pulumi-community #google-cloud

google-cloud

better-actor-92669

02/16/2020, 2:17 PM

It is also very strange that there is no way to grant roles in here https://github.com/pulumi/pulumi-gcp/tree/master/sdk/python/pulumi_gcp/sql, so maybe GCP's API doesn't support it

thankful-gpu-3329

02/18/2020, 8:26 PM

Does anyone have any helpful links or spot in the docs for configuring pulumi to use gcp as a secrets provider?

limited-rainbow-51650

02/19/2020, 7:57 AM

gcp.serviceAccount.Account

, is there a property which gives me the value

serviceAccount:<unique email address>

directly? https://www.pulumi.com/docs/reference/pkg/nodejs/pulumi/gcp/serviceaccount/#Account

enough-baker-16813

02/19/2020, 3:50 PM

Has anyone managed to use Pulumi for the new GCP secret manager? I am having 403 issues creating secrets. I am able to create resources in the same Pulumi stack, so I am authenticated in Pulumi. Creating secrets with curl works fine, so I have permissions. If I compare the request sent by Pulumi and the curl command line, I see that the headers 'authorization' and 'x-goog-user-project' are missing. I'll put details in thread. I don't know how to debug the problem from here, so pointers would be welcome.

steep-caravan-65104

02/20/2020, 10:56 AM

Hi, we are trying to setup Pulumi in CI/CD with Google Cloud Build and encountered a weird issue where it is showing the following error about

Pulumi SDK has not been installed

even though we are indeed running

yarn install

. Can someone please help?

pulumi login <GCP Bucket address>
Logged into <GCP Bucket address>
pulumi preview --cwd=/workspace/identity --stack=identity-prod --refresh --non-interactive
Previewing update (identity-prod):
    pulumi:pulumi:Stack identity-identity-prod  error: It looks like the Pulumi SDK has not been installed. Have you run npm install or yarn install?
    pulumi:pulumi:Stack identity-identity-prod  1 message
Diagnostics:
  pulumi:pulumi:Stack (identity-identity-prod):
    error: It looks like the Pulumi SDK has not been installed. Have you run npm install or yarn install?
error: failed to load language plugin nodejs: could not read plugin [/usr/bin/pulumi-language-nodejs] stdout: EOF
Makefile:17: recipe for target 'ci-up' failed
make: *** [ci-up] Error 255

I'll add our setup's details (such as cloud build file etc.) in a thread to this comment.

melodic-byte-32771

02/21/2020, 5:40 PM

Hi everyone, I want to create a cloud function but I stuck with following error:

creating urn:pulumi:dev-api::api::gcp:cloudfunctions/function:Function::api-nest-func: Error waiting for Creating CloudFunctions Function: error while retrieving operation: googleapi: Error 403: Your application has authenticated using end user credentials from the Google Cloud SDK or Google Cloud Shell which are not supported by the <http://cloudfunctions.googleapis.com|cloudfunctions.googleapis.com>. We recommend configuring the billing/quota_project setting in gcloud or using a service account through the auth/impersonate_service_account setting. For more information about service accounts and how to use them in your application, see <https://cloud.google.com/docs/authentication/>., accessNotConfigured

How can I solve it? The docs are not helping me so much

limited-rainbow-51650

02/27/2020, 7:43 PM

Getting started with GCP here. Via

gcloud auth login

I’m authenticated as

Organization Administrator

. I want to create a new

Project

with a linked

ServiceAccount

. At

pulumi up

, I get a permission error:

error: Error waiting for creating folder: Error code 7, message: Permission 'resourcemanager.projects.create' denied on parent resource 'organizations/<my_org_number_here>'.

When I test my permissions here, logged in with the same account: https://cloud.google.com/resource-manager/reference/rest/v1beta1/organizations/testIamPermissions with:

{
  "permissions": [
    "resourcemanager.projects.create"
  ]
}

I get a correct “200 OK”. Where does Pulumi pick up the GCP credentials?

limited-rainbow-51650

02/27/2020, 7:48 PM

BTW, I also tried

gcloud auth application-default login

but without any difference.

limited-rainbow-51650

03/01/2020, 2:37 PM

Anyone having a Pulumi example to set up and publish to Firebase hosting? Or is Firebase not supported?

creamy-engineer-83524

03/02/2020, 8:30 PM

When creating a

new gcp.cloudrun.DomainMapping

, how do I use the output's resource records to create a new

new gcp.dns.RecordSet

? I tried this, but won't work:

const mapping = new gcp.cloudrun.DomainMapping(...)
new gcp.dns.RecordSet(
    `${prefix}-a-records`,
    {
      name: 'xxx.',
      managedZone: zone.name,
      type: 'A',
      ttl: 3600,
      rrdatas: mapping.status.resourceRecords,
    },
    {
      dependsOn: [zone, mapping],
      deleteBeforeReplace: true,
    },
  )

The issue is: error TS2322: Type 'Output<DomainMappingStatusResourceRecord[]>' is not assignable to type 'Input<Input<string>[]>'.

some-xylophone-39695

03/03/2020, 2:46 AM

how do I get the private ip of my compute instance?

some-xylophone-39695

03/03/2020, 2:46 AM

Untitled

some-xylophone-39695

03/03/2020, 2:47 AM

pulumi.export("instance_ip", instance.network_interfaces[0]['networkIp'])

some-xylophone-39695

03/03/2020, 2:47 AM

this export command was working when the instance was already up.

some-xylophone-39695

03/03/2020, 2:47 AM

i destroyed it and now am running

pulumi up

and am getting this error:

some-xylophone-39695

03/03/2020, 2:48 AM

KeyError: 'networkIp'

some-xylophone-39695

03/03/2020, 3:24 AM

Is there a Python version of this tutorial? https://www.pulumi.com/docs/tutorials/gcp/gce-webserver/

chilly-waiter-18319

03/03/2020, 5:25 PM

Is there a way to pull the secrets from secret manager? I know terraform has a data module for that but I didn't know if pulumi does or not. Maybe I missed something?

better-actor-92669

03/04/2020, 9:16 AM

Hey! How do you guys create roles and grants for a CloudSQL Postgre Instances?

prehistoric-account-60014

03/04/2020, 4:54 PM

Anybody getting this error when attempting to create a cloud function?

Error waiting for Creating CloudFunctions Function: error while retrieving operation: googleapi: Error 403: Your application has authenticated using end user credentials from the Google Cloud SDK or Google Cloud Shell which are not supported by the <http://cloudfunctions.googleapis.com|cloudfunctions.googleapis.com>. We recommend configuring the billing/quota_project setting in gcloud or using a service account through the auth/impersonate_service_account setting. For more information about service accounts and how to use them in your application, see <https://cloud.google.com/docs/authentication/>., accessNotConfigured

chilly-waiter-18319

03/05/2020, 4:31 PM

are you able to pass around a kube provider to multiple classes/ subclasses?

chilly-waiter-18319

03/05/2020, 4:32 PM

for some reason if I implement a class for an app, the app will deploy fine. But if I try to make a class that houses several apps together, the provider fails with a message saying it failed to parse, even though it looks exactly the same in console.log

steep-caravan-65104

03/06/2020, 7:29 AM

For some reason, with some GCP keys, if I export values with double quotes in

index.ts

, then

pulumi up

shows the expected behaviour. However, if I change the double quotes to single quotes, then GCP keys from one of the imported files are prompted for deletion. This looks like a pulumi bug. Please let me know if you need any additional details, I can file a github issue or provide more details in private chat.

cluster.ts

import * as gcp from "@pulumi/gcp";
import { config } from "./config";
import { regionalKeyring } from "./keyrings";

export const experimentsregionalClusterKey = new gcp.kms.CryptoKey(
  config.regionalClusterKey,
  {
    keyRing: regionalKeyring.selfLink,
    rotationPeriod: "31556952s",
    name: config.regionalClusterKey,
    purpose: "ENCRYPT_DECRYPT"
  },
  {
    protect: true
  }
);

export const regionalClusterKeyEDPerms = new gcp.kms.CryptoKeyIAMBinding(
    config.regionalClusterKeyEDPermsName,
    {
    cryptoKeyId: `${config.gcpProject}/${config.gcpRegion}/${config.regionalKeyring}/${config.regionalClusterKey}`,
    members: [config.k8sServiceAgent],
    role: "roles/cloudkms.cryptoKeyEncrypterDecrypter"
    }
);

index.ts

with single quotes in the

export

statements. This prompts for deletion of the key and permissions imported from the

cluster.ts

file above when performing

pulumi up

export * from './pulumi'
export * from './cluster'
export * from './cloudbuild'


export * from './apps/zzz'

pulumi up

output with this file. The deletion fails in preview as the key is protected.

gcp:kms:CryptoKey             <regional-cluster-key-name>  delete      1 error

index.ts

with double quotes in the

export

statements. This does NOT prompt for deletion of any resources which is the expected behaviour.

export * from "./pulumi";
export * from "./cluster";
export * from "./cloudbuild";


export * from "./apps/zzz";

bland-battery-15307

03/09/2020, 9:45 PM

Has anyone tried making standalone https lb, and connecting an neg autogenerated from a kube service in gke

bland-battery-15307

03/09/2020, 10:04 PM

Or rather can you query settings to set the neg as backend service's for an existing https lb?

steep-caravan-65104

03/16/2020, 1:59 AM

Helm chart creation with

@pulumi/kubernetes/helm

doesn't seem to respect the

GOOGLE_CREDENTIALS

environment variable (working with GKE + google cloud build) for some reason and uses the default cloud build service account instead. I've opened https://github.com/pulumi/pulumi-kubernetes/issues/1033 for this issue and would appreciate if someone could look into this issue? We want to use this separate service account instead of the default cloud build service account for proper access control in our setup, thanks.

big-restaurant-51338

03/23/2020, 12:12 PM

hi! how do I retrieve the internal IP of a newly created

compute.Instance

? I tried this, but I get a KeyError

# actual vm creation
instance = compute.Instance("instance",
        machine_type=config.require('type'),
        boot_disk={
            "initializeParams": {
                "image": config.require('image')
                }
            },
        network_interfaces=[
            {
                "subnetwork": parentStack.get_output('subnet_id'),
                }
            ],
        # metadata={
        #     "startup-script": init_script
        #     },
        zone = config.require('zone'),
        tags = ["mytags"]
        )
# Register the DNS record
dns_name = parentStack.get_output('private_dns_zone').apply(lambda a: f"instance.{a}")
instance_recordset = dns.RecordSet("instance-recordset",
        managed_zone = parentStack.get_output('private_dns_name'),
        name = dns_name,
        rrdatas = [ instance.network_interfaces[0]['networkIp'] ],
        ttl = 3600,
        type = "A",
        opts=pulumi.ResourceOptions(depends_on=[instance]))

miniature-rose-15269

03/25/2020, 9:03 AM

Howdy! Having an issue where

gcp.compute.RouterNat

is always in need of update even when there are no changes I've made.

Previewing update (dev):
     Type                      Name         Plan       Info
     pulumi:pulumi:Stack       appital-dev
 ~   └─ gcp:compute:RouterNat  router-nat   update     [diff: ~natIps]

Resources:
    ~ 1 to update
    28 unchanged

and this is how it's specified:

export const router = new gcp.compute.Router('router', {
	network: network.name
})

const routerIpName = `${pulumi.getProject()}-${pulumi.getStack()}-ip`

export const routerIp = new gcp.compute.Address('router-ip', {
	name: routerIpName
})

export const routerNat = new gcp.compute.RouterNat('router-nat', {
	router: router.name,
	natIpAllocateOption: 'MANUAL_ONLY',
	natIps: [routerIpName],
	sourceSubnetworkIpRangesToNat: 'LIST_OF_SUBNETWORKS',
	subnetworks: [
		{
			name: subnetwork.name,
			sourceIpRangesToNats: ['ALL_IP_RANGES']
		}
	]
})

Any ideas on how to fix this?

adorable-action-51248

03/25/2020, 10:48 AM

oh. having the same issue with

gcp.cloudrun.DomainMapping

no changes. yet it tries to do an update. which fails. because gcp.cloudrun.DomainMapping doesn’t support changes… . tried already ignoreChanges and adding deleteBeforeReplace. (adding all properties) but that didn’t seem to work.

const domainMapping = new gcp.cloudrun.DomainMapping(
    `${prefix}-domain-mapping-${env}`,
    {
      location: region,
      name: `${dnsName}`,
      metadata: {
        namespace: project,
      },
      project,
      spec: {
        routeName: service.name,
      },
    },
  )

currently the only work around i found is to comment out the resource (and its dependencies). deploy (forcing its destruction). and then comment it in. and deploy again. ok. weird. can’t reproduce it at the moment anymore. not sure what i changed.

stocky-rose-89322

03/26/2020, 3:56 AM

Hello guys! Anyone can help me solve an issue wrt deploying a docker image to GCP from a GitHub Action? From local everything works, because I run the command

gcloud auth configure-docker

, within the GH Action I am using a Service Account I created with

Project > Owner

role, however, I get the following error:

error: unauthorized: You don't have the needed permissions to perform this operation, and you may have invalid credentials. To authenticate your request, follow the steps in: <https://cloud.google.com/container-registry/docs/advanced-authentication>

Title

stocky-rose-89322

03/26/2020, 3:56 AM

Hello guys! Anyone can help me solve an issue wrt deploying a docker image to GCP from a GitHub Action? From local everything works, because I run the command

gcloud auth configure-docker

, within the GH Action I am using a Service Account I created with

Project > Owner

role, however, I get the following error:

error: unauthorized: You don't have the needed permissions to perform this operation, and you may have invalid credentials. To authenticate your request, follow the steps in: <https://cloud.google.com/container-registry/docs/advanced-authentication>

curved-ghost-20494

06/10/2020, 1:20 PM

Hi Kevin, did you manage to get around this? Presumably adding Container Registry permissions to your service account? Or Something else?

If anyone else finds this, I had to add "Storage Admin" permissions to my service account. Now... I've since down a destroy and rebuilt my architecture from scratch and this is. the only part that's stopped working again. I can't deploy any of my containers to the registry.

View count: 2