google-cloud
  • c

    clean-helmet-84712

    09/25/2020, 6:33 PM
    First - thanks for making Pulumi, I've been teaching myself it all week and it's a pleasure to write real IaC. Second - is it possible to get the current GCP project that's being operated on, regardless if it's set by GOOGLE_PROJECT, GOOGLE_APPLICATION_CREDENTIALS?
  • r

    red-area-47037

    09/29/2020, 9:56 AM
    Are there any examples / templates available how to create a private GKE cluster and for private IP setup for Cloud SQL instances using Pulumi?
  • f

    fierce-memory-34976

    10/02/2020, 3:27 PM
    hi, any examples anywhere how could i do a helm init/configure service account for tiller on GKE using Pulumi?
  • r

    red-area-47037

    10/07/2020, 11:04 AM
    Since I have switched to a private GKE cluster the Pulumi Preview seems to be broken 😞 Pulumi Preview basically shows that the Cluster will be updated:
    ~   ├─ gcp:container:Cluster                                      staging-k8s                                         update      [diff: ~privateClusterConfig]
    and all Kubernetes resources will be replaced:
    ... 
         ├─ kubernetes:yaml:ConfigFile                                  argocdsecret
     +-  │  └─ kubernetes:core/v1:Secret                                infra/ops-playground                                replace     [diff: ~data,metadata,provider]
         ├─ kubernetes:yaml:ConfigFile                                  letsencrypt_staging
     +-  │  └─ kubernetes:cert-manager.io/v1:ClusterIssuer              infra/letsencrypt-staging                           replace     [diff: ~metadata,provider]
         ├─ kubernetes:yaml:ConfigFile                                  letsencrypt_prod
     +-  │  └─ kubernetes:cert-manager.io/v1:ClusterIssuer              infra/letsencrypt-prod                              replace     [diff: ~metadata,provider]
     +-  ├─ kubernetes:core/v1:Namespace                                m2                                                  replace     [diff: ~metadata,provider]
         ├─ kubernetes:helm.sh/v2:Chart                                 cert-manager
    ...
    Still when running Pulumi, only the privateClusterConfig gets updated and the Kubernetes resources are not "touched":
    ...
     ~   ├─ gcp:container:Cluster                                                staging-k8s                                  updated     [diff: ~privateClusterConfig]
    ...
    Resources:
        ~ 1 updated
        117 unchanged
    Does anyone have a tip on how to fix it?
  • c

    clean-breakfast-29827

    10/07/2020, 6:17 PM
    Diagnostics:
      pulumi:pulumi:Stack (gcp-quick-dev):
        error: update failed
     
      gcp:cloudfunctions:Function (graphApi):
        error: googleapi: Error 403: Permission denied on 'locations/us-west1' (or it may not exist), forbidden
    
    config:
      gcp:project: words-and-numbers
      gcp:region: us-west1
    pretty sure us-west1 is a valid region
  • w

    wet-soccer-72485

    10/12/2020, 1:34 AM
    Has anyone had a problem where `gcp.serviceaccount.Key` keeps being re-created on each new `pulumi up`?
  • r

    red-area-47037

    10/19/2020, 8:47 PM
    In order to automatically create a `ForwardingRule` for the Firewall in Pulumi I am currently trying to extract the `Network tag` for the nodes in the nodepool. So far I wasn't successful. I tried to
    • Extract the network tags via nodeConfig: `pulumi.interpolate `${cluster.gkeCluster.nodeConfig.tags}`` => ""
    • Extract the network tags via nodePool[0].nodeConfig: `pulumi.interpolate `${cluster.gkeCluster.nodePools[0].nodeConfig.tags}`` => ""
    • Get one of the nodes via
    export const instance = gcp.compute.getInstance( {name: "gke-cluster-default-pool-aaaaaa"});
    => The returned `GetInstanceResult` doesn't have a property tags ...
    So the first two calls just return an empty string, the third call returns an object which does not have a tags property.. TypeScript complains about it, although the call should return a `GetInstanceResult`, which should have the property tags... In the Console I can see the Network Tags displayed on the VM Instance Details Page, the Instance Templates page ...
  • b

    big-account-56668

    10/30/2020, 10:12 AM
    I've created a service account using `serviceaccount.NewAccount` (in Go) and am trying to assign a role, `roles/logging.logWriter`, to the account so that it can be used by an external service that writes logs. I'm using the `projects.IAMMember` resource to achieve this. I'm getting the following error.
    gcp:projects:IAMMember (<name>):
        error: Request "Create IAM Members roles/logging.logWriter serviceAccount:projects/<project>/serviceAccounts/<account>@<project>.iam.gserviceaccount.com for \"project \\\"<project>\\\"\"" returned error: Batch request and retried single request "Create IAM Members roles/logging.logWriter serviceAccount:projects/<project>/serviceAccounts/<account>@<project>.iam.gserviceaccount.com for \"project \\\"<project>\\\"\"" both failed. Final error: Error applying IAM policy for project "<project>": Error setting IAM policy for project "<project>": googleapi: Error 400: Service account projects/<project>/serviceaccounts/<account>@<project>.iam.gserviceaccount.com does not exist., badRequest
    The service account is definitely present as I can see it in the console, and I've now retried 24 hours later to exclude an eventual consistency issue for the newly created service account, but I'm still getting the same message. Any suggestions on what to try next?
  • d

    damp-elephant-82829

    11/02/2020, 10:12 AM
    Hello guys, I have a set of custom resources and unfortunately the dependency graph is not correct. I can’t get a google object storage bucket inside a custom resource “Bucket With Notification” wait for a gcp.Project built inside a custom resource “Ephemeral Project”
  • c

    curved-alligator-54130

    11/03/2020, 3:51 AM
    Hey All, I'm trying out Pulumi and having a time trying to get Aggregated Log sinks to work. Creating the bucket and logging sink works fine.
    bucket = storage.Bucket(resource_name=bucket_name, 
                            location="us-central1")
    
    sink = logging.OrganizationSink("resource-ops-sink",
                            destination=Output.concat("storage.googleapis.com/", bucket.id),
                            filter="logName:activity",
                            include_children=True,
                            org_id=org)
    What I can't determine now is how to grant the write permissions to the bucket for service account used on the sink (writer_identity). I've been trying IAMBinding and IAMMember (each separately). However I get errors when it runs.
    member = serviceaccount.IAMMember(
                            member=sink.writer_identity,
                            resource_name="log_writer",
                            role="roles/storage.objectCreator",
                            service_account_id=sink.writer_identity)
    Diagnostics:
      gcp:serviceAccount:IAMMember (service-account-role-member):
        error: gcp:serviceAccount/iAMMember:IAMMember resource 'log-writer' has a problem: "service_account_id" ("serviceAccount:o976583563296-639776@gcp-sa-logging.iam.gserviceaccount.com") doesn't match regexp "projects/(?:(?:[-a-z0-9]{1,63}\\.)*(?:[a-z](?:[-a-z0-9]{0,61}[a-z0-9])?):)?(?:[0-9]{1,19}|(?:[a-z0-9](?:[-a-z0-9]{0,61}[a-z0-9])?)|-)/serviceAccounts/((?:(?:[-a-z0-9]{1,63}\\.)*(?:[a-z](?:[-a-z0-9]{0,61}[a-z0-9])?):)?(?:[0-9]{1,19}|(?:[a-z0-9](?:[-a-z0-9]{0,61}[a-z0-9])?))@[a-z]+.gserviceaccount.com$|[0-9]{1,20}-compute@developer.gserviceaccount.com|[a-z](?:[-a-z0-9]{4,28}[a-z0-9])@[-a-z0-9\\.]{1,63}\\.iam\\.gserviceaccount\\.com$)"
    With Terraform I would only be providing the role and the member. I'm at a loss on this as to whether 1) am I using the correct Pulumi object (IAMMember) and 2) why I'm getting the regex error on the resource_name attribute. I appreciate any assistance. Thanks.
  • r

    red-area-47037

    11/05/2020, 6:05 PM
    Hello, I am currently working on enabling Workload Identity in our env managed by Pulumi. I think I know what needs to be created / wired up. But looking at the Pulumi documentation I am unsure on one of the mandatory parameters to assign the right roles to the Service Account I am creating. Following the steps in the documentation I think I can use either IAMBinding or IAMMember to implement step 2. I think IAMMember would be the better fit, but anyway, both resources require me to specify a parameter member(s). As there is no documentation on this param I would assume that I have to pass in the same value as for the parameter serviceAccountId, or?
  • r

    red-area-47037

    11/17/2020, 2:32 PM
    Hey all, I am currently switching the CloudSQL Postgres instances to use Private IP. I am a bit stuck on how to set up the VPC peering / Private Service Connection in Pulumi correctly... When spinning up a CloudSQL Instance in the Console with Private IP enabled and Public IP disabled, the VPC peering / Private Service Connection is configured automatically in the background. As I haven't configured the peering manually so far, Pulumi fails when trying to spin up the CloudSQL instance with the following error message:
    gcp:sql:DatabaseInstance (dev-test-primary):
        error: Error, failed to create instance dev-test-primary-9c7d79d: googleapi: Error 400: Invalid request: Incorrect Service Networking config for instance: dev-test:dev-test-primary-9c7d79d:NETWORK_NOT_PEERED., invalid
    I hope that someone already has done all the needed steps and can point me to an example or something...
  • w

    wet-soccer-72485

    11/21/2020, 5:31 PM
    Does anyone have any advice for how to configure the dependency tree for ManagedSslCertificates with GKE Ingresses? I feel like with a couple of tweaks, I could figure out how to avoid a situation where Pulumi tries to delete it without first unassigning it from the Ingress.
  • c

    creamy-engine-1851

    12/09/2020, 9:14 PM
    I'm using GCP cloudrun service, and I've set the resource up with Pulumi. I also have cloudbuild pipelines that update the cloudrun services with new images. To avoid the diff when I run `pulumi up` I've added `template.spec.containers[0].image` with the IgnoreChanges resource option, I do however sometimes run into the following error:
    Diagnostics:
      gcp:cloudrun:Service (xxx-cloudrun):
        error: cannot ignore changes to the following properties because one or more elements of the path are missing: "template.spec.containers[0].image"
    `pulumi refresh` does not help, the only way to get past this message is to remove the IgnoreChanges option, but that will deploy incorrect image to the service.
  • p

    proud-pizza-80589

    12/17/2020, 5:48 PM
    Beginning to use pulumi on GKE, and i manage to create a cluster, but when i want to make a namespace it cannot find my credentials.
    Attempted to load application default credentials since neither `credentials` nor `access_token` was set in the provider block.  No credentials loaded. To use your gcloud credentials, run 'gcloud auth application-default login'.  Original error: google: could not find default credentials. See <https://developers.google.com/accounts/docs/application-default-credentials> for more information.
    i have the GOOGLE_CREDENTIALS env var loaded, i assumed i would not need to run gcloud commands to make this work?
  • c

    calm-table-93204

    12/19/2020, 8:31 PM
    I created a simple component for gcp projects: https://www.npmjs.com/package/pulumi-gcpx-project. Out of curiosity, how are others managing projects? I.e. what kind of architecture? Do you create a project per stack, per project, or something different?
  • e

    eager-pillow-75917

    12/21/2020, 1:56 PM
    I am creating dynamic dbs with pulumi on gcp. What would be the best to import a dump into the newly created db? I wanted to do it all at once with pulumi. What do you guys recommend?
  • b

    billions-oxygen-70106

    12/22/2020, 2:30 AM
    I am getting an error for an imported organization policy resource:
    error: gcp:organizations/policy:Policy resource 'domain_restricted_sharing' has a problem: ExactlyOne
    I'm not sure what the issue is and could use some help. I can get it to work with ListPolicy.All, but not ListPolicy.Allow. Code inside the thread.
  • p

    proud-pizza-80589

    12/23/2020, 3:19 PM
    For some weird reason i cannot get gcp authentication to work in a multi project using stack references on github actions.
    error: configured Kubernetes cluster is unreachable: unable to load schema information from the API server: Get "<https://35.189.230.20/openapi/v2?timeout=32s>": error executing access token command "gcloud config config-helper --format=json": err=exit status 1 output= stderr=WARNING: Could not open the configuration file: [/home/runner/.config/gcloud/configurations/config_default].
    ERROR: (gcloud.config.config-helper) You do not currently have an active account selected.
    Please run:
    
      $ gcloud auth login
    
    to obtain new credentials.
    
    If you have already logged in with a different account:
    
        $ gcloud config set account ACCOUNT
    
    to select an already authenticated account to use.
    The GOOGLE_CREDENTIALS secret is loaded in the envs. It used to work in a different repo, only difference is that this “project” does not include the gcp library since we get the kubeconfig from a different project/stack. (trying that now but i have to convince typescript to allow unused imports)
  • a

    astonishing-lifeguard-39886

    12/26/2020, 12:32 PM
    Hey all, I’m struggling with creating a gcp service account using another service account. I’m using serviceAccount package (golang) for creating another service account by
    account, err := serviceaccount.NewAccount(a.ctx, "new-account", &sa.AccountArgs{
      Project: pulumi.String(ctx.Project()),
      AccountId:   pulumi.String("new-account"),
      Description: pulumi.String("A new service account"),
      DisplayName: pulumi.String("A new service account"),
    })
    Doing this, Pulumi tells me
    Error creating service account: googleapi: Error 403: Permission iam.serviceAccounts.create is required to perform this operation on project ...
    For the service account I’m using to create another service account I granted Roles “Create Service Accounts” “Owner” “Project IAM Admin” What’s wrong with that? Using GCP REST API (https://cloud.google.com/iam/docs/creating-managing-service-accounts#iam-service-accounts-create-rest) works with that. go.mod is
    go 1.15
    
    require (
    	github.com/pulumi/pulumi-gcp/sdk/v4 v4.6.0
    	github.com/pulumi/pulumi/sdk/v2 v2.16.1
    )
    Thank you in advance.
  • l

    limited-rainbow-51650

    12/30/2020, 10:09 AM
    The GCP provider accepts a number of custom endpoint arguments. Where can I find information on how to use these? https://www.pulumi.com/docs/reference/pkg/gcp/provider/
  • m

    miniature-rose-15269

    12/31/2020, 4:33 PM
    Hey all, GCP has a new module within terraform-google-lb-http (https://github.com/terraform-google-modules/terraform-google-lb-http/tree/master/modules/serverless_negs) which makes it trivial to set up a global load balancer for cloud run with SSL. Is this available in Pulumi? I can’t seem to find it. It came out 3 Dec so I’m wondering if it’s just not landed yet? Thanks in advance and hope you all enjoy NYE!
  • f

    future-potato-71458

    01/07/2021, 7:23 PM
    Can someone at pulumi cut a release of the gcp provider they just landed an important fix in 3.51.1
  • f

    future-potato-71458

    01/07/2021, 7:23 PM
    For integer comparison, it is causing a lot of issues in terraform at least
  • f

    future-potato-71458

    01/07/2021, 7:24 PM
    @broad-dog-22463 maybe?
  • b

    broad-dog-22463

    01/07/2021, 7:26 PM
    Hi @future-potato-71458, we actually use terraform-provider-google-beta and there's no fix for that one yet I'm afraid
  • s

    steep-angle-29984

    01/08/2021, 11:23 AM
    Hi, I want to create a GKE-Cluster without workload logging and monitoring by google. In google console there is the option 'Cloud Operations for GKE' -> 'System logging and monitoring (beta)' which may do what I want but I cannot find it in pulumis gcp.container.Cluster typescript class. Has anyone seen this option in pulumi?
  • c

    curved-summer-41191

    01/08/2021, 9:33 PM
    I'm having an issue with passing `{ parent: this }` to some GCP objects; the error looks like this --
    TypeError: Cannot read property 'promise' of undefined
    Passing the same `{parent: this }` to a k8s object is working fine, any thoughts? Edit: I also see this later in the log:
    unhandled rejection: CONTEXT(572): resource:api[gcp:serviceAccount/account:Account]
  • a

    astonishing-lifeguard-39886

    01/11/2021, 3:19 PM
    Hey everyone, I’m struggling with setting up (using Go) a service in cloud run in conjunction with a pub sub subscription. What I want to accomplish:
    1. Setup / Create a new Cloud Run Service
    2. New Cloud Run Service has an URL being generated (in my case, I don’t use domain mapping)
    3. Setup / Create a Pub Sub Subscription, hand over the URL as the push endpoint
    the thing is: I can not find an “URL” Property within cloudrun.Service type
    1)
    service, _ := cloudrun.NewService(s.ctx, "my-srv",
    		&cloudrun.ServiceArgs{
    			// Location from config
    			Location: pulumi.String(s.region),
    			// ProjectId from pulumi
    			Project: pulumi.StringPtr(gcpConf.GetProject(s.ctx)),
    			Template: &cloudrun.ServiceTemplateArgs{
    				Spec: &cloudrun.ServiceTemplateSpecArgs{
    					// e-mail of service account to run container in
    					ServiceAccountName: s.serviceAccount.Email,
    					Containers: &cloudrun.ServiceTemplateSpecContainerArray{
    						&cloudrun.ServiceTemplateSpecContainerArgs{
    							Image: "<my-image>",
    						},
    					},
    				},
    			}})
    3)
    pubsub.NewSubscription(s.ctx, "my-subscription", &pubsub.SubscriptionArgs{
    		Project: pulumi.StringPtr(gcpConf.GetProject(s.ctx)),
    		Topic: "<my-topic>",
    		Name: pulumi.String("my-subscription"),
    		PushConfig: &pubsub.SubscriptionPushConfigArgs {
    			PushEndpoint: // what does here?
    		}
    	
    	})
    Thx in advance
  • c

    creamy-engine-1851

    01/17/2021, 8:36 PM
    Hello, I've got a problem when I try to refresh, preview or up a stack that contains a Cloud SQL database. It gives me the following error:
    ➜  pulumi-gcp-databases git:(master) pulumi preview --diff   
    Previewing update (dev)
    
    View Live: <https://app.pulumi.com/Kansuler/minikontrakt-gcp-databases/dev/previews/2e34bc6b-191a-484d-a5cf-78b6c98e692f>
    
    + pulumi:pulumi:Stack: (create)
        [urn=urn:pulumi:dev::minikontrakt-gcp-databases::pulumi:pulumi:Stack::minikontrakt-gcp-databases-dev]
    error: gcp:sql/databaseInstance:DatabaseInstance resource 'general-database' has a problem: AtLeastOne
    error: gcp:sql/databaseInstance:DatabaseInstance resource 'general-database' has a problem: AtLeastOne
    error: gcp:sql/databaseInstance:DatabaseInstance resource 'general-database' has a problem: AtLeastOne
    error: gcp:sql/databaseInstance:DatabaseInstance resource 'general-database' has a problem: AtLeastOne
    error: gcp:sql/databaseInstance:DatabaseInstance resource 'general-database' has a problem: AtLeastOne
    error: gcp:sql/databaseInstance:DatabaseInstance resource 'general-database' has a problem: AtLeastOne
    error: gcp:sql/databaseInstance:DatabaseInstance resource 'general-database' has a problem: AtLeastOne
    error: gcp:sql/databaseInstance:DatabaseInstance resource 'general-database' has a problem: AtLeastOne
    error: gcp:sql/databaseInstance:DatabaseInstance resource 'general-database' has a problem: AtLeastOne
    error: gcp:sql/databaseInstance:DatabaseInstance resource 'general-database' has a problem: AtLeastOne
    error: gcp:sql/databaseInstance:DatabaseInstance resource 'general-database' has a problem: AtLeastOne
    Resources:
        + 1 to create
g

gentle-diamond-70147

01/19/2021, 4:29 PM
I believe you're missing a property on your SQL database, but unfortunately Pulumi isn't giving you a complete error message. Can you share your code? I can likely help figure out what's missing.
c

creamy-engine-1851

01/20/2021, 7:48 AM
You are right, I did a change I forgot about... 🤦‍♂️ Thanks for pointing it out @gentle-diamond-70147!
I had set a `sql.DatabaseInstanceReplicaConfigurationArgs{}` with only nil values