pulumi | Collection of Pulumi modules | AWS library

In the AWS docs there's a detailed guide on how to grant ECS EC2 & Fargate launch type Tasks access to private Registries. Derived from that there are 4 steps to take:

1. Obtain Token or credentials to access private Container Registry
2. Create AWS Secrets Manager Secret containing Token/Creds to private Registry
3. Craft Task Execution Role (using aws.iam.Role) containing inlinePolicy for private Container Registry access
4. Enhance awsx.ecs.FargateService to use our Task Execution Role & Secret ARN in repositoryCredentials

0. Obtain Token or credentials to access private Container Registry

If you don't already have them, you'll need to create an Access Token or credentials inside our private Registry so that an external service is able to access it. With GitHub Container Registry for example we need to create a Personal Access Token (see docs here) using the read:packages scope as a minimum:

1. Create AWS Secrets Manager Secret containing Token/Creds to private Registry

Now head over to the AWS Secrets Manager console at https://console.aws.amazon.com/secretsmanager/ and create a new Secret via the Store a new secret button. In the GUI choose Other type of secrets and Plaintext - and then fill in your private Registry credentials as JSON:

In https://github.com/pulumi/pulumi/issues/6856, you can see that one of the developers of pulumi says

This is the expected behavior. For the purposes of importing the resource to be managed by Pulumi, the necessary inputs are specified in the code generated. You are of course welcome to include the additional details in your code, but Pulumi has generated what is necessary to import the resource.

To see all of the inputs/outputs of your resources, you can take a look at your state file (pulumi stack export).

So this is an expected behavior. The developers of pulumi don't want to show all the details in the code by default.

And currently, there's no way generate a code with all the details.

Those details are stored in the backend of pulumi. They can be found in .pulumi/stacks/.json in the backend.

I don't think you can use a SecretManager secret with cloud build through Pulumi. I solved it by creating a kms key and encrypting my data using gcp.kms.Ciphertext. Here's what it looks like:

I went on with the approach and tried to build a recursive TypeScript function, that either creates files or directories based on Pulumi's BucketObject, as recommended by the tutorials. This got me down a complicated way! I needed to create directories using BucketObject, what could be achieved using a appended "/" inside the key argument (see this answer). Just for the record, the function for that looked like this:

Your Pulumi projects builds inside your infra directory, not in the folder your Pulumi.yaml is in.

The Pulumi provider needs to know the path of the Dockerfile using the docker build context (more info about these here)

Adding the context should fix this:

If I read your code correctly, you assign an arbitrary name to the WebAppAzureStorageAccounts resource. Instead, you should assign the Name property to the name of your web app (the parent resource). It's not the best naming choice from the Azure API but the comment says Name of the app.

Here is the idea that should work:

Pulumi has a powerful feature called Transformations which is exactly what you need here(Example). A transformation is a callback that gets invoked by the Pulumi runtime and can be used to modify resource input properties before the resource is created.

I've not tested the code but you should get the idea:

Here is sample code with an explanation on how we set everything up including create/delete table with Pulumi.

The code will look like this:

The solution was to add network_mode: bridge to my docker compose file, which I show here.