clean-helmet-84712
09/25/2020, 6:33 PM
red-area-47037
09/29/2020, 9:56 AM
fierce-memory-34976
10/02/2020, 3:27 PM
red-area-47037
10/07/2020, 11:04 AM
~ ├─ gcp:container:Cluster staging-k8s update [diff: ~privateClusterConfig]
and all Kubernetes resources will be replaced:
...
├─ kubernetes:yaml:ConfigFile argocdsecret
+- │ └─ kubernetes:core/v1:Secret infra/ops-playground replace [diff: ~data,metadata,provider]
├─ kubernetes:yaml:ConfigFile letsencrypt_staging
+- │ └─ kubernetes:cert-manager.io/v1:ClusterIssuer infra/letsencrypt-staging replace [diff: ~metadata,provider]
├─ kubernetes:yaml:ConfigFile letsencrypt_prod
+- │ └─ kubernetes:cert-manager.io/v1:ClusterIssuer infra/letsencrypt-prod replace [diff: ~metadata,provider]
+- ├─ kubernetes:core/v1:Namespace m2 replace [diff: ~metadata,provider]
├─ kubernetes:helm.sh/v2:Chart cert-manager
...
Still when running Pulumi, only the privateClusterConfig gets updated and the Kubernetes resources are not "touched":
...
~ ├─ gcp:container:Cluster staging-k8s updated [diff: ~privateClusterConfig]
...
Resources:
~ 1 updated
117 unchanged
Does anyone have a tip on how to fix it?
clean-breakfast-29827
10/07/2020, 6:17 PM
Diagnostics:
pulumi:pulumi:Stack (gcp-quick-dev):
error: update failed
gcp:cloudfunctions:Function (graphApi):
error: googleapi: Error 403: Permission denied on 'locations/us-west1' (or it may not exist), forbidden
config:
gcp:project: words-and-numbers
gcp:region: us-west1
pretty sure us-west1 is a valid region
wet-soccer-72485
10/12/2020, 1:34 AM
gcp.serviceaccount.Key keeps being re-created on each new pulumi up?
red-area-47037
10/19/2020, 8:47 PM
ForwardingRule
for the Firewall in Pulumi I am currently trying to extract the Network tag for the nodes in the nodepool. So far I wasn't successful. I tried to
• Extract the network tags via nodeConfig: `pulumi.interpolate `${cluster.gkeCluster.nodeConfig.tags}`` => ""
• Extract the network tags via nodePool[0].nodeConfig: `pulumi.interpolate `${cluster.gkeCluster.nodePools[0].nodeConfig.tags}`` => ""
• Get one of the nodes via export const instance = gcp.compute.getInstance( {name: "gke-cluster-default-pool-aaaaaa"}); => The returned GetInstanceResult doesn't have a property tags ...
So the first two calls just return an empty string, the third call returns an object which does not have a tags property. TypeScript complains about it, although the call should return a GetInstanceResult, which should have the property tags...
In the Console I can see the Network Tags displayed on the VM Instance Details Page, the Instance Templates page ...
big-account-56668
10/30/2020, 10:12 AM
serviceaccount.NewAccount (in Go) and am trying to assign a role, roles/logging.logWriter, to the account so that it can be used by an external service that writes logs. I'm using the projects.IAMMember resource to achieve this. I'm getting the following error.
gcp:projects:IAMMember (<name>):
error: Request "Create IAM Members roles/logging.logWriter serviceAccount:projects/<project>/serviceAccounts/<account>@<project>.iam.gserviceaccount.com for \"project \\\"<project>\\\"\"" returned error: Batch request and retried single request "Create IAM Members roles/logging.logWriter serviceAccount:projects/<project>/serviceAccounts/<account>@<project>.iam.gserviceaccount.com for \"project \\\"<project>\\\"\"" both failed. Final error: Error applying IAM policy for project "<project>": Error setting IAM policy for project "<project>": googleapi: Error 400: Service account projects/<project>/serviceaccounts/<account>@<project>.iam.gserviceaccount.com does not exist., badRequest
The service account is definitely present as I can see it in the console, and I've now retried 24 hours later to exclude an eventual consistency issue for the newly created service account, but I'm still getting the same message. Any suggestions on what to try next?
damp-elephant-82829
11/02/2020, 10:12 AM
curved-alligator-54130
11/03/2020, 3:51 AM
bucket = storage.Bucket(resource_name=bucket_name,
                        location="us-central1")
sink = logging.OrganizationSink("resource-ops-sink",
                                destination=Output.concat("storage.googleapis.com/", bucket.id),
                                filter="logName:activity",
                                include_children=True,
                                org_id=org)
What I can't determine now is how to grant the write permissions to the bucket for service account used on the sink (writer_identity).
I've been trying IAMBinding and IAMMember (each separately). However I get errors when it runs.
member = serviceaccount.IAMMember(
    member=sink.writer_identity,
    resource_name="log_writer",
    role="roles/storage.objectCreator",
    service_account_id=sink.writer_identity)
Diagnostics:
gcp:serviceAccount:IAMMember (service-account-role-member):
error: gcp:serviceAccount/iAMMember:IAMMember resource 'log-writer' has a problem: "service_account_id" ("serviceAccount:o976583563296-639776@gcp-sa-logging.iam.gserviceaccount.com") doesn't match regexp "projects/(?:(?:[-a-z0-9]{1,63}\\.)*(?:[a-z](?:[-a-z0-9]{0,61}[a-z0-9])?):)?(?:[0-9]{1,19}|(?:[a-z0-9](?:[-a-z0-9]{0,61}[a-z0-9])?)|-)/serviceAccounts/((?:(?:[-a-z0-9]{1,63}\\.)*(?:[a-z](?:[-a-z0-9]{0,61}[a-z0-9])?):)?(?:[0-9]{1,19}|(?:[a-z0-9](?:[-a-z0-9]{0,61}[a-z0-9])?))@[a-z]+.gserviceaccount.com$|[0-9]{1,20}-compute@developer.gserviceaccount.com|[a-z](?:[-a-z0-9]{4,28}[a-z0-9])@[-a-z0-9\\.]{1,63}\\.iam\\.gserviceaccount\\.com$)"
With Terraform I would only be providing the role and the member. I'm at a loss on this as to whether 1) am I using the correct Pulumi object (IAMMember) and 2) why I'm getting the regex error on the resource_name attribute.
I appreciate any assistance. Thanks.
red-area-47037
11/05/2020, 6:05 PM
red-area-47037
11/17/2020, 2:32 PM
gcp:sql:DatabaseInstance (dev-test-primary):
error: Error, failed to create instance dev-test-primary-9c7d79d: googleapi: Error 400: Invalid request: Incorrect Service Networking config for instance: dev-test:dev-test-primary-9c7d79d:NETWORK_NOT_PEERED., invalid
I hope that someone already has done all the needed steps and can point me to an example or something...
wet-soccer-72485
11/21/2020, 5:31 PM
creamy-engine-1851
12/09/2020, 9:14 PM
pulumi up
I've added template.spec.containers[0].image with the IgnoreChanges resource option, I do however sometimes run into the following error:
Diagnostics:
gcp:cloudrun:Service (xxx-cloudrun):
error: cannot ignore changes to the following properties because one or more elements of the path are missing: "template.spec.containers[0].image"
pulumi refresh does not help, the only way to get past this message is to remove the IgnoreChanges option, but that will deploy an incorrect image to the service.
proud-pizza-80589
12/17/2020, 5:48 PM
Attempted to load application default credentials since neither `credentials` nor `access_token` was set in the provider block. No credentials loaded. To use your gcloud credentials, run 'gcloud auth application-default login'. Original error: google: could not find default credentials. See https://developers.google.com/accounts/docs/application-default-credentials for more information.
I have the GOOGLE_CREDENTIALS env var loaded, I assumed I would not need to run gcloud commands to make this work?
calm-table-93204
12/19/2020, 8:31 PM
eager-pillow-75917
12/21/2020, 1:56 PM
billions-oxygen-70106
12/22/2020, 2:30 AM
error: gcp:organizations/policy:Policy resource 'domain_restricted_sharing' has a problem: ExactlyOne
I'm not sure what the issue is and could use some help. I can get it to work with ListPolicy.All, but not ListPolicy.Allow. Code inside the thread.
proud-pizza-80589
12/23/2020, 3:19 PM
error: configured Kubernetes cluster is unreachable: unable to load schema information from the API server: Get "https://35.189.230.20/openapi/v2?timeout=32s": error executing access token command "gcloud config config-helper --format=json": err=exit status 1 output= stderr=WARNING: Could not open the configuration file: [/home/runner/.config/gcloud/configurations/config_default].
ERROR: (gcloud.config.config-helper) You do not currently have an active account selected.
Please run:
$ gcloud auth login
to obtain new credentials.
If you have already logged in with a different account:
$ gcloud config set account ACCOUNT
to select an already authenticated account to use.
The GOOGLE_CREDENTIALS secret is loaded in the envs. It used to work in a different repo, only difference is that this “project” does not include the gcp library since we get the kubeconfig from a different project/stack. (trying that now but I have to convince TypeScript to allow unused imports)
astonishing-lifeguard-39886
12/26/2020, 12:32 PM
account, err := serviceaccount.NewAccount(a.ctx, "new-account", &serviceaccount.AccountArgs{
    Project:     pulumi.String(ctx.Project()),
    AccountId:   pulumi.String("new-account"),
    Description: pulumi.String("A new service account"),
    DisplayName: pulumi.String("A new service account"),
})
Doing this, Pulumi tells me
Error creating service account: googleapi: Error 403: Permission iam.serviceAccounts.create is required to perform this operation on project ...
For the service account I’m using to create another service account I granted Roles
“Create Service Accounts”
“Owner”
“Project IAM Admin”
What’s wrong with that?
Using GCP REST API (https://cloud.google.com/iam/docs/creating-managing-service-accounts#iam-service-accounts-create-rest) works with that.
go.mod is
go 1.15
require (
    github.com/pulumi/pulumi-gcp/sdk/v4 v4.6.0
    github.com/pulumi/pulumi/sdk/v2 v2.16.1
)
Thank you in advance.
limited-rainbow-51650
12/30/2020, 10:09 AM
miniature-rose-15269
12/31/2020, 4:33 PM
future-potato-71458
01/07/2021, 7:23 PM
future-potato-71458
01/07/2021, 7:23 PM
future-potato-71458
01/07/2021, 7:24 PM
broad-dog-22463
01/07/2021, 7:26 PM
steep-angle-29984
01/08/2021, 11:23 AM
curved-summer-41191
01/08/2021, 9:33 PM
{ parent: this }
to some GCP objects; the error looks like this --
TypeError: Cannot read property 'promise' of undefined
Passing the same {parent: this }
to a k8s object is working fine, any thoughts?
Edit: I also see this later in the log:
unhandled rejection: CONTEXT(572): resource:api[gcp:serviceAccount/account:Account]
astonishing-lifeguard-39886
01/11/2021, 3:19 PM
service, _ := cloudrun.NewService(s.ctx, "my-srv",
    &cloudrun.ServiceArgs{
        // Location from config
        Location: pulumi.String(s.region),
        // ProjectId from pulumi
        Project: pulumi.StringPtr(gcpConf.GetProject(s.ctx)),
        Template: &cloudrun.ServiceTemplateArgs{
            Spec: &cloudrun.ServiceTemplateSpecArgs{
                // e-mail of service account to run container in
                ServiceAccountName: s.serviceAccount.Email,
                Containers: &cloudrun.ServiceTemplateSpecContainerArray{
                    &cloudrun.ServiceTemplateSpecContainerArgs{
                        Image: "<my-image>",
                    },
                },
            },
        }})
3)
pubsub.NewSubscription(s.ctx, "my-subscription", &pubsub.SubscriptionArgs{
    Project: pulumi.StringPtr(gcpConf.GetProject(s.ctx)),
    Topic: "<my-topic>",
    Name: pulumi.String("my-subscription"),
    PushConfig: &pubsub.SubscriptionPushConfigArgs {
        PushEndpoint: // what goes here?
    }
})
PushConfig: &pubsub.SubscriptionPushConfigArgs {
    PushEndpoint: // what goes here?
}
Thx in advance
creamy-engine-1851
01/17/2021, 8:36 PM
➜ pulumi-gcp-databases git:(master) pulumi preview --diff
Previewing update (dev)
View Live: https://app.pulumi.com/Kansuler/minikontrakt-gcp-databases/dev/previews/2e34bc6b-191a-484d-a5cf-78b6c98e692f
+ pulumi:pulumi:Stack: (create)
[urn=urn:pulumi:dev::minikontrakt-gcp-databases::pulumi:pulumi:Stack::minikontrakt-gcp-databases-dev]
error: gcp:sql/databaseInstance:DatabaseInstance resource 'general-database' has a problem: AtLeastOne
error: gcp:sql/databaseInstance:DatabaseInstance resource 'general-database' has a problem: AtLeastOne
error: gcp:sql/databaseInstance:DatabaseInstance resource 'general-database' has a problem: AtLeastOne
error: gcp:sql/databaseInstance:DatabaseInstance resource 'general-database' has a problem: AtLeastOne
error: gcp:sql/databaseInstance:DatabaseInstance resource 'general-database' has a problem: AtLeastOne
error: gcp:sql/databaseInstance:DatabaseInstance resource 'general-database' has a problem: AtLeastOne
error: gcp:sql/databaseInstance:DatabaseInstance resource 'general-database' has a problem: AtLeastOne
error: gcp:sql/databaseInstance:DatabaseInstance resource 'general-database' has a problem: AtLeastOne
error: gcp:sql/databaseInstance:DatabaseInstance resource 'general-database' has a problem: AtLeastOne
error: gcp:sql/databaseInstance:DatabaseInstance resource 'general-database' has a problem: AtLeastOne
error: gcp:sql/databaseInstance:DatabaseInstance resource 'general-database' has a problem: AtLeastOne
Resources:
+ 1 to create
gentle-diamond-70147
01/19/2021, 4:29 PM
creamy-engine-1851
01/20/2021, 7:48 AM
sql.DatabaseInstanceReplicaConfigurationArgs{} with only nil values