https://pulumi.com logo
Powered by
#google-cloud
  • t

    thankful-gpu-3329

    02/18/2020, 8:26 PM
    Does anyone have any helpful links or spot in the docs for configuring pulumi to use gcp as a secrets provider?
    w
    • 2
    • 3
  • l

    limited-rainbow-51650

    02/19/2020, 7:57 AM
    On 
    gcp.serviceAccount.Account
    , is there a property which gives me the value 
    serviceAccount:<unique email address>
    directly? https://www.pulumi.com/docs/reference/pkg/nodejs/pulumi/gcp/serviceaccount/#Account
  • e

    enough-baker-16813

    02/19/2020, 3:50 PM
    Has anyone managed to use Pulumi for the new GCP secret manager? I am having 403 issues creating secrets. I am able to create resources in the same Pulumi stack, so I am authenticated in Pulumi. Creating secrets with curl works fine, so I have permissions. If I compare the request sent by Pulumi and the curl command line, I see that the headers 'authorization' and 'x-goog-user-project' are missing. I'll put details in thread. I don't know how to debug the problem from here, so pointers would be welcome.
    • 1
    • 5
  • s

    steep-caravan-65104

    02/20/2020, 10:56 AM
    Hi, we are trying to setup Pulumi in CI/CD with Google Cloud Build and encountered a weird issue where it is showing the following error about 
    Pulumi SDK has not been installed
    even though we are indeed running 
    yarn install
    . Can someone please help?
    Copy code
    pulumi login <GCP Bucket address>
Logged into <GCP Bucket address>
pulumi preview --cwd=/workspace/identity --stack=identity-prod --refresh --non-interactive
Previewing update (identity-prod):
    pulumi:pulumi:Stack identity-identity-prod  error: It looks like the Pulumi SDK has not been installed. Have you run npm install or yarn install?
    pulumi:pulumi:Stack identity-identity-prod  1 message
Diagnostics:
  pulumi:pulumi:Stack (identity-identity-prod):
    error: It looks like the Pulumi SDK has not been installed. Have you run npm install or yarn install?
error: failed to load language plugin nodejs: could not read plugin [/usr/bin/pulumi-language-nodejs] stdout: EOF
Makefile:17: recipe for target 'ci-up' failed
make: *** [ci-up] Error 255
    I'll add our setup's details (such as cloud build file etc.) in a thread to this comment.
    g
    • 2
    • 4
  • m

    melodic-byte-32771

    02/21/2020, 5:40 PM
    Hi everyone, I want to create a cloud function but I stuck with following error:
    Copy code
    creating urn:pulumi:dev-api::api::gcp:cloudfunctions/function:Function::api-nest-func: Error waiting for Creating CloudFunctions Function: error while retrieving operation: googleapi: Error 403: Your application has authenticated using end user credentials from the Google Cloud SDK or Google Cloud Shell which are not supported by the <http://cloudfunctions.googleapis.com|cloudfunctions.googleapis.com>. We recommend configuring the billing/quota_project setting in gcloud or using a service account through the auth/impersonate_service_account setting. For more information about service accounts and how to use them in your application, see <https://cloud.google.com/docs/authentication/>., accessNotConfigured
    How can I solve it? The docs are not helping me so much
    s
    t
    • 3
    • 6
  • l

    limited-rainbow-51650

    02/27/2020, 7:43 PM
    Getting started with GCP here. Via 
    gcloud auth login
    I’m authenticated as 
    Organization Administrator
    . I want to create a new 
    Project
    with a linked 
    ServiceAccount
    . At 
    pulumi up
    , I get a permission error: 
    error: Error waiting for creating folder: Error code 7, message: Permission 'resourcemanager.projects.create' denied on parent resource 'organizations/<my_org_number_here>'.
    When I test my permissions here, logged in with the same account: https://cloud.google.com/resource-manager/reference/rest/v1beta1/organizations/testIamPermissions with:
    Copy code
    {
  "permissions": [
    "resourcemanager.projects.create"
  ]
}
    I get a correct “200 OK”. Where does Pulumi pick up the GCP credentials?
    s
    • 2
    • 10
  • l

    limited-rainbow-51650

    02/27/2020, 7:48 PM
    BTW, I also tried 
    gcloud auth application-default login
    but without any difference.
  • l

    limited-rainbow-51650

    03/01/2020, 2:37 PM
    Anyone having a Pulumi example to set up and publish to Firebase hosting? Or is Firebase not supported?
    • 1
    • 1
  • c

    creamy-engineer-83524

    03/02/2020, 8:30 PM
    When creating a 
    new gcp.cloudrun.DomainMapping
    , how do I use the output's resource records to create a new 
    new gcp.dns.RecordSet
    ? I tried this, but won't work:
    Copy code
    const mapping = new gcp.cloudrun.DomainMapping(...)
new gcp.dns.RecordSet(
    `${prefix}-a-records`,
    {
      name: 'xxx.',
      managedZone: zone.name,
      type: 'A',
      ttl: 3600,
      rrdatas: mapping.status.resourceRecords,
    },
    {
      dependsOn: [zone, mapping],
      deleteBeforeReplace: true,
    },
  )
    The issue is: error TS2322: Type 'Output<DomainMappingStatusResourceRecord[]>' is not assignable to type 'Input<Input<string>[]>'.
    t
    • 2
    • 3
  • s

    some-xylophone-39695

    03/03/2020, 2:46 AM
    how do I get the private ip of my compute instance?
  • s

    some-xylophone-39695

    03/03/2020, 2:46 AM
  • s

    some-xylophone-39695

    03/03/2020, 2:47 AM
    Copy code
    pulumi.export("instance_ip", instance.network_interfaces[0]['networkIp'])
  • s

    some-xylophone-39695

    03/03/2020, 2:47 AM
    this export command was working when the instance was already up.
  • s

    some-xylophone-39695

    03/03/2020, 2:47 AM
    i destroyed it and now am running 
    pulumi up
    and am getting this error:
  • s

    some-xylophone-39695

    03/03/2020, 2:48 AM
    Copy code
    KeyError: 'networkIp'
  • s

    some-xylophone-39695

    03/03/2020, 3:24 AM
    Is there a Python version of this tutorial? https://www.pulumi.com/docs/tutorials/gcp/gce-webserver/
    g
    • 2
    • 4
  • c

    chilly-waiter-18319

    03/03/2020, 5:25 PM
    Is there a way to pull the secrets from secret manager? I know terraform has a data module for that but I didn't know if pulumi does or not. Maybe I missed something?
  • b

    better-actor-92669

    03/04/2020, 9:16 AM
    Hey! How do you guys create roles and grants for a CloudSQL Postgre Instances?
    l
    • 2
    • 8
  • p

    prehistoric-account-60014

    03/04/2020, 4:54 PM
    Anybody getting this error when attempting to create a cloud function?
    Copy code
    Error waiting for Creating CloudFunctions Function: error while retrieving operation: googleapi: Error 403: Your application has authenticated using end user credentials from the Google Cloud SDK or Google Cloud Shell which are not supported by the <http://cloudfunctions.googleapis.com|cloudfunctions.googleapis.com>. We recommend configuring the billing/quota_project setting in gcloud or using a service account through the auth/impersonate_service_account setting. For more information about service accounts and how to use them in your application, see <https://cloud.google.com/docs/authentication/>., accessNotConfigured
    t
    w
    • 3
    • 11
  • c

    chilly-waiter-18319

    03/05/2020, 4:31 PM
    are you able to pass around a kube provider to multiple classes/ subclasses?
  • c

    chilly-waiter-18319

    03/05/2020, 4:32 PM
    for some reason if I implement a class for an app, the app will deploy fine. But if I try to make a class that houses several apps together, the provider fails with a message saying it failed to parse, even though it looks exactly the same in console.log
    w
    • 2
    • 23
  • s

    steep-caravan-65104

    03/06/2020, 7:29 AM
    For some reason, with some GCP keys, if I export values with double quotes in 
    index.ts
    , then 
    pulumi up
    shows the expected behaviour. However, if I change the double quotes to single quotes, then GCP keys from one of the imported files are prompted for deletion. This looks like a pulumi bug. Please let me know if you need any additional details, I can file a github issue or provide more details in private chat. 
    cluster.ts
    Copy code
    import * as gcp from "@pulumi/gcp";
import { config } from "./config";
import { regionalKeyring } from "./keyrings";

export const experimentsregionalClusterKey = new gcp.kms.CryptoKey(
  config.regionalClusterKey,
  {
    keyRing: regionalKeyring.selfLink,
    rotationPeriod: "31556952s",
    name: config.regionalClusterKey,
    purpose: "ENCRYPT_DECRYPT"
  },
  {
    protect: true
  }
);

export const regionalClusterKeyEDPerms = new gcp.kms.CryptoKeyIAMBinding(
    config.regionalClusterKeyEDPermsName,
    {
    cryptoKeyId: `${config.gcpProject}/${config.gcpRegion}/${config.regionalKeyring}/${config.regionalClusterKey}`,
    members: [config.k8sServiceAgent],
    role: "roles/cloudkms.cryptoKeyEncrypterDecrypter"
    }
);
    index.ts
    with single quotes in the 
    export
    statements. This prompts for deletion of the key and permissions imported from the 
    cluster.ts
    file above when performing 
    pulumi up
    Copy code
    export * from './pulumi'
export * from './cluster'
export * from './cloudbuild'


export * from './apps/zzz'
    pulumi up
    output with this file. The deletion fails in preview as the key is protected.
    Copy code
    gcp:kms:CryptoKey             <regional-cluster-key-name>  delete      1 error
    index.ts
    with double quotes in the 
    export
    statements. This does NOT prompt for deletion of any resources which is the expected behaviour.
    Copy code
    export * from "./pulumi";
export * from "./cluster";
export * from "./cloudbuild";


export * from "./apps/zzz";
    w
    g
    • 3
    • 3
  • b

    bland-battery-15307

    03/09/2020, 9:45 PM
    Has anyone tried making standalone https lb, and connecting an neg autogenerated from a kube service in gke
  • b

    bland-battery-15307

    03/09/2020, 10:04 PM
    Or rather can you query settings to set the neg as backend service's for an existing https lb?
  • s

    steep-caravan-65104

    03/16/2020, 1:59 AM
    Helm chart creation with 
    @pulumi/kubernetes/helm
    doesn't seem to respect the 
    GOOGLE_CREDENTIALS
    environment variable (working with GKE + google cloud build) for some reason and uses the default cloud build service account instead. I've opened https://github.com/pulumi/pulumi-kubernetes/issues/1033 for this issue and would appreciate if someone could look into this issue? We want to use this separate service account instead of the default cloud build service account for proper access control in our setup, thanks.
  • b

    big-restaurant-51338

    03/23/2020, 12:12 PM
    hi! how do I retrieve the internal IP of a newly created 
    compute.Instance
    ? I tried this, but I get a KeyError
    Copy code
    # actual vm creation
instance = compute.Instance("instance",
        machine_type=config.require('type'),
        boot_disk={
            "initializeParams": {
                "image": config.require('image')
                }
            },
        network_interfaces=[
            {
                "subnetwork": parentStack.get_output('subnet_id'),
                }
            ],
        # metadata={
        #     "startup-script": init_script
        #     },
        zone = config.require('zone'),
        tags = ["mytags"]
        )
# Register the DNS record
dns_name = parentStack.get_output('private_dns_zone').apply(lambda a: f"instance.{a}")
instance_recordset = dns.RecordSet("instance-recordset",
        managed_zone = parentStack.get_output('private_dns_name'),
        name = dns_name,
        rrdatas = [ instance.network_interfaces[0]['networkIp'] ],
        ttl = 3600,
        type = "A",
        opts=pulumi.ResourceOptions(depends_on=[instance]))
    w
    • 2
    • 1
  • m

    miniature-rose-15269

    03/25/2020, 9:03 AM
    Howdy! Having an issue where 
    gcp.compute.RouterNat
    is always in need of update even when there are no changes I've made.
    Copy code
    Previewing update (dev):
     Type                      Name         Plan       Info
     pulumi:pulumi:Stack       appital-dev
 ~   └─ gcp:compute:RouterNat  router-nat   update     [diff: ~natIps]

Resources:
    ~ 1 to update
    28 unchanged
    and this is how it's specified:
    Copy code
    export const router = new gcp.compute.Router('router', {
	network: network.name
})

const routerIpName = `${pulumi.getProject()}-${pulumi.getStack()}-ip`

export const routerIp = new gcp.compute.Address('router-ip', {
	name: routerIpName
})

export const routerNat = new gcp.compute.RouterNat('router-nat', {
	router: router.name,
	natIpAllocateOption: 'MANUAL_ONLY',
	natIps: [routerIpName],
	sourceSubnetworkIpRangesToNat: 'LIST_OF_SUBNETWORKS',
	subnetworks: [
		{
			name: subnetwork.name,
			sourceIpRangesToNats: ['ALL_IP_RANGES']
		}
	]
})
    Any ideas on how to fix this?
    g
    • 2
    • 3
  • a

    adorable-action-51248

    03/25/2020, 10:48 AM
    oh. having the same issue with 
    gcp.cloudrun.DomainMapping
    no changes. yet it tries to do an update. which fails. because gcp.cloudrun.DomainMapping doesn’t support changes… . tried already ignoreChanges and adding deleteBeforeReplace. (adding all properties) but that didn’t seem to work.
    Copy code
    const domainMapping = new gcp.cloudrun.DomainMapping(
    `${prefix}-domain-mapping-${env}`,
    {
      location: region,
      name: `${dnsName}`,
      metadata: {
        namespace: project,
      },
      project,
      spec: {
        routeName: service.name,
      },
    },
  )
    currently the only work around i found is to comment out the resource (and its dependencies). deploy (forcing its destruction). and then comment it in. and deploy again. ok. weird. can’t reproduce it at the moment anymore. not sure what i changed.
    • 1
    • 1
  • s

    stocky-rose-89322

    03/26/2020, 3:56 AM
    Hello guys! Anyone can help me solve an issue wrt deploying a docker image to GCP from a GitHub Action? From local everything works, because I run the command 
    gcloud auth configure-docker
    , within the GH Action I am using a Service Account I created with 
    Project > Owner
    role, however, I get the following error:
    Copy code
    error: unauthorized: You don't have the needed permissions to perform this operation, and you may have invalid credentials. To authenticate your request, follow the steps in: <https://cloud.google.com/container-registry/docs/advanced-authentication>
    c
    • 2
    • 2
  • c

    chilly-laptop-44574

    04/02/2020, 2:07 AM
    Hello guys!! What is the best practice to wait for the resource before applying further changes in GCP and Typescript? I have following flow: Project -> enable API -> enable Role 
    const myProject = new gcp.organizations.Project("gcp proj", settings)
    const service = new gcp.projects.Service("Kubernetes Engine API", {
    disableDependentServices: true,
    project: myProject.projectId,
    service: "<http://container.googleapis.com|container.googleapis.com>",
    });
    And then I want to grand permission to the service account (created by default by container.googleapis.com) 
    const iamMember = new gcp.projects.IAMMember("iamMember", {
    project:  myProject.projectId,
    role: "roles/compute.securityAdmin",
    `member: 
    serviceAccount:<mailto:service-${myProject.number}@container-engine-robot.iam.gserviceaccount.com|service-${myProject.number}@container-engine-robot.iam.gserviceaccount.com>
    ,
    Copy code
    });` But this generates error: 
    googleapi: Error 400: Service account <mailto:service-xxxxxxxxxx@container-engine-robot.iam.gserviceaccount.com|service-xxxxxxxxxx@container-engine-robot.iam.gserviceaccount.com> does not exist
    When I run the 
    pulumi up
    again then it works as service account has been already provisioned by that time by GCP. Is there any way to pull status of the service account and wait if not yet created before calling enabling the role.
12345...27Latest