pulumi-community #google-cloud

fast-easter-23401

12/20/2022, 2:44 PM

Hello folks, I was wondering what’s the most idiomatic way to manage IAM groups in GCP. In the best of worlds, I’d be able to create a group, add a few members (mostly real users, not service accounts) and then create either a IAMMembership or IAMBinding resource to grant explicitly the permissions required to use some cloud resources (e.g., database access). I looked into

cloudidentity

, but am not quite sure this is the best way to go. Any thoughts? Many thanks,

lemon-wire-69305

12/27/2022, 2:27 AM

Hi all,

refined-pilot-45584

12/29/2022, 7:10 AM

Is there a Pulumi recommend pattern/template for using the Kubernetes provider to deploy content to a Private GKE cluster? Any thoughts or best practices for Pulumi based solutions would be awesome. I am specifically planning to use Pulumi to bring up the private cluster and deploy Argo which will then handle all further K8's deployments.. Thanks.

refined-pilot-45584

12/29/2022, 10:52 AM

Any examples of how to link a ManagedSslCertificate to a GlobalForwardingRule?

dry-engine-17210

01/01/2023, 7:57 PM

How might one accomplish the following using the "native" GCP Pulumi library? https://www.pulumi.com/registry/packages/gcp/api-docs/storage/getprojectserviceaccount/

millions-branch-13617

01/02/2023, 6:25 AM

Does anyone have any (typescript) pulumi examples of a cloud run container behind an ESPv2 proxy?

lemon-wire-69305

01/03/2023, 10:41 PM

Hi all, does anyone have any tips for connecting K8s -> CloudSQL? I've got a job running a simple ping golang app using the in-process CloudSQLProxy connector (https://github.com/GoogleCloudPlatform/cloud-sql-go-connector), but keep getting a`failed to connect to `host=localhost user=my-service-account@my-domain.iam database=my_db_name`: dial error (timeout: context deadline exceeded)` error. I'm not sure why the log message has host as localhost, as the host given in the connection string is

project:region:db_instance_name

. I can see in the following in the DB logs when it attempts to connect:

Copy code

authorizationInfo: [
  0: {
    granted: true
    permission: "cloudsql.instances.connect"
    resource: "projects/uxu-io-staging/instances/database-instance-uxu-8898595"
    resourceAttributes: {
    name: "projects/uxu-io-staging/instances/database-instance-uxu-8898595"
    service: "<http://sqladmin.googleapis.com|sqladmin.googleapis.com>"
    type: "<http://sqladmin.googleapis.com/Instance|sqladmin.googleapis.com/Instance>"
  }}]
methodName: "cloudsql.instances.connect"

lemon-wire-69305

01/03/2023, 11:05 PM

host

as "localhost", as the host given in the connection string is `projectregiondb_instance_name`_._ I can see in the following in the DB logs when it attempts to connect:

Copy code

authorizationInfo: [
  0: {
    granted: true
    permission: "cloudsql.instances.connect"
    resource: "projects/my-project/instances/my-db-instance-8898595"
    resourceAttributes: {
    name: "projects/my-project/instances/my-db-instance-8898595"
    service: "<http://sqladmin.googleapis.com|sqladmin.googleapis.com>"
    type: "<http://sqladmin.googleapis.com/Instance|sqladmin.googleapis.com/Instance>"
  }}]
methodName: "cloudsql.instances.connect"

So can see it's correctly reaching out for the right db etc, but that's the only message in the logs. The ping code is basically doing:

Copy code

driverName := "cloudsql-postgres"
cleanup, err := pgxv4.RegisterDriver(driverName, cloudsqlconn.WithIAMAuthN())

connStr := fmt.Sprintf("host=%v user=%v dbname=%v sslmode=disable", host, user, name)
db, err := sql.Open(driverName, connStr)

ctx, cancelfunc := context.WithTimeout(context.Background(), 30*time.Second)
pingErr := db.PingContext(ctx) // times out here

if pingErr != nil {
  log.Fatalf("server: Got error: %v\n", pingErr) // logs error here due to timeout
}

and my k8s IAM setup is basically:

Copy code

const saJob = new gcp.serviceaccount.Account("sa-job", {
    accountId: "sa-for-job",
    displayName: "My Service Account for the ping Job",
  });

  const iamDBEditor = new gcp.projects.IAMBinding("iam-db-editor", {
    project: gcpProject,
    role: "roles/cloudsql.editor",
    members: [pulumi.interpolate`serviceAccount:${saJob.email}`],
  }, {
    parent: saJob
  });

  const iamDBUser = new gcp.projects.IAMBinding("iam-db-user", {
    project: gcpProject,
    role: "roles/cloudsql.instanceUser",
    members: [pulumi.interpolate`serviceAccount:${saJob.email}`],
  }, {
    parent: saJob
  });

  const k8sSAJob = new k8s.core.v1.ServiceAccount("k8s-sa-job", {
      metadata: {
        namespace: namespaceName,
        annotations: {
          "<http://iam.gke.io/gcp-service-account|iam.gke.io/gcp-service-account>": saJob.email,
        },
      }
    },
    {
      provider: clusterProvider,
    })

  const iamK8sBinding = new gcp.serviceaccount.IAMBinding("iam-k8s-db-editor", {
    serviceAccountId: saJob.name,
    role: "roles/iam.workloadIdentityUser",
    members: [pulumi.interpolate`serviceAccount:${gcpProject}.svc.id.goog[${namespaceName}/${k8sSAJob.metadata.name}]`],
  })

  /* Create a user with the configured IAM credentials (linked to the service account).
     For more info:
       * <https://cloud.google.com/sql/docs/postgres/iam-logins>
       * <https://cloud.google.com/sql/docs/postgres/add-manage-iam-users#creating-a-database-user>
   */
  const dbUserJobAPIServerMigration = new gcp.sql.User("api_server_migrator", {
    instance: db.instance.name,
    name: saJob.email.apply((v) =>
      v.replace(".<http://gserviceaccount.com|gserviceaccount.com>", "")
    ),
    project: gcpProject,
    type: "CLOUD_IAM_SERVICE_ACCOUNT",
  });

I've also tested locally connecting to CloudSQL with pretty much the same golang code except using a

cloudsqlconn.WithCredentialsFile("/Users/me/creds/sa-creds.json")

file instead of `cloudsqlconn.WithIAMAuthN()`along with a different db user and the ping code works as expected. So, I'm thinking the problem might be something related to perhaps kubernetes and IAM auth, but I'm honestly just a bit stuck and hence the reach out. Apologies for the long post, I'm hoping someone's been through this pain before and can offer a tip or two on troubleshooting or what might be going on. Thanks for your help!

kind-room-82948

01/10/2023, 6:56 PM

Anyone know if there will be a new release for the google native provider anytime soon? There are some new API endpoint that were added in the last few months I'd like to use that aren't in classic

aloof-leather-66267

01/10/2023, 8:40 PM

Is there a reason that the properties of

IAMMemberCondition

are all strings and not

Output<string>

refined-pilot-45584

01/11/2023, 8:13 PM

Hey Community; Best way to check GKE cluster “Ready” before next resource creation.

stocky-sundown-45608

01/12/2023, 4:23 AM

I have been setting up new k8s cluster on GCP and other resources (helm, cert manager, etc) using Pulumi typescript. It is clean and everything works except started to see issues when using Pulumi chart resource to setup Neo4j cluster, it doesn’t apply the values provided for nodeSelector by failing to match the node labels? Is Helm for Pulumi stable that you would recommend me using it in production? Stacktrace below

stocky-sundown-45608

01/12/2023, 4:23 AM

Copy code

Error: invocation of kubernetes:helm:template returned an error: failed to generate YAML for specified Helm chart: failed to create chart from template: execution error at (neo4j-cluster-core/templates/_helpers.tpl:73:16): No node exists in the cluster which has all the below labels (.Values.nodeSelector)
     %smap[<http://cloud.google.com/gke-nodepool:primarynodes-1d024b4|cloud.google.com/gke-nodepool:primarynodes-1d024b4>]
        at Object.callback (/e/node_modules/@pulumi/runtime/invoke.ts:172:33)
        at Object.onReceiveStatus (/node_modules/@grpc/grpc-js/src/client.ts:338:26)
        at Object.onReceiveStatus (/node_modules/@grpc/grpc-js/src/client-interceptors.ts:426:34)
        at Object.onReceiveStatus (/node_modules/@grpc/grpc-js/src/client-interceptors.ts:389:48)
        at /node_modules/@grpc/grpc-js/src/call-stream.ts:276:24
        at processTicksAndRejections (node:internal/process/task_queues:77:11)

brash-hairdresser-60389

01/13/2023, 12:37 AM

Hello there, I have had an issue for months dealing with

gcp.sql.Database

and

gcp.sql.User

(using Postgres) In my pulumi script, I use to create in order: 1. The

gcp.sql.User

2. the

gcp.sql.Database

This works fine until I try to destroy the stack, I have always the issue the User cannot be deleted because there’s a reference (the database). I tried to change the order of creation Database first, then User, but this doesn’t bind the user correctly to the database. I’ve seen there’s the need in such a case to set up the

deletionPolicy: 'ABANDON'

on the Database, but in doing so, the Database is not deleted, and then if I try to recreate the database, it fails because it already exists. It is possible there is no way to manage these GCP resources correctly using Pulumi? I can’t believe I have to delete it manually. Thank you for any answer.

lemon-wire-69305

01/14/2023, 5:20 AM

CloudSQL Postgres Roles - is it possible to create these with Pulumi? I've created three different database users: • migration user (IAM user for db migrations) • server user (IAM user for server connections) • dev user (Built-in user for debugging etc) I'd like to give all three users a postgres role (e.g. 'my_org') that all operations occur under (e.g. tables creation, data CRUD, manual login to debug). I did find someone doing this via pulumi (https://stackoverflow.com/questions/66678471/how-to-deploy-postgresql-schema-to-google-cloud-sql-database-using-pulumi), but it seems like quite a hack (commenting / uncommenting code) - in which case, I figure I may as well create a custom script and run that separately. Is it possible to add postgers roles as part of the

pulumi up

process, or scripted in such a way that after a

pulumi up

no other manual process needs to be run? It's also possible that I'm thinking of this in the wrong way, so I'm curious to hear if there's a better solution to this problem.

dry-keyboard-94795

01/16/2023, 9:26 AM

Is this stable? https://www.pulumi.com/blog/simple-serverless-programming-with-google-cloud-functions-and-pulumi/ It doesn't look to be documented in the provider

stocky-sundown-45608

01/16/2023, 3:47 PM

Has anyone setup Cert manager issuer with Pulumi, while they have cert manager library, the issuer is not accepting http solvers?

stocky-sundown-45608

01/16/2023, 3:47 PM

Copy code

const issuer = new k8s.apiextensions.CustomResource(issuerName, {
  apiVersion: "<http://cert-manager.io/v1|cert-manager.io/v1>",
  kind: "Issuer",
  metadata: {
      namespace: appNs.metadata.name,
      name: issuerName,
  },
  spec: {
      acme: {
        server: "<https://acme-v02.api.letsencrypt.org/directory>",
        email: "",
        privateKeySecretRef: {
          name: issuerSecret.metadata.name,
        },
        solvers: [{
          http01: {
              ingress: {
                  name: "api-ingress-dev"
              },
          },
        }],
      },
  },

stocky-sundown-45608

01/16/2023, 3:47 PM

The above works without a solver, so can you suggest what is wrong?

eager-keyboard-30823

01/19/2023, 5:38 PM

After reading https://www.pulumi.com/blog/simple-serverless-programming-with-google-cloud-functions-and-pulumi/, I started wondering whether there was a way to easily create a function for pubsub, but where the topic already exists and for ownership reasons shouldn’t be imported? e.g. Before:

Copy code

// Create a PubSub Topic
let requests = new gcp.pubsub.Topic("requests");
requests.onMessagePublished("newMessage", (data) => {
    // Print out a log message for every message on the Topic.
    // Change this code to fit your needs!
    console.log(Buffer.from(data.data, "base64").toString());
});

After:

Copy code

// Create a PubSub Topic
let requests = await gcp.pubsub.getTopic("requests");
/// ???
requests.onMessagePublished("newMessage", (data) => {
    // Print out a log message for every message on the Topic.
    // Change this code to fit your needs!
    console.log(Buffer.from(data.data, "base64").toString());
});

eager-keyboard-30823

01/19/2023, 8:39 PM

Anyone know how to specify extra dependencies on a

gcp.cloudfunctions.CallbackFunction

? I’m trying to use

@google-cloud/workflows

in the callback. For reference:

Untitled.ts

magnificent-rainbow-92633

01/21/2023, 1:59 AM

Anyone seen an issue with gcp classic where a GKE cluster keeps being recreated for a NodeConfig change even though there isn't an change? I have to use a non-default NodeConfig because the org requires secure boot for everything.

refined-pilot-45584

01/23/2023, 1:12 PM

Hey all! Using the GCP provider to launch cloud run services. I am combining it with Docker build. Using obviously the Docker provider. I see the image builds successfully and it even get pushed. However the Cloud Run service update with the new image name and tag doesn’t wait for the push command to complete before the Cloud Run service update occurs. Naturally I receive an error telling me the image can’t be found.. Am I missing something or is there a simple way to ensure the cloud run service update only occurs after the Docker push is complete? I have tried Standard “depends on” and references between the resources. If it helps/makes a difference I am using Go. Cheers in advance.

stocky-sundown-45608

02/02/2023, 6:57 AM

I am creating a service account in gcp via pulumi that would use workload identity (gke pods) and access a bucket. I have created a service account, role with bucket objects get/list etc and added binding, code is here https://gist.github.com/seeker815/4b8df54ee2a41bccb5ec84547582b13b while the worload identity works, bucket access isn’t set so I am trying to do something like

gsutil iam ch serviceAccount:<sa-name>:<bucketrole> gs://<bucket-name>

to give access for the sa to the bucket. How do I do that in pulumi,

lively-leather-32109

02/02/2023, 12:36 PM

hi, i'm a new gcp and pulumi user, i'm looking for the possibility to create instance template from a container, but it seems that only disk templates are allowed, i'm using typescript and i've found the Command feature in pulumi (in preview) and i've thought the possibility to use this, but maybe someone has some suggestions about that

flaky-twilight-44520

02/03/2023, 8:03 AM

Hi everyone! Is there any way to extend existing provider functionality? Specifically

@pulumi/postgresql.Provider

to start cloud sql/alloydb auth proxy before connecting to the instance?

best-summer-38252

02/04/2023, 6:47 AM

Hello, Im after some direction on creating/enabling Firestore. I have a new project and Firestore has not been enabled. Yet I get a 429:

error: error sending request: googleapi: Error 429: Project docket-grabber-dev exceeded its quota. Resource Exhausted:

best-summer-38252

02/04/2023, 7:23 PM

gcp.projects.Service doesnt block on the service actually being enabled so the dependent resources fail with "If you enabled this API recently, wait a few minutes for the action to propagate to our systems and retry." - even when you use dependsOn

refined-pilot-45584

02/04/2023, 7:31 PM

Additional note; my suggestion is to utilise stacks. For Google Cloud Best practices the enablement of services should be tightly bound to the establishment of a project. Consider the creation of a Pulumi stack that setups your base GCP projects. Enable Service APIs within that stack. Consider this as a Stack that operates as a GCP project factory. Creates project in a given org or folder; enables service APIs and then configures appropriate IAM and project dedicated service accounts as well as any Project specific Org Policies. Then going forward use the service account created in this stack as the runner for the follow on Pulumi Stacks that in turn build out project specific content such as VMs networks and GKE or Firestore; This gives time for stack A to enable APIs before stack B runs. Your stack B can even have logic to confirm APIs are enabled before commencing. Additionally it follows Google’s best practice project management and security by separating concerns and futures for security.

best-summer-38252

02/04/2023, 7:56 PM

Thanks Tim. Seems like my app's stack knows what apis it needs enabled and that going back and forth with a separate project stack would couple the two and make the separation artificial.