Channels
#google-cloud
- b
best-summer-38252
02/04/2023, 8:07 PMBest practices are not universal for all contexts, I have not read security guidance from GCP specing this type of separation, but I know AWS' "Well Architect Framework" is garbage as the ideal and even worse as a universal that all must mimic. For my team's context I think projects should be disposable so the CD for the app can tear-down and provision its containing project. But thats a different discussion. If my project.Service and my cloudtask.Queue are on the same DAG with a dependent relationship (regardless of some other person's best practices) then shouldnt Pulumi make sure the Service is provisioned before continuing the walk to the cloudtask.Queue resource ? - s
stocky-restaurant-98004
02/06/2023, 4:33 PM👋 - s
straight-arm-50771
02/08/2023, 7:52 PMLooking for some best practice guidance on Cloud Functions. Presently on v1, below spec. Looking for a method to keep the CFs up-to-date with HEAD on the identified branch. This doesn't appear possible natively via Pulumi/Terraform (per this ticket). It doesn't seem ideal either to add another CI component for a resource that's managed in IaC? We've had issues deploying CFv2 previously, I can revisit, is this better handled with v2?Copy codelora-iot-provision: type: gcp:cloudfunctions:Function properties: description: "Provisions a wireless device in AWS IoT." runtime: go119 availableMemoryMb: 256 environmentVariables: APP_ENV: ${iotEnv} AWS_REGION: us-east-1 secretEnvironmentVariables: - key: AWS_ACCESS_KEY_ID secret: cf_iotAwsAccessKey_${environment} version: latest projectId: my-gcp-proj - key: AWS_SECRET_ACCESS_KEY secret: cf_iotAwsSecretKey_${environment} version: latest projectId: my-gcp-proj entryPoint: ProvisionDevicePubSub eventTrigger: eventType: providers/cloud.pubsub/eventTypes/topic.publish resource: projects/${pulumi.stack}/topics/lorawan-device-provisioned project: ${pulumi.stack} region: us-east1 serviceAccountEmail: ${cloud-functions-sa.email} sourceRepository: url: "<https://source.developers.google.com/projects/my-gcp-proj/repos/github_my-mirrored-repo/moveable-aliases/main/paths/lora-iot-provision>" - b
brainy-caravan-45245
02/09/2023, 5:15 PMhas renamed the channel from "gcp" to "google-cloud" - s
strong-belgium-33104
02/10/2023, 2:38 AMHi there, I have a question please. I am trying to automate projects creations using pulumi. I keep getting
. However, I am the owner of the gcp account and authenticated403 access denied
. Is there anything specific I need to do to be able to allow pulumi to provision the projects?gcloud auth application-default logino- 2
- 7
- k
kind-island-70054
02/10/2023, 2:33 PMHi, I’m trying to add a domain to a managed ssl certificate. I’m ok replacing it because it’s just a dev project with no traffic. When I proceed with the update though, it fails because a target http proxy uses it. I would expect pulumi to remove first the target http proxy and then the ssl certificate, but it does not.Copy code
Here is my pulumi code:Previewing update (infra.dev): Type Name Plan Info pulumi:pulumi:Stack infrastructure-infra.dev + ├─ gcp:compute:RegionNetworkEndpointGroup global-lb-notification-rest-europe-west1 create +- ├─ gcp:compute:ManagedSslCertificate global-lb replace [diff: ~managed] + ├─ gcp:compute:RegionNetworkEndpointGroup global-lb-notification-rest-europe-west4 create + ├─ gcp:compute:BackendService global-lb-notification-rest create ~ └─ gcp:compute:URLMap global-lb update [diff: ~hostRules,pathMatchers] Resources: + 3 to create ~ 1 to update +-1 to replace 5 changes. 34 unchanged Do you want to perform this update? yes Updating (infra.dev): Type Name Status Info pulumi:pulumi:Stack infrastructure-infra.dev **failed** 1 error + ├─ gcp:compute:RegionNetworkEndpointGroup global-lb-notification-rest-europe-west4 created (11s) + ├─ gcp:compute:RegionNetworkEndpointGroup global-lb-notification-rest-europe-west1 created (11s) +- └─ gcp:compute:ManagedSslCertificate global-lb **replacing failed** 1 error Diagnostics: pulumi:pulumi:Stack (infrastructure-infra.dev): error: update failed gcp:compute:ManagedSslCertificate (global-lb): error: deleting urn:pulumi:infra.dev::infrastructure::gcp:compute/managedSslCertificate:ManagedSslCertificate::global-lb: 1 error occurred: * Error when reading or editing ManagedSslCertificate: googleapi: Error 400: The ssl_certificate resource 'projects/dev-julien-****/global/sslCertificates/global-lb' is already being used by 'projects/dev-julien-****/global/targetHttpsProxies/global-lb-35b3f02', resourceInUseByAnotherResource Outputs:Copy code
Is there a way to tell pulumi that it needs to remove dependencies too?const sslCertificate = new gcp.compute.ManagedSslCertificate(key, { name: key, managed: { domains: domains.map(({ domain }) => domain), }, }); const targetHttpsProxy = new gcp.compute.TargetHttpsProxy( key, { urlMap: urlMap.id, sslCertificates: [sslCertificate.name], });- 1
- 1
- d
delightful-monkey-90700
02/14/2023, 4:45 AMI'm creating a Cloud Build job from a local directory. GCP Cloud Build expects the source code to be provided as a .tar.gz in a Bucket. There doesn't seem to be an obvious way to easily upload a directory as a .tar.gz file (just using
uploads it as a zip file, apparently andFileAsset
provides no mechanism for specifying the kind of archive to produce).FileArchive - m
melodic-room-61098
02/14/2023, 10:49 AMHello #google-cloud. I've created a simple GCP Run service based on https://github.com/pulumi/examples/tree/master/gcp-ts-docker-gcr-cloudrun. I'm using a single
and ran into an issue: the container image is being build and uploaded in parallel with the service update. This means that the service can only see the older image and won't update. So I have to runindex.ts
2x, which is not ideal. Is there a way to declare this dependency in code? This is roughly what I have now: https://gist.github.com/thekarel/f8701649097eaf450d96bdf889db6d7c I've thought of usingpulumi up
(might slow things down) or putting the image and service in different folders (makespulumi up --parallell 1
more cumbersome). Any thoughts?up- 1
- 1
- r
refined-pilot-45584
02/14/2023, 10:56 PMHey all; Question. Is service/api enablement on a GCP project possible from the Google Native provider? I am trying to find the Native corresponding functionality to this Classic resource/function: https://www.pulumi.com/registry/packages/gcp/api-docs/projects/service/s- 2
- 2
- d
delightful-monkey-90700
02/15/2023, 6:48 PMThe GCP Native
doesn't seem to be finished yet, is there anything equivalent for GCP Classic ?cloudbuild.v1.Build() - j
jolly-journalist-76169
02/16/2023, 9:53 AMHope someone can help me with my problem! I would like to keep the state of Pulumi in GS (
). What am I doing now? 1. I use the module "npm googleapis" where I log in viaGoogle Storage
and get the accessToken - I have it stored under the variable. 2. I would like to use my accessToken in Pulumi to hold the state in GS. I have read about setting theOAuth2 to GCP
(https://www.pulumi.com/registry/packages/gcp/installation-configuration/#configuration-reference;accessToken
), but all attempts end up forcing me to log intopulumi config set gcp:accessToken
- and I would like to avoid that. Actually, the matter would be solved if someone would show me how to use thePulumi Service
command and pass my accessToken in it. I hope there will be someone here with knowledge!pulumi login gs:// - g
gentle-intern-40981
02/21/2023, 10:07 PMHi all, I started off by creating an
project which worked fine but after installingaws-python
, adding the required configpulumi_gcp
and adding agcp:project
resource the pulumi preview fails with:gcpCopy code
Debug output show:error: could not validate provider configuration: 1 error occurred: * Invalid or unknown keyCopy code
If I create a new project using thedebug: exception when preparing or executing rpc: Traceback (most recent call last): File "/home/dissonance/Code/ouroboros/infrastructure/venv/lib/python3.10/site-packages/pulumi/runtime/resource.py", line 916, in do_rpc_call return monitor.RegisterResource(req) File "/home/dissonance/Code/ouroboros/infrastructure/venv/lib/python3.10/site-packages/grpc/_channel.py", line 946, in __call__ return _end_unary_response_blocking(state, call, False, None) File "/home/dissonance/Code/ouroboros/infrastructure/venv/lib/python3.10/site-packages/grpc/_channel.py", line 849, in _end_unary_response_blocking raise _InactiveRpcError(state) grpc._channel._InactiveRpcError: <_InactiveRpcError of RPC that terminated with: status = StatusCode.UNAVAILABLE details = "error reading from server: read tcp 127.0.0.1:52012->127.0.0.1:33739: use of closed network connection" debug_error_string = "UNKNOWN:Error received from peer ipv4:127.0.0.1:40435 {created_time:"2023-02-21T16:43:34.450732655-05:00", grpc_status:14, grpc_message:"error reading from server: read tcp 127.0.0.1:52012->127.0.0.1:33739: use of closed network connection"}"
template this problem does not exist.gcp-pythonb- 2
- 1
- g
great-sunset-355
02/22/2023, 10:55 AMCan anyone please confirm that this is the correct way to ignore changes in the image? of this resource https://www.pulumi.com/registry/packages/gcp/api-docs/cloudrunv2/job/#jobtemplatetemplatecontainerCopy code
Because I also triedignoreChanges: [ "template.template.containers[*].image", ],
and it did not work at all. After some experiments, I noticed this worksignoreChanges: ["*"]"template.template.containers[0].image" - d
delightful-monkey-90700
02/23/2023, 9:38 PMThe google-native plugin for
fails because the provider is base64 encoding a UUID string:cloudbuild.v1.Build()Copy code
-->error: waiting for completion / read state googleapi: Error 404: Requested entity was not found. (URL=<https://cloudbuild.googleapis.com/v1/projects/production/locations/us-west2/builds/NTBhNjY5MjMtZTJmYy00YTE0LWI5ZjQtNmEwZWVkNGIwMWIw>): polling operation status: googleapi: Error 404: Requested entity was not found.Copy code
--> The real URL should have been> echo 'NTBhNjY5MjMtZTJmYy00YTE0LWI5ZjQtNmEwZWVkNGIwMWIw' | base64 -d 50a66923-e2fc-4a14-b9f4-6a0eed4b01b0<https://cloudbuild.googleapis.com/v1/projects/production/locations/us-west2/builds/50a66923-e2fc-4a14-b9f4-6a0eed4b01b0>b- 2
- 6
- b
better-pencil-34948
02/24/2023, 5:34 PMI am looking to understand Stack References; in particular, ones where the Stack Reference is on a different Google Storage bucket than the stack being used. Scenario: • Stack Account - configures an private artifact registry with charts, docker images, etc, along with a secret key Output. Hosted in, say, gs://bucket/account/ • Stack B - brings up a kubernetes cluster, networking, etc. Hosted in, say, gs://otherbucket/b/. • Problem: In Stack B's code, I want to reference Stack A to bring down the secret key and allow pulling from Stack A's output. Result (go SDK):pulumi:pulumi:StackReference (<gs://bucket/account>):error: Preview failed: unknown stack "account"b- 2
- 16
- r
rich-motorcycle-3089
02/27/2023, 7:10 PMHas anyone been able to delete health checks from a Cloud Run service? I have a Startup Probe and a Liveness probe defined in my Cloud Run service driven off some config file values. When I clear out those values, I wanted to remove the appropriate health checks. Filling the appropriate values with
seem to cause Pulumi to ignore the health checks altogether (keep the existing values for the next revision). Attempting to give it empty objects causes Pulumi to overwrite the values, but with default implementations of the health check. I’m using the Go SDKnil - b
best-summer-38252
02/28/2023, 7:18 PMIm tying to add an IAM policy to a service account as per https://www.pulumi.com/registry/packages/gcp/api-docs/serviceaccount/iammember/ The policy has a list of bindings and every role I have tried provided results in an Error 400 (other than "roles/iam.serviceAccountUser"):Copy code
Surely a service account can have a role as per the Pulumi example. The exmaple shows the format of the role being just the role name, roles/iam.serviceAccountUser, which seems consistent with the type info: _The role that should be applied Only oneError 400: Role roles/workflow.invoker is not supported for this resource., badRequest
can be used per role. Note that custom roles must be of the formatgcp.organizations.IAMBinding
._ Given I am not using custom roles, isorganizations/{{org_id}}/roles/{{role_id}}
the correct format?roles/workflow.invokere- 2
- 4
- c
clean-winter-59829
03/01/2023, 5:56 AMhow do you get the current GCP project of the stack in pulumi?be- 3
- 5
- s
stocky-restaurant-98004
03/01/2023, 6:29 PMI'm gonna write a basic clickops -> Pulumi importer for Google Cloud, similar to the one I wrote for AWS in this blog post. Anyone got a basic Google Cloud architecture, e.g. in TF that I could use as source material? Thinking something like a VPC and some VMs, or maybe a GKE cluster. (Not sure how common VPC/VMs are on Google Cloud.) - p
purple-electrician-80135
03/02/2023, 12:54 AMHello GCP channel ... I am getting a strange error deploying an autopilot cluster and I'm unsure what I'm doing wrong.Copy code
From this code:python inline source runtime error: 'Cluster' object is not callableCopy code
Is there anything obvious I should be doing differently? .. this is running in a Jupyter notebook .. which has made configs unavailable (probably due being unable to find the .yaml file) but otherwise seems to work.def create_gks_autopilot_cluster(project_id, name, region, network_id, subnet_id): gke_min_version = "1.25.6-gke.200" default = gcp.serviceaccount.Account("default", account_id="service-account-id", display_name="Service Account") # Define the GKE Autopilot cluster gke_cluster = gcp.container.Cluster(name, enable_autopilot=True, ip_allocation_policy=container.ClusterIpAllocationPolicyArgs( cluster_secondary_range_name="pods", services_secondary_range_name="services", ), location=region, min_master_version=gke_min_version, network=network_id, release_channel={"channel": "STABLE"}, subnetwork=subnet_id, project=project_id,) return gke_cluster- 1
- 1
- m
many-knife-65312
03/03/2023, 11:41 PM👋 - m
many-knife-65312
03/03/2023, 11:42 PMi'm trying to use the
function to check for existing gcp resources, but i'm struggling with the unique provider ID, does anyone have docs or tips for using.get()
?.get()ds- 3
- 17
- g
gorgeous-architect-28903
03/09/2023, 12:14 PMAnyone seen this when creating a GKE Node Pool?
— I’m definitely not setting a name. It happens even if I setCannot specify both name and name_prefix for a node_pool
toName
explicitly.nilv- 2
- 4
- l
limited-wolf-14679
03/09/2023, 11:51 PMHi Guys, i am new to pulumi and trying to deploy kubeflow on gcp. I am using pulumi python and GCP...and deployed pulumi kuberntes-gcp-python and now I would like to deploy kubeflow but I am stuck. Any help ? I have tried to run the following code but no success:Copy code
I am getting the following error: * the Kubernetes API server reported that "default/kubeflow-deployment-d5cb3c03" failed to fully initialize or become live: 'kubeflow-deployment-d5cb3c03' timed out waiting to be Ready * [MinimumReplicasUnavailable] Deployment does not have minimum availability. * [ProgressDeadlineExceeded] ReplicaSet "kubeflow-deployment-d5cb3c03-769cdfbd67" has timed out progressing. * Minimum number of live Pods was not attained * [Pod kubeflow-deployment-d5cb3c03-769cdfbd67-4lsjp]: containers with unready status: [kubeflow] -- [ImagePullBackOff] Back-off pulling image "kubeflow"# new kubeflow kubeflow = gcp.container.Registry("kubeflow") deployment = Deployment( "kubeflow-deployment", spec=DeploymentSpecArgs( replicas=1, selector=LabelSelectorArgs( match_labels={ "app": "kubeflow", }, ), template=PodTemplateSpecArgs( metadata=ObjectMetaArgs( labels={ "app": "kubeflow", }, ), spec=PodSpecArgs( containers=[ ContainerArgs( name="kubeflow", image="kubeflow", env=[ EnvVarArgs( name="NAMESPACE", value="kubeflow", ), ], command=["/bin/bash"], args=[ "-c", "/opt/deploy.sh", ] ) ] ) ) ), metadata=ObjectMetaArgs( labels={ "app": "kubeflow", } ) ) pulumi.export("name", deployment.metadata["name"]) # Allocate an IP to the Deployment. app_name = "kubeflow" app_labels = { "app": app_name } frontend = Service( app_name, metadata={ "labels": deployment.spec["template"]["metadata"]["labels"], }, spec={ "type": "LoadBalancer", "ports": [{ "port": 80, "target_port": 80, "protocol": "TCP" }], "selector": app_labels, }) # When "done", this will print the public IP. result = None ingress = frontend.status.apply(lambda v: v["load_balancer"]["ingress"][0] if "load_balancer" in v else None) if ingress is not None: result = ingress.apply(lambda v: v["ip"] if "ip" in v else v["hostname"]) pulumi.export("ip", result)p- 2
- 1
- v
victorious-florist-84818
03/14/2023, 9:49 AMHey, I have a question regarding the google native provider for Pulumi. Is it fully maintained by Pulumi, or is Google supporting this as well?b- 2
- 8
- b
billions-hydrogen-34268
03/15/2023, 5:43 PMI want to create a Log Router Sink. Is a ProjectSink what I should use?s- 2
- 4
- c
chilly-garage-80867
03/15/2023, 8:00 PMAnyone deploying Autopilot GKE getting this error? `````` - c
chilly-garage-80867
03/15/2023, 8:00 PMCopy codeError 400: Max pods constraint on node pools for Autopilot clusters should be 32. - a
adorable-activity-71456
03/15/2023, 10:39 PMHey, when running an up with changes to a template on a CloudRun service. We are getting the following error:
after the pulumi up runs for about 20 minutes.Error 409: The operation was aborted.v- 2
- 3
- s
stocky-restaurant-98004
03/16/2023, 6:23 PMHi. I wrote a blog post on bulk importing Google Cloud resources into Pulumi. Check it out! https://www.pulumi.com/blog/google-cloud-pulumi-import-account-scraper/