I am trying to implement Crossguard here, my use case is to block any resource deletion or IAM rules changes. Is there a way to allow human review on the Pulumi plan result and decide approve or reject? From the examples given in the website, it seems that the only way to get rid of the error is to remove the code changes completely

Suppose if I don't subscribe to Pulumi Business Critical plan, does it mean the policy check will be done locally for which the

--policy-pack <path-to-policy-pack-directory>

has to be supplied in the pulumi up command? In this case, seems like anyone can just alter the policies in the directory and then get their changes applied? Secondly, it seems that the Github Actions for Pulumi doesn't support policy-pack option yet, which means the policy won't be able to be enforced if the workflow is executed via Github Actions?

The current release version of the pulumi sdk (3.11.2) contains protobufjs which is affected by https://security.snyk.io/vuln/SNYK-JS-PROTOBUFJS-2441248 Currently the code on master does not contain this vulnerability, is there any chance for a release soon to patch this?

Hello i have pulumi.ComponentResource called(Application) defined in a git repo A i want to import that ComponentResource into git repo B something like import { Application} from "git repo ";

Anyone work with Databricks yet? I'm getting the following error

cannot create mws vpc endpoint: ENDPOINT_NOT_FOUND: Invalid endpoint

for my vpc, when using

databricks.MwsVpcEndpoint()

... but that same endpoint works with

aws.ec2.VpcEndpoint.get()

Apologies if I'm doing something really dumb here, but I'm trying to create a

k8s.Provider

with a

kubeconfig

that is an

Output<string>

(from a kubernetes cluster dynamic resource). The

k8s.Provider

seems to accept a type

Input<string>

for

kubeconfig

but when I then try to use this provider with a

k8s.yaml.ConfigFile

, I get the error:

error: TypeError: Cannot read property 'map' of undefined

from

@pulumi\yaml\yaml.ts:2993:14

. The problem goes away if I use a

string

for

kubeconfig

instead, but I can't do that in this case because the cluster isn't created yet. It looks like I could work around this by putting this all in an

.apply

, but then I'm allocating resources in an apply which seems like a bad idea? Is this possible to do/am I doing something wrong?

am I missing something, or is the digitalocean VolumeAttachmentArgs just wrongly typed? droplet IDs seem to be strings, but this demands a number

I use an AWS ec2 instance as my workstation, it has 2GiB memory, but node is using all of it when I run pulumi up which is causing the box to lock-up as there is no swap. I can increase the instance size and/or add a swap drive to it, but is this normal? I didn't expect composing some yaml to stuff in to an api to use that much memory.

anyone else face this? https://github.com/pulumi/pulumi-kubernetes-ingress-nginx/issues/13

I ended up installing a helm release instead

Hey everyone 👋 . Apologies in advance if this isn't exactly the right channel to share this in. If you've been wishing for typesafe `StackReference`s, this post might be of some use: https://ersenal.com/posts/pulumi-micro-stack/

hello friends, I've got this weird error trying to pull an image from docker via pulumi

// index.ts
const image = new docker.RemoteImage("ubuntuimage", {
  name: "ubuntu:latest"
});

const container = new docker.Container(`node-${args.nodeNum}`, {
      image: image.id,
});

error

docker:index:Container (node-0):
    error: 1 error occurred:
        * Unable to create container with image sha256:27941809078cc9b2802deb2b0bb6feed6c236cde01e487f200e24653533701eeubuntu:latest: unable to pull image sha256:27941809078cc9b2802deb2b0bb6feed6c236cde01e487f200e24653533701eeubuntu:latest: error pulling image sha256:27941809078cc9b2802deb2b0bb6feed6c236cde01e487f200e24653533701eeubuntu:latest: invalid reference format

the sha is getting concated with the image name and screwing everything up

Hey awesome Pulumi people! 👋 I'd really like to set a specific provider (so I can specify a region) for a aws.lambda.CallBackFunction, but that doesn't seem to be allowed? Am I holding it wrong?

requestsSns.onEvent(`foo-runner-${region}`, new aws.lambda.CallbackFunction(`foo-runner-func-${region}`, {
    callback: async (ev, ctx) => { ... },
    runtime: "nodejs14.x",
    provider: provider,
}));

Hi foks Can anyone give me a tip how to get around this 403

pulumi plugin install resource aws v2.13.1
[resource plugin aws-2.13.1] installing
error: [resource plugin aws-2.13.1] downloading from : 403 HTTP error fetching plugin from <https://get.pulumi.com/releases/plugins/pulumi-resource-aws-v2.13.1-darwin-arm64.tar.gz>

Hey pulumi gang, I’m hoping someone has an explanation for some weird output issue I’m seeing with my example stack below:

import * as pulumi from "@pulumi/pulumi";
import * as gcp from "@pulumi/gcp";
import * as k8s from "@pulumi/kubernetes";

let config = new pulumi.Config();

const dbUser = new gcp.sql.User(
    "users",
    {
        name: "testUser",
        instance: "my-instance",
        password: config.requireSecret("secret-db-password"),
    }
);

const deployment = new k8s.apps.v1.Deployment("my-test-app", {
    apiVersion: "apps/v1",
    kind: "Deployment",
    metadata: {
        name: "my-test-app",
    },
    spec: {
        selector: {
            matchLabels: {
                app: "my-test-app",
            },
        },
        template: {
            spec: {
                containers: [
                    {
                        env: [
                            {
                                name: "SECRET_DB_PASS",
                                value: config.requireSecret("secret-db-password"),
                            },
                        ],
                        name: "my-test-app",
                    },
                ],
            },
        },
    },
});

export const databaseUser = dbUser.name;
export const deploymentName = deployment.metadata.name;

I’m trying to figure out why the

deploymentName

output is marked as

[secret]

while the

databaseUser

output isn’t. My original assumption was that Pulumi’s

Output

unwrapping might just be marking things as secret if they’re constructed with a secret (

config.requireSecret("secret-db-password")

in this case), however this doesn’t seem to be the case given that the

databaseUser

output isn’t marked as

[secret]

. Any idea what might be happening here? Is this behaviour unique to the output of kubernetes deployments?

Hi, I'm trying to create a VPC via Crosswalk, to use with a new EKS cluster. However the example code from the docs doesn't compile:

import * as awsx from "@pulumi/awsx";
import * as eks from "@pulumi/eks";

// Create a VPC for our cluster.
const vpc = new awsx.ec2.Vpc("my-vpc");

It does compile if I pass some basic config, such as explicitly setting the

cidrBlock

argument to what it's supposed to default to

const vpc = new awsx.ec2.Vpc("my-vpc", { cidrBlock: "10.0.0.0/16" });

Hello I’m aws able to create a cluster linode k8s cluster but now I’m getting this error when I try to use the kubeconfig on the next steps:

error: configured Kubernetes cluster is unreachable: failed to parse kubeconfig data in `kubernetes:config:kubeconfig`- couldn't get version/kind; json parse error: json: cannot unmarshal string into Go value of type struct { APIVersion string "json:\"apiVersion,omitempty\""; Kind string "json:\"kind,omitempty\"" }

This is the code that creates the cluster:

const procCluster = new linode.LkeCluster(label(date), {
    k8sVersion: "1.23",
    label: date,
    pools: [{
        count: 3,
        // <https://api.linode.com/v4/linode/types>
        type: "g6-standard-2",
    }],
    region: "us-central",
    tags: ["prod"],
});

and where I try to use the kubctl on the provider:

const lkeProvider = new k8s.Provider("date", {
    kubeconfig: procCluster.kubeconfig
})

Hello Everyone, Is there a way to add a new capacity provider to an ECS cluster backed by ASG to an already existing ecs cluster that has a capacity provider.

👋 Hello, team!

I'm looking for a little help / handholding. I'm wanting to use pulumi to create a stack based on docker-compose using aws fargate and images from a private repository. Has anyone got any samples or tutorials they can point me in the direction of ? There is so many options, and I've tried aws, ecs-cli, co-pilot etc and am hoping the pulumi will be the magic sauce 😉 Most of the samples I've found so far have been for very basic single-image stacks and mine unfortunately is a little more compilcated 😉

I am trying to read data from an external source (I have created earlier in the pipeline) in Typescript and based on that build the pulumi with state (from the external source where I have customers and users) for the resources needed for each user and customer. I will then only call the Pulumi Pipeline when changes happen. Is it possible at all ? I have not gotten it to work but it might be something I am missing. Mainly it is from index.ts call the async function and get that to work. Is there any example of something like this ? #typescript

Hello everyone 👋 I couldn't find example in TS how to set up Route53 / ALB / ECS / Fargate / RDS in VPC with needed SGs. Could anyone share such example?

Using Pulumi Outputs as a string input is breaking my brain... It should be simple and I've tried using concat, interpolate and .apply but nothing seems to allow me to access the string of the output. How do I take an output of a vnet id and pass it as a string to call another class? Here's my code

import * as pulumi from "@pulumi/pulumi";
import { ComponentResource, Input, Output } from "@pulumi/pulumi";
import * as azure_native from "@pulumi/azure-native";
import * as azure from "@pulumi/azure";
import { roleAssignment } from "../roleAssignment/roleAssignment";

let config= new pulumi.Config('env')

export class virtualNetwork {
    constructor(name: string) {
        const dpc_vnet_aue_001 = new azure.network.VirtualNetwork(name+"-aue-"+config.require('index'), {
            addressSpaces:
                config.requireObject(name+'-vnetrange'),
            location: config.require('location'),
            name: name+"-"+config.require('envid')+"-aue-"+config.require('index'),
            resourceGroupName: "dpc-spi-networking-"+config.require('envid')+"-rg-aue-"+config.require('index'),
        }, {
            protect: true,
        });
        const vnet_id = dpc_vnet_aue_001.id
        const aadplatforms_networkContributor = new roleAssignment(name+"aadplatforms_networkContributor", {
            principleId: config.require('aadplatforms'),
            principleType: "Group",
            roleDefinition: config.require('networkContributor'),
            //scope: pulumi.concat `${dpc_vnet_aue_001.id}`,
            //scope: vnet_id,
            scope: dpc_vnet_aue_001.id
        }
        )
    }   
}

I've commented some previous attempts but vscode just tells me that what I'm passing isn't a string.

Hello folks, I need some advice on the right way to use Pulumi

StackReference

My scenario is as follows: 1. I have a base infrastructure project where I have created some common AWS resources like VPC, RDS, Fargate cluster etc. Resource creation is working fine in this base project. The fargate cluster is created like this

// Create new fargate cluster for running containers
export const fargateCluster = new awsx.ecs.Cluster(
  `foo-bar`,
  {
    vpc: vpc,
    securityGroups: [fargateSecurityGroup],
  }
);

2. Now i want to import this Fargate cluster in another Pulumi project so that I can create new Fargate services and task definitions on top this common cluster. I'm doing this to accomplish that

// Get resources from infra-base
const baseInfra = new pulumi.StackReference(
  `blah/blah/blah`
);

// Get fargate cluster from base infra
const fargateCluster = baseInfra.getOutput("fargateCluster");

// Define the fargate service and task definitions
const service = new awsx.ecs.FargateService(`blah blah`, {
  cluster: (fargateCluster as unknown as awsx.ecs.Cluster) || undefined,
  name: `blah blah`,
  desiredCount: 1,
  taskDefinitionArgs: { ... },
  },
});

When i try to do

pulumi up

I get this error

TypeError: this.cluster.autoScalingGroups.map is not a function
        at new Service (/Users/amal/rasa/tooling/infra-app/node_modules/@pulumi/ecs/service.ts:60:55)
        at new FargateService (/Users/amal/rasa/tooling/infra-app/node_modules/@pulumi/ecs/fargateService.ts:216:9)
        at Object.<anonymous> (/Users/amal/rasa/tooling/infra-app/index.ts:103:17)
        at Module._compile (node:internal/modules/cjs/loader:1103:14)
        at Module.m._compile (/Users/amal/rasa/tooling/infra-app/node_modules/ts-node/src/index.ts:439:23)
        at Module._extensions..js (node:internal/modules/cjs/loader:1157:10)
        at Object.require.extensions.<computed> [as .ts] (/Users/amal/rasa/tooling/infra-app/node_modules/ts-node/src/index.ts:442:12)
        at Module.load (node:internal/modules/cjs/loader:981:32)
        at Function.Module._load (node:internal/modules/cjs/loader:822:12)
        at Module.require (node:internal/modules/cjs/loader:1005:19)

What is the right way to do this? Any help is much appreciated.

Anyone have any performance tips for larger stacks? We've got a couple stacks with 1000+ objects with a mix of GCP and K8s objects and running a refresh+up can take 10-15 minutes at this point. Doesn't seem to be specific to certain objects either since all stacks are different. I've run the debug tracing and haven't been able to get much out of that yet.