pulumi-community #google-cloud

google-cloud

chilly-laptop-44574

04/02/2020, 2:07 AM

Hello guys!! What is the best practice to wait for the resource before applying further changes in GCP and Typescript? I have following flow: Project -> enable API -> enable Role

const myProject = new gcp.organizations.Project("gcp proj", settings)

const service = new gcp.projects.Service("Kubernetes Engine API", {

disableDependentServices: true,

project: myProject.projectId,

service: "<http://container.googleapis.com|container.googleapis.com>",

});

And then I want to grand permission to the service account (created by default by container.googleapis.com)

const iamMember = new gcp.projects.IAMMember("iamMember", {

project:  myProject.projectId,

role: "roles/compute.securityAdmin",

`member:

serviceAccount:<mailto:service-${myProject.number}@container-engine-robot.iam.gserviceaccount.com|service-${myProject.number}@container-engine-robot.iam.gserviceaccount.com>

});` But this generates error:

googleapi: Error 400: Service account <mailto:service-xxxxxxxxxx@container-engine-robot.iam.gserviceaccount.com|service-xxxxxxxxxx@container-engine-robot.iam.gserviceaccount.com> does not exist

When I run the

pulumi up

again then it works as service account has been already provisioned by that time by GCP. Is there any way to pull status of the service account and wait if not yet created before calling enabling the role.

helpful-processor-86468

04/03/2020, 9:18 AM

Error creating Service: googleapi: got HTTP response code 404 with body:

i couldn't create cloudrun service. Any thoughts why?

helpful-processor-86468

04/03/2020, 9:31 AM

can pulumi create

Cloud run (fully managed)

miniature-rose-15269

04/03/2020, 1:25 PM

I’m trying to create a Cloud Function that publishes to PubSub but running into a packaging issue on

pulumi up

. Been trying to sort it for a while but can’t crack it. Anyone run into it before?

👀 1

prehistoric-account-60014

04/03/2020, 7:18 PM

Is the following resource (

google_project_service

) from Terraform available in Pulumi? I can’t seem to find it in the docs. https://www.terraform.io/docs/providers/google/r/google_project_service.html

square-rose-64819

04/06/2020, 10:20 PM

i'm trying to access a remote docker image from within my ComponentResource, and i'm getting a 401 even though i can pull the image just fine with a

docker pull

. anyone know why this might be an issue?

square-rose-64819

04/06/2020, 10:20 PM

const imageRegistry = docker.getRegistryImage({
  name:`${imageName}:latest`
});

this.dockerImage = new docker.RemoteImage(`${name}-docker-image`, {
  name: imageRegistry.name!,
  pullTriggers: [imageRegistry.sha256Digest]
});

square-rose-64819

04/06/2020, 10:20 PM

pretty much straight out of the docs

square-rose-64819

04/07/2020, 7:10 PM

this is a gcr.io image for the record

square-rose-64819

04/07/2020, 7:10 PM

seems like it should just work, but maybe pulumi isn't accessing my credentials for docker?

square-rose-64819

04/07/2020, 8:36 PM

answering my own question: i was able to get this to work by using

gcp.container.getRegistryImage

instead of

docker.getRegistryImage

👍 1

broad-helmet-79436

04/08/2020, 11:34 AM

Hi! Just in case this is an instance of the XY problem and I’m asking about the wrong thing: My goal is to be able to upgrade the Kubernetes cluster master and node pool using Pulumi. I’ve somehow screwed up my container cluster’s

minMasterVersion

and

nodeVersion

fields, and set them to

undefined

instead of a string. If I try adding either field now, Pulumi wants to

update

my cluster, which I guess makes sense. However, it also wants to

replace

the kubernetes Provider I’ve created using outputs from the cluster resource (

name

endpoint

, and

masterAuth

). Note that I don’t use

minMasterVersion

nodeVersion

, although I guess that might not matter.

replace

-ing the Kubernetes provider also leads to replacing all my Kubernetes resources, which I very much do not want. Is there a way to add the

minMasterVersion

field without breaking my provider? `If I try adding

adorable-action-51248

04/08/2020, 2:13 PM

I am currently, getting

googleapi: Error 503: The service is currently unavailable.

when running

pulumi up

. also pulumi seems to hang until i abort with ctrl-c

adorable-action-51248

04/08/2020, 2:17 PM

mmh. the firebase console also doesnt work….

square-rose-64819

04/08/2020, 9:34 PM

getting an image from the container registry is actually a huge pain

square-rose-64819

04/08/2020, 9:35 PM

all of the docker commands and gcloud commands work - i'm able to pull an image out of my project's google cloud registry, check the digest, etc

square-rose-64819

04/08/2020, 9:35 PM

but doing this does not work, and doesn't yield a digest:

const registryImage = gcp.container.getRegistryImage({
                name: imageName,
                tag: "latest"
            });

square-rose-64819

04/08/2020, 9:36 PM

for

imageName

, ive tried every combo of: gcr.io/myproject/myimage, gcr.io/myproject/myimage:tag, myimage, myimage:tag

square-rose-64819

04/08/2020, 9:39 PM

super super frustrating

square-rose-64819

04/08/2020, 10:28 PM

what i said yesterday about using

gcp.container.getRegistryImage

was wrong

square-rose-64819

04/08/2020, 10:42 PM

looks like someone is doing this with terraform: https://roidelapluie.be/blog/2019/04/22/docker-gcp-terraform/

square-rose-64819

04/08/2020, 10:42 PM

unclear how that translates to pulumi

square-rose-64819

04/09/2020, 2:37 AM

i'm still not able to get this to work

square-rose-64819

04/09/2020, 2:37 AM

here's what i have:

const provider = new docker.Provider("registry", {
                registryAuth: [{
                    address: "<http://gcr.io|gcr.io>",
                    username: "oauth2accesstoken",
                    // gcloud auth print-access-token | pulumi config set --secret gcpAuthToken
                    password: config.requireSecret("gcpAuthToken")
                }]
            });

            const registryImage = docker.getRegistryImage({
                name: imageName,
            }, {
                provider,
                async: true
            });

            if (!(registryImage.name && registryImage.sha256Digest)) {
                throw new Error("Unable to get registry image")
            }

            this.dockerImage = new docker.RemoteImage(`${name}-docker-image`, {
                name: registryImage.name!,
                pullTriggers: [registryImage.sha256Digest!],
            }, {
                provider,
                parent: this,
            });

square-rose-64819

04/09/2020, 2:38 AM

this still results in a 401

square-rose-64819

04/09/2020, 2:41 AM

Diagnostics:
  pulumi:pulumi:Stack (------------):
    error: Running program '----' failed with an unhandled exception:
    Error: Unable to get registry image
        at new CloudRunService (------------/resources/CloudRunService.ts:143:23)
        at Object.<anonymous> (------------/configurations/CloudRun.ts:13:40)
        at Module._compile (internal/modules/cjs/loader.js:1151:30)
        at Module.m._compile (------------/node_modules/ts-node/src/index.ts:439:23)
        at Module._extensions..js (internal/modules/cjs/loader.js:1171:10)
        at Object.require.extensions.<computed> [as .ts] (------------/node_modules/ts-node/src/index.ts:442:12)
        at Module.load (internal/modules/cjs/loader.js:1000:32)
        at Function.Module._load (internal/modules/cjs/loader.js:899:14)
        at Module.require (internal/modules/cjs/loader.js:1040:19)
        at require (internal/modules/cjs/helpers.js:72:18)
    error: Running program '--------------' failed with an unhandled exception:
    Error: invocation of docker:index/getRegistryImage:getRegistryImage returned an error: invoking docker:index/getRegistryImage:getRegistryImage: Got error when attempting to fetch image version from registry: Got bad response from registry: 401 Unauthorized
        at ------------g/node_modules/@pulumi/pulumi/runtime/invoke.js:172:33
        at Object.onReceiveStatus (------------/node_modules/grpc/src/client_interceptors.js:1210:9)
        at InterceptingListener._callNext (------------/node_modules/grpc/src/client_interceptors.js:568:42)
        at InterceptingListener.onReceiveStatus (------------/node_modules/grpc/src/client_interceptors.js:618:8)
        at callback (------------/node_modules/grpc/src/client_interceptors.js:847:24)

eager-pillow-75917

04/09/2020, 12:56 PM

Hi there! I need to activate about 30+ different Service APIs for GCP. and I created an array with all of them and then a for loop going through the array, but I am getting this error for some of them:

gcp:projects:Service (<http://file.googleapis.com|file.googleapis.com>):
    error: pre-step event returned an error: failed to save snapshot: An IO error occurred during the current operation: blob (key ".pulumi/stacks/infra-staging.json") (code=Unknown): googleapi: Error 429: The rate of change requests to the object onec-pulumi-ops-staging/.pulumi/stacks/infra-staging.json exceeds the rate limit. Please reduce the rate of create, update, and delete requests., rateLimitExceeded

eager-pillow-75917

04/09/2020, 12:56 PM

serviceAPIs.forEach(service => {
    const serviceAPI = new gcp.projects.Service(service, {
        disableDependentServices: true,
        project: config.projectID,
        service: service,
    }); 
});

eager-pillow-75917

04/09/2020, 12:56 PM

serviceAPIs

is my array.

eager-pillow-75917

04/09/2020, 12:57 PM

what should I do in this case?