Are there any examples / templates available how to create a private GKE cluster and for private IP setup for Cloud SQL instances using Pulumi?

hi, any examples anywhere how could i do a helm init/configure service account for tiller on GKE using Pulumi?

Since I have switched to a private GKE cluster the Pulumi Preview seems to be broken 😞 Pulumi Preview basically shows that the Cluster will be updated:

~   ├─ gcp:container:Cluster                                      staging-k8s                                         update      [diff: ~privateClusterConfig]

and all Kubernetes resources will be replaced:

... 
     ├─ kubernetes:yaml:ConfigFile                                  argocdsecret
 +-  │  └─ kubernetes:core/v1:Secret                                infra/ops-playground                                replace     [diff: ~data,metadata,provider]
     ├─ kubernetes:yaml:ConfigFile                                  letsencrypt_staging
 +-  │  └─ kubernetes:<http://cert-manager.io/v1:ClusterIssuer|cert-manager.io/v1:ClusterIssuer>              infra/letsencrypt-staging                           replace     [diff: ~metadata,provider]
     ├─ kubernetes:yaml:ConfigFile                                  letsencrypt_prod
 +-  │  └─ kubernetes:<http://cert-manager.io/v1:ClusterIssuer|cert-manager.io/v1:ClusterIssuer>              infra/letsencrypt-prod                              replace     [diff: ~metadata,provider]
 +-  ├─ kubernetes:core/v1:Namespace                                m2                                                  replace     [diff: ~metadata,provider]
     ├─ kubernetes:<http://helm.sh/v2:Chart|helm.sh/v2:Chart>                                 cert-manager
...

Still when running Pulumi, only the privateClusterConfig gets updated and the Kubernetes resources are not "touched":

...
 ~   ├─ gcp:container:Cluster                                                staging-k8s                                  updated     [diff: ~privateClusterConfig]
...
Resources:
    ~ 1 updated
    117 unchanged

Does anyone have a tip on how to fix it?

Diagnostics:
  pulumi:pulumi:Stack (gcp-quick-dev):
    error: update failed
 
  gcp:cloudfunctions:Function (graphApi):
    error: googleapi: Error 403: Permission denied on 'locations/us-west1' (or it may not exist), forbidden

config:
  gcp:project: words-and-numbers
  gcp:region: us-west1

pretty sure us-west1 is a a valid region

Has anyone had a problem where

gcp.serviceaccount.Key

keeps being re-created on each new

pulumi up

?

In order to automatically create a

ForwardingRule

for the Firewall in Pulumi I am currently trying to extract the

Network tag

for the nodes in the nodepool. So far I wasnt successful. I tried to • Extract the network tags via nodeConfig: `pulumi.interpolate `${cluster.gkeCluster.nodeConfig.tags}`` => "" • Extract the network tags via nodePool[0].nodeConfig: `pulumi.interpolate `${cluster.gkeCluster.nodePools[0].nodeConfig.tags}`` => "" • Get one of the nodes via

export const instance = gcp.compute.getInstance( {name: "gke-cluster-default-pool-aaaaaa"});

=> The returned

GetInstanceResult

doesnt have a property tags ... So the first two calls just return an empty string, the third call returns an object which does not have a tags property.. TypeScript complains about it, although the call shoud return a

GetInstanceResult

, which should have the property tags... () In the Console I can see the Network Tags displayed on the VM Instance Details Page, the Instance Templates page ...

I've created a service account using

serviceaccount.NewAccount

(in Go) and am trying to assign a role,

roles/logging.logWriter

, to the account so that it can be used by an external service that writes logs. I'm using the

projects.IAMMember

resource to achieve this. I'm getting the following error.

gcp:projects:IAMMember (<name>):
    error: Request "Create IAM Members roles/logging.logWriter serviceAccount:projects/<project>/serviceAccounts/<account>@<project>.<http://iam.gserviceaccount.com|iam.gserviceaccount.com> for \"project \\\"<project>\\\"\"" returned error: Batch request and retried single request "Create IAM Members roles/logging.logWriter serviceAccount:projects/<project>/serviceAccounts/<account>@<project>.<http://iam.gserviceaccount.com|iam.gserviceaccount.com> for \"project \\\"<project>\\\"\"" both failed. Final error: Error applying IAM policy for project "<project>": Error setting IAM policy for project "<project>": googleapi: Error 400: Service account projects/<project>/serviceaccounts/<account>@<project>.<http://iam.gserviceaccount.com|iam.gserviceaccount.com> does not exist., badRequest

The service account is definitely present as I can see it in the console, and I've now retried 24 hours later to exclude an eventual consistency issue for the newly created service account, but I'm still getting the same message. Any suggestions on what to try next?

Hello guys, I have a set of custom resources and unfortunately the dependency graph is not correct. I can’t get a google object storage bucket inside a custom resource “Bucket With Notification” wait for a gcp.Project built inside a custom resource “Ephemeral Project”

Hey All, I'm trying out Pulumi and having a time trying to get Aggregated Log sinks to work. Creating the bucket and logging sink works fine.

bucket = storage.Bucket(resource_name=bucket_name, 
                        location="us-central1")

sink = logging.OrganizationSink("resource-ops-sink",
                        destination=Output.concat("<http://storage.googleapis.com/|storage.googleapis.com/>", bucket.id),
                        filter="logName:activity",
                        include_children=True,
                        org_id=org)

What I can't determine now is how to grant the write permissions to the bucket for service account used on the sink (writer_identity). I've been trying IAMBinding and IAMMember (each separately). However I get errors when it runs.

member = serviceaccount.IAMMember(
                        member=sink.writer_identity,
                        resource_name="log_writer",
                        role="roles/storage.objectCreator",
                        service_account_id=sink.writer_identity)

Diagnostics:
  gcp:serviceAccount:IAMMember (service-account-role-member):
    error: gcp:serviceAccount/iAMMember:IAMMember resource 'log-writer' has a problem: "service_account_id" ("serviceAccount:o976583563296-639776@gcp-sa-logging.iam.gserviceaccount.com") doesn't match regexp "projects/(?:(?:[-a-z0-9]{1,63}\\.)*(?:[a-z](?:[-a-z0-9]{0,61}[a-z0-9])?):)?(?:[0-9]{1,19}|(?:[a-z0-9](?:[-a-z0-9]{0,61}[a-z0-9])?)|-)/serviceAccounts/((?:(?:[-a-z0-9]{1,63}\\.)*(?:[a-z](?:[-a-z0-9]{0,61}[a-z0-9])?):)?(?:[0-9]{1,19}|(?:[a-z0-9](?:[-a-z0-9]{0,61}[a-z0-9])?))@[a-z]+.<http://gserviceaccount.com|gserviceaccount.com>$|[0-9]{1,20}-compute@developer.gserviceaccount.com|[a-z](?:[-a-z0-9]{4,28}[a-z0-9])@[-a-z0-9\\.]{1,63}\\.iam\\.gserviceaccount\\.com$)"

With Terraform I would only be providing the role and the member. I'm at a loss on this as to whether 1) am Im using the correct Pulumi object (IAMMember) and 2) why I'm getting the regex error on the resource_name attribute. I appreciate any assistance. Thanks.

Hello, I am currently working on enabling Workload Identity in our env managed by Pulumi. I think I know what needs to be created / wired up. But looking at the Pulumi documentation I am unsure on one of the mandatory parameters to assign the right roles to the Service Account I am creating. Following the steps in the documentation I think I can use either IAMBinding or IAMMember to implement step 2. I think IAMMember would be the better fit, but anyway, both resources require me to specify a parameter member(s). As their is no documentation on this param I would assume that I have to pass in the same value as for the parameter serviceAccountId, or?

Hey all, I am currently switching the CloudSQL Postgres instances to use Private IP. I am a bit stuck on how to setup the VPC peering / Private Service Connection in Pulumi correctly... When spinning up a CloudSQL Instance in the Console with Private IP enabled and Public IP disable the VPC peering / Private Service Connection connection is configured automatically in the background. As I haven't configured the peering manually so far, Pulumi fails when trying to spin up the CloudSQL instance with the following error message:

gcp:sql:DatabaseInstance (dev-test-primary):
    error: Error, failed to create instance dev-test-primary-9c7d79d: googleapi: Error 400: Invalid request: Incorrect Service Networking config for instance: dev-test:dev-test-primary-9c7d79d:NETWORK_NOT_PEERED., invalid

I hope that someone already has done all the needed steps and can point me to an example or something...

Does anyone have any advice for how to configure the dependency tree for ManagedSslCertificates with GKE Ingresses? I feel like with a couple of tweaks, I could figure out how to avoid a situation where Pulumi tries to delete it without first unasssigning it from the Ingress.

I'm using GCP cloudrun service, and I've set the resource up with Pulumi. I also have cloudbuild pipelines that update the cloudrun services with new images. To avoid the diff when I run

pulumi up

I've added

template.spec.containers[0].image

with the IgnoreChanges resource option, I do however sometime run into the following error:

Diagnostics:
  gcp:cloudrun:Service (xxx-cloudrun):
    error: cannot ignore changes to the following properties because one or more elements of the path are missing: "template.spec.containers[0].image"

pulumi refresh

does not help, the only way to get past this message is to remove the IgnoreChanges option, but that will deploy incorrect image to the service.

Beginning to use pulumi om GKE. and i manage to create a cluster, but when i want to make a namespace it cannot find my credentials.

Attempted to load application default credentials since neither `credentials` nor `access_token` was set in the provider block.  No credentials loaded. To use your gcloud credentials, run 'gcloud auth application-default login'.  Original error: google: could not find default credentials. See <https://developers.google.com/accounts/docs/application-default-credentials> for more information.

i have the GOOGLE_CREDENTIALS env var loaded, i assumed i would not need to run gcloud commands to make this work?

I created a simple component for gcp projects: https://www.npmjs.com/package/pulumi-gcpx-project. Out of curiosity, how are others are managing projects? I.e. what kind of architecture? Do you create a project per stack, per project, or something different?

I am creating dynamic dbs with pulumi on gcp. What would be the best to import a dump into the newly created db? I wanted to do it all at once with pulumi. What do you guys recommend?

I am getting an error for an imported organization policy resource:

error: gcp:organizations/policy:Policy resource 'domain_restricted_sharing' has a problem: ExactlyOne

I'm not sure what the issue is and could use some help. I can get it to work with ListPolicy.All, but not ListPolicy.Allow. Code inside the thread.

For some weird reason i cannot get gcp authentication to work in a multi project using stack references on github actions.

error: configured Kubernetes cluster is unreachable: unable to load schema information from the API server: Get "<https://35.189.230.20/openapi/v2?timeout=32s>": error executing access token command "gcloud config config-helper --format=json": err=exit status 1 output= stderr=WARNING: Could not open the configuration file: [/home/runner/.config/gcloud/configurations/config_default].
ERROR: (gcloud.config.config-helper) You do not currently have an active account selected.
Please run:

  $ gcloud auth login

to obtain new credentials.

If you have already logged in with a different account:

    $ gcloud config set account ACCOUNT

to select an already authenticated account to use.

The GOOGLE_CREDENTIALS secret is loaded in the envs. It used to work in a different repo, only difference is that this “project” does not include the gcp library since we get the kubeconfig from a different project/stack. (trying that now but i have to convince typescript to allow unused imports)

Hey all, I’m struggling with creating a gcp service account using another service account. I’m using serviceAccount package (golang) for creating another service account by

account, err := serviceaccount.NewAccount(a.ctx, "new-account", &sa.AccountArgs{
  Project: pulumi.String(ctx.Project()),
  AccountId:   pulumi.String("new-account"),
  Description: pulumi.String("A new service account"),
  DisplayName: pulumi.String("A new service account"),
})

Doing this, Pulumi tells me

Error creating service account: googleapi: Error 403: Permission iam.serviceAccounts.create is required to perform this operation on project ...

For the service account I’m using to create another service account I granted Roles “Create Service Accounts” “Owner” “Project IAM Admin” What’s wrong with that? Using GCP REST API (https://cloud.google.com/iam/docs/creating-managing-service-accounts#iam-service-accounts-create-rest) works with that. go.mod is

go 1.15

require (
	<http://github.com/pulumi/pulumi-gcp/sdk/v4|github.com/pulumi/pulumi-gcp/sdk/v4> v4.6.0
	<http://github.com/pulumi/pulumi/sdk/v2|github.com/pulumi/pulumi/sdk/v2> v2.16.1
)

Thank you in advance.

The GCP provider accepts a number of custom endpoint arguments. Where can I find information on how to use these? https://www.pulumi.com/docs/reference/pkg/gcp/provider/

Hey all, GCP has a new module within terraform-google-lb-http (https://github.com/terraform-google-modules/terraform-google-lb-http/tree/master/modules/serverless_negs) which makes it trivial to set up a global load balancer for cloud run with SSL. Is this available in Pulumi? I can’t seem to find it. It came out 3 Dec so I’m wondering if it’s just not landed yet? Thanks in advance and hope you all enjoy NYE!

Can someone at pulumi cut a release of the gcp provider they just landed an important fix in 3.51.1

For integer comparison, it is causing a lot of issues in terraform at least

@broad-dog-22463 maybe?

Hi @future-potato-71458, we actually use terraform-provider-google-beta and there's no fix for that one yet I'm afraid

Hi, I want to create a GKE-Cluster without workload logging and monitoring by google. In google console there is the option 'Cloud Operations for GKE' -> 'System logging and monitoring (beta)' which may do what I want but I cannot find it in pulumis gcp.container.Cluster typescript class. Has anyone seen this option in pulumi?

I'm having an issue with passing

{ parent: this }

to some GCP objects; the error looks like this --

TypeError: Cannot read property 'promise' of undefined

Passing the same

{parent: this }

to a k8s object is working fine, any thoughts? Edit: I also see this later in the log:

unhandled rejection: CONTEXT(572): resource:api[gcp:serviceAccount/account:Account]

Hey everyone, I’m struggling with setting up (using Go) a service in cloud run in conjunction with a pub sub subscription. What I want to accomplish: 1. Setup / Create a new Cloud Run Service 2. New Cloud Run Service has an URL being generated (in my case, I don’t use domain mapping) 3. Setup / Create a Pub Sub Subscription, hand over the URL as the push endpoint the thing is: I can not find an “URL” Property within cloudrun.Service type 1)

service, _ := cloudrun.NewService(s.ctx, "my-srv",
		&cloudrun.ServiceArgs{
			// Location from config
			Location: pulumi.String(s.region),
			// ProjectId from pulumi
			Project: pulumi.StringPtr(gcpConf.GetProject(s.ctx)),
			Template: &cloudrun.ServiceTemplateArgs{
				Spec: &cloudrun.ServiceTemplateSpecArgs{
					// e-mail of service account to run container in
					ServiceAccountName: s.serviceAccount.Email,
					Containers: &cloudrun.ServiceTemplateSpecContainerArray{
						&cloudrun.ServiceTemplateSpecContainerArgs{
							Image: "<my-image>",
						},
					},
				},
			}})

3)

pubsub.NewSubscription(s.ctx, "my-subscription", &pubsub.SubscriptionArgs{
		Project: pulumi.StringPtr(gcpConf.GetProject(s.ctx)),
		Topic: "<my-topic>",
		Name: pulumi.String("my-subscription"),
		PushConfig: &pubsub.SubscriptionPushConfigArgs {
			PushEndpoint: // what does here?
		}
	
	})

PushConfig: &pubsub.SubscriptionPushConfigArgs { PushEndpoint: // what does here? } Thx in advance

Hello, I've got a problem when I try to refresh, preview or up a stack that contains a Cloud SQL database. It gives me the following error:

➜  pulumi-gcp-databases git:(master) pulumi preview --diff   
Previewing update (dev)

View Live: <https://app.pulumi.com/Kansuler/minikontrakt-gcp-databases/dev/previews/2e34bc6b-191a-484d-a5cf-78b6c98e692f>

+ pulumi:pulumi:Stack: (create)
    [urn=urn:pulumi:dev::minikontrakt-gcp-databases::pulumi:pulumi:Stack::minikontrakt-gcp-databases-dev]
error: gcp:sql/databaseInstance:DatabaseInstance resource 'general-database' has a problem: AtLeastOne
error: gcp:sql/databaseInstance:DatabaseInstance resource 'general-database' has a problem: AtLeastOne
error: gcp:sql/databaseInstance:DatabaseInstance resource 'general-database' has a problem: AtLeastOne
error: gcp:sql/databaseInstance:DatabaseInstance resource 'general-database' has a problem: AtLeastOne
error: gcp:sql/databaseInstance:DatabaseInstance resource 'general-database' has a problem: AtLeastOne
error: gcp:sql/databaseInstance:DatabaseInstance resource 'general-database' has a problem: AtLeastOne
error: gcp:sql/databaseInstance:DatabaseInstance resource 'general-database' has a problem: AtLeastOne
error: gcp:sql/databaseInstance:DatabaseInstance resource 'general-database' has a problem: AtLeastOne
error: gcp:sql/databaseInstance:DatabaseInstance resource 'general-database' has a problem: AtLeastOne
error: gcp:sql/databaseInstance:DatabaseInstance resource 'general-database' has a problem: AtLeastOne
error: gcp:sql/databaseInstance:DatabaseInstance resource 'general-database' has a problem: AtLeastOne
Resources:
    + 1 to create

Anyone orchestrating GKE with Pulumi? I am wondering if creating the GKE cluster with static credentials[1] is the only way to go about this? [1] - https://github.com/pulumi/examples/blob/master/gcp-py-gke/__main__.py#L30