https://pulumi.com logo
Join Slack
Powered by
This message was deleted.
# aws
s
This message was deleted.
m
Yes, you'll need to create the bucket
Something like this in CloudFormation would work:
Copy code
AWSTemplateFormatVersion: '2010-09-09'

Description: State bucket for Pulumi

Resources:
  PulumiStateS3Bucket:
    Type: AWS::S3::Bucket
    Properties:
      AccessControl: Private
      BucketName: !Sub ${AWS::StackName}-pulumi-state-${AWS::AccountId}
      BucketEncryption:
        ServerSideEncryptionConfiguration:
          - ServerSideEncryptionByDefault:
              SSEAlgorithm: AES256
      PublicAccessBlockConfiguration:
        BlockPublicAcls: True
        BlockPublicPolicy: True
        IgnorePublicAcls: True
        RestrictPublicBuckets: True
      VersioningConfiguration:
        Status: Enabled

  PulumiStateS3BucketPolicy:
    Type: AWS::S3::BucketPolicy
    Properties:
      Bucket: !Ref PulumiStateS3Bucket
      PolicyDocument:
        Statement:
          - Sid: AllowSSLRequestsOnly
            Effect: Deny
            Action: s3:*
            Resource:
              - !Sub arn:aws:s3:::${PulumiStateS3Bucket}
              - !Sub arn:aws:s3:::${PulumiStateS3Bucket}/*
            Condition:
              Bool:
                aws:SecureTransport: 'false'
            Principal: '*'

Outputs:
  PulumiStateS3Bucket:
    Description: Bucket for Pulumi state files
    Value: !Ref PulumiStateS3Bucket
    Export:
      Name: !Sub ${AWS::StackName}-PulumiStateS3Bucket
👍 1
h
Thanks @millions-furniture-75402, I assume this is by design. 💡 Although imho, this could be a nice feature, if 
login
subcommand for custom backends handle this 1-time initialization May I also suggest to Pulumi folks, that that this 
pre-requisite
is mentioned explicitly in the document above?
m
Yeah, it's a chicken and an egg situation. Pulumi needs a state to be managed somewhere, but in the case of an s3 bucket, that resource for hosting the state needs to exist. You can deploy it with Pulumi before your application stacks as well, but imho AWS Native approach makes sense for this.
I'm not sure if it would make a good feature. Yes, I will concede it is a barrier to entry, but I have full freedom to create the bucket with the configuration I need. The above example is actually less than what we use in PROD, we also have a central log bucket configured.
Open in Slack
PreviousNext
Powered by