bulky-afternoon-9964
09/18/2023, 6:01 PM
most-helmet-36442
09/21/2023, 2:13 AM
eager-pillow-46253
09/21/2023, 2:57 PM
{"code":400,"message":"Bad Request: User is not a member of Pulumi organization's backing identity provider."}
polite-ocean-13631
09/22/2023, 5:26 PM
pulumi-docker or similar with Pulumi Deployments? I'm thinking we'll need to set up QEMU in the pre-run commands
eager-pillow-46253
09/22/2023, 5:31 PM
eager-pillow-46253
09/22/2023, 5:33 PM
polite-ocean-13631
09/22/2023, 5:35 PM
pulumi locally, but we want to be able to use Pulumi Deployments for CI and gitops
damp-magazine-59707
09/26/2023, 3:37 PM
Exception: invoke of gcp:organizations/getProject:getProject failed: invocation of gcp:organizations/getProject:getProject returned an error: invoking gcp:organizations/getProject:getProject: 1 error occurred:
* Error when reading or editing Project "myproject": Get "https://cloudresourcemanager.googleapis.com/v1/projects/myproject?alt=json&prettyPrint=false": oauth2/google: unable to generate access token: Post "https://iamcredentials.googleapis.com/v1/projects/-/serviceAccounts/pulumi-dply-app-staging@myproject.iam.gserviceaccount.com:generateAccessToken": oauth2/google: status code 400: {"error":"invalid_request","error_description":"Invalid value for \"audience\". This value should be the full resource name of the Identity Provider. See https://cloud.google.com/iam/docs/reference/sts/rest/v1/TopLevel/token for the list of possible formats."}
i found this, which hints that i'm using the wrong values for the workload pool ID and identity provider ID:
I was using project name and full names for provider and pool id. After changing to number and just the short id for both worked like a charm
however, i've been unable to figure out the right format. https://cloud.google.com/iam/docs/reference/sts/rest/v1/TopLevel/token tells me that it expects audience to have the format //iam.googleapis.com/projects/<project-number>/locations/global/workloadIdentityPools/<pool-id>/providers/<provider-id>, which i've tried; i've also tried it without the //iam.googleapis.com/ prefix. i've tried a few other formats as well. can anyone help me figure out the exact format i should be using for those two values?
damp-magazine-59707
09/26/2023, 8:24 PM
audience?
damp-magazine-59707
09/26/2023, 9:29 PM
Project ID field must have the numeric project ID
• The "Workload Pool ID" and "Identity provider ID" fields must each have just the short ID, not the fully-qualified //iam.googleapis.com/... or even /projects/<project-number>/... .
that's definitely what this comment says, i just didn't follow it. some help text on this would be super helpful....
damp-magazine-59707
09/29/2023, 1:27 PM
shy-rain-22908
10/04/2023, 7:21 PM
abc but with different branch in the settings.
stack 1: qa branch in abc repo
stack 2: main branch in abc repo
Now, every time I create PR for qa and merge it. pulumi preview and pulumi up triggers both stack to run.
Am I doing anything wrong here? I want stack 1 to run when changing qa branch and only run stack 2 when changing main branch.
damp-magazine-59707
10/05/2023, 3:44 PM
pulumiservice provider, i find that the changes aren't really "finalized" by the provider -- i have to go in to the console, make no changes, and click "Save deployment configuration." all of the settings are fully populated by the provider, so it certainly appears to have worked, but it doesn't work until I click that save button. has anyone else run into this? Is there a step i'm missing?
clean-dusk-43198
10/07/2023, 2:11 PM
Diagnostics:
  pulumi:pulumi:Stack (smilingwords-gcp-management-prod):
    warning: unable to detect a global setting for GCP Project;
    Pulumi will rely on per-resource settings for this operation.
    Set the GCP Project by using:
    `pulumi config set gcp:project <project>`
    warning: unable to detect a global setting for GCP Project;
    Pulumi will rely on per-resource settings for this operation.
    Set the GCP Project by using:
    `pulumi config set gcp:project <project>`
    error: Running program '/deployment/index.ts' failed with an unhandled exception:
    <ref *1> Error: invocation of gcp:projects/getProject:getProject returned an error: invoking gcp:projects/getProject:getProject: 1 error occurred:
    * Error retrieving projects: Get "https://cloudresourcemanager.googleapis.com/v1/projects?alt=json&filter=name%3Asmw-bot+lifecycleState%3AACTIVE+labels.smw_bot%3Ay+labels.pulumi%3Ay": oauth2/google: unable to generate access token: Post "https://iamcredentials.googleapis.com/v1/projects/-/serviceAccounts/smw-bot-serviceaccount@smw-bot-qowk5.iam.gserviceaccount.com:generateAccessToken": oauth2/google: status code 400: {"error":"invalid_target","error_description":"The target service indicated by the \"audience\" parameters is invalid. This might either be because the pool or provider is disabled or deleted or because it doesn't exist."}

        at Object.callback (/deployment/node_modules/@pulumi/runtime/invoke.ts:172:37)
        at Object.onReceiveStatus (/deployment/node_modules/@grpc/grpc-js/src/client.ts:360:26)
        at Object.onReceiveStatus (/deployment/node_modules/@grpc/grpc-js/src/client-interceptors.ts:458:34)
        at Object.onReceiveStatus (/deployment/node_modules/@grpc/grpc-js/src/client-interceptors.ts:419:48)
        at /deployment/node_modules/@grpc/grpc-js/src/resolving-call.ts:132:24
        at processTicksAndRejections (node:internal/process/task_queues:77:11) {
      promise: Promise { <rejected> [Circular *1] }
    }
What is the issue or how it can be solved?
It would be very nice if someone would have the answer!
Please help 😕
Thanks in advance!
handsome-businessperson-23021
10/10/2023, 3:00 AM
bland-dog-47600
10/12/2023, 9:37 PM
Type Name Plan Info
pulumi:pulumi:Stack infra-production 1 error; 133 messages
Diagnostics:
pulumi:pulumi:Stack (infra-production):
# github.com/pulumi/pulumi-gcp/sdk/v6/go/gcp/compute
fatal error: runtime: out of memory
runtime stack:
runtime.throw({0xd7b769?, 0x20306f3?})
runtime/panic.go:1077 +0x5c fp=0xc00008bdb0 sp=0xc00008bd80 pc=0x444e3c
runtime.sysMapOS(0xc1bd400000, 0x1000000?)
I’m not sure what I can do to deal with it… Locally, pulumi update works without problems.
handsome-businessperson-23021
10/13/2023, 1:22 AM
gifted-gigabyte-53859
10/13/2023, 8:33 AM
$ /pulumi-deploy-executor pulumi update --stackIdentity="pinpayments/vm-aws-go/dev" --workDir="/deployment/vm-aws-go"
Updating (pinpayments/dev)

View Live: https://app.pulumi.com/pinpayments/vm-aws-go/dev/updates/3

@ Updating............................

@ Updating............
pulumi:pulumi:Stack vm-aws-go-dev go: github.com/gogo/protobuf@v1.3.2 requires
pulumi:pulumi:Stack vm-aws-go-dev github.com/kisielk/errcheck@v1.5.0: missing go.sum entry for go.mod file; to add it:
pulumi:pulumi:Stack vm-aws-go-dev go mod download github.com/kisielk/errcheck
pulumi:pulumi:Stack vm-aws-go-dev error: error in compiling Go: unable to run `go build`: exit status 1
pulumi:pulumi:Stack vm-aws-go-dev **failed** 1 error; 3 messages
Diagnostics:
  pulumi:pulumi:Stack (vm-aws-go-dev):
    go: github.com/gogo/protobuf@v1.3.2 requires
    github.com/kisielk/errcheck@v1.5.0: missing go.sum entry for go.mod file; to add it:
    go mod download github.com/kisielk/errcheck

    error: error in compiling Go: unable to run `go build`: exit status 1

Resources:

Duration: 10s

Error: Update failed: [resource plugin aws-6.0.2] installing
icy-yacht-9491
10/18/2023, 1:27 AM
handsome-businessperson-23021
10/19/2023, 1:19 PM
cuddly-flower-91328
10/25/2023, 4:28 PM
square-airplane-92568
10/27/2023, 4:44 PM
lemon-agent-27707
10/28/2023, 12:31 AM
ambitious-air-92938
10/31/2023, 2:20 PM
Error: Preview failed: error: getting stack configuration: get stack secrets manager: operation error KMS: Decrypt, failed to sign request: failed to retrieve credentials: failed to refresh cached credentials, no EC2 IMDS role found, operation error ec2imds: GetMetadata, canceled, context deadline exceeded
The IAM Role associated with the OIDC config and audience has admin privs across the whole AWS account.
Our stack config uses KMS as a secrets provider. The stack config is configured to use an AWS profile thus: awskms://alias/pulumi?region=eu-west-1&profile=<profile>&awssdk=v2 but I'm overriding that in the Deployment config with the mapping secretsprovider: awskms://alias/pulumi?region=eu-west-1 (at least I'm assuming that's overriding it). I've also verified that the KMS key has a policy attached to it that allows access from the whole AWS account.
Anyone have any ideas what I'm doing wrong?
ambitious-air-92938
10/31/2023, 2:22 PM
aws:profile and aws-classic:profile to empty in the environment variables Deployment config.
ambitious-air-92938
10/31/2023, 2:22 PM
ambitious-air-92938
11/01/2023, 10:32 AM
preview and it's taking on average 3-5 minutes before the preview is actually run (see attached). Running the same preview locally (but executed on Pulumi Cloud) takes only a few seconds for the preview to start, as does executing via Github Actions.
ambitious-air-92938
11/01/2023, 10:33 AM
hundreds-helmet-81573
11/21/2023, 3:05 AM
incalculable-plastic-17510
11/24/2023, 3:11 AM
pulumi/actions@v3
I create an ECR image like this
const imageWebDev = new awsx.ecr.Image(
  `web-${env}-image`,
  {
    repositoryUrl: ecrRepo.repositoryUrl,
    dockerfile: `Dockerfile`,
    path: "../../"
  },
  { protect: true }
);
And then pass it to my ec2 task definition like this
const taskDefinition = new awsx.ecs.EC2TaskDefinition(
  `web-${env}`,
  {
    containers: {
      app: {
        name: "app",
        image: imageWebDev.imageUri,
        cpu: 0,
        portMappings: [
          {
            containerPort: 3000,
            hostPort: 0,
            protocol: "tcp",
          },
        ],
        .
        .
        .
This runs fine locally but when running in the Github action I get the following error:
error: 1 error occurred:
* failed creating ECS Task Definition (web-production): ClientException: Container.image should not be null or empty.
I have tried the following
• creating a whole new stack
• using promises to ensure the task does not begin its update before the image is finished
• added in waiting to give things time to update
• assigned the uri to a new variable and passed that to the task definition
• hard coded in the latest image uri
This is my pulumi action
- name: Pulumi Update
  uses: pulumi/actions@v3
  with:
    command: up
    stack-name: prod
    comment-on-pr: true
    work-dir: ${{ env.WORKDIR }}
    upsert: true
  env:
    PULUMI_ACCESS_TOKEN: ${{ secrets.PULUMI_ACCESS_TOKEN }}