pulumi-community #google-cloud

google-cloud

adorable-activity-71456

09/09/2022, 8:02 PM

We have a two stack set up (dev/prod) we built out the dev side just fine (@pulumi/gcp@6.32) and when we went to run it on the prod side we get a bunch of strange errors:

Bestowinc/bestow-self-hosted/main (pulumi:pulumi:Stack)
error: update failed
 
prod-tai-windows-server-ip (gcp:compute:Address)
error: error reading from server: EOF
 
prod-tai-nat (gcp:compute:RouterNat)
error: error reading from server: EOF
 
prod-tai-sql-server (gcp:sql:DatabaseInstance)
error: error reading from server: EOF

Any Ideas? Full diagnostics in a thread…

blue-leather-96987

09/11/2022, 10:14 PM

I am running into a weird issue. My Cloud Run services do not have their environment variables stored in pulumi. The https://www.pulumi.com/registry/packages/gcp/api-docs/cloudrun/service/#servicetemplatespeccontainer resource in the pulumi state is actually barely populated, it's not even an array

adorable-activity-71456

09/12/2022, 6:23 PM

Hey, any joy/idea on this from Friday? https://pulumi-community.slack.com/archives/CRFUR2DGB/p1662753735357129

brash-alligator-49865

09/13/2022, 7:36 PM

Hi everyone, lovely to be here! Love GCP and lova Pulumi!

quiet-laptop-13439

09/15/2022, 1:36 PM

anyone knows how pulumi caches gcp credentials? I'm getting ACCESS_TOKEN_EXPIRED and logging in again doesn't help

quiet-laptop-13439

09/16/2022, 9:20 AM

crickets

brash-alligator-49865

09/18/2022, 9:56 AM

Hi all, was anyone able to make KMS work? I tried both options with existing project/region/keyring in https://www.pulumi.com/docs/intro/concepts/secrets/

brash-alligator-49865

09/18/2022, 9:56 AM

but when i set up a secret it continues to use Pulumi local yaml 😕

brash-alligator-49865

09/18/2022, 9:56 AM

Is it just me?

brash-alligator-49865

09/18/2022, 9:57 AM

I also believe the semantic is wrong: the example asks you to provide a KEY but I believe you should provide a KEYRING to support multiple secrets:

brash-alligator-49865

09/18/2022, 9:57 AM

pulumi stack init my-stack --secrets-provider="<gcpkms://projects/acmecorpsec/locations/us-west1/keyRings/prod/cryptoKeys/payroll>"

brash-alligator-49865

09/18/2022, 9:57 AM

i would have thought this would make much more sense:

pulumi stack init my-stack --secrets-provider="<gcpkms://projects/acmecorpsec/locations/us-west1/keyRings/prod/>"

brash-alligator-49865

09/18/2022, 9:59 AM

unless I just misunderstood and the KMS key is single and its just used to decrypt the local keys? This would make also sense.

famous-kite-52506

09/22/2022, 1:32 PM

@sparse-park-68967 Hi, I was wondering was is the ETA for the native gcp provider release (out of preview)? In the meantime, I guess it is safer to use the classic provider?

gorgeous-country-43026

09/23/2022, 8:16 AM

Hmm. It looks like Google APIs do not allow managing Firebase projects via normal

gcloud auth

authenticated users but you are forced to use a service account? Is this true and is there any way to go around this? I mean,

gcloud auth

is much better security wise for IaC unless one setups infrastructure setup into CI/CD but then one cannot really do development locally. Any tips or tricks or am I screwed?

bulky-minister-91867

09/23/2022, 12:45 PM

Hello all, I am trying to use "Google native" and GCS backend together. I need them to use different service accounts. "Google native" unlike "GCP classic" does not allow to set credentials in the code. And I am having issues with the credentials conflicting with each other. I tried a few things but couldn't get it to work. Does someone know a way around this issue maybe?

gentle-nightfall-2327

09/26/2022, 4:57 PM

Hi Peeps, does anyone here perhaps have a take on creating resources cross project?

gentle-nightfall-2327

09/26/2022, 5:00 PM

My situation is that I registered Domains via Google Domains in a "shared" project and would now like to front services in Cloud Run with subdomains of these domains.

👀 1

future-window-78560

09/26/2022, 5:14 PM

Hello Team, Can we use same bucket name in different accounts For eg#

bucket01

<mailto:gcpacc11@gmail.com|gcpacc11@gmail.com>

and

bucket01

<mailto:gcpacc22@gmail.com|gcpacc22@gmail.com>

especially when

<mailto:gcpacc11@gmail.com|gcpacc11@gmail.com>

is deleted I get this error so I have to change the bucket name in the script every time which is a manual step in the automation process and we need to avoid that

googleapi: Error 409: The requested bucket name is not available. The bucket namespace is shared by all users of the system. Please select a different name and try again., conflict

future-window-78560

09/26/2022, 5:24 PM

Also, Team!! We need to know if creating a new GCP project is possible without specifying any project_ID in the pulumi script? Our purpose is to have a console-free IAC which is possible through pulumi but we have to create a GCP project manually first because we need a project ID as input for creating a new GCP project.

brash-alligator-49865

09/28/2022, 6:25 PM

HAfsa, AFAIK Resource Manager doesnt allow you to create a project without a starting project. So my humble opinion is that you cant.

✅ 1

aloof-leather-66267

10/03/2022, 3:21 AM

How can I import a

gcp:serviceAccount/key:Key

with the

serviceAccountId

? When I run

pulumi import

with the

name

and

id

, I get a warning that

serviceAccountId

is missing, even if I add it to the JSON file. I can still complete the import, but the state is created without the

serviceAccountId

, and if I add it to the code, Pulumi thinks it's a different resource and wants to replace the imported one.

delightful-monkey-90700

10/03/2022, 5:12 PM

I'm trying to use a GCP Secret to coordinate a job between a Schedule which runs periodically and an Google Cloud Run function which it invokes via HTTP (since that seems to be the only mechanism for doing this). How do I get the value of a Secret within Pulumi, to pass to the Job ?

incalculable-flag-48574

10/04/2022, 3:00 PM

Hi, I created a static web site on gcp with the template static-website-gcp-typescript and now I want to secure the HttpProxy with SSL. I found this doc (https://www.pulumi.com/registry/packages/gcp/api-docs/compute/sslcertificate) with a "SSL Certificate Target Https Proxies" section but it's empty (coming soon!). Do you know when this config would be available and would you have an example ? Thanks a lot.

billowy-nightfall-59212

10/18/2022, 9:53 PM

Hi, I am trying to create a service account and assign it a role. Here is the sample code.

p, err := serviceaccount.NewAccount(ctx, "prom-frontend",
		&serviceaccount.AccountArgs{
			AccountId:   pulumi.String("prom-frontend"),
			DisplayName: pulumi.String("prom-frontend"),
			Project:     pulumi.String(c.Project),
		})
	if err != nil {
		return err
	}

	// create Project Iam policy binding for the service account to the role roles/storage.admin
	_, err = serviceaccount.NewIAMBinding(ctx, "foo-bar-iam-binding", &serviceaccount.IAMBindingArgs{
		Role: pulumi.String("roles/storage.admin"),
		Members: pulumi.StringArray{
			pulumi.String("serviceAccount:prom-frontend@experiments.iam.gserviceaccount.com"),
		},
		ServiceAccountId: p.Name,
	})
	if err != nil {
		return err
	}

jolly-addition-88642

10/18/2022, 10:28 PM

Hi everyone! Pulumi noob here. I have an existing cert in GCP and I'm trying to do an import of a self managed cert but I always get warnings about a missing private_key. I figure I am running the command incorrectly. Do I need to specify a private key file during the import, though that is not an available option for this command.. When doing an import with terraform it worked fine with just a reference to the cert name and id in GCP. pulumi import gcp:compute/sSLCertificate:SSLCertificate test_cert my_gcp_project/test_cert Any help appreciated. https://www.pulumi.com/registry/packages/gcp/api-docs/compute/sslcertificate/ Error:

warning: One or more imported inputs failed to validate. This is almost certainly a bug in the `gcp` provider. The import will still proceed, but you will need to edit the generated code after copying it into your program.
    warning: gcp:compute/sSLCertificate:SSLCertificate resource 'test_cert' has a problem: Missing required argument: The argument "private_key" is required, but no definition was found.. Examine values at 'SSLCertificate.PrivateKey'.

billowy-nightfall-59212

10/20/2022, 6:14 PM

A friendly ping! I would appreciate some help.

microscopic-cpu-38113

10/25/2022, 11:22 AM

does anyone have any reference or website to share regarding the migration of existing production workload that's managed by Terraform to Pulumi? Our workload mostly are deployed on GCP but seems like the gcp-native providers doesn't even support a project import, please share your migration experience if any, TIA!

thousands-pizza-93362

10/25/2022, 11:47 PM

How do i change the health check path for cloudrun?

thousands-pizza-93362

10/25/2022, 11:47 PM

I cant find the option anywhere in the cloud run service files