I ran into a “feature” that was unfortunate for my...
# general
I ran into a “feature” that was unfortunate for my use case, and I’m wondering how others have gone about solving it.
Problem Statement: I have an RDS instance in a [pre-existing] VPC that I cannot connect to from CI, or locally. The MySQL Provider needs this connectivity to provision databases on the instance. I thought the first obvious solution might be to serialize a lambda with the MySQL Provider that can run in the VPC. This is where I ran into the “feature” that strips out any dependencies that start with  recursively, so even if I specify  in package.json, they’ll be removed.
• https://www.pulumi.com/docs/tutorials/aws/serializing-functions/#determining-the-appropriate-node-modules-packages-to-include-with-a-lambda
• https://github.com/pulumi/pulumi/blob/master/sdk/nodejs/runtime/closure/codePaths.ts#L296-L300
Being able to run the lambda with the mysql provider would be preferred, but it seems I’m forced to look into other possible solutions, which are more complex.
Other Possible Solutions:
1. Publish a lambda with an external tool, and call it as an existing lambda with pulumi (messy, requires more than `pulumi up`).
2. Use mysql nodejs package to create the database (that stinks, I have a MySQL provider).
3. In addition to GitHub Actions, use AWS Code Services so the pipeline can run in the VPC (redundant).
4. Run either a mysql, or pulumi container in fargate that can provision the databases (seems like a lot more infra and complexity to create databases).
Maybe I’m missing something obvious here. Hoping someone can shed some light on how I should approach this problem, and maybe other opportunities I’ve overlooked. Thanks, loving Pulumi so far!
Hey catmeme! Interesting problem! I think you've posted a lot of the ideas I would have suggested; ultimately you're in a networking problem 🙂 Another possible idea is that you could use pulumi to spin up a temporary instance inside the VPC with access, then instantiate your MySQL provider using an SSH tunnel through that instance. So you'd do the equivalent of `ssh -L` as perhaps a dynamic provider. Not a better idea than what you've come up with.
Ahh yes, a bastion was another idea that came up, but I find it a bit kludgey. We’re basically backdooring ourselves into the stateful infrastructure. Which if we can avoid, would be preferred.
I’ve installed squid proxies in the past to run end-to-end tests from CI envs. Helps if you already have a k8s cluster available but you could also deploy it in Fargate.