcCni                
 +      ├─ aws:ec2:SecurityGroupRule       
 +      ├─ aws:ec2:SecurityGroupRule       
 +      ├─ aws:ec2:SecurityGroupRule       
 +      ├─ aws:ec2:SecurityGroupRule       
 +      ├─ aws:ec2:SecurityGroupRule       
 +      ├─ aws:iam:OpenIdConnectProvider   
 +      └─ kubernetes:core/v1:ConfigMap

quick-telephone-15244

05/04/2022, 2:36 PM

the other thing that i'm kinda scratching my head about is even though i'm specifying

service_role

as a cluster creation arg. along with

skip_default_node_group=True

, those managed policies are still attempting to be attached.. shouldn't the

service_role=<aws.iam.Role obj.>

arg. prevent default role/managed policy attachment in favor of what was provided by

service_role

? Or am I misunderstanding

service_role

entirely?

brave-processor-54742

05/05/2022, 9:11 AM

Hi everyone! 👋 Would someone have an idea on how to call a bash script in the

user_data

parameter, instead of writing a long string inside the code? I would like to use this bash script to add key pairs to my instances, because writing those inside the code looks tidy. Thanks! 🤸‍♂️

great-sunset-355

05/06/2022, 7:22 AM

Hi I think I hit some weird bug with

rolePolicyAttachment:RolePolicyAttachment

I had a role assigned to 2 ECS tasks and it had 3 policy attachments

Copy code

import pulumi_aws as aws

role = iam.Role("role")  # dummy role

for idx, arn in enumerate(
        [
            "arn:aws:iam::aws:policy/AmazonSESFullAccess",
            "arn:aws:iam::aws:policy/AmazonSageMakerFullAccess",
            "arn:aws:iam::aws:policy/AmazonS3FullAccess",
        ]
    ):
        aws.iam.RolePolicyAttachment(
            f"{self._config.name}-{idx}-app-role-extension",
            args=aws.iam.RolePolicyAttachmentArgs(policy_arn=arn, role=role.id),
            opts=self._opts,
        )
        aws.iam.RolePolicyAttachment(
            f"{self._config.name}-{idx}-scheduler-role-extension",
            args=aws.iam.RolePolicyAttachmentArgs(
                policy_arn=arn, role=role.id
            ),
            opts=self._opts,
        )

Later on I decided to add 1 more Policy attachment and limit some Full access policies to necessary permissions.

Copy code

import pulumi_aws as aws

role = iam.Role("role")  # dummy role
ses_policy = aws.iam.Policy("ses-pol")
s3_policy = aws.iam.Policy("s3-pol")
lambda_invoke_policy = aws.iam.Policy("lambda-pol")

for idx, arn in enumerate(
        [
            ses_policy.arn,
            lambda_invoke_policy.arn,
            "arn:aws:iam::aws:policy/AmazonSageMakerFullAccess",
            s3_policy.arn,
        ]
    ):
        aws.iam.RolePolicyAttachment(
            f"{self._config.name}-{idx}-app-role-extension",
            args=aws.iam.RolePolicyAttachmentArgs(policy_arn=arn, role=role.id),
            opts=self._opts,
        )
        aws.iam.RolePolicyAttachment(
            f"{self._config.name}-{idx}-scheduler-role-extension",
            args=aws.iam.RolePolicyAttachmentArgs(
                policy_arn=arn, role=role.id
            ),
            opts=self._opts,
        )

This has caused a weird state, that Pulumi state shows that the

PolicyAttachment

"arn:aws:iam::aws:policy/AmazonSageMakerFullAccess",

exists but the final IAM role did not have the policy. After changing the order to cause an update, IAM role gained the policy. And after deploying to another environment the problem was back. What is going on here? Am I being tricked by some async anomaly? Note:

pulumi up

is running in a CI pipeline, do I need to run

pulumi refresh

there as well?

brave-processor-54742

05/10/2022, 9:27 AM

Hi all! 👋 When doing pulumi up i am getting this error:

Copy code

ImportError: dlopen(/infrastructure/venv/lib/python3.10/site-packages/grpc/_cython/cygrpc.cpython-310-darwin.so, 0x0002): tried: '/infrastructure/venv/lib/python3.10/site-packages/grpc/_cython/cygrpc.cpython-310-darwin.so' (mach-o file, but is an incompatible architecture (have 'x86_64', need 'arm64e'))
    It looks like the Pulumi SDK has not been installed. Have you run pip install?
    If you are running in a virtualenv, you must run pip install -r requirements.txt from inside the virtualenv.

Someone experienced that also? Thanks a lot!

strong-intern-84363

05/13/2022, 11:14 PM

Hey lovely community ! Can someone help me to understand this ? Let’s imagine that I have a piece of code that creates a GCP service account, a custom role (both works fine) and a IAM Binding to assign this role to this service account (this one fails) Here is my IAM binding call

Copy code

sarolebinding = gcp.projects.IAMBinding(
            f"sa-role-binding-{self.projectName}-owner",
            role=self.role,
            project=self.project.name,
            members=[f"serviceAccount:{self.service_account.email}"],
        )
        return sarolebinding

This fails with the following error

Copy code

Request `Set IAM Binding for role "projects/app-burger-nonprod-wzj/roles/projectOwner" on "project \"app-burger-nonprod-wzj\""` returned error: Error applying IAM policy for project "app-burger-nonprod-wzj": Error setting IAM policy for project "app-burger-nonprod-wzj": googleapi: Error 400: Invalid service account (<pulumi.output.Output object at 0x7fbf29648640>)., badRequest

Looks like the service_account.email field is wrong. How can I refer to the email of the newly created service account and use it as the value of the members arguments ? Thanks for reading, have a nice day.

able-oyster-47333

05/15/2022, 6:09 PM

hello, I used the for loop in pulumi-python's automation-api to define resources, and found that subnets can always only create one. Do I need to use special definitions to create multiple resources?

👀 1

hallowed-australia-10473

05/17/2022, 3:16 AM

I’m trying to use Python to instantiate some resources on DigitalOcean. The problem is that I’m using an M1 Mac. When I try to import pulumi, I get an error:

Copy code

ImportError: dlopen(/blah/venv/lib/python3.9/site-packages/grpc/_cython/cygrpc.cpython-39-darwin.so, 0x0002): tried: '/blah/venv/lib/python3.9/site-packages/grpc/_cython/cygrpc.cpython-39-darwin.so' (mach-o file, but is an incompatible architecture (have 'x86_64', need 'arm64e'))

How do I get past this?

square-dress-80180

05/19/2022, 12:41 AM

I have had a couple times run into an issue where my call to

<stackname>.get_output('foo')

silently fails and I only find out when some resource mysteriously isn’t configured correctly. The root of the error is me doing something silly like misspelling the variable name and I usually find it in not too long, but it would certainly make it easier to catch if the failure wasn’t silent. What is the rationale for not throwing an error during preview to prevent these issues?

many-secretary-62073

05/23/2022, 7:10 PM

I am trying to follow along with the example here to create Azure Container Apps. My experience does not match with the expectation of that example. On line 24 a “type” parameter is specified, but the

KubeEnvironmentArgs

doesn’t actually allow that field. Additionally, there is no setter for the “type” property, so I cannot set the value after init either. In the end, I get this error response:

Copy code

azure-native:web/v20210301:KubeEnvironment (env):
    error: Code="BadRequest" Message="KubeEnvironment is invalid.  Must specify either AksResourceID or ArcConfiguration or 'type' must be 'Managed'." Details=[{"Message":"KubeEnvironment is invalid.  Must specify either AksResourceID or ArcConfiguration or 'type' must be 'Managed'."},{"Code":"BadRequest"},{"ErrorEntity":{"Code":"BadRequest","ExtendedCode":"51021","Message":"KubeEnvironment is invalid.  Must specify either AksResourceID or ArcConfiguration or 'type' must be 'Managed'.","MessageTemplate":"{0} is invalid.  {1}","Parameters":["KubeEnvironment","Must specify either AksResourceID or ArcConfiguration or 'type' must be 'Managed'."]}}]

How can I provide this value?