pulumi-community #google-cloud

Docs

Join the conversation Join Slack

Channels

google-cloud

victorious-dusk-75271

07/15/2022, 11:36 PM

Hey guys, how do you use google CDN with gke ingress?

colossal-quill-8119

07/18/2022, 11:55 AM

i’m following this guide to build and push docker image but it uses GCR which is being phased our for Google Artifact Registry. how to use google artifact registry to do the same thing

victorious-dusk-75271

07/19/2022, 8:12 PM

failed to access secret version for secret projects/xxx/secrets/pulumi-access-token/versions/1: rpc error: code = PermissionDenied desc = Secret Manager API has not been used in project 1065221880276 before or it is disabled. Enable it by visiting https://console.developers.google.com/apis/api/secretmanager.googleapis.com/overview then retry. If you enabled this API recently, wait a few minutes for the action to propagate to our systems and retry. error details: name = ErrorInfo reason = SERVICE_DISABLED domain = googleapis.com metadata = map[consumer:projects/xxx service:secretmanager.googleapis.com] error details: name = Help desc = Google developers console API activation url = https://console.developers.google.com/apis/api/secretmanager.googleapis.com/overview?project=xxxxx

victorious-dusk-75271

07/19/2022, 8:12 PM

any idea how to resolve this issue? i have secret manager enabled

dry-engine-17210

07/22/2022, 12:20 AM

I've been trying to upload a large file (> 1 GB) to GCS and it's a no-go. Here's the code:

// Create a storage object for installer
		_, err = storage.NewBucketObject(ctx, "installer-object",
			&storage.BucketObjectArgs{
				Bucket: bucket.Name,
				Source: pulumi.NewFileAsset("./assets/installer.tgz"),
			},
			pulumi.Timeouts(&pulumi.CustomTimeouts{Create: "10m", Update: "10m"}))
		if err != nil {
			return err
		}

But I keep getting this error after 1m...

google-native:storage/v1:BucketObject (installer-object):
    error: error sending upload request: Post "<https://storage.googleapis.com/upload/storage/v1/b/bucket-2f7c370/o?alt=json&name=installer-object-81c28a2&uploadType=multipart>": net/http: request canceled (Client.Timeout exceeded while awaiting headers): "<https://storage.googleapis.com/upload/storage/v1/b/asset-bucket-2f7c370/o?name=installer-object-81c28a2>" map[__autonamed:true bucket:asset-bucket-2f7c370 name:installer-object-81c28a2 source:0xc0004a94f0] 1820077047

...

Duration: 1m5s

dry-engine-17210

07/22/2022, 12:23 AM

Any way I can extend the underlying http client timeout? I tried the

pulumi.Timeouts(&pulumi.CustomTimeouts{Create: "10m", Update: "10m"})

option when calling

NewBucketObject

but it doesn't appear to do anything in this case.

dry-engine-17210

07/22/2022, 12:46 AM

I've also tried splitting it into 100MB files and uploading each of them... same problem

gifted-cat-49297

07/22/2022, 9:22 AM

How to run

pulumi preview

of GCP stuff on Gitlab merge request pipeline with Workload Identity Federation json file for given environment? I don't have idea how to provide correct file from variables 😕

big-account-56668

07/29/2022, 9:28 AM

Has there been any progress or workaround for https://github.com/pulumi/pulumi-gcp/issues/827? This issue is holding us back switching from manually running Pulumi to running it in CI. We currently create services with Pulumi, but deploy updates using gcloud which sets annotations and updates the image which will diff in Pulumi after a refresh.

fast-motherboard-33901

08/06/2022, 5:17 PM

Howdy! Is it possible to create an AlloyDB instance in GCP with Pulumi?

gorgeous-flag-72833

08/07/2022, 9:56 AM

Hello everyone! I am trying to get all the users who are members of a group by using this:

export function getUsers({ groupName }: GCPNamespaces) {
  const groupMembers = pulumi.output(
    gcp.cloudidentity.getGroupMemberships({
      group: groupName,
    })
  );
  console.log(groupMembers);

and I get this error:

error: Error: invocation of gcp:cloudidentity/getGroupMemberships:getGroupMemberships returned an error: invoking gcp:cloudidentity/getGroupMemberships:getGroupMemberships: 1 error occurred:
        * Error when reading or editing CloudIdentityGroupMemberships "": googleapi: Error 403: Your application has authenticated using end user credentials from the Google Cloud SDK or Google Cloud Shell which are not supported by the <http://cloudidentity.googleapis.com|cloudidentity.googleapis.com>. We recommend configuring the billing/quota_project setting in gcloud or using a service account through the auth/impersonate_service_account setting. For more information about service accounts and how to use them in your application, see <https://cloud.google.com/docs/authentication/>. If you are getting this error with curl or similar tools, you may need to specify 'X-Goog-User-Project' HTTP header for quota and billing purposes. For more information regarding 'X-Goog-User-Project' header, please check <https://cloud.google.com/apis/docs/system-parameters>.
    Details:
    [
      {
        "@type": "<http://type.googleapis.com/google.rpc.ErrorInfo|type.googleapis.com/google.rpc.ErrorInfo>",
        "domain": "<http://googleapis.com|googleapis.com>",
        "metadata": {
          "consumer": "projects/764086051850",
          "service": "<http://cloudidentity.googleapis.com|cloudidentity.googleapis.com>"
        },

Has anyone run into this and know how to solve it?

lively-table-10226

08/08/2022, 10:08 AM

Hi! I have created dual region bucket with location as

US-EAST1+US-WEST1

, and i tried to reapply the code once again. Ideally it should not do anything. But it says location changed from

US

US-EAST1+US-WEST1

and trying to delete the bucket and recreate it. Can someone help me to resolve this.

flat-laptop-90489

08/09/2022, 12:45 AM

👋 I’m trying to create a regional network endpoint group for an apiGateway. I know this functionality is pre-GA. It seems like the gcp-classic provider has the ability to create NEGs with the type SERVERLESS, but it doesn’t support the apiGateway backend. The google-native provider does support this, but I’m stuck on (what I think is) a bug Then I thought, Oh! I can just create it and then import to see the differences, but… google native doesn’t have import? So now I’m a bit stuck. Does anyone have a workaround or ideas for this situation?

future-window-78560

08/12/2022, 4:56 AM

is there a way to create instance schedules for gce vm through pulumi?

gorgeous-country-43026

08/17/2022, 7:52 AM

Any ideas how to create a Cloud SQL PostgreSQL instance with a database of a custom collation strictly through Pulumi?

fast-easter-23401

08/17/2022, 12:22 PM

Hello folks, I’m struggling with the confluent cloud API, that we’re using to create a Kafka related resources (topics, SA, api keys, and what not). We have properly configured the GCP Marketplace integration, and I’m acting on the confluent platform as a member of my organization, but can’t manage to create a kafka topic. Any ideas what’s failing?

const topic = new KafkaTopic(
  args.name,
  {
    topicName: args.name,
    kafkaCluster: { id: cluster.id },
    restEndpoint: cluster.restEndpoint,
    credentials: {
      key: clusterSA.apiKey.name,
      secret: clusterSA.apiKey.secret,
     },
   },
 { parent: this }
);

   Type                                    Name                    Status                  Info
     pulumi:pulumi:Stack                     confluent-test          **failed**              1 error; 2 messages
     └─ nesto:kafka                          test                                            
 +      ├─ confluentcloud:index:KafkaTopic   test                    **creating failed**     1 error
 +      └─ confluentcloud:index:RoleBinding  test-environment-admin  **creating failed**     1 error
 
Diagnostics:
  pulumi:pulumi:Stack (confluent-test):
    2022/08/17 08:19:24 [DEBUG] POST <https://pkc-41voz>.<region>.gcp.confluent.cloud:443/kafka/v3/clusters/<cluster-id>/topics
 
    error: update failed
 
  confluentcloud:index:KafkaTopic (test):
    error: 1 error occurred:
        * error creating Kafka Topic: 401 Unauthorized: Unauthorized

I also tried it creating a Provider resource, then passing the latter as

opts

. Didn’t work either. Any insights will be greatly appreciated. Have a nice day,

great-sunset-355

08/18/2022, 6:42 AM

Hi I keep getting 404 after

pulumi up

with google native while trying to deploy Cloud Run Job

import * as gcp from "@pulumi/google-native"

const region = "europe-west3"  // Frankfurt, Germany
const project = "my-gcp-project"
const appName = "my-app"

const provider = new gcp.Provider(
  "jan-provider",
  {
    project: project, 
    region: region, 
  }
)

const reg = new gcp.artifactregistry.v1.Repository(
  "repo",
  {
    description: "Hello repo world",
    format: "DOCKER",
    repositoryId: "rid"
  },
  {provider}
)

const job = new gcp.run.v2.Job(
  "job",
  {
    jobId: 'myjob',
    template: {
      taskCount: 1,
      template: {
        maxRetries: 0,
        timeout: "600s",
        containers: [
          {
            image: `${region}-docker.pkg.dev/${project}/rid/${appName}:1-amd64`,
          }
        ]
      }
    },
  },
  {provider}
)

Can anyone tell me what am I doing wrong?

error: error sending request: googleapi: Error 404: Requested entity was not found.:
 "<https://run.googleapis.com/v2/projects/my-gcp-project/locations/europe-west3/jobs?jobId=myjob>"
  map[__autonamed:true jobId:myjob location:europe-west3 name:projects/my-gcp-project/locations/europe-west3/jobs/job-255417b
  project:my-gcp-project template:map[taskCount:1 template:map[containers:[map[image:europe-west3-docker.pkg.dev/my-gcp-project/rid/my-app:1-amd64]] maxRetries:0 timeout:600s]]]

big-engineer-71075

08/18/2022, 8:53 PM

I am using Pulumi to create a dataproc cluster. When I run

preview --refresh --diff

, I see a diff on the cluster for the

machineTypeUri

property. The weird thing is that the diff is of the form:

"<https://www.googleapis.com/compute/v1/projects/MY_PROJECT_ID/zones/us-east4-b/machineTypes/c2-standard-8>" => "c2-standard-8"

I initially set

machineTypeUri

to "c2-standard-8" but I am guessing that GCP updates this with the full URI. How can I make this stop causing a diff? I know I could add

config.workerConfig.machineTypeUri

ignoreChanges

but I'm not sure that's a great approach - if it changes outside of Pulumi, I think I'd want Pulumi to know and deal with it. Also, somewhat related: on this page, https://www.pulumi.com/registry/packages/gcp/api-docs/dataproc/cluster/#clusterclusterconfigworkerconfig , it shows that there is a property named

machineType

. But the actual code requires a config property named

machineTypeUri

machineType

doesn't seem to be a valid name.

gray-train-92590

08/24/2022, 7:53 PM

For GCP alert Notification Channels for Slack (https://www.pulumi.com/registry/packages/gcp/api-docs/monitoring/notificationchannel/) does anyone know how the slack refresh token can be used? I see the sensitive label for auth token, but not refresh token.

gorgeous-country-43026

08/25/2022, 1:27 PM

Trying to create a

gcp.iam.WorkloadIdentityPoolProvider

but with no luck. To me this is looking like a bug in Pulumi's implementation (or terraform since it has been generated from it). I'm basing this on the error I get, it's a 404 from Google endpoint with URL (obfuscated slightly, but it's still valid:

<p>The requested URL <code>/v1beta/projects/my-gcp-project/locations/global/workloadIdentityPools/projects/my-gcp-project/locations/global/workloadIdentityPools/my-workload-pool/providers?alt=json&workloadIdentityPoolProviderId=github</code> was not found on this server.  <ins>That's all we know.</ins>

Please note the doubling of the

/projects/my-gcp-project/locations/global/workloadIdentityPools

part in the URL. No wonder it gets a 404. I'm just double checking if I'm not misinterpreting this before I create an issue?

aloof-traffic-97122

08/25/2022, 5:58 PM

hi friends, this is probably really simple, but I'm trying to create a gcp instance and a gcp instance group using the pulumi python API. The code for this looks like:

instance = gcp.compute.Instance(...a bunch of args)
instance_group = gcp.compute.InstanceGroup(instances=[instance.self_link], ...other args)

When I run pulumi pre, I get

AttributeError: 'NoneType' object has no attribute 'self_link'

, so it looks like the instance is

None

. Are there any tips on how I debug what to do next?

echoing-angle-67526

08/28/2022, 12:55 PM

Hello! I can't find the API to add GKE zonal NEGs to my backend service. I'm trying to find the equivalent of this gcloud command: https://cloud.google.com/kubernetes-engine/docs/how-to/standalone-neg#add_backends is this supported? thanks in advance!

gorgeous-country-43026

08/29/2022, 12:23 PM

Just out of curiosity, can I do anything about this? I mean, my local

gcloud

has been setup accordingly and doesn't complain anymore but Pulumi executions do:

pulumi:pulumi:Stack (my-stack):
    W0829 14:00:19.388176   16096 gcp.go:120] WARNING: the gcp auth plugin is deprecated in v1.22+, unavailable in v1.25+; use gcloud instead.
    To learn more, consult <https://cloud.google.com/blog/products/containers-kubernetes/kubectl-auth-changes-in-gke>

incalculable-midnight-8291

08/31/2022, 10:14 AM

Is it possible to configure OAuth 2.0 Client IDs with Pulumi? Especially to add more Authorized JavaScript origins and redirect URIs?

flat-oyster-65811

08/31/2022, 11:20 AM

After upgrading the node dependency

@pulumi/google-native

all of the DNS records I created will be 'replaced' with identical records with a new

urn

. I predict that this could cause disruptions in our DNS. Any ideas on how to avoid the replacement while still being able to upgrade the dependency?

big-engineer-71075

09/01/2022, 2:46 PM

I'm having trouble creating a

ProjectIamPolicy

in a new stack: When I try, I get an error:

error: object retrieval failure after successful create / read state: googleapi: got HTTP response code 404 with body

(followed by the 404 body). If I use curl to query GCP for the directly policy, I get a response, containing a full policy. The policy clearly exists in GCP but Pulumi somehow can't find it. I'm thinking of trying to modify the state of the stack by adding the basic JSON for a policy (based on an example from a different stack's state I exported to a file) but this seems like a questionable way to fix it. Has anyone else run into this? Does anyone have a suggestion on how to fix this?

victorious-dusk-75271

09/02/2022, 7:03 PM

Is there anyway to edit aws-auth config map with pulumi?

victorious-dusk-75271

09/02/2022, 7:09 PM

I am getting this error in codebuild

-- kubernetes:apps/v1:Deployment allrites-frontend deleting original error: configured Kubernetes cluster is unreachable: unable to load schema information from the API server: the server has asked for the client to provide credentials
    kubernetes:core/v1:ConfigMap allrites-frontend-config  
 -- kubernetes:apps/v1:Deployment allrites-frontend **deleting failed** error: configured Kubernetes cluster is unreachable: unable to load schema information from the API server: the server has asked for the client to provide credentials

crooked-cpu-12491

09/06/2022, 8:47 PM

Hi there, I pulled pulumi-google-native 0.25.0 version this morning and trying to do pulumi preview. I get the following error with the latest version. I could do the preview when I tried the same with 0.14.0 last week. Any thoughts on this? I'm using pulumi version 3.38.0

error: Preview failed: unable to find required configuration setting: GCP Project
Set the GCP Project by using:
	`pulumi config set gcp:project <project>`

gorgeous-country-43026

09/07/2022, 8:58 AM

So, I have a situation where I have a DNS registered to project A and it is setup there into a DNS zone. All fine. Now I also have a project B where I have a GKE running and it has an ingress. I want to bind this domain to that ingress IP address without having to do copy-pasting addresses over to different codebases. My initial thoughts on this are: 1. Read the other project state file and deduct the IP address from there. But as far as I have understood this is not possible but can only be done over different stacks? 2. Retrieve the managed cluster object via

gcp.container.getCluster

and proceed from there to get the ingress. I do not see however an immediate logical way to proceed to get the ingress object and its IP via this route 3. Bind the domain on project B cluster definition via its

dnsConfig

attribute but I think this won't work and would only work on the same project? 4. Bite the bullet and just do copy-pasting over. Not happy if I have to do this but might be the only reasonable choice

Title

gorgeous-country-43026

09/07/2022, 8:58 AM

gcp.container.getCluster

dnsConfig

attribute but I think this won't work and would only work on the same project? 4. Bite the bullet and just do copy-pasting over. Not happy if I have to do this but might be the only reasonable choice

Oh, I'm an idiot. Of course one would have to fetch the load balancer not the ingress 🤦‍♂️

Didn't find an easy way to do this. I find it astonishing that Pulumi still doesn't support referencing another project state but it does support this for terraform remote states? Like, what. I ended up downloading the another project state file via custom code, parsing that and finding the correct resource and from its outputs get the IP address value. Nuts but works.

Did it like this. Yes, it is a hack, yes, I do feel dirty, yes, it can break. But until I can figure out a better way I'm going with this:

const project = pulumi.output(gcp.projects.getProject({ filter: "name:project-with-state-name" }));

const stackStateContent = project.apply(project => new storage.Storage({
  projectId: project.id
})).apply(stor => stor
  .bucket("pulumi-state")
  .file("rootFolderName/.pulumi/stacks/stackname.json")
  .download())
  .apply(downloadResult => JSON.parse(downloadResult.toString()));

const ingressIp = liveDevStackStateContent.apply(stackState => {
  const resources : Array<any> = stackState.checkpoint.latest.resources;
  const ingressResource = resources.find((res : any) => res.id === "web/web-ingress");
  const ip : string = ingressResource.outputs.status.loadBalancer.ingress[0].ip;
  return ip;
});

Any better ideas are welcome!

View count: 4