Is there a trick to getting pulumi to respect the ...
# general
c
Is there a trick to getting pulumi to respect the aws configuration in the Pulumi.<stack>.yaml file? I have aws:profile: <profile> and aws:region: <region> under the config key, but pulumi is defaulting back to my default aws profile and a different region.
f
I swear I came across this one, but I can't find my notes and I have a call about to start. At the minimum, you should be able to run something like:
AWS_PROFILE="" AWS_REGION="" pulumi preview
or
AWS_PROFILE= AWS_REGION= pulumi preview
s
I’m making some inquiries internally, but as a temporary workaround you can use a tool like direnv to set AWS_PROFILE to whatever value you want when you enter the directory where the Pulumi project is stored. It’s not ideal, but it’ll get you up and running.
c
Unfortunately setting the AWS_PROFILE and AWS_REGION env vars won't work because I'm using the AWS KMS secret provider, which is regional. I need pulumi to look in region A for the KMS key to unlock the secrets, and then region B for doing all of the resource management.
s
I see. Well, you’re going to need at least one explicit provider. You’ll either need to use an explicit provider for region A to look up the KMS key to unlock the secrets, or you’ll need an explicit provider for region B to do the resource management.
c
Yes. The KMS secret provider isn't always in the region that my resources are in. FWIW, I am running a pulumi import to import a resource in region A, but my KMS key is in region B. So if I say AWS_REGION=B, pulumi can't find the resource I am trying to import (because it's looking in the wrong region). But if I say AWS_REGION=A, pulumi can't find the KMS key to initialize the secrets.
Maybe I am using pulumi in a nonstandard way (I am new) 🙂
The expected behavior I was hoping for was that pulumi would use the aws:profile value for finding the region for the KMS key, and the aws:region value for doing the actual resource management.
s
No, it won’t behave that way. I would define an explicit provider for region B for getting the KMS key, and use the default provider to import resources from region A. You could swap, but either way you need at least one explicit provider (and then you need to specify that provider in the resource options in your code for that particular resource). Pulumi just isn’t going to use aws:profile and aws:region the way you’re describing.
BTW, if you want and are able to share your code, that might make it easier for others to help get you to a working solution.
c
Ok I think I understand. So for the pulumi import command, I did see a --provider option, but I was struggling to figure out how to specify an AWS provider urn that points to a different region. This is what I should dig into though?
Oh lord, I just realized KMS keys can be replicated to different AWS regions 🤦‍♂️ that solves my issue.
f
You can also set the region and profile in the KMS key URL https://www.pulumi.com/docs/concepts/secrets/#available-encryption-providers