Hi there, I'm hoping to get some advice on using Pulumi with our existing GCP infrastructure. In sh...

gifted-shoe-94703

02/24/2025, 9:26 AM

Hi there, I'm hoping to get some advice on using Pulumi with our existing GCP infrastructure. In short, this week I dove into Pulumi and used it to stand up a new environment in GCP. This was actually remarkably successful given my limited experience. However, now I'd like to import an existing environment which we've previously provisioned manually. My plan is to use the

pulumi preview --import-file

command to get the JSON, and substitute in the IDs for the existing environment. This has been far from a smooth experience so far though. I expect to have many more problems, but right now the main one is importing GCP Project IAM members. No matter what syntax I use, it cannot find the resource. I've tried a syntax like (among others) which seems to more closely match the import docs for this resource, but no dice:

pulumi import gcp:projects/iAMMember:IAMMember default "projects/{project-id}/iam/serviceAccounts/{email} roles/storage.objectViewer"

I even looked at the state YAML file for the successfully deployed environment, and I see an ID for these resources which looks like:

{project-id}/roles/storage.objectViewer/serviceAccount:email

However, even using that exact ID - self-reported by Pulumi - it doesn't work (which is profoundly confusing). If anyone has any ideas/clues as to how I can import these resources, then please let me know. I'm at my wits end here 😅

late-jordan-34904

02/25/2025, 5:21 PM

Let me know if you find any solution for this, I'm stuck on the same exact issue

adorable-house-61348

02/25/2025, 5:49 PM

Hey @gifted-shoe-94703, sorry you struggled here. Looks like our docs might be wrong. The pulumi GCP provider is based on the TF GCP provider. Here are the TF import docs: https://registry.terraform.io/providers/hashicorp/google/latest/docs/resources/google_project_iam#importing-iam-members They suggest importing as

"{{project_id}} roles/viewer user:<mailto:foo@example.com|foo@example.com>"

late-jordan-34904

02/25/2025, 5:50 PM

I was able to import the IAMMember role for the account with the following command:

pulumi import gcp:projects/iAMMember:IAMMember pulumiName "GCP_PROJECT_ID ROLE_NAME serviceAccount:SERVICE_ACCOUNT_EMAIL"

late-jordan-34904

02/25/2025, 5:50 PM

thanks @adorable-house-61348

adorable-house-61348

02/25/2025, 5:51 PM

Awesome, glad to hear!

adorable-house-61348

02/25/2025, 5:55 PM

Opened https://github.com/pulumi/pulumi-gcp/issues/3006 for the docs problem

3 Views

Open in Slack

Previous Next

Pulumi Community

No matter how you like to participate in developer communities, Pulumi wants to meet you there. If you want to meet other Pulumi users to share use-cases and best practices, contribute code or documentation, see us at an event, or just tell a story about something cool you did with Pulumi, you are part of our community.