Want to learn about running containers in Lambda? Join our free hands-on workshop. Register Now

Pulumi Console

The Pulumi Console allows users to view the stacks they have created, see any past activities recorded for those stacks. It also allows you to manage RBAC for your users.

In order for the CLI to persist the state of a particular stack, a user must login to the CLI. In order to login to the CLI, you should have created an account using the Console first.

Dependencies

The Console service depends on the API service. It relies on the API service for authentication callbacks. Depending on the type of authentication mechanism you choose for your users, the services in the Console container may need to communicate with the API container.

Prerequisites

  • Provide a server or virtual machine to install and run the Pulumi components (see Minimum System Requirements below).

You can run this container on the same host that your API container is running or on a different host. If you are running this container on a separate host than the API, be sure to set the appropriate environment variables (more on that below) in order for the Console to be able to reach the API service.

Minimum System Requirements

TypePropertiesNotes
Compute1 CPU core w/ 1 GB memory

What’s In The Container?

The Console container runs a web server using a Node 10-based image.

Server

The container runs a single web server which handles delivering UI static assets to your web browser, as well as handling authentication callbacks. The console will be served using port 3000 over HTTP by default. If TLS is configured the console will instead be served using port 3443 over HTTPS.

Primary Environment Variables

The following are the core environment variables that are required at a minimum.

Tip: The quickstart solutions set reasonable default values for these variables, so you can get started without worrying about configuration.

Variable NameDescription
PULUMI_APIThe endpoint URL where the service APIs can be reached. This should match the value of PULUMI_API_DOMAIN. Default is http://localhost:8080.
PULUMI_API_INTERNAL_ENDPOINTThe endpoint URL local to the container using which the Console app can reach the API container using a container-to-container network.
CONSOLE_DOMAINCONSOLE_DOMAIN is used to redirect the user after they have signed-in using a social identity or SAML SSO.
HOMEPAGE_DOMAINHOMEPAGE_DOMAIN is used to redirect the user after they have signed-out.

Environment Variables For Identities

Variable NameDescription
RECAPTCHA_SITE_KEYUse for password reset requests by users. Create a new reCaptcha v2.

GitHub OAuth

Variable NameDescription
GITHUB_OAUTH_IDGitHub OAuth app client ID. Used for GitHub OAuth signins. Create a new GitHub OAuth app.
GITHUB_OAUTH_SECRETGitHub OAuth app client secret. See above.
GITHUB_OAUTH_ENDPOINT

GitLab OAuth

Variable NameDescription
GITLAB_OAUTH_IDGitLab OAuth app client ID. Used for GitLab OAuth signins. Create a new GitLab OAuth app.
GITLAB_OAUTH_SECRETGitLab OAuth app client secret. See above.
GITLAB_OAUTH_ENDPOINT

Bitbucket OAuth

Variable NameDescription
BITBUCKET_OAUTH_IDAtlassian Bitbucket OAuth consumer client ID. Used for Bitbucket OAuth signins.
BITBUCKET_OAUTH_SECRET

TLS Environment Variables

The following environment variables must be configured to enable TLS. The values of the environment variables may either be a filepath or the actual value of the entity. If these variables are set, the console will be served over HTTPS (i.e. using TLS) using port 3443. If the following variables are not set the console will default to serving over HTTP using port 3000.

Variable NameDescription
CONSOLE_TLS_CERTIFICATEThe TLS certificate. The certificate must be supplied in X.509 format and must be PEM encoded.
CONSOLE_TLS_PRIVATE_KEYThe private key associated with the TLS certificate. The private key must be PEM encoded.
CONSOLE_MIN_TLS_VERSIONThe minimum version of TLS to allow (must be in <major>.<minor> format, e.g. 1.2). This variable is optional, if not set a minimum version will not be enforced.
ALLOW_INVALID_CERTSThis optional value can be set to allow connections originating from the Console container to the Service container to connect without TLS verification. This can be helpful in scenarios like testing or when using self-signed certs for internal traffic.

Note: Self-signed certificates may be used to configure TLS in the event the need for a trusted entity is not necessary. A self-signed cert and private key may be generated using OpenSSL. The following command uses OpenSSL to generate a self-signed certificate. This example will output two files, the certificate (cert.pem) and the private key (key.pem) used to sign it.

openssl \
  req -x509 -newkey rsa:4096 -keyout key.pem -out cert.pem \
  -days { days_until_expiration } -nodes -subj "/CN={ common_name }"