Has Pulumi considered moving to a Lambda model for deploying resources on a Kubernetes cluster deployed on to AWS similar to how AWS CDK does it ? I am struggling with CI/CD since I need to block my control plane to the vpc however my CI runs outside of the vpc

this is really a network problem rather than a Pulumi problem, we likely won’t move to a lambda model. You could use the Kubernetes operator inside your cluster: https://github.com/pulumi/pulumi-kubernetes-operator

Yeah I looked into that however because I am doing a monorepo with multiple stacks using yarn workspaces it wasn't configurable enough to allow what I was hoping for

did you open issues? we’d love to fix those

I'll have to redeploy and try it again to see exact error, happy to throw another issue though.

@elegant-activity-51782 I’m not sure if you’re able to use TailScale, but it basically solved this problem for us. If you configure a subnet router in Tailscale and use a CI solution to adding your CI node to Tailscale it can access your VPC only endpoints via the subnet router.

And this’ll bootstrap your subnet router for you https://github.com/lbrlabs/pulumi-tailscale-bastion

Not interested in tailscale but thanks

I know this thread started on AWS, but FYI to anybody looking into the same sort of thing in GCP, TailScale can run on GCP Cloud Run. Unfortunately, TailScale doesn't work for us (compliance) and I couldn't find a wireguard-based, relatively off-the-shelf stack to replicate what TailScale has done with GCP Cloud Run. the tl;dr is that converting wireguard's UDP to websockets for Cloud Run compatibility would be non-trivial (not to mention hurt performance), and running wireguard on a VM would make more sense overall.