google-cloud
  • b

    better-actor-92669

    02/16/2020, 2:17 PM
    It is also very strange that there is no way to grant roles in here https://github.com/pulumi/pulumi-gcp/tree/master/sdk/python/pulumi_gcp/sql, so maybe GCP's API doesn't support it
  • t

    thankful-gpu-3329

    02/18/2020, 8:26 PM
    Does anyone have any helpful links or spot in the docs for configuring pulumi to use gcp as a secrets provider?
  • l

    limited-rainbow-51650

    02/19/2020, 7:57 AM
    On `gcp.serviceAccount.Account`, is there a property which gives me the value `serviceAccount:<unique email address>` directly? https://www.pulumi.com/docs/reference/pkg/nodejs/pulumi/gcp/serviceaccount/#Account
  • e

    enough-baker-16813

    02/19/2020, 3:50 PM
    Has anyone managed to use Pulumi for the new GCP secret manager? I am having 403 issues creating secrets. I am able to create resources in the same Pulumi stack, so I am authenticated in Pulumi. Creating secrets with curl works fine, so I have permissions. If I compare the request sent by Pulumi and the curl command line, I see that the headers 'authorization' and 'x-goog-user-project' are missing. I'll put details in thread. I don't know how to debug the problem from here, so pointers would be welcome.
  • s

    steep-caravan-65104

    02/20/2020, 10:56 AM
    Hi, we are trying to set up Pulumi in CI/CD with Google Cloud Build and encountered a weird issue where it is showing the following error about `Pulumi SDK has not been installed` even though we are indeed running `yarn install`. Can someone please help?
    pulumi login <GCP Bucket address>
    Logged into <GCP Bucket address>
    pulumi preview --cwd=/workspace/identity --stack=identity-prod --refresh --non-interactive
    Previewing update (identity-prod):
        pulumi:pulumi:Stack identity-identity-prod  error: It looks like the Pulumi SDK has not been installed. Have you run npm install or yarn install?
        pulumi:pulumi:Stack identity-identity-prod  1 message
    Diagnostics:
      pulumi:pulumi:Stack (identity-identity-prod):
        error: It looks like the Pulumi SDK has not been installed. Have you run npm install or yarn install?
    error: failed to load language plugin nodejs: could not read plugin [/usr/bin/pulumi-language-nodejs] stdout: EOF
    Makefile:17: recipe for target 'ci-up' failed
    make: *** [ci-up] Error 255
    I'll add our setup's details (such as cloud build file etc.) in a thread to this comment.
  • m

    melodic-byte-32771

    02/21/2020, 5:40 PM
    Hi everyone, I want to create a cloud function but I'm stuck with the following error:
    creating urn:pulumi:dev-api::api::gcp:cloudfunctions/function:Function::api-nest-func: Error waiting for Creating CloudFunctions Function: error while retrieving operation: googleapi: Error 403: Your application has authenticated using end user credentials from the Google Cloud SDK or Google Cloud Shell which are not supported by the cloudfunctions.googleapis.com. We recommend configuring the billing/quota_project setting in gcloud or using a service account through the auth/impersonate_service_account setting. For more information about service accounts and how to use them in your application, see <https://cloud.google.com/docs/authentication/>., accessNotConfigured
    How can I solve it? The docs are not helping me so much
  • l

    limited-rainbow-51650

    02/27/2020, 7:43 PM
    Getting started with GCP here. Via `gcloud auth login` I’m authenticated as `Organization Administrator`. I want to create a new `Project` with a linked `ServiceAccount`. At `pulumi up`, I get a permission error:
    error: Error waiting for creating folder: Error code 7, message: Permission 'resourcemanager.projects.create' denied on parent resource 'organizations/<my_org_number_here>'.
    When I test my permissions here, logged in with the same account: https://cloud.google.com/resource-manager/reference/rest/v1beta1/organizations/testIamPermissions with:
    {
      "permissions": [
        "resourcemanager.projects.create"
      ]
    }
    I get a correct “200 OK”. Where does Pulumi pick up the GCP credentials?
  • l

    limited-rainbow-51650

    02/27/2020, 7:48 PM
    BTW, I also tried `gcloud auth application-default login` but without any difference.
  • l

    limited-rainbow-51650

    03/01/2020, 2:37 PM
    Anyone having a Pulumi example to set up and publish to Firebase hosting? Or is Firebase not supported?
  • c

    creamy-engineer-83524

    03/02/2020, 8:30 PM
    When creating a `new gcp.cloudrun.DomainMapping`, how do I use the output's resource records to create a new `new gcp.dns.RecordSet`? I tried this, but it won't work:
    const mapping = new gcp.cloudrun.DomainMapping(...)
    new gcp.dns.RecordSet(
        `${prefix}-a-records`,
        {
          name: 'xxx.',
          managedZone: zone.name,
          type: 'A',
          ttl: 3600,
          rrdatas: mapping.status.resourceRecords,
        },
        {
          dependsOn: [zone, mapping],
          deleteBeforeReplace: true,
        },
      )
    The issue is: error TS2322: Type 'Output<DomainMappingStatusResourceRecord[]>' is not assignable to type 'Input<Input<string>[]>'.
  • s

    some-xylophone-39695

    03/03/2020, 2:46 AM
    how do I get the private ip of my compute instance?
  • s

    some-xylophone-39695

    03/03/2020, 2:46 AM
    Untitled
  • s

    some-xylophone-39695

    03/03/2020, 2:47 AM
    pulumi.export("instance_ip", instance.network_interfaces[0]['networkIp'])
  • s

    some-xylophone-39695

    03/03/2020, 2:47 AM
    this export command was working when the instance was already up.
  • s

    some-xylophone-39695

    03/03/2020, 2:47 AM
    I destroyed it and now am running `pulumi up` and am getting this error:
  • s

    some-xylophone-39695

    03/03/2020, 2:48 AM
    KeyError: 'networkIp'
  • s

    some-xylophone-39695

    03/03/2020, 3:24 AM
    Is there a Python version of this tutorial? https://www.pulumi.com/docs/tutorials/gcp/gce-webserver/
  • c

    chilly-waiter-18319

    03/03/2020, 5:25 PM
    Is there a way to pull the secrets from secret manager? I know terraform has a data module for that but I didn't know if pulumi does or not. Maybe I missed something?
  • b

    better-actor-92669

    03/04/2020, 9:16 AM
    Hey! How do you guys create roles and grants for CloudSQL Postgres instances?
  • p

    prehistoric-account-60014

    03/04/2020, 4:54 PM
    Anybody getting this error when attempting to create a cloud function?
    Error waiting for Creating CloudFunctions Function: error while retrieving operation: googleapi: Error 403: Your application has authenticated using end user credentials from the Google Cloud SDK or Google Cloud Shell which are not supported by the cloudfunctions.googleapis.com. We recommend configuring the billing/quota_project setting in gcloud or using a service account through the auth/impersonate_service_account setting. For more information about service accounts and how to use them in your application, see <https://cloud.google.com/docs/authentication/>., accessNotConfigured
  • c

    chilly-waiter-18319

    03/05/2020, 4:31 PM
    are you able to pass around a kube provider to multiple classes/ subclasses?
  • c

    chilly-waiter-18319

    03/05/2020, 4:32 PM
    for some reason if I implement a class for an app, the app will deploy fine. But if I try to make a class that houses several apps together, the provider fails with a message saying it failed to parse, even though it looks exactly the same in console.log
  • s

    steep-caravan-65104

    03/06/2020, 7:29 AM
    For some reason, with some GCP keys, if I export values with double quotes in `index.ts`, then `pulumi up` shows the expected behaviour. However, if I change the double quotes to single quotes, then GCP keys from one of the imported files are prompted for deletion. This looks like a pulumi bug. Please let me know if you need any additional details, I can file a github issue or provide more details in private chat.
    cluster.ts
    import * as gcp from "@pulumi/gcp";
    import { config } from "./config";
    import { regionalKeyring } from "./keyrings";
    
    export const experimentsregionalClusterKey = new gcp.kms.CryptoKey(
      config.regionalClusterKey,
      {
        keyRing: regionalKeyring.selfLink,
        rotationPeriod: "31556952s",
        name: config.regionalClusterKey,
        purpose: "ENCRYPT_DECRYPT"
      },
      {
        protect: true
      }
    );
    
    export const regionalClusterKeyEDPerms = new gcp.kms.CryptoKeyIAMBinding(
      config.regionalClusterKeyEDPermsName,
      {
        cryptoKeyId: `${config.gcpProject}/${config.gcpRegion}/${config.regionalKeyring}/${config.regionalClusterKey}`,
        members: [config.k8sServiceAgent],
        role: "roles/cloudkms.cryptoKeyEncrypterDecrypter"
      }
    );
    `index.ts` with single quotes in the `export` statements. This prompts for deletion of the key and permissions imported from the `cluster.ts` file above when performing `pulumi up`
    export * from './pulumi'
    export * from './cluster'
    export * from './cloudbuild'
    
    
    export * from './apps/zzz'
    `pulumi up` output with this file. The deletion fails in preview as the key is protected.
    gcp:kms:CryptoKey             <regional-cluster-key-name>  delete      1 error
    `index.ts` with double quotes in the `export` statements. This does NOT prompt for deletion of any resources which is the expected behaviour.
    export * from "./pulumi";
    export * from "./cluster";
    export * from "./cloudbuild";
    
    
    export * from "./apps/zzz";
  • b

    bland-battery-15307

    03/09/2020, 9:45 PM
    Has anyone tried making standalone https lb, and connecting an neg autogenerated from a kube service in gke
  • b

    bland-battery-15307

    03/09/2020, 10:04 PM
    Or rather can you query settings to set the neg as backend service's for an existing https lb?
  • s

    steep-caravan-65104

    03/16/2020, 1:59 AM
    Helm chart creation with `@pulumi/kubernetes/helm` doesn't seem to respect the `GOOGLE_CREDENTIALS` environment variable (working with GKE + google cloud build) for some reason and uses the default cloud build service account instead. I've opened https://github.com/pulumi/pulumi-kubernetes/issues/1033 for this issue and would appreciate if someone could look into this issue? We want to use this separate service account instead of the default cloud build service account for proper access control in our setup, thanks.
  • b

    big-restaurant-51338

    03/23/2020, 12:12 PM
    hi! how do I retrieve the internal IP of a newly created `compute.Instance`? I tried this, but I get a KeyError
    # actual vm creation
    instance = compute.Instance("instance",
            machine_type=config.require('type'),
            boot_disk={
                "initializeParams": {
                    "image": config.require('image')
                    }
                },
            network_interfaces=[
                {
                    "subnetwork": parentStack.get_output('subnet_id'),
                    }
                ],
            # metadata={
            #     "startup-script": init_script
            #     },
            zone = config.require('zone'),
            tags = ["mytags"]
            )
    # Register the DNS record
    dns_name = parentStack.get_output('private_dns_zone').apply(lambda a: f"instance.{a}")
    instance_recordset = dns.RecordSet("instance-recordset",
            managed_zone = parentStack.get_output('private_dns_name'),
            name = dns_name,
            rrdatas = [ instance.network_interfaces[0]['networkIp'] ],
            ttl = 3600,
            type = "A",
            opts=pulumi.ResourceOptions(depends_on=[instance]))
  • m

    miniature-rose-15269

    03/25/2020, 9:03 AM
    Howdy! Having an issue where `gcp.compute.RouterNat` is always in need of update even when there are no changes I've made.
    Previewing update (dev):
         Type                      Name         Plan       Info
         pulumi:pulumi:Stack       appital-dev
     ~   └─ gcp:compute:RouterNat  router-nat   update     [diff: ~natIps]
    
    Resources:
        ~ 1 to update
        28 unchanged
    and this is how it's specified:
    export const router = new gcp.compute.Router('router', {
    	network: network.name
    })
    
    const routerIpName = `${pulumi.getProject()}-${pulumi.getStack()}-ip`
    
    export const routerIp = new gcp.compute.Address('router-ip', {
    	name: routerIpName
    })
    
    export const routerNat = new gcp.compute.RouterNat('router-nat', {
    	router: router.name,
    	natIpAllocateOption: 'MANUAL_ONLY',
    	natIps: [routerIpName],
    	sourceSubnetworkIpRangesToNat: 'LIST_OF_SUBNETWORKS',
    	subnetworks: [
    		{
    			name: subnetwork.name,
    			sourceIpRangesToNats: ['ALL_IP_RANGES']
    		}
    	]
    })
    Any ideas on how to fix this?
  • a

    adorable-action-51248

    03/25/2020, 10:48 AM
    oh. having the same issue with `gcp.cloudrun.DomainMapping` no changes. yet it tries to do an update. which fails. because gcp.cloudrun.DomainMapping doesn’t support changes… . tried already ignoreChanges and adding deleteBeforeReplace. (adding all properties) but that didn’t seem to work.
    const domainMapping = new gcp.cloudrun.DomainMapping(
        `${prefix}-domain-mapping-${env}`,
        {
          location: region,
          name: `${dnsName}`,
          metadata: {
            namespace: project,
          },
          project,
          spec: {
            routeName: service.name,
          },
        },
      )
    currently the only work around i found is to comment out the resource (and its dependencies). deploy (forcing its destruction). and then comment it in. and deploy again. ok. weird. can’t reproduce it at the moment anymore. not sure what i changed.
  • s

    stocky-rose-89322

    03/26/2020, 3:56 AM
    Hello guys! Anyone can help me solve an issue wrt deploying a docker image to GCP from a GitHub Action? From local everything works, because I run the command `gcloud auth configure-docker`, within the GH Action I am using a Service Account I created with `Project > Owner` role, however, I get the following error:
    error: unauthorized: You don't have the needed permissions to perform this operation, and you may have invalid credentials. To authenticate your request, follow the steps in: <https://cloud.google.com/container-registry/docs/advanced-authentication>

curved-ghost-20494

06/10/2020, 1:20 PM
Hi Kevin, did you manage to get around this? Presumably adding Container Registry permissions to your service account? Or something else?
If anyone else finds this, I had to add "Storage Admin" permissions to my service account. Now... I've since done a destroy and rebuilt my architecture from scratch and this is the only part that's stopped working again. I can't deploy any of my containers to the registry.