Hi guys! I want to get a specific certificate from AWS ACM and according to the documentation there is a possibility to specify tags. So tried this:

import * as aws from "@pulumi/aws";

const issued = aws.acm.getCertificate({
    domain: "<http://subdomain.mysite.com|subdomain.mysite.com>",
    tags: {
        Name: "my-speficic-tag-name",
    }
});
export const cert_arn = issued;

An error appears, because I have multiple certificates in AWS ACM for

<http://subdomain.mysite.com|subdomain.mysite.com>

(for example:

<http://dev1.subdomain.mysite.com|dev1.subdomain.mysite.com>

,

<http://dev2.subdomain.mysite.com|dev2.subdomain.mysite.com>

, etc...). Is it possible to make it works? Or filter by additional domain names? In my case I need to get a wildcard certificate

*.<http://subdomain.mysite.com|subdomain.mysite.com>

Thanks!

@little-cartoon-10569 I will start a new thread here. With

awsx.ecs.FargateService

under

FargateTaskDefinitionArgs

then under

Container

you will see an option called Secrets. This type definition can be found under:

<node>@pulumi/aws/ecs/container.d.ts/Secret

. On my file it is around line 198. I will also add my deps here as well so you can get the exact versions. NOTE: I moved pulumi back down( this does not change anything in the code, .40 awsx is the same as 1.0.0 awsx/classic that we talked about yesterday.)

"dependencies": {
    "@pulumi/pulumi": "^3.0.0",
    "@pulumi/aws": "^5.0.0",
    "@pulumi/awsx": "^0.40.0"
  },

Secret interface definition.

export interface Secret {
    /**
     * The name of the secret.
     */
    name: pulumi.Input<string>;
    /**
     * The secret to expose to the container. The supported values are either the full ARN of the
     * AWS Secrets Manager secret or the full ARN of the parameter in the AWS Systems Manager
     * Parameter Store.
     *
     * Note: If the AWS Systems Manager Parameter Store parameter exists in the same Region as the
     * task you are launching, then you can use either the full ARN or name of the parameter. If the
     * parameter exists in a different Region, then the full ARN must be specified.
     */
    valueFrom: pulumi.Input<string>;
}

Previously we used this same concept of secrets inside a .ecs_taskdefinition yaml file and passed in a name and an ARN to a secret value from ssm. I am currently trying to move our infra to pulumi. (I am coming from python to typescript, so assume I know nothing about proper typescript) To make things simple, I will refer to my two projects as infra (all of our share none service specific code goes here) and ms (service level pulumi code that is only meant for that service) on infra we have one stack called base. In this stack a create base common shared secrets, that do not change from environment to environment. I create an ssm entry and set it to the value that is in my pulumi config, then I populate an array of

aws.ecs.Secret

(mentioned above) with the name that I want the variable to be in the container (name) and the arn of the param. I then export this

aws.ecs.Secret[]

for later stack reference. I then do the exact same thing for the envSecrets in infra on the dev stack. These values are things like DB connection strings that need the same variable name in the container, but have different values per env. These values use the env name (dev, stage, prod) so the values can be different per environment. Then I export a similar

aws.ecs.Secret[]

. I now have two different stacks (base and dev) each with different secret arrays on infra. On ms I then import that with a stack reference AS

pulumi.Output<aws.ecs.Secret[])

I do this because later I have to use apply to merge the two arrays together. This is really messy and frankly bad code. It assumes that I will always be handed the proper data, I genericly hate using

as

like this. And then merging the two arrays the way you have to is not ideal. I do it this way though because

FargateTaskDefinitionArgs

/

Container

/

secrets

is expecting only the type of `pulumi.Input<aws.ecs.Secret[]>

const baseSecretArns = baseStackRef.getOutput('baseSecrets') as pulumi.Output<aws.ecs.Secret[]>; //Please don't do this. 
  const envSecretArns = envStackRef.getOutput(`envSecrets`) as pulumi.Output<aws.ecs.Secret[]>;
  
	const secrets: pulumi.Output<aws.ecs.Secret[]> = pulumi
    .all([baseSecretArns, envSecretArns])
    .apply(([base, env]) => {
      return base.concat(env);
    });

The end goal, I would like to have both of the arrays combined on the infra side and stored as an export per environment (dev, stage, prod), that way when I do an env stack reference on ms I will get one big

pulumi.Output<aws.ecs.Secret[]>

that I can just pass into secrets. So every environment will grab the base secrets array that has already been made and add it to their own array. The nice thing here is, when I do the stack reference I will not need to do the as, because pulumi can infere the type when I pass it in. So the code is cleaner and I can avoid that as statement on ms. The challenge that I face is, on infra, when I cam creating the env variables on the dev stack, I can not find a good way to "import" the config values of the base stack. I think I can do a stack reference into my env stack and just pull the base secrets array in. However, that is going to give me a pulumi.Output<T> I am not sure how to pull T out, unless .apply is the right way to do that, then I will just do that. What I mean is, I can not combine pulumi.Output<aws.ecs.Secret[]> with aws.ecs.Secret[]. The type are not compatible. I just thought about this though as I have typed all this out, I am going to have trouble when I update anything in the base stack, EVERY stack in my infra will need to run an update to pull the latest values.... I think I might just need a different way to think about this problem ultimately. Maybe a better route is to keep environment specific variables in ms. This will be annoying because if one of those env specific variables needs updated, like a DB connection string, it is going to have to be updated on every project.

👋 I was wondering how do you package your Lambda’s? I keep hitting the issue with Pulumi not being able to serialize…. is the only way out to bundle things myself and give Puluimi a zip? having to not use dependencies because of this issue is not ideal. I have tried some of the work arounds suggested on some issues, but they don’t always work sad panda

is there a reason

ComponentResourceOptions

which extends

ResourceOptions

doesn't have

deleteBeforeReplace

?

CustomResourceOptions

(which also extends

ResourceOptions

) has it.

I am stumped on this issue. Is it possible to take a value from the config file that is stored as a secret and then later turn the secret into a string so that it can be used inside of a string. In this case, as part of an API endpoint URL? Given what I have read so far, I don't know if Pulumi will allow a secret value to live "in the clear". Examples I can use these two options to successfully convert a non-secret to a string, but they do not work with a secret:

const nonSecret = config.require("non-secret")
const nonSecretString = nonSecret.apply(v => `${v}`);
// or 
const nonSecretString = pulumi.interpolate`${nonSecret}`;

These do not work because apiKey is an Output<T> and errors out when converting to a string:

const apiKey = config.requireSecret("myApiKey")
const apiKeyString = apiKey.apply(v => `${v}`);
// or 
const apiKeyString = pulumi.interpolate`${apiKey}`;

Example of how I need to put the secret into a string:

const newObject = new gcp.pubsub.Subscription("new-sub", {
    topic: existingPubSubTopic.name,
    pushConfig: {
        pushEndpoint: `<https://example.com/api/v2/logs?api-key=${apiKey}&protocol=gcp>`
    },
    project: config.require("gcp-project-id")
});

Hello, I am having an issue creating a secondary TAG on a Docker Image using the new

@pulumi/docker

v4.0.0: The example below shows how to create and push a Docker Image with tag

xyz

, but how can I tag the image with a secondary TAG

latest

?

const demoImage = new docker.Image("demo-image", {
    build: {
        context: ".",
        dockerfile: "Dockerfile",
    },
    imageName: "host/image:xyz"
});

The desired result is to being able to publish both: •

host/image:latest

•

host/image:xyz

I am trying to add annotations to the

ingress-nginx

controller service but running into an issue. I'm getting the following:

Type 'string' is not assignable to type 'Input<{ [key: string]: Input<string>; }>'.

{
        controller: {
          service: {
            type: 'LoadBalancer',
            annotations: {
              "<http://service.beta.kubernetes.io/aws-load-balancer-name|service.beta.kubernetes.io/aws-load-balancer-name>":
                "apps-ingress",
 ...

I am new to Pulumi, and I want to change the apiKey value in Pulumi. prod.yaml. From the Pulumi documentation, I saw that with this command I can change: pulumi config set apiKey "value" --secret. I'm not sure how I should do it. Any help would be appreciated!

@little-cartoon-10569 @astonishing-dentist-11149 I looked into

aws.ecs.Secret

interface and it looks like it is manually maintained https://github.com/pulumi/pulumi-aws/blob/1fc37e531140fd0dfb6b39cbfca9a99dadd19be2/sdk/nodejs/ecs/container.ts#L257 as opposed to automatic generation from the spec like

aws-native

does it. Until now I was not aware of that interface because nothing except

awsx

seems to call it, hence I'd consider it undocumented https://www.pulumi.com/registry/packages/aws/api-docs/ecs/taskdefinition/#containerdefinitions_nodejs This issue supports my theory https://github.com/pulumi/pulumi-aws/issues/2322 about it. @billowy-army-68599 As the author of the issue above, could you please confirm or correct my suspicion?

Hi All 👋 , I'm working on a problem where I am trying to conditionally control the AMI ID that is used to create an EC2 instance in my Pulumi program (typescript). If the stack already contains an EC2 instance with a name, then I want to just use the AMI ID that is already used by that instance, but if this program is running for the fist time I want to lookup and use the latest AMI ID from AWS. I've been googling around and experimenting with StackReference, but I can't seem to figure out how this should work. Ultimately this approach is in order to prevent the EC2 instance from being recreated because a new AMI is available other than the one that was originally used. Are there concepts/approaches I should know more about to make this work? Thanks

I am having trouble escaping a single backslash for a UNC path.

export const var = pulumi.concat("\\", storageAccount.name, ".<http://file.core.windows.net|file.core.windows.net>\", fileShare.name);

The backslash after .net is what I am wanting to keep and having trouble with. Anyone know how to accomplish this?

while using stack reference, and also using apply getting the error `output<string> is not assignable to type string”, here is my code for the same

const stack = pulumi.getStack();
const nodePoolStackRef = new pulumi.StackReference(`${org}/${orgName}/${stack}`);
let stackOutput = pulumi.interpolate`${nodePoolStackRef.getOutput("clusterNodePool")}`; 

const primaryNodePool = stackOutput.apply(v => v.toString());
console.log(`nodepool: ${primaryNodePool}`);

Yo, why can't I seem to resolve types for

inputs

?

import * as inputs from '@pulumi/azure-native/types/input';

but unable to navigate to symbol for eg:

inputs.keyvault.AccessPolicyEntryArgs

I can only navigate to

inputs

but everything in there is interpreted as text and not symbols so cant navigate, and have to search for type definitions by name, so annoying 🤷‍♂️

Hey Team, is there any way to lookup for the existence of a resource without the function actually throwing an error? For context - I am trying to get

getUserAssignedIdentityOutput

but it errors out and the error seems to be not catchable. Maybe relatable - https://github.com/pulumi/pulumi/issues/3364

Is there a way to imperatively generating an output in typescript instead of exporting the value? Like pulumi.export in other languages. I'm trying to avoid having circular dependencies in a complex file structure.

Hello team, What should be the ideal project structure for AWS using typescript. I am thinking some thing like these.

.
|
├── Pulumi.dev.yaml
├── Pulumi.qa.yaml
├── Pulumi.prod.yaml
├── Pulumi.yaml
├── dist.                         -- output directory after building typescript
│   ├── index.d.ts
│   ├── index.js
│   ├── index.js.map
│   ├── infra
│   │   ├── index.d.ts
│   │   ├── index.js
│   │   ├── index.js.map
│   │   ├── lambda
│   │       ├── index.d.ts
│   │       ├── index.js
│   │       ├── index.js.map
│   │       ├── variable.d.ts
│   │       ├── variable.js
│   │       └── variable.js.map
│   │   └── vpc
│   │       ├── index.d.ts
│   │       ├── index.js
│   │       ├── index.js.map
│   │       ├── variable.d.ts
│   │       ├── variable.js
│   │       └── variable.js.map
│   └── tsconfig.tsbuildinfo
├── index.ts                   -- entry point file
├── infra
│   ├── index.ts.              -- import services lambda, vpc, etc...
│   ├── lambda
│       ├── index.ts.          -- to create lambdas basics, use variable according to stack stack (dev, qa, prod)
│       └── variable.ts        -- to store variables used in lambda, different values for each stack (dev, qa, prod)
│   └── vpc
│       ├── index.ts
│       └── variable.ts
├── package-lock.json
├── package.json   
└── tsconfig.json

Any suggestion will be appreciated.

I do not think there is an ideal setup that fits all kinds of scenarios. That being said, assuming there will be other things than lambdas and VPC/network stuff, I would consider splitting up things in multiple stacks, based on lifecycle and logical grouping. With multiple stacks I mean separate deployable units, not just different environment configurations.

Hi everyone, We are running Pulumi behind an API as part of an internal self service tool. The application is running in Node and we use the LocalWorkspace class part of @pulumi/pulumi package in NPM. This means that whenever we have a failing pulumi program we will catch the exception and log it, but it will not exit the Node process. This is causing an issue for us, since whenever one of our Pulumi programs throws an exception all subsequent Pulumi programs will also fail. The program itself succeeds, but Pulumi always end the invocation with a "One or more errors occurred" error message. I have created a small repository demonstrating the issue. If you run this code at

<http://localhost:3001/faileverythreetimes>

it will throw an exception every three invocations. For that invocation it will fail with the error thrown from the Pulumi program, but for all subsequent calls it will fail with the "One or more errors occurred" error message. When we reboot the process/pod the same subsequent calls will complete successfully. https://github.com/knirkefritt/pulumiautomationbugspike Is this a know issue, and do you know of way to fix it (preferably not requiring us to restart the pod on every failed run)? Attached picture illustrates the problem

Heyo you fine people! Using the Automation API, is there a way to mimic the functionality of

pulumi stack init

with the

--copy-config-from

flag set? Tried using

getAllConfig()

and

setAllConfig()

but it doesn't seem to support nested values and gets really funky when secrets are involved. Help's greatly appreciated! ✌️

Not sure what i'm doing wrong and the error isn't particularly helpful.

const serviceAccount = pulumi.output(gcp.compute.getDefaultServiceAccount({}));
        const email = serviceAccount.apply(account => account.email)
      
        this.admin_policy = pulumi.output(gcp.organizations.getIAMPolicy({
            bindings: [
                {
                    role: "roles/secretmanager.secretAccessor",
                    members: [
                        `serviceAccount:${email.apply(e=>e)})}`,
                    ],
                },
            ],
        }, { parent: this }));


        this.dbUrlPolicy = new gcp.secretmanager.SecretIamPolicy("db-url-policy", {
            project: gcp.config.project,
            secretId: this.database_url_secret.secretId,
            policyData: pulumi.interpolate`${this.admin_policy.apply(admin => admin.policyData)}`,
        }, { parent: this });

        this.jwtSecretPolicy = new gcp.secretmanager.SecretIamPolicy("jwt-secret-policy", {
            project: gcp.config.project,
            secretId: this.jwt_secrets_secret.secretId,
            policyData: pulumi.interpolate`${this.admin_policy.apply(admin => admin.policyData)}`,
        }, { parent: this });

        this.cookie_secret_policy = new gcp.secretmanager.SecretIamPolicy("cookie-secret-policy", {
            project: gcp.config.project,
            secretId: this.cookie_secret.secretId,
            policyData: pulumi.interpolate`${this.admin_policy.apply(admin => admin.policyData)}`,
        }, { parent: this });

Hi everyone! I have a simple question, but I didn't find any information about... I've created custom component resource for AWS IAM role creation and IAM Policies (two separate) Is it possible to import existing IAM role to be managed by my custom component resource? Thanks

Hi everyone, I am struggling with something I feel is very basic, I have the following FargateService definition, I am trying to configure the Role for

taskRole

, but it keeps rejecting it:

const fargateTaskRole = new aws.iam.Role(`${appName}-fargate-task`, {
    assumeRolePolicy: JSON.stringify({
        Version: "2012-10-17",
        Statement: [
            ...
        ],
    }),
});

const appService = new awsx.ecs.FargateService(`${appName}-app-svc`, {
    cluster: cluster.arn,
    desiredCount: 0,
    taskDefinitionArgs: {
        taskRole: fargateTaskRole,
        container: {
            name: `${appName}-sync-container`,
            image: img.imageUri,
            cpu: 102,
            memory: 50,
        },
    },
    ...
});

It won't allow me to assign fargateTaskRole to taskRole. The error is:

Type 'Role' has no properties in common with type 'DefaultRoleWithPolicyArgs'.

Thanks!

Does anyone have experience with splitting up your infra into multiple stacks and referencing resources from one stack in another? Specifically I have a core stack that creates an EKS cluster, and I'm looking to use that cluster in my other stacks. I'm trying to do this with: pulumi.StackReference I can get the reference to the cluster with: cluster = coreInfrastructureReference.requireOutput("cluster"); But how can I then use that cluster variable. I need to access the provider property from it, but Property 'provider' does not exist on type 'Output<any>'. How do I convert this Output<any> to a cluster object?

Hey everyone, I might be thinking about this wrong but I am wondering the best way to go about getting our GCP Cloud SQL Connection Name after we deploy our infrastructure. Our Database migration script will run in Github Actions and it will need the Connection Name. Is there a way to grab it from Pulumi? Or should we just store it in the secrets manager?

Hi! Is there something worng if we don't define a variable for each resource? Like this:

// Create public route association
new aws.ec2.RouteTableAssociation(data.pubrtasst_name, {
  routeTableId: pubRouteTable.id,
  subnetId: publicSubnet.id,
});

Anyone knows why installing

@pulumi/azure-native

takes so long time? I get stuck sort of here for a couple of minutes every time I install it:

Hi everyone! Glad to be here..

Hey there, I'm trying to do something with Pulumi and I feel like I am making this way more complicated than it needs to be and was wondering if anyone knows of a simpler solution. For context, I'm using the auth0 provider. The project I'm working on is supposed to be able to be deployed to

n

tenants. So I want to create some ClientGrants which for one of their fields require a

clientId

which I want to pull from Client objects also managed through Pulumi. After I have created all Clients I just have a simple array list of Clients, and when creating the grants I want to refer to the id of a specific Client in the list. Except when I just to something like

const clientId = clients.find(client => client.name === 'Foo')!.clientId

This wouldn't work because

client.name

is of type

Output<string>

because I wouldn't know the client name. So my other attempt was using

output

to lift the type like this:

const clientId = output(clients).apply((clients) => clients.find((client) => client.name === "Foo")!.clientId);

But that still has the same problem 😞 I'm a bit at a loss on the correct way to solve this and I wasn't able to find my problem in the Pulumi docs or on the interwebs

Hello Pulumi community! I am glad to be here! Context I tried searching in the messages about my specific question but couldn’t find anything, so I would probably duplicate the topic (sorry for that). We started adopting Pulumi in our organization, and everything works really great! Currently, we are in the phase of integrating it into our CI/CD process. Our goal is to have CI/CD runners, cloud environments, dev containers and local dev environment similar to each other. In case of Pulumi, we are using the SDK, which requires the CLI to be installed before the yarn/npm install step. Question • Is there a way to avoid/omit CLI installation as a required step for

yarn/npm install

command?

I am creating a resource in Azure with Pulumi in TS. In one of the properties within this resource, I need to pull the main resource's ID. Trying the normal ways, I get a

Block-scoped variable 'variable' used before its declaration.

How can I accomplish this?