better-actor-92669
02/16/2020, 2:17 PM
thankful-gpu-3329
02/18/2020, 8:26 PM
limited-rainbow-51650
02/19/2020, 7:57 AM
gcp.serviceAccount.Account, is there a property which gives me the value serviceAccount:<unique email address> directly?
https://www.pulumi.com/docs/reference/pkg/nodejs/pulumi/gcp/serviceaccount/#Account
enough-baker-16813
02/19/2020, 3:50 PM
steep-caravan-65104
02/20/2020, 10:56 AM
Pulumi SDK has not been installed even though we are indeed running yarn install. Can someone please help?
pulumi login <GCP Bucket address>
Logged into <GCP Bucket address>
pulumi preview --cwd=/workspace/identity --stack=identity-prod --refresh --non-interactive
Previewing update (identity-prod):
pulumi:pulumi:Stack identity-identity-prod error: It looks like the Pulumi SDK has not been installed. Have you run npm install or yarn install?
pulumi:pulumi:Stack identity-identity-prod 1 message
Diagnostics:
pulumi:pulumi:Stack (identity-identity-prod):
error: It looks like the Pulumi SDK has not been installed. Have you run npm install or yarn install?
error: failed to load language plugin nodejs: could not read plugin [/usr/bin/pulumi-language-nodejs] stdout: EOF
Makefile:17: recipe for target 'ci-up' failed
make: *** [ci-up] Error 255
I'll add our setup's details (such as cloud build file etc.) in a thread to this comment.
melodic-byte-32771
02/21/2020, 5:40 PM
creating urn:pulumi:dev-api::api::gcp:cloudfunctions/function:Function::api-nest-func: Error waiting for Creating CloudFunctions Function: error while retrieving operation: googleapi: Error 403: Your application has authenticated using end user credentials from the Google Cloud SDK or Google Cloud Shell which are not supported by the cloudfunctions.googleapis.com. We recommend configuring the billing/quota_project setting in gcloud or using a service account through the auth/impersonate_service_account setting. For more information about service accounts and how to use them in your application, see <https://cloud.google.com/docs/authentication/>., accessNotConfigured
How can I solve it?
The docs are not helping me so much
limited-rainbow-51650
02/27/2020, 7:43 PM
gcloud auth login
I’m authenticated as Organization Administrator. I want to create a new Project with a linked ServiceAccount. At pulumi up, I get a permission error:
error: Error waiting for creating folder: Error code 7, message: Permission 'resourcemanager.projects.create' denied on parent resource 'organizations/<my_org_number_here>'.
When I test my permissions here, logged in with the same account:
https://cloud.google.com/resource-manager/reference/rest/v1beta1/organizations/testIamPermissions
with:
{
"permissions": [
"resourcemanager.projects.create"
]
}
I get a correct “200 OK”. Where does Pulumi pick up the GCP credentials?
limited-rainbow-51650
02/27/2020, 7:48 PM
gcloud auth application-default login but without any difference.
limited-rainbow-51650
03/01/2020, 2:37 PM
creamy-engineer-83524
03/02/2020, 8:30 PM
new gcp.cloudrun.DomainMapping, how do I use the output's resource records to create a new gcp.dns.RecordSet? I tried this, but it won't work:
const mapping = new gcp.cloudrun.DomainMapping(...)
new gcp.dns.RecordSet(
`${prefix}-a-records`,
{
name: 'xxx.',
managedZone: zone.name,
type: 'A',
ttl: 3600,
rrdatas: mapping.status.resourceRecords,
},
{
dependsOn: [zone, mapping],
deleteBeforeReplace: true,
},
)
The issue is: error TS2322: Type 'Output<DomainMappingStatusResourceRecord[]>' is not assignable to type 'Input<Input<string>[]>'.
some-xylophone-39695
03/03/2020, 2:46 AM
some-xylophone-39695
03/03/2020, 2:46 AM
some-xylophone-39695
03/03/2020, 2:47 AM
pulumi.export("instance_ip", instance.network_interfaces[0]['networkIp'])
some-xylophone-39695
03/03/2020, 2:47 AM
some-xylophone-39695
03/03/2020, 2:47 AM
pulumi up and am getting this error:
some-xylophone-39695
03/03/2020, 2:48 AM
KeyError: 'networkIp'
some-xylophone-39695
03/03/2020, 3:24 AM
chilly-waiter-18319
03/03/2020, 5:25 PM
better-actor-92669
03/04/2020, 9:16 AM
prehistoric-account-60014
03/04/2020, 4:54 PM
Error waiting for Creating CloudFunctions Function: error while retrieving operation: googleapi: Error 403: Your application has authenticated using end user credentials from the Google Cloud SDK or Google Cloud Shell which are not supported by the cloudfunctions.googleapis.com. We recommend configuring the billing/quota_project setting in gcloud or using a service account through the auth/impersonate_service_account setting. For more information about service accounts and how to use them in your application, see <https://cloud.google.com/docs/authentication/>., accessNotConfigured
chilly-waiter-18319
03/05/2020, 4:31 PM
chilly-waiter-18319
03/05/2020, 4:32 PM
steep-caravan-65104
03/06/2020, 7:29 AM
index.ts, then pulumi up shows the expected behaviour. However, if I change the double quotes to single quotes, then GCP keys from one of the imported files are prompted for deletion. This looks like a Pulumi bug. Please let me know if you need any additional details; I can file a GitHub issue or provide more details in private chat.
cluster.ts
import * as gcp from "@pulumi/gcp";
import { config } from "./config";
import { regionalKeyring } from "./keyrings";
export const experimentsregionalClusterKey = new gcp.kms.CryptoKey(
config.regionalClusterKey,
{
keyRing: regionalKeyring.selfLink,
rotationPeriod: "31556952s",
name: config.regionalClusterKey,
purpose: "ENCRYPT_DECRYPT"
},
{
protect: true
}
);
export const regionalClusterKeyEDPerms = new gcp.kms.CryptoKeyIAMBinding(
config.regionalClusterKeyEDPermsName,
{
cryptoKeyId: `${config.gcpProject}/${config.gcpRegion}/${config.regionalKeyring}/${config.regionalClusterKey}`,
members: [config.k8sServiceAgent],
role: "roles/cloudkms.cryptoKeyEncrypterDecrypter"
}
);
index.ts with single quotes in the export statements.
This prompts for deletion of the key and permissions imported from the cluster.ts file above when performing pulumi up
export * from './pulumi'
export * from './cluster'
export * from './cloudbuild'
export * from './apps/zzz'
pulumi up output with this file. The deletion fails in preview as the key is protected.
gcp:kms:CryptoKey <regional-cluster-key-name> delete 1 error
index.ts with double quotes in the export statements. This does NOT prompt for deletion of any resources which is the expected behaviour.
export * from "./pulumi";
export * from "./cluster";
export * from "./cloudbuild";
export * from "./apps/zzz";
bland-battery-15307
03/09/2020, 9:45 PM
bland-battery-15307
03/09/2020, 10:04 PM
steep-caravan-65104
03/16/2020, 1:59 AM
@pulumi/kubernetes/helm doesn't seem to respect the GOOGLE_CREDENTIALS environment variable (working with GKE + Google Cloud Build) for some reason and uses the default Cloud Build service account instead. I've opened https://github.com/pulumi/pulumi-kubernetes/issues/1033 for this issue and would appreciate it if someone could look into this issue.
We want to use this separate service account instead of the default Cloud Build service account for proper access control in our setup, thanks.
big-restaurant-51338
03/23/2020, 12:12 PM
compute.Instance? I tried this, but I get a KeyError
# actual vm creation
instance = compute.Instance("instance",
machine_type=config.require('type'),
boot_disk={
"initializeParams": {
"image": config.require('image')
}
},
network_interfaces=[
{
"subnetwork": parentStack.get_output('subnet_id'),
}
],
# metadata={
# "startup-script": init_script
# },
zone = config.require('zone'),
tags = ["mytags"]
)
# Register the DNS record
dns_name = parentStack.get_output('private_dns_zone').apply(lambda a: f"instance.{a}")
instance_recordset = dns.RecordSet("instance-recordset",
managed_zone = parentStack.get_output('private_dns_name'),
name = dns_name,
rrdatas = [ instance.network_interfaces[0]['networkIp'] ],
ttl = 3600,
type = "A",
opts=pulumi.ResourceOptions(depends_on=[instance]))
miniature-rose-15269
03/25/2020, 9:03 AM
gcp.compute.RouterNat is always in need of update even when there are no changes I've made.
Previewing update (dev):
Type Name Plan Info
pulumi:pulumi:Stack appital-dev
~ └─ gcp:compute:RouterNat router-nat update [diff: ~natIps]
Resources:
~ 1 to update
28 unchanged
and this is how it's specified:
export const router = new gcp.compute.Router('router', {
network: network.name
})
const routerIpName = `${pulumi.getProject()}-${pulumi.getStack()}-ip`
export const routerIp = new gcp.compute.Address('router-ip', {
name: routerIpName
})
export const routerNat = new gcp.compute.RouterNat('router-nat', {
router: router.name,
natIpAllocateOption: 'MANUAL_ONLY',
natIps: [routerIpName],
sourceSubnetworkIpRangesToNat: 'LIST_OF_SUBNETWORKS',
subnetworks: [
{
name: subnetwork.name,
sourceIpRangesToNats: ['ALL_IP_RANGES']
}
]
})
Any ideas on how to fix this?
adorable-action-51248
03/25/2020, 10:48 AM
gcp.cloudrun.DomainMapping
no changes. yet it tries to do an update. which fails. because gcp.cloudrun.DomainMapping doesn’t support changes… . tried already ignoreChanges and adding deleteBeforeReplace. (adding all properties) but that didn’t seem to work.
const domainMapping = new gcp.cloudrun.DomainMapping(
`${prefix}-domain-mapping-${env}`,
{
location: region,
name: `${dnsName}`,
metadata: {
namespace: project,
},
project,
spec: {
routeName: service.name,
},
},
)
currently the only work around i found is to comment out the resource (and its dependencies). deploy (forcing its destruction). and then comment it in. and deploy again.
ok. weird. can’t reproduce it at the moment anymore.
not sure what i changed.
stocky-rose-89322
03/26/2020, 3:56 AM
gcloud auth configure-docker, within the GH Action I am using a Service Account I created with Project > Owner role, however, I get the following error:
error: unauthorized: You don't have the needed permissions to perform this operation, and you may have invalid credentials. To authenticate your request, follow the steps in: <https://cloud.google.com/container-registry/docs/advanced-authentication>
curved-ghost-20494
06/10/2020, 1:20 PM