Changelogs » Pulumi



- awsx.ecs.Cluster can be created from an existing aws.ecs.Cluster's id.
- Add OPTIONS as a valid method and add ability to set custom gateway responses for
- Load balancing targets can now be simply added to an ALB, NLB, Listener or TargetGroup using the
new `.attachTarget` methods on the respective classes.

Compatibility issues

- An `awsx.ec2.Vpc` with `assignGeneratedIpv6CidrBlock: true` will now set
`assignIpv6AddressOnCreation: true` by default for child subnets.  This can be overridden by
setting that value explicitly to `false` with the subnet's args.

- `awsx.Cluster` and `awsx.Network` are now deprecated and will no longer receive future changes.
Code that uses these types should migrate to `awsx.ecs.Cluster` and `awsx.ec2.Vpc` respectively.


- VPCs can now be made which scale to use all availability zones in a region if desired.  Use
`new awsx.ec2.Vpc("name", { numberOfAvailabilityZones: "all" })` to get this behavior.  If
`numberOfAvailabilityZones` is not provided, the current behavior of defaulting to 2 availability
zones remains.
- Externally available application listeners will now open their security group to both ingress and
egress for their specified port.
- Tweaked API.getFunction to allow [route] and [method] parameters to be optional.  Also changed
function to throw if passed arguments that don't map to an actual function.
- awsx.cloudwatch.Dashboard now exports a `url` property that gives you an immediate link to the


- ApiGateway now provides control over the backing s3.Bucket created for `StaticRoute`s.  This is
useful for SinglePageApp scenarios that want to control relevant Bucket values like
`errorDocument` or `indexDocument`.
- A new `ecr` module has been created, simplifying creation of `ecr.Repository`s and


- Add support for Authorizers, API Keys and Request Validation to Integration Routes in API Gateway


- Adds a new set of APIs for defining and CloudWatch metrics and creating alarms from them. See
[awsx.cloudwatch.Metric] for more details, and see [awsx.lambda.metrics.duration] as an example of
a newly exposed easy-to-use metric.
- Dashboards can easily be created from the above [awsx.cloudwatch.Metric] objects using the new
[awsx.cloudwatch.Dashboard] helper.  See
for an example.
- [awsx.autoscaling.AutoScalingGroup]s can now easily have a scheduling action provided by using the
new [AutoScalingGroup.createSchedule] instance method.
- [awsx.autoscaling.AutoScalingGroup]s can now easily scale based on an [aws.cloudwatch.Metric] or
based on some preexisting well-known metrics.  See the new [AutoScalingGroup.scaleToTrackXXX]
instance methods. Amazon EC2 Auto Scaling creates and manages the CloudWatch alarms that trigger
the scaling policy and calculates the scaling adjustment based on the metric and the target value.
The scaling policy adds or removes capacity as required to keep the metric at, or close to, the
specified target value.
- [Step-Scaling-Policies](
can easily be added for [awsx.autoscaling.AutoScalingGroup]s.  All you need to do is provide an
appropriate metric and simple information about where your scale-out and scale-in steps should
begin and the [AutoScalingGroup] will create the appropriate policies and
[cloudwatch.MetricAlarm]s to trigger those policies.  See the new [AutoScalingGroup.scaleInSteps] instance method.


- TypeScript typings for awsx.apigateway.API have been updated to be more accurate.
- Application LoadBalancers/Listeners/TargetGroups will now create a default SecurityGroup for their
LoadBalancer if none is provided.
- Added easier convenience methods overloads on an awsx.ec2.SecurityGroup to make ingress/egress
- Add TypeScript documentation on API Gateway's Integration Route and Raw Data Route
- Add support for [Lambda Authorizers]( and [Cognito Authorizer]( and [API Keys]( for API Gateway in TypeScripts



- Moves to the new 0.18.0 version of `pulumi/aws`.  Version 0.18.0 of `pulumi-aws` is now based on
v2.2.0 of the AWS Terraform Provider, which has a variety of breaking changes from the previous
version. See documentation in `pulumi/aws` repo for more details.

- Add support for request parameter validation to API Gateway as well as documentation


- Allow setting backend URL explicitly in `Pulumi.yaml` file

- `StackReference` now has a `.getOutputSync` function to retrieve exported values from an existing
stack synchronously.  This can be valuable when creating another stack that wants to base
flow-control off of the values of an existing stack (i.e. importing the information about all AZs
and basing logic off of that in a new stack). Note: this only works for importing values from
Stacks that have not exported `secrets`.

- When the environment variaible `PULUMI_TEST_MODE` is set to `true`, the
Python runtime will now behave as if
`pulumi.runtime.settings._set_test_mode_enabled(True)` had been called. This
mirrors the behavior for NodeJS programs (fixes [2818](

- Resources that are only 'read' will no longer be displayed in the terminal tree-display anymore.
These ended up heavily cluttering the display and often meant that programs without updates still
showed a bunch of resources that weren't important.  There will still be a message displayed
indicating that a 'read' has happened to help know that these are going on and that the program is making progress.



- docs(login): escape codeblocks, and add object store state instructions
- The API for passing along a custom provider to a ComponentResource has been simplified.  You can
now just say `new SomeComponentResource(name, props, { provider: awsProvider })` instead of `new
SomeComponentResource(name, props, { providers: { "aws" : awsProvider } })`
- Fix a bug where the path provided to a URL in `pulumi login` is lost are dropped, so if you `pulumi login
s3://bucketname/afolder`, the Pulumi files will be inside of `s3://bucketname/afolder/.pulumi` rather than
`s3://bucketname/.pulumi` (thanks, [bigkraig](!).  **NOTE**: If you have been
logging in to the s3 backend with a path after the bucket name, you will need to either move the .pulumi
folder in the bucket to the correct location or log in again without the path prefix to see your previous
- Fix a crash that would happen if you ran `pulumi stack output` against an empty stack (fixes
- Unparented Pulumi `CustomResource`s now support calling `.getProvider(...)` on them.



- Fixed a bug that caused an assertion when dealing with unchanged resources across version upgrades.



- Pulumi now allows Python programs to "read" existing resources instead of just creating them. This feature enables
Pulumi Python packages to expose ".get()" methods that allow for reading of resources that already exist.
- Support for referencing the outputs of other Pulumi stacks has been added to the Pulumi Python libraries via the
`StackReference` type.
- Add CI system detection for Bitbucket Pipelines.
- Pulumi now tolerates changes in default providers in certain cases, which fixes an issue where users would see
unexpected replaces when upgrading a Pulumi package.
- Add support for renaming resources via the `aliases` resource option.  Adding aliases allows new resources to match
resources from previous deployments which used different names, maintaining the identity of the resource and avoiding
replacements or re-creation of the resource.
- `pulumi plugin install` gained a new optional argument `--server` which can be used to provide a custom server to be
used when downloading a plugin.



- `pulumi refresh` now tries to install any missing plugins automatically like
`pulumi destroy` and `pulumi update` do (fixes [pulumi/pulumi2669](
- `pulumi whoami` now outputs the URL of the currently connected backend.
- Correctly suppress stack outputs when serializing previews to JSON, i.e. `pulumi preview --json --suppress-outputs`.
Fixes [pulumi/pulumi2765](



- Fix an issue where creating a first class provider would fail if any of the
configuration values for the providers were secrets. (fixes [pulumi/pulumi2741](
- Fix an issue where when using `--diff` or looking at details for a proposed
updated, the CLI might print text like: `<{%reset%}>
--outputs:--<{%reset%}>` instead of just `--outputs:--`.
- Fixes local login on Windows.  Specifically, windows local paths are properly understood and
backslashes `\` are not converted to `__5c__` in paths.
- Fix an issue where some operations would fail with `error: could not deserialize deployment: unknown secrets provider type`.
- Fix an issue where pulumi might try to replace existing resources when upgrading to the newest version of some resource providers.



- Pulumi now tells you much earlier when the `--secrets-provider` argument to
`up` `init` or `new` has the wrong value. In addition, supported values are
now listed in the help text. (fixes [pulumi/pulumi2727](
- Pulumi no longer prompts for your passphrase twice during operations when you
are using the passphrase based secrets provider. (fixes [pulumi/pulumi2729](
- Fix an issue where complex inputs to a resource which contained secret values
would not be stored correctly.
- Fix a panic during property diffing when comparing two secret arrays.


Major Changes

Secrets and Pluggable Encryption

- The Pulumi engine and Python and NodeJS SDKs now have support for tracking values as "secret" to ensure they are
encrypted when being persisted in a state file. `[pulumi/pulumi397](`

Any existing value may be turned into a secret by calling `pulumi.secret(<value>)` (NodeJS) or
`Output.secret(<value>`) (Python).  In both cases, the returned value is an output which may be passed around
like any other.  If this value flows into a resource, the plaintext will not be stored in the state file, but instead
It will be encrypted, just like values added to config with `pulumi config set --secret`.

You can verify that values are being stored as you expect by running `pulumi stack export`, When values are encrypted
in the state file, they appear as an object with a special signiture key and a ciphertext property.

When ouputs of a stack are secrets, `pulumi stack output` will show `[secret]` as the value, by default.  You can
pass `--show-secrets` to `pulumi stack output` in order to see the actual raw value.

- When storing state with the Pulumi Service, you may now elect to use the passphrase based encryption for both secret
configuration values and values that are encrypted in a state file.  To use this new feature, pass
`--secrets-provider passphrase` to `pulumi new` or `pulumi stack init` when you initally create the stack. When you
create the stack, you will be prompted for a passphrase (or if `PULUMI_CONFIG_PASSPHRASE` is set, it will be used).
This passphrase is used to generate a unique key for your stack, and config values and encrypted state values are
encrypted using AES-256-GCM. The key is derived from your passphrase, and while information to re-create it when
provided with your passphrase is stored in both the `Pulumi.<stack-name>.yaml` file and the state file for your stack,
this information can not be used to recover the key. When using this mode, the Pulumi Service is unable to decrypt
either your secret configuration values or and secret values in your state file.

We will be adding gestures to move existing stacks managed by the service to use passphrase based encryption soon
as well as gestures to change the passphrase for an existing stack.

** Note **

Stacks with encrypted secrets in their state files can only be managed by 0.17.11 or later of the CLI. Attempting
to use a previous version of the CLI with these stacks will result in an error.

Fixes 397


- Add support for Azure Pipelines in CI environment detection.
- Minor fix to how Azure repository information is extracted to allow proper grouping of Azure
repositories when various remote URLs are used to pull the repository.



- Fixes issue introduced in 0.17.9 where local-login broke on Windows due to the new support for
`s3://`, `azblob://` and `gs://` save locations.
- Minor contributing document improvement.
- Warnings from `npm` about missing description, repository, and license fields in package.json are
now suppressed when `npm install` is run from `pulumi new` (via `npm install --loglevel=error`).
- Depend on newer version of gRPC package in the NodeJS SDK. This version has
prebuilt binaries for Node 12, which should make installing `pulumi/pulumi`
more reliable when running on Node 12.



- `pulumi login` now supports `s3://`, `azblob://` and `gs://` paths (on top of `file://`) for
storing stack information. These are passed the location of a desired bucket for each respective
cloud provider (i.e. `pulumi login s3://mybucket`).  Pulumi artifacts (like the
`xxx.checkpoint.json` file) will then be stored in that bucket.  Credentials for accessing the
bucket operate in the normal manner for each cloud provider.  i.e. for AWS this can come from the
environment, or your `.aws/credentials` file, etc.
- The pulumi version update check can be skipped by setting the environment variable
`PULUMI_SKIP_UPDATE_CHECK` to `1` or `true`.
- Fix an issue where the stack would not be selected when an existing stack is specified when running
`pulumi new <template> -s <existing-stack>`.
- Add a `--json` flag (`-j` for short) to the `preview` command. This allows basic serialization of a plan,
including the anticipated set of deployment steps, list of diagnostics messages, and summary information.
Each step includes deeply serialized information about the resource state and step metadata itself. This
is part of ongoing work tracked in [pulumi/pulumi2390](



- Add a new `ignoreChanges` option to resource options to allow specifying a list of properties to
ignore for purposes of updates or replacements.  [2657](
- Fix an engine bug that could lead to incorrect interpretation of the previous state of a resource leading to
unexpected Update, Replace or Delete operations being scheduled. [2650]
- Build/push `pulumi/actions` container to [DockerHub]( with new SDK releases [2646](



- A new "test mode" can be enabled by setting the `PULUMI_TEST_MODE` environment variable to
`true` in either the Node.js or Python SDK. This new mode allows you to unit test your Pulumi programs
using standard test harnesses, without needing to run the program using the Pulumi CLI. In this mode, limited
functionality is available, however basic resource object allocation with input properties will work.
Note that no actual engine operations will occur in this mode, and that you'll need to use the
`PULUMI_CONFIG`, `PULUMI_NODEJS_PROJECT`, and `PULUMI_NODEJS_STACK` environment variables to control settings
the CLI would have otherwise managed for you.



- `refresh` will now warn instead of returning an error when it notices a resource is in an
unhealthy state. This is in service of


- Correctly handle the case where we would fail to detect an archive type if the filename included a dot in it. (fixes [pulumi/pulumi2589](
- Make `Config`'s constructor's `name` argument optional in Python, for consistency with our Node.js SDK. If it isn't
supplied, the current project name is used as the default.
- `pulumi logs` will now display log messages from Google Cloud Functions.



- Don't print the `error:` prefix when Pulumi exists because of a declined confirmation prompt (fixes [pulumi/pulumi458](
- Fix issue where `Outputs` produced by `pulumi.interpolate` might have values which could
cause validation errors due to them containing the text `<computed>` during previews.


- awsx.ec2.Subnets created for a VPC will have a unique `name: VpcName-SubnetType-Index` entry
provided for them in their tags.  This can help distinguish things when there are many subnets
created in a vpc.
- NatGateways created as part of creating private subnets in an awsx.ec2.VPC will now be parented
by the VPC.
- Fixes issue where computation of Fargate Memory/CPU requirements was not being done properly.
- Fixes issue where VPC might fail to create because tags could not be set on its EIPs.


- Expose log group and task definition for AWS `Service`s
- Updated to latest versions of dependent packages.


- Fixes issue where creating an ApplicationListener would fail with an error of:
"description" cannot be longer than 255 characters



Updating to v0.17.0 version of `pulumi/pulumi`.  This is an update that will not play nicely
in side-by-side applications that pull in prior versions of this package.

See for more details.

As such, we are rev'ing the minor version of the package from 0.16 to 0.17.  Recent version of `pulumi` will now detect, and warn, if different versions of `pulumi/pulumi` are loaded into the same application.  If you encounter this warning, it is recommended you move to versions of the `pulumi/...` packages that are compatible.  i.e. keep everything on 0.16.x until you are ready to move everything to 0.17.x.


- Rolled back change where calling toString/toJSON on an Output would cause a message
to be logged to the `pulumi` diagnostics stream.


- Fix an issue where the Pulumi CLI would load the newest plugin for a resource provider instead of the version that was
requested, which could result in the Pulumi CLI loading a resource provider plugin that is incompatible with the
program. This has the potential to disrupt users that previously had working configurations; if you are experiencing
problems after upgrading to 0.16.17, you can opt-in to the legacy plugin load behavior by setting the environnment
variable `PULUMI_ENABLE_LEGACY_PLUGIN_SEARCH=1`. You can also install plugins that are missing with the command
`pulumi plugin install resource <name> <version> --exact`.


- Attempting to convert an [Output<T>] to a string or to JSON will now result in a warning
message being printed, as well as information on how to rectify the situation.  This is
to help with diagnosing cryptic problems that can occur when Outputs are accidentally
concatenated into a string in some part of the program.

- Fixes incorrect closure serialization issue (

- `pulumi` will now check that all versions of `pulumi/pulumi` are compatible in your node_modules
folder, and will issue a warning message if not.  To be compatible, the versions of
`pulumi/pulumi` must agree on their major and minor versions.  Running incompatible versions is
not something that will be blocked, but it is discouraged as it may lead to subtle problems if one
version of `pulumi/pulumi` is loaded and passes objects to/from an incompatible version.



- Rolling back the change:
"Depending on a Resource will now depend on all other Resource's parented by that Resource."

Unforseen problems cropped up that caused deadlocks.  Removing this change until we can
have a high quality solution without these issues.



- Fix deadlock with resource dependencies (



- When trying to `stack rm` a stack managed by that has resources, the error message now informs you to pass `--force` if you really want to remove a stack that still has resources under management, as this would orphan these resources (fixes [pulumi/pulumi2431](
- Enabled Python programs to delete resources in parallel (fixes [pulumi/pulumi2382]( If you are using Python 2, you should upgrade to Python 3 or else you may experience problems when deleting resources.
- Fixed an issue where Python programs would occasionally fail during preview with errors about empty IDs being passed
to resources. ([pulumi/pulumi2450](
- Return an error from `pulumi stack tag` commands when using the `--local` mode.
- Depending on a Resource will now depend on all other Resource's parented by that Resource.
This will help out the programming model for Component Resources as your consumers can just
depend on a Component and have that automatically depend on all the child Resources created
by that Component.



- Fix a regression in `pulumi/pulumi` introduced by 0.16.13 where an update could fail with an error like:

pulumi:pulumi:Stack (my-great-stack):
TypeError: resproto.InvokeRequest is not a constructor
at Object.<anonymous> (.../node_modules/pulumi/pulumi/runtime/invoke.js:58:25)
at (<anonymous>)
at fulfilled (.../node_modules/pulumi/pulumi/runtime/invoke.js:17:58)
at <anonymous>

We appologize for the regression.  (fixes [pulumi/pulumi2414](


- Individual resources may now be explicitly marked as requiring delete-before-replace behavior. This can be used e.g. to handle explicitly-named resources that may not be able to be replaced in the usual manner.


Major Changes

- When used in conjuction with the latest versions of the various language SDKs, the Pulumi CLI is now more precise about the dependent resources that must be deleted when a given resource must be deleted before it can be replaced (fixes [pulumi/pulumi2167](

**NOTE**: As part of the above change, once a stack is updated with v0.16.13, previous versions of `pulumi` will be unable to manage it.


- Issue a more prescriptive error when using StackReference and the name of the stack to reference is not of the form `<organization>/<project>/<stack>`.


Major Changes

- When using the cloud backend, stack names now must only be unique within a project, instead of across your entire account. Starting with version of 0.16.12 the CLI, you can create stacks with duplicate names. If an account has multiple stacks with the same name across different projects, you must use 0.16.12 or later of the CLI to manage them.

**BREAKING CHANGE NOTICE**: As part of the above change, when using the 0.16.12 CLI (or a later version) the names passed to `StackReference` must be updated to be of the form (`<organization>/<project>/<stack>`) e.g. `acmecorp/infra/dev` to refer to the `dev` stack of the `infra` project in the `acmecorp` organization.


- Add `--json` to `pulumi config`, `pulumi config get`, `pulumi history` and `pulumi plugin ls` to request the output be in JSON.

- Changes to `pulumi new`'s output to improve the experience.



- In the nodejs SDK, `pulumi.interpolate` and `pulumi.concat` have been added as convenient ways to combine Output values into strings.

- Added `pulumi history` to show information about the history of updates to a stack.

- When creating a project with `pulumi new` the generated `Pulumi.yaml` file no longer contains the template section, which was unused after creating a project

- In the Python SDK, the `is_dry_run` function just always returned `true`, even when an update (and not a preview) was being preformed. This has been fixed.

- Python programs will no longer deadlock due to exceptions in functions run during applies.



- Support for first-class providers in Python.

- Fix a bug where `StackReference` outputs were not updated when changes occured in the referenced stack.

- Added `pulumi stack tag` commands for managing stack tags stored in the cloud backend.

- Link directly to /account/tokens when prompting for an access token.

- Exporting a Resource from an application Stack now exports it as a rich recursive pojo instead of just being an opaque URN (fixes



- Update the error message when When `pulumi` commands fail to detect your project to mention that `pulumi new` can be used to create a new project (fixes [pulumi/pulumi2234](

- Added a `--stack` argument (short form `-s`) to `pulumi stack`, `pulumi stack init`, `pulumi state delete` and `pulumi state unprotect` to allow operating on a different stack than the currently selected stack. This brings these commands in line with the other commands that operate on stacks and already provided a `--stack` option (fixes [pulumi/pulumi1648](

- Added `Output.all` and `Output.from_input` to the Python SDK.

- During previews and updates, read operations (i.e. calls to `.get` methods) are no longer shown in the output unless they cause any changes.

- Fix a performance regression where `pulumi preview` and `pulumi up` would hang for a few moments at the end of a preview or update, in additon to the overall operation being slower.



- Fix an issue that caused panics due to shutting the Jaeger tracing infrastructure down before all traces had finished ([pulumi/pulumi1850](



- Configuration and stack commands now take a `--config-file` options. This option allows the user to override the file used to fetch and store config information for a stack during the execution of a command.

- Fix an issue where ANSI escape codes would appear in messages printed from the CLI when running on Windows.

- Fix an error about a bad icotl when trying to read sensitive input from the console and standard in was not connected to a terminal.

- The dynamic provider would fail to launch if your `node_modules` folder was non in the default location or had a non standard layout. This has been fixed so we correctly find your `node_modules` folder in the same way node does. (fixes [pulumi/pulumi2261](


Major Changes

- When running a Python program, pulumi will now run `python3` instead of `python`, since `python` often points at Python 2.7 binary, and Pulumi requires Python 3.6 or later. The environment variable `PULUMI_PYTHON_CMD` can be used to provide a different binary to run.


- Allow `Output`s in the dependsOn property of `ResourceOptions` (fixes [pulumi/pulumi991](

- Add a new `StackReference` type to the node SDK which allows referencing an output of another stack (fixes [pulumi/pulumi109](

- Fix an issue where `pulumi` would not respect common `NO_PROXY` settings (fixes [pulumi/pulumi2134](

- The CLI wil now correctly report any output from a Python program which writes to `sys.stderr` (fixes [pulumi/pulumi1542](

- Don't install packages by default for Python projects when creating a new project from a template using `pulumi new`. Previously, `pulumi` would install these packages using `pip install` and they would be installed globally when `pulumi` was run outside a virtualenv.

- Fix an issue where `pulumi` could panic during a peview when using a first class provider which was constructed using an output property of another resource (fixes [pulumi/pulumi2223](

- Fix an issue where `pulumi` would fail to load resource plugins for newer dev builds.

- Fix an issue where running two copies of `pulumi plugin install` in parallel for the same plugin version could cause one to fail with an error about renaming a directory.

- Fix an issue where if the directory containing the `pulumi` executable was not on the `$PATH` we would fail to load language plugins. We now will also search next to the current running copy of Pulumi (fixes [pulumi/pulumi1956](

- Fix an issue where passing a key of the form `foo:config:bar:baz` to `pulumi config set` would succeed but cause errors later when trying to interact with the stack. Setting this value is now blocked eagerly (fixes [pulumi/pulumi2171](


- Supply easy mechanisms to add Internet and NAT gateways to a VPC.
- Change awsx.elasticloadbalancingv2.Listener.endpoint from a method to a property.
- Change to be a richer type to allow extensibility.
- Allow awsx.elasticloadbalancingv2.NetworkListener to be used as to simply
incoming APIGateway routes to a NetworkListener endpoint.
- Add support for arbitrary APIGateway integration routes (i.e. to any supported aws service).
Note: this comes with a small breaking change where the names of some apigateway types have
changed from ProxyXXX to IntegrationXXX.
- Require at least version 0.16.14 of pulumi/pulumi, in order to support the `deleteBeforeReplace`
option and improve handling of delete-before-replace.


- Renamed 'aws-infra' package to 'awsx'.
- Moved `aws.apigateway.x.Api` from `pulumi/aws` into this package under the name `awsx.apigateway.Api`.


- Experimental abstractions have been promoted to supported abstractions.  see new modules for:
- autoscaling
- ec2
- ecs
- elasticloadbalancingv2



- Add some experimental abstractions for Services and Tasks in the `experimental` module.



- Fix an issue where passing a cluster to another component would fail in some cases.