pulumi-community #google-cloud

quiet-wolf-18467

05/06/2020, 10:12 PM

But even when I got my permissions back, all the GCloud service agents were gone. Nothing worked

green-school-95910

05/06/2020, 10:12 PM

Yeah, you'll have to create them back manually

green-school-95910

05/06/2020, 10:13 PM

If you really want the project back it can be done

green-school-95910

05/06/2020, 10:13 PM

It's just a lot of work

quiet-wolf-18467

05/06/2020, 10:13 PM

I'll take 24 hours downtime and rebuild. It's not mission critical

quiet-wolf-18467

05/06/2020, 10:24 PM

Why didn't the preview show me this change, out of curiosity?

quiet-wolf-18467

05/08/2020, 3:57 PM

Copy code

const kamusKmsAdminPerms = new gcp.projects.IAMMember("kamus-kms-admin", {
        member: serviceAccount.email,
        role: "roles/cloudkms.admin", // May also need roles/cloudkms.cryptoKeyEncrypterDecrypter
        project: serviceAccount.project,
    });

quiet-wolf-18467

05/08/2020, 3:58 PM

This won't destroy my project again, will it? CC @green-school-95910 🙂

quiet-wolf-18467

05/08/2020, 3:58 PM

Sorry for the tag, but I don't want to ruin my weekend

hallowed-rain-9096

05/08/2020, 4:03 PM

isn't deploying on Fridays against the rules anyway? 😉

quiet-wolf-18467

05/08/2020, 4:06 PM

It worked 😮

green-school-95910

05/08/2020, 4:11 PM

Yes, that is the way to do it.

green-school-95910

05/08/2020, 4:13 PM

It links one member in one of the role bindings From my experience, in all IaaS that I have used, managing full bindings directly never ends well

green-school-95910

05/08/2020, 4:15 PM

It is not even limited to destroy, you create a IAMBinding for the same role on more than one place and they would replace each other on every change.

quiet-wolf-18467

05/08/2020, 4:17 PM

I don't know why

IAMPolicy

and

IAMBinding

exist, those are wild

green-school-95910

05/08/2020, 4:18 PM

They make sense on some very edge cases when you want to completely sync your permissions from somewhere else

hallowed-rain-9096

05/08/2020, 4:18 PM

i use IAMPolicy scoped to a cloud run service, because I know exactly who should have any kind of access to that service. At a global level...yikes... 😱

green-school-95910

05/08/2020, 4:18 PM

I believe the permission sync from LDAP uses them

green-school-95910

05/08/2020, 4:20 PM

Yeah as @hallowed-rain-9096 said, at resource level they make more sense, even if they are still dangerous. If you do that on AppEngine you can make a lot of its internals stop working

hallowed-rain-9096

05/08/2020, 4:24 PM

AppEngine is a weird beast anyway, especially with IAP

bland-lamp-16797

05/14/2020, 12:44 PM

pulumi destroy stack

? it's not same as

pulumi stack rm

eager-table-17755

05/16/2020, 11:30 AM

Hello 👋 I'm not sure, whether this is the right channel... I'm using Pulumi (❤️ I love it so far) to deploy a Cloud Run service. During the new version release, I'd like to perform DB migrations, but I haven't found the right place to do it. It could happen on every container start, but that introduces a significant startup overhead 😞 Is there something like a hook, to execute, when a new service version is being deployed?

limited-rainbow-51650

05/18/2020, 10:47 AM

On Gitlab, I can create a CI secret variable that will be created as a file. In my case, this worked perfectly for the

GOOGLE_APPLICATION_CREDENTIALS

. But how should I do it on Github Actions? Setting the secret to the content of the file doesn’t work. Should I create the file myself, passing the content of the secret and then setting an

env

variable in the workflow yaml script?

limited-rainbow-51650

05/18/2020, 10:48 AM

For completeness, yes I found this: https://github.com/marketplace/actions/setup-gcloud-environment But adding this to my setup adds to my total Github Actions run time just to have the env variable set….

limited-rainbow-51650

05/18/2020, 10:49 AM

@broad-dog-22463 any idea here?

broad-dog-22463

05/18/2020, 10:51 AM

When using GHA, I created a secret

GCP_CREDENTIALS

and the GCP provider read that

broad-dog-22463

05/18/2020, 10:51 AM

https://github.com/pulumi/examples/blob/master/.github/workflows/ci.yml#L28

broad-dog-22463

05/18/2020, 10:52 AM

FWIW, I also add the login

broad-dog-22463

05/18/2020, 10:52 AM

https://github.com/pulumi/examples/blob/master/.github/workflows/ci.yml#L77

limited-rainbow-51650

05/18/2020, 10:52 AM

But that latter line takes time by installing the gcloud binaries, no?