pulumi-community #google-cloud

eager-pillow-75917

04/09/2020, 5:26 PM

I am trying to import a bucket that is sitting in another gcp project. My service account has the correct permissions, because I have been using this bucket to manage the stacks fine. but when I try to import I get a difference in project. Can I have in my stack a resource sitting in a gcp project different from the stack it self?

prehistoric-account-60014

04/09/2020, 11:05 PM

Is there planned support for

gs://

URLs when using

RemoteAsset

RemoteArchive

for the

BucketObject

source

abundant-airplane-93796

04/13/2020, 2:00 PM

I keep receiving a

Copy code

panic: fatal: An assertion has failed: Expected diff to not require deletion or replacement during Update of urn:pulumi:production::irisvr::gcp:container/cluster:Cluster::core

whenever I try and update the

masterAuthorizedNetworks

attribute of one of my GKE clusters. tried pulling detailed logs but nothing is clear to me to indicate why that's causing it to want to replace the cluster. Anyone got any tips for debugging?

prehistoric-account-60014

04/14/2020, 4:19 PM

Can anybody comment as to why it is not recommended to use the default node pool for

gcp.container.Cluster

and it is recommended to use

gcp.container.NodePool

instead? I know that this is also Terraform’s recommendation but I wasn’t able to find the rationale behind it.

adorable-action-51248

04/17/2020, 8:04 AM

Hoi ! I have the issue that the creation of pub/sub and datasets fail when i have configured an encryption key for them. This setup requires the Encrypter/Decryptor role for the particular service accounts of pubsub and bigquery. I use CryptoKeyIAMBinding to provide access the key for these services accounts. I also added these bindings as an explicit dependency to the construction of the pubsub topc and the dataset. When I look at the deployment, pulumi behaves as expected: it only starts the creation of the pubsub topics and the datasets after the key bindings are completed. so thats good. however, it seems that additional time needs to be waited. because when i rerun the deployment, it works just fine. does anybody have a good idea for mitigations/solutions ? is there a way to configure retires ? or to introduce a “sleep” 🙈 ?

faint-table-42725

04/20/2020, 8:50 PM

There’s no easy way today due to the fact that there’s no control over

package.json

in the mixin: https://github.com/pulumi/pulumi-gcp/blob/master/sdk/nodejs/cloudfunctions/zMixins.ts#L243

bland-lamp-16797

04/22/2020, 2:06 PM

I'm using GCP bucket for storing the state. The bucket has a custom kms for encryption and each time when I run

pulumi up

is says

warning: Could not get signed url for stack location: blob (key ".pulumi/stacks/deploy.json") (code=Unknown): to use SignedURL, you must call OpenBucket with a valid Options.GoogleAccessID and exactly one of Options.PrivateKey or Options.SignBytes

Any idea why pulumi uses SignedURL for the state?

clean-autumn-55516

04/23/2020, 4:14 AM

Is there a way to accomplish the follow? https://cloud.google.com/run/docs/tutorials/pubsub#integrating-pubsub I want to trigger a cloud run service when a topic message is published. I easily got this going (from examples) for cloud functions, but wondering how I can do the same for a cloud run service that will be exposing endpoints.

helpful-processor-86468

04/24/2020, 7:15 AM

https://www.pulumi.com/docs/reference/pkg/gcp/dns/managedzone/ Can somebody tell me how to get existing ManagedZone and what is this id field exactly?

clean-autumn-55516

04/24/2020, 11:04 PM

has anyone successfully enabled CORS on a cloud run service?

eager-vase-43200

04/26/2020, 7:46 AM

Hello everyone. I learnt about pulumi recently and would like to switch over from terraform. I am a developer who happens to also manage infrastructure. So, I hope that answers why pulumi. I just started working on mmigrating my gcp -> gke infrastructure management from terraform to pulumi using python sdk. The first problem I ran into this evening is that, I use two different gcp service accounts for terrform backend state management and infrastructure management. Looks like I can not do that in pulumi or can I? Today

little-photographer-65759

04/28/2020, 6:16 AM

Hi All , I am running into below issue while creating kubernetes cluster with pulumi. Version of Pulumi is 2.0.0. There was a clean npm install. Any pointers would be appreciated here. Thanks. Diagnostics:

pulumi:pulumi:Stack (gke-gke-medium):

error: Running program '/Users/raminder.kaler/gcloud/forgeops/cluster/pulumi/gcp/gke' failed with an unhandled exception:

TSError: ⨯ Unable to compile TypeScript:

cluster.ts(25,12): error TS2339: Property 'names' does not exist on type 'Promise<GetZonesResult>'.

cluster.ts(36,34): error TS2339: Property 'latestNodeVersion' does not exist on type 'Promise<GetEngineVersionsResult>'.

cluster.ts(95,43): error TS2339: Property 'latestMasterVersion' does not exist on type 'Promise<GetEngineVersionsResult>'.

clean-autumn-55516

04/29/2020, 3:39 AM

This error just started happening today. I haven't changed anything regarding infrastructure

Copy code

Diagnostics:
  gcp:cloudrun:Service (api):
    error: 1 error occurred:
    	* updating urn:pulumi:gcp-fn::gcp-functions::gcp:cloudrun/service:Service::api: Error updating Service "locations/us-central1/namespaces/[secret]-reach-collector/services/api-d7cc8a9": googleapi: Error 409: Revision named 'api-d7cc8a9-00031-pag' with different configuration already exists.

clean-autumn-55516

04/29/2020, 3:39 AM

I have tried

pulumi refresh

before doing a

pulumi up

but no luck.

hallowed-rain-9096

04/30/2020, 10:03 PM

so i'm encountering the 409 from GCP that's mentioned here: https://pulumi-community.slack.com/archives/CRFUR2DGB/p1581516688055000 It seems like there wasn't any traction on this thread. I remember once upon a time convincing

pulumi up

to generate ludicrously verbose logs that included the HTTP responses from GCP's REST API. I might be able to bludgeon Cloud Run into submission if I can see the specific error that it returns with that 409 response. Can anyone help?

limited-rain-96205

05/01/2020, 5:53 PM

Hi all. I'm getting a timeout error from GCP when trying to do ... well, anything really:

Copy code

debug: Dismissed an error as retryable. marked as timeout - Post <https://oauth2.googleapis.com/token>: dial tcp: i/o timeout

This only happens when on our corporate VPN, but it's a little baffling because I can ping and telnet to https://oauth2.googleapis.com/ just fine (as well as any *.googleapis.com address). Is there any way to get more information about the token call it's making, beyond debug mode?

clean-autumn-55516

05/04/2020, 8:51 AM

Is it possible to get a google managed service account? I want to add a role to a pub/sub service account but I get a 404 that the SA does not exists:

Copy code

const pubSubPushAuth = new gcp.serviceAccount.IAMBinding('pub-sub-push-auth', {
  members: [
    `serviceAccount:<mailto:service-${gcpProjectNumber}@gcp-sa-pubsub.iam.gserviceaccount.com|service-${gcpProjectNumber}@gcp-sa-pubsub.iam.gserviceaccount.com>`,
  ],
  role: 'roles/iam.serviceAccountTokenCreator',
  serviceAccountId: `<mailto:projects/${gcp.config.project}/serviceAccounts/service-${gcpProjectNumber}@gcp-sa-pubsub.iam.gserviceaccount.com|projects/${gcp.config.project}/serviceAccounts/service-${gcpProjectNumber}@gcp-sa-pubsub.iam.gserviceaccount.com>`,
});

delightful-receptionist-13751

05/04/2020, 12:35 PM

Hi all, Is there a tutorial for working with GCP / firebase (mainly firebase hosting, authentication, google cloud run) for running a webapp and a nodejs base backend? I am looking around for information but I really having troubles to get anything together...

quiet-wolf-18467

05/06/2020, 9:14 PM

The documentation on GCP serviceAccounts and policies is sooo bad that I just locked myself out of my entire project 😢

quiet-wolf-18467

05/06/2020, 9:27 PM

To configure permissions for a service account to act as an identity that can manage other GCP resources, use the googleProjectIam set of resources.

quiet-wolf-18467

05/06/2020, 9:27 PM

^^ Nope

quiet-wolf-18467

05/06/2020, 9:51 PM

That resource, which I assume had been renamed from a crude Terraform script that renamed google_project_iam; updates the projects entire binding; removing all the internal service agents and it becomes FUBAR

green-school-95910

05/06/2020, 10:07 PM

That is not a problem with Pulumi or Terraform docs. It is how Google IAM API work. It is tricky and dangerous. And their docs are quite confusing

hallowed-rain-9096

05/06/2020, 10:07 PM

looks like you used a binding instead of an IAMMember? There was a thread in #general that was very similar: https://pulumi-community.slack.com/archives/C84L4E3N1/p1588781964417300

hallowed-rain-9096

05/06/2020, 10:08 PM

and yes, I second this:

It is how Google IAM API work. It is tricky and dangerous. And their docs are quite confusing

green-school-95910

05/06/2020, 10:10 PM

The terraform IAM resources comes from Google's Magic Modules which describes those resource for terraform, ansible and a few others. By proxy, that affects how it was created on Pulumi.

quiet-wolf-18467

05/06/2020, 10:11 PM

Well, the whole project is deleted now. I'll try to rebuild tomorrow. Hard lesson to learn

green-school-95910

05/06/2020, 10:11 PM

Did you create it with a personal account out in an organization?

quiet-wolf-18467

05/06/2020, 10:11 PM

Our organisation

green-school-95910

05/06/2020, 10:12 PM

If it was in a organization the admin can control the IAM and regain control over it