# aws
h
Hi, I was under the impression that `pulumi login s3://<bucket-name>` is going to create the self-managed backend automatically as bootstrap/initialization. Is this a wrong expectation, or something I am missing here: https://www.pulumi.com/docs/intro/concepts/state/#aws-s3 ?
m
Yes, you'll need to create the bucket yourself.
Something like this in CloudFormation would work:
```yaml
AWSTemplateFormatVersion: '2010-09-09'

Description: State bucket for Pulumi

Resources:
  PulumiStateS3Bucket:
    Type: AWS::S3::Bucket
    Properties:
      AccessControl: Private
      BucketName: !Sub ${AWS::StackName}-pulumi-state-${AWS::AccountId}
      BucketEncryption:
        ServerSideEncryptionConfiguration:
          - ServerSideEncryptionByDefault:
              SSEAlgorithm: AES256
      PublicAccessBlockConfiguration:
        BlockPublicAcls: True
        BlockPublicPolicy: True
        IgnorePublicAcls: True
        RestrictPublicBuckets: True
      VersioningConfiguration:
        Status: Enabled

  PulumiStateS3BucketPolicy:
    Type: AWS::S3::BucketPolicy
    Properties:
      Bucket: !Ref PulumiStateS3Bucket
      PolicyDocument:
        Statement:
          - Sid: AllowSSLRequestsOnly
            Effect: Deny
            Action: s3:*
            Resource:
              - !Sub arn:aws:s3:::${PulumiStateS3Bucket}
              - !Sub arn:aws:s3:::${PulumiStateS3Bucket}/*
            Condition:
              Bool:
                aws:SecureTransport: 'false'
            Principal: '*'

Outputs:
  PulumiStateS3Bucket:
    Description: Bucket for Pulumi state files
    Value: !Ref PulumiStateS3Bucket
    Export:
      Name: !Sub ${AWS::StackName}-PulumiStateS3Bucket
```
h
Thanks @millions-furniture-75402, I assume this is by design. 💡 Although imho this could be a nice feature, if the `login` subcommand for custom backends handled this 1-time initialization. May I also suggest to the Pulumi folks that this pre-requisite is mentioned explicitly in the document above?
m
Yeah, it's a chicken-and-egg situation. Pulumi needs its state to be managed somewhere, but in the case of an S3 bucket, the resource hosting that state needs to exist first. You can deploy it with Pulumi before your application stacks as well, but imho the AWS-native approach makes sense for this.
I'm not sure it would make a good feature. Yes, I will concede it is a barrier to entry, but I have full freedom to create the bucket with the configuration I need. The above example is actually less than what we use in PROD; we also have a central log bucket configured.