https://pulumi.com logo
Powered by
f

fast-easter-23401

11/30/2021, 6:59 PM
Hi everybody, I've been struggling to import a 
gcp.pubsub.SubscriptionIAMBinding
resource. I got first this error:
Copy code
gcp:pubsub:SubscriptionIAMBinding (communications-applications-worker-iam-binding):
    error: Preview failed: importing projects/<my-project-id>/subscriptions/<my-subscription-name>/roles/pubsub.subscriber: Wrong number of parts to Binding id [projects/<my-project-id>/subscriptions/<my-subscription-name>/roles/pubsub.subscriber]; expected 'resource_name role [condition_title]'.
Then, at the suggestions of @green-school-95910 (many thanks), I used a two-part string including the resource name and the role attached to the binding separated by a whitespace. But then I got the following error:
Copy code
gcp:pubsub:SubscriptionIAMBinding (communications-applications-worker-iam-binding):
    error: Preview failed: importing projects/<my-project-id>/subscriptions/<my-subscription-name> roles/pubsub.subscriber: project: required field is not set
I'm a bit puzzled, as the resource name does indeed contain a reference to the project. Here's my code (I'm using TS):
Copy code
const communicationsApplicationsWorker = new gcp.pubsub.SubscriptionIAMBinding(
  'communications-applications-worker-iam-binding',
  {
    project: projectId,
    members: [
      `serviceAccount:${serviceAccountEmail}`,
    ],
    role: 'roles/pubsub.subscriber',
    subscription: subscriptionName,
  },
  {
    import:
      `projects/${projectId}/subscriptions/${subscriptionName} roles/pubsub.subscriber`,
    protect: true,
  }
);
Any ideas what I'm doing wrong? Many thanks 🙂
p

prehistoric-activity-61023

11/30/2021, 7:01 PM
🤔 I could try to replicate that tomorrow on my GCP subscription
do you use default GCP provider or you explicitly create one in your project?
do you have project set there?
it’s a blind guess but that’s the only thing that came to my mind
f

fast-easter-23401

11/30/2021, 7:09 PM
Hi @prehistoric-activity-61023, Thanks for replying so quickly. 1. I'm using gcp (classic) provider. 2. The projectId is passed as a resource arg.
p

prehistoric-activity-61023

11/30/2021, 7:11 PM
How is your provider configured within the project though? Does it have a default project set?
(btw, can you paste the full import command you’re trying to use?)
g

green-school-95910

11/30/2021, 7:11 PM
There is a comment on the code with a not so gentle indication that this is unnecessary. I didn't read up to that point the last time
😅 1
Now for this specific error. During the import it doesn't use the value you provide on the resource. That is used on a later stage of the planning, when it calculates the diff. What the provider is doing is trying to get the 
project
field out of the return of the API. If it does not exist it falls back to the provider value. If the provider does not have a project ID it fails with the message you sent. Problem is, the method it uses on the API does not include a 
project
field on the response. So importing only works for pubsub subscriptions on the project set on the provider. It could get it from the resource path you are trying to import, but it doesn't. You can open an issue on Terraform's google-beta provider for that.
p

prehistoric-activity-61023

11/30/2021, 7:31 PM
@green-school-95910 so basically what I was guessing was right?
that’s why I asked how the provider is initialised and whether it has a default project set
g

green-school-95910

11/30/2021, 7:31 PM
Yeah, only works for the provider project. You were right
p

prehistoric-activity-61023

11/30/2021, 7:32 PM
so I guess as a workaround for @fast-easter-23401, he can explicitly set the project why executing the 
import
command
g

green-school-95910

11/30/2021, 7:33 PM
As the comment says, and I had totally forgot, IAMBinding and IAMMember resources are idempotent, there is no need to import them
👍 1
Creating over the existing ones do not fail and don't change anything
p

prehistoric-activity-61023

11/30/2021, 7:33 PM
I forgot about that as well 😅
anyway, I wonder if setting up a project would resolve the issue
I’d even try to pass it temporarily using env variable (I guess it might work)
something like:
Copy code
GOOGLE_PROJECT=use-this-you-blind-import-command pulumi import ...
😉
g

green-school-95910

11/30/2021, 7:36 PM
If it is the default global provider than yes, if it is an instance I don't think it reads from the environment
p

prehistoric-activity-61023

11/30/2021, 7:36 PM
I guess so
f

fast-easter-23401

11/30/2021, 7:37 PM
Very much appreciated, @green-school-95910 and @prehistoric-activity-61023.
p

prehistoric-activity-61023

11/30/2021, 7:37 PM
if you explicitly created a provider (that’s usually my case), you need to pass the project there
(but then again, you have to execute 
pulum import
with 
--provider
flag)
Anyway, if that operation is idempotent and you already have to specify all the data needed to create this resource while importing it… you might as well just write the resources yourself and forget about importing them 😄
f

fast-easter-23401

11/30/2021, 7:41 PM
That was my first reflex.
@future-nail-59564 ☝️
👍 1
👀 1
6 Views
Powered by