google-cloud
  • e

    eager-pillow-75917

    04/09/2020, 12:57 PM
    I don't want to have to create a bunch of copied and pasted code for each service.
  • e

    eager-pillow-75917

    04/09/2020, 5:26 PM
    I am trying to import a bucket that is sitting in another gcp project. My service account has the correct permissions, because I have been using this bucket to manage the stacks fine. But when I try to import I get a difference in project. Can I have in my stack a resource sitting in a gcp project different from the stack itself?
  • p

    prehistoric-account-60014

    04/09/2020, 11:05 PM
    Is there planned support for gs:// URLs when using RemoteAsset or RemoteArchive for the BucketObject source?
  • a

    abundant-airplane-93796

    04/13/2020, 2:00 PM
    I keep receiving a
    panic: fatal: An assertion has failed: Expected diff to not require deletion or replacement during Update of urn:pulumi:production::irisvr::gcp:container/cluster:Cluster::core
    whenever I try and update the masterAuthorizedNetworks attribute of one of my GKE clusters. Tried pulling detailed logs but nothing is clear to me to indicate why that's causing it to want to replace the cluster. Anyone got any tips for debugging?
  • p

    prehistoric-account-60014

    04/14/2020, 4:19 PM
    Can anybody comment as to why it is not recommended to use the default node pool for gcp.container.Cluster and it is recommended to use gcp.container.NodePool instead? I know that this is also Terraform’s recommendation but I wasn’t able to find the rationale behind it.
  • a

    adorable-action-51248

    04/17/2020, 8:04 AM
    Hoi! I have the issue that the creation of pub/sub and datasets fails when I have configured an encryption key for them. This setup requires the Encrypter/Decryptor role for the particular service accounts of pubsub and bigquery. I use CryptoKeyIAMBinding to provide access to the key for these service accounts. I also added these bindings as an explicit dependency to the construction of the pubsub topic and the dataset. When I look at the deployment, pulumi behaves as expected: it only starts the creation of the pubsub topics and the datasets after the key bindings are completed. So that's good. However, it seems that additional time needs to be waited, because when I rerun the deployment, it works just fine. Does anybody have a good idea for mitigations/solutions? Is there a way to configure retries? Or to introduce a “sleep” 🙈?
  • c

    clean-autumn-55516

    04/20/2020, 5:24 PM
    message has been deleted
  • b

    bland-lamp-16797

    04/22/2020, 2:06 PM
    I'm using a GCP bucket for storing the state. The bucket has a custom kms for encryption and each time when I run pulumi up it says
    warning: Could not get signed url for stack location: blob (key ".pulumi/stacks/deploy.json") (code=Unknown): to use SignedURL, you must call OpenBucket with a valid Options.GoogleAccessID and exactly one of Options.PrivateKey or Options.SignBytes
    Any idea why pulumi uses SignedURL for the state?
  • c

    clean-autumn-55516

    04/23/2020, 4:14 AM
    Is there a way to accomplish the following? https://cloud.google.com/run/docs/tutorials/pubsub#integrating-pubsub I want to trigger a cloud run service when a topic message is published. I easily got this going (from examples) for cloud functions, but wondering how I can do the same for a cloud run service that will be exposing endpoints.
  • h

    helpful-processor-86468

    04/24/2020, 7:15 AM
    https://www.pulumi.com/docs/reference/pkg/gcp/dns/managedzone/ Can somebody tell me how to get existing ManagedZone and what is this id field exactly?
  • c

    clean-autumn-55516

    04/24/2020, 11:04 PM
    has anyone successfully enabled CORS on a cloud run service?
  • e

    eager-vase-43200

    04/26/2020, 7:46 AM
    Hello everyone. I learnt about pulumi recently and would like to switch over from terraform. I am a developer who happens to also manage infrastructure. So, I hope that answers why pulumi. I just started working on migrating my gcp -> gke infrastructure management from terraform to pulumi using python sdk. The first problem I ran into this evening is that I use two different gcp service accounts for terraform backend state management and infrastructure management. Looks like I can not do that in pulumi or can I? Today
  • l

    little-photographer-65759

    04/28/2020, 6:16 AM
    Hi All, I am running into the below issue while creating a kubernetes cluster with pulumi. Version of Pulumi is 2.0.0. There was a clean npm install. Any pointers would be appreciated here. Thanks.
    Diagnostics:
      pulumi:pulumi:Stack (gke-gke-medium):
        error: Running program '/Users/raminder.kaler/gcloud/forgeops/cluster/pulumi/gcp/gke' failed with an unhandled exception:
        TSError: ⨯ Unable to compile TypeScript:
        cluster.ts(25,12): error TS2339: Property 'names' does not exist on type 'Promise<GetZonesResult>'.
        cluster.ts(36,34): error TS2339: Property 'latestNodeVersion' does not exist on type 'Promise<GetEngineVersionsResult>'.
        cluster.ts(95,43): error TS2339: Property 'latestMasterVersion' does not exist on type 'Promise<GetEngineVersionsResult>'.
  • c

    clean-autumn-55516

    04/29/2020, 3:39 AM
    This error just started happening today. I haven't changed anything regarding infrastructure
    Diagnostics:
      gcp:cloudrun:Service (api):
        error: 1 error occurred:
        	* updating urn:pulumi:gcp-fn::gcp-functions::gcp:cloudrun/service:Service::api: Error updating Service "locations/us-central1/namespaces/[secret]-reach-collector/services/api-d7cc8a9": googleapi: Error 409: Revision named 'api-d7cc8a9-00031-pag' with different configuration already exists.
  • c

    clean-autumn-55516

    04/29/2020, 3:39 AM
    I have tried pulumi refresh before doing a pulumi up but no luck.
  • h

    hallowed-rain-9096

    04/30/2020, 10:03 PM
    so i'm encountering the 409 from GCP that's mentioned here: https://pulumi-community.slack.com/archives/CRFUR2DGB/p1581516688055000 It seems like there wasn't any traction on this thread. I remember once upon a time convincing pulumi up to generate ludicrously verbose logs that included the HTTP responses from GCP's REST API. I might be able to bludgeon Cloud Run into submission if I can see the specific error that it returns with that 409 response. Can anyone help?
  • l

    limited-rain-96205

    05/01/2020, 5:53 PM
    Hi all. I'm getting a timeout error from GCP when trying to do ... well, anything really:
    debug: Dismissed an error as retryable. marked as timeout - Post <https://oauth2.googleapis.com/token>: dial tcp: i/o timeout
    This only happens when on our corporate VPN, but it's a little baffling because I can ping and telnet to https://oauth2.googleapis.com/ just fine (as well as any *.googleapis.com address). Is there any way to get more information about the token call it's making, beyond debug mode?
  • c

    clean-autumn-55516

    05/04/2020, 8:51 AM
    Is it possible to get a google managed service account? I want to add a role to a pub/sub service account but I get a 404 that the SA does not exist:
    const pubSubPushAuth = new gcp.serviceAccount.IAMBinding('pub-sub-push-auth', {
      members: [
        `serviceAccount:service-${gcpProjectNumber}@gcp-sa-pubsub.iam.gserviceaccount.com`,
      ],
      role: 'roles/iam.serviceAccountTokenCreator',
      serviceAccountId: `projects/${gcp.config.project}/serviceAccounts/service-${gcpProjectNumber}@gcp-sa-pubsub.iam.gserviceaccount.com`,
    });
  • d

    delightful-receptionist-13751

    05/04/2020, 12:35 PM
    Hi all, is there a tutorial for working with GCP / firebase (mainly firebase hosting, authentication, google cloud run) for running a webapp and a nodejs based backend? I am looking around for information but I am really having trouble getting anything together...
  • q

    quiet-wolf-18467

    05/06/2020, 9:14 PM
    The documentation on GCP serviceAccounts and policies is sooo bad that I just locked myself out of my entire project 😢
  • q

    quiet-wolf-18467

    05/06/2020, 9:27 PM
    To configure permissions for a service account to act as an identity that can manage other GCP resources, use the googleProjectIam set of resources.
  • q

    quiet-wolf-18467

    05/06/2020, 9:27 PM
    ^^ Nope
  • q

    quiet-wolf-18467

    05/06/2020, 9:51 PM
    That resource, which I assume had been renamed from a crude Terraform script that renamed google_project_iam, updates the project's entire binding, removing all the internal service agents, and it becomes FUBAR
  • g

    green-school-95910

    05/06/2020, 10:07 PM
    That is not a problem with Pulumi or Terraform docs. It is how the Google IAM API works. It is tricky and dangerous. And their docs are quite confusing
  • h

    hallowed-rain-9096

    05/06/2020, 10:07 PM
    looks like you used a binding instead of an IAMMember? There was a thread in #general that was very similar: https://pulumi-community.slack.com/archives/C84L4E3N1/p1588781964417300
  • h

    hallowed-rain-9096

    05/06/2020, 10:08 PM
    and yes, I second this:
    It is how the Google IAM API works. It is tricky and dangerous. And their docs are quite confusing
  • g

    green-school-95910

    05/06/2020, 10:10 PM
    The terraform IAM resources come from Google's Magic Modules, which describe those resources for terraform, ansible and a few others. By proxy, that affects how it was created on Pulumi.
  • q

    quiet-wolf-18467

    05/06/2020, 10:11 PM
    Well, the whole project is deleted now. I'll try to rebuild tomorrow. Hard lesson to learn
  • g

    green-school-95910

    05/06/2020, 10:11 PM
    Did you create it with a personal account or in an organization?
  • q

    quiet-wolf-18467

    05/06/2020, 10:11 PM
    Our organisation