#general

orange-tailor-85423

10/22/2018, 5:52 PM
Struggling a bit with something that seems pretty simple in TF - building a service account then calling the ID of that account. I think I'm missing something simple but could use some review

creamy-potato-29402

10/22/2018, 6:37 PM
@orange-tailor-85423 what do you mean “calling the ID of that account”?

orange-tailor-85423

10/22/2018, 6:37 PM
what that API expects - it wants the service account ID; /projects/mindbody/etc/etc/serviceaccount
So I created that account - now I need to get that serviceAccountID and pass it to the function that creates the IAM/permissions

creamy-potato-29402

10/22/2018, 6:38 PM
Uh, in the code below you’re populating serviceAccountId with newserviceaccount.metadata.get(), which does not seem right. You probably want newserviceaccount.metadata.apply(m => m.name) or something like that.

orange-tailor-85423

10/22/2018, 6:38 PM
ok

creamy-potato-29402

10/22/2018, 6:39 PM
But, that does not look like what you’re doing before?
er, below?
What is google_service_account.k8s_node.name?
Is that equivalent to .metadata.name?
Because it looks like that’s actually supposed to be a google_service_account, not a Kubernetes ServiceAccount

orange-tailor-85423

10/22/2018, 6:40 PM
yea, I think just bad naming on our part

creamy-potato-29402

10/22/2018, 6:41 PM
No, I mean that the GCP API seems to be asking for the ID of a GCP service account.

orange-tailor-85423

10/22/2018, 6:41 PM
ok - so I guess more general - I want to do this in a function rather than static const

creamy-potato-29402

10/22/2018, 6:41 PM
You’re making a Kubernetes service account.

orange-tailor-85423

10/22/2018, 6:42 PM
Here's what the service account looks like in another project
it's an IAM account (GCP)

creamy-potato-29402

10/22/2018, 6:43 PM
Yes, the IAM account is bound to a GCP service account. But you’re making a Kubernetes service account, right?
@orange-tailor-85423 in other words, look at your code, you’re using new k8s.core.v1.ServiceAccount, but you need new gcp.serviceAccount.Account(...), right?

orange-tailor-85423

10/22/2018, 7:39 PM
yep - working on this too late at night
ugh
now what if I do those operations in a function....how can I leverage that object that the 1st function created?
just do a return of the var object?

creamy-potato-29402

10/22/2018, 7:41 PM
hmm, not sure I understand.
oh you mean
you want to put it into a function

orange-tailor-85423

10/22/2018, 7:41 PM
yes
for example
export function createNodeServiceAccount(clusterName: string) {
    var sa = new gcp.serviceAccount.Account("k8s_node", {
        accountId: `${clusterName}-k8s-node1`,
        displayName: `Service Account - ${clusterName} - K8s node`
    })
    return sa
}
then call what got created to pass into this function:
export function createServiceAccountIamMember(serviceAccountID: string) {
    var sam = new gcp.serviceAccount.IAMMember("k8s_node_account_iam", {
        serviceAccountId: sa.serviceAccountId,
        role: "roles/iam.serviceAccountUser",
        member: "serviceAccount:terraform@mindbody-admin.iam.gserviceaccount.com"
    })
    return sam
}

creamy-potato-29402

10/22/2018, 7:43 PM
even something like this should work:
function foo() {
    return [new gcp.serviceAccount.Account(...), new gcp.serviceAccount.IAMMember(...)]
}

orange-tailor-85423

10/22/2018, 7:43 PM
oh I see - just called inside the other function
that way I can just create an account or do both operations

creamy-potato-29402

10/22/2018, 7:44 PM
Yeah

orange-tailor-85423

10/22/2018, 7:45 PM
trying
thanks Alex
I'm showing this to some people later on so need to get something working - hehe

creamy-potato-29402

10/22/2018, 7:46 PM
or you could write your own component class:
export class IamServiceAccount extends pulumi.ComponentResource {
    private readonly sa: gcp.serviceAccount.Account;
    private readonly iam: gcp.serviceAccount.IAMMember;
    constructor(...) {
        super(...) // a derived class must call super before touching `this`
        this.sa = new gcp.serviceAccount.Account(...)
        this.iam = new gcp.serviceAccount.IAMMember(...)
    }
}
Then you could just do something like new IamServiceAccount(...)