Hi everybody I ve been struggling to import a `gcp pubsub Su Pulumi Community #google-cloud

Hi everybody, I've been struggling to import a `gc...

fast-easter-23401

11/30/2021, 6:59 PM

Hi everybody, I've been struggling to import a

gcp.pubsub.SubscriptionIAMBinding

resource. I got first this error:

Copy code

gcp:pubsub:SubscriptionIAMBinding (communications-applications-worker-iam-binding):
    error: Preview failed: importing projects/<my-project-id>/subscriptions/<my-subscription-name>/roles/pubsub.subscriber: Wrong number of parts to Binding id [projects/<my-project-id>/subscriptions/<my-subscription-name>/roles/pubsub.subscriber]; expected 'resource_name role [condition_title]'.

Then, at the suggestions of @green-school-95910 (many thanks), I used a two-part string including the resource name and the role attached to the binding separated by a whitespace. But then I got the following error:

Copy code

gcp:pubsub:SubscriptionIAMBinding (communications-applications-worker-iam-binding):
    error: Preview failed: importing projects/<my-project-id>/subscriptions/<my-subscription-name> roles/pubsub.subscriber: project: required field is not set

I'm a bit puzzled, as the resource name does indeed contain a reference to the project. Here's my code (I'm using TS):

Copy code

const communicationsApplicationsWorker = new gcp.pubsub.SubscriptionIAMBinding(
  'communications-applications-worker-iam-binding',
  {
    project: projectId,
    members: [
      `serviceAccount:${serviceAccountEmail}`,
    ],
    role: 'roles/pubsub.subscriber',
    subscription: subscriptionName,
  },
  {
    import:
      `projects/${projectId}/subscriptions/${subscriptionName} roles/pubsub.subscriber`,
    protect: true,
  }
);

Any ideas what I'm doing wrong? Many thanks 🙂

prehistoric-activity-61023

11/30/2021, 7:01 PM

🤔 I could try to replicate that tomorrow on my GCP subscription

prehistoric-activity-61023

11/30/2021, 7:02 PM

do you use default GCP provider or you explicitly create one in your project?

prehistoric-activity-61023

11/30/2021, 7:02 PM

do you have project set there?

prehistoric-activity-61023

11/30/2021, 7:03 PM

it’s a blind guess but that’s the only thing that came to my mind

fast-easter-23401

11/30/2021, 7:09 PM

Hi @prehistoric-activity-61023, Thanks for replying so quickly. 1. I'm using gcp (classic) provider. 2. The projectId is passed as a resource arg.

prehistoric-activity-61023

11/30/2021, 7:11 PM

How is your provider configured within the project though? Does it have a default project set?

prehistoric-activity-61023

11/30/2021, 7:11 PM

(btw, can you paste the full import command you’re trying to use?)

green-school-95910

11/30/2021, 7:11 PM

There is a comment on the code with a not so gentle indication that this is unnecessary. I didn't read up to that point the last time

green-school-95910

11/30/2021, 7:12 PM

😅 1

green-school-95910

11/30/2021, 7:30 PM

Now for this specific error. During the import it doesn't use the value you provide on the resource. That is used on a later stage of the planning, when it calculates the diff. What the provider is doing is trying to get the

project

field out of the return of the API. If it does not exist it falls back to the provider value. If the provider does not have a project ID it fails with the message you sent. Problem is, the method it uses on the API does not include a

project

field on the response. So importing only works for pubsub subscriptions on the project set on the provider. It could get it from the resource path you are trying to import, but it doesn't. You can open an issue on Terraform's google-beta provider for that.

prehistoric-activity-61023

11/30/2021, 7:31 PM

@green-school-95910 so basically what I was guessing was right?

prehistoric-activity-61023

11/30/2021, 7:31 PM

that’s why I asked how the provider is initialised and whether it has a default project set

green-school-95910

11/30/2021, 7:31 PM

Yeah, only works for the provider project. You were right

prehistoric-activity-61023

11/30/2021, 7:32 PM

so I guess as a workaround for @fast-easter-23401, he can explicitly set the project why executing the

import

command

green-school-95910

11/30/2021, 7:33 PM

As the comment says, and I had totally forgot, IAMBinding and IAMMember resources are idempotent, there is no need to import them

👍 1

green-school-95910

11/30/2021, 7:33 PM

Creating over the existing ones do not fail and don't change anything

prehistoric-activity-61023

11/30/2021, 7:33 PM

I forgot about that as well 😅

prehistoric-activity-61023

11/30/2021, 7:34 PM

anyway, I wonder if setting up a project would resolve the issue

prehistoric-activity-61023

11/30/2021, 7:34 PM

I’d even try to pass it temporarily using env variable (I guess it might work)

prehistoric-activity-61023

11/30/2021, 7:35 PM

something like:

Copy code

GOOGLE_PROJECT=use-this-you-blind-import-command pulumi import ...

😉

green-school-95910

11/30/2021, 7:36 PM

If it is the default global provider than yes, if it is an instance I don't think it reads from the environment

prehistoric-activity-61023

11/30/2021, 7:36 PM

I guess so

fast-easter-23401

11/30/2021, 7:37 PM

Very much appreciated, @green-school-95910 and @prehistoric-activity-61023.

prehistoric-activity-61023

11/30/2021, 7:37 PM

if you explicitly created a provider (that’s usually my case), you need to pass the project there

prehistoric-activity-61023

11/30/2021, 7:37 PM

(but then again, you have to execute

pulum import

with

--provider

flag)

prehistoric-activity-61023

11/30/2021, 7:38 PM

Anyway, if that operation is idempotent and you already have to specify all the data needed to create this resource while importing it… you might as well just write the resources yourself and forget about importing them 😄

fast-easter-23401

11/30/2021, 7:41 PM

That was my first reflex.

fast-easter-23401

11/30/2021, 7:44 PM

@future-nail-59564 ☝️

👍 1

👀 1

7 Views

Open in Slack

Previous Next