In order to namespace resources, using ephemeral p...
# google-cloud
d
In order to namespace resources, using ephemeral projects seems reasonable on GCP. However, the project module does not contain any functionality to create a project straight from pulumi. Has anyone achieved something like that?
b
Hi @damp-elephant-82829 So the GCP provider and SDK require a project to work in - it doesn't give the top level ability to create a project - it assumes one has already been created 😕
You could create a dynamic provider that shells out to the gcp cli to create a project as part of your pulumi up
d
the one annoying thing with that is that you cannot use projects as environments in GCP
which is what you would expect, especially if you use ephemeral environments
@broad-dog-22463 do you believe it makes sense for me to create that dynamic provider or am I overlooking something?
g
You can create projects within Pulumi... No problems with that. The thing is, you need credentials to do so. What we do is have one project called The Creators which only has service accounts. One of these accounts has the Project Creator role in a folder of the organization, therefore it can create projects in that folder and be the owner of them, having full access.
d
I have that, @green-school-95910. So you suggest I keep going that way with a custom resource
g
What would be the custom resource? I don't see why you would need one
d
Ti veste a new project dynamically in GCP. One project per stack
To create
g
Still, why a custom resource? You can just create the project with Pulumi normally as I said before
No need to reinvent the wheel
If you want better audit logs, create a service account in the new project, use it on a new provider and make all your resources a child of it. I have a ComponentResource that does all that and configures AppEngine and those extras. Then I just use the component resource as parent to what would be root resources. It becomes quite neat and simple
Also easy to add more projects per stack
I can share it if you like
d
If you can, that would be great
g
Here you go.
I was just removing some things specific for our need and adding the comments to help you out. There is one dependency, the `pulumi-gcp-components`, which is a package that I made with some utilities. You could just replace it with a loop receiving all the APIs that should be enabled
Ooo, just now I got what was your original confusion. You were looking for a `gcp.projects.Project` resource, but it is actually `gcp.organizations.Project`
Indeed that is confusing, especially because there is a `gcp.projects.getProject`
The `gcp.organizations` is for organization-wide IAM and resources (Policy and Projects) and for getting Organization and BillingAccount info. The `gcp.projects` module is for project-level IAM and enabling APIs. And there is the `gcp.folder` to organize those in (surprise surprise) folders. Sending it on the channel too in case someone else finds this confusing
d
Thanks! I will try to do that in Python, it shouldn’t be very difficult
@green-school-95910 is it possible to spin off those projects starting from another one? What I mean is that I would like to specify the project id of a root “qa” project, and use the billing account of that project
Additionally, I’d like to make it “per branch” but unfortunately the second time the stack runs it fails: Requested entity already exists. Can this be done in an idempotent manner / if the project already exists, do not create it?
g
You can use the getProject to get the billing account of the project you are using to create. And you can create a stack for each branch (dynamically). On the example I added it includes a random suffix after the stack, so no name overlap even if you recreate a branch after it is destroyed
d
I should call the getProject after I create the project? It won’t have any billing account if I created it without billing account
g
You can call it to get the project you are creating a new one with. And copy the billing account from it
d
I did it, excellent