This message was deleted Pulumi Community #general

Join Slack

This message was deleted.

# general

sparse-intern-71089

07/27/2023, 9:28 PM

This message was deleted.

fresh-scientist-56300

07/27/2023, 9:39 PM

I swear I came across this one, but I can't find my notes and I have a call about to start. At the minimum, you should be able to run something like:

AWS_PROFILE="" AWS_REGION="" pulumi preview

AWS_PROFILE= AWS_REGION= pulumi preview

👀 1

salmon-account-74572

07/27/2023, 9:40 PM

I’m making some inquiries internally, but as a temporary workaround you can use a tool like

direnv

to set

AWS_PROFILE

to whatever value you want when you enter the directory where the Pulumi project is stored. It’s not ideal, but it’ll get you up and running.

crooked-lizard-5175

07/27/2023, 10:10 PM

Unfortunately setting the AWS_PROFILE and AWS_REGION env vars won't work because I'm using the AWS KMS secret provider, which is regional. I need pulumi to look in region A for the KMS key to unlock the secrets, and then region B for doing all of the resource management.

salmon-account-74572

07/27/2023, 10:40 PM

I see. Well, you’re going to need at least one explicit provider. You’ll either need to use an explicit provider for region A to look up the KMS key to unlock the secrets, or you’ll need an explicit provider for region B to do the resource management.

crooked-lizard-5175

07/27/2023, 10:48 PM

Yes. The KMS secret provider isn't always in the region that my resources are in. FWIW, I am running an

pulumi import

to import a resource in region A, but my KMS key is in region B. So i say AWS_REGION=B, pulumi can't find the resource I am trying to import (because it's looking in the wrong region). But if I say AWS_REGION=A, pulumi can't find the KMS key to initialize the secrets.

crooked-lizard-5175

07/27/2023, 10:49 PM

Maybe I am using pulumi in a nonstandard way (I am new) 🙂

crooked-lizard-5175

07/27/2023, 10:51 PM

The expected behavior I was hoping for was that pulumi would use the

aws:profile

value for finding the region for the KMS key, and the

aws:region

value for doing the actual resource management.

salmon-account-74572

07/27/2023, 10:55 PM

No, it won’t behave that way. I would define an explicit provider for region B for getting the KMS key, and use the default provider to import resources from region A. You could swap, but either way you need at least one explicit provider (and then you need to specify that provider in the resource options in your code for that particular resource). Pulumi just isn’t going to use

aws:profile

and

aws:region

the way you’re describing.

salmon-account-74572

07/27/2023, 10:55 PM

BTW, if you want and are able to share your code, that might make it easier for others to help get you to a working solution.

crooked-lizard-5175

07/27/2023, 11:15 PM

Ok I think I understand. So for the

pulumi import

command, I did see a

--provider

option, but I was struggling to figure out how to specify an AWS provider urn that points to a different region. This is what I should dig into though?

crooked-lizard-5175

07/27/2023, 11:32 PM

Oh lord, I just realized KMS keys can be replicated to different AWS regions 🤦‍♂️ that solves my issue.

fierce-ability-58936

07/28/2023, 1:19 AM

You can also set the region and profile in the KMS key URL https://www.pulumi.com/docs/concepts/secrets/#available-encryption-providers

4 Views

Open in Slack

Previous Next