# general
b
It would be a shame to switch from Pulumi to gcloud CLI just because of this 😞
I've managed to work around this by creating a function with Pulumi, then deploying it once with gcloud (to enable Allow Unauthenticated) and then deploy again with Pulumi, but this is madness...
b
Hi @broad-breakfast-39210 This sample deploys a public function - https://github.com/pulumi/examples/blob/master/gcp-ts-functions/index.ts - has this type of thing not worked for you?
b
@broad-dog-22463 nope, I think it's outdated, `member: "allUsers"` is not enough anymore to be truly public
Looks like it changed sometime in late 2019 and Pulumi/Terraform didn't catch up with it yet
b
@broad-breakfast-39210 we have running tests at night that are testing this function that are passing so I'm confused here
our tests ensure we can curl the endpoint
Notice that I am attaching a FunctionIamMember to the function
b
@broad-dog-22463 Yes, I'm doing everything the same, I'm following the python example but it's doing the same thing pretty much in terms of FunctionIamMember https://github.com/pulumi/examples/blob/master/gcp-py-functions/__main__.py
b
are you getting an error? or it's just not invoking?
b
It does get the `allUsers` or `ALLOW_ALL` permissions, but with a function created by Pulumi it's impossible to get the `Allow Unauthenticated` flag, this flag can only be set with gcloud CLI and it's actually not reflected in the JSON payload for the REST API
So when I call the function I get a 403 response, but if I create the same function with `gcloud` and `--allow-unauthenticated` flag, then it's fine
Weirdly, that flag doesn't seem to be related to `member` or IAM permissions
It's already set to `allUsers` so in theory it's public but somehow this flag is required to be able to invoke it publicly
@broad-dog-22463
Here's my exact code for creating a function:
fxn = cloudfunctions.Function(
    "add_post_to_feeds",
    entry_point="add_post_to_feeds",
    environment_variables=config_values,
    region="us-central1",
    runtime="python37",
    source_archive_bucket=bucket.name,
    source_archive_object=source_archive_object.name,
    trigger_http=True)

invoker = cloudfunctions.FunctionIamMember(
    "invoker",
    project=fxn.project,
    region=fxn.region,
    cloud_function=fxn.name,
    role="roles/cloudfunctions.invoker",
    member="allUsers",
)

# Export the DNS name of the bucket and the cloud function URL.
pulumi.export("bucket_name", bucket.url)
pulumi.export("fxn_url", fxn.https_trigger_url)
b
interesting....
did you try allUnathenticated?
in the members?
b
Does this even exist? I don't want to just try random options 🙂
@broad-dog-22463 I'm trying to google for it and see nothing, so I assume this option doesn't exist
b
I can't see anywhere in the SDK that it can be anything else 😕 There is no validation around this either so I can't even see what values they would reject
b
Ok, I'll try
@broad-dog-22463 It didn't help... I still have to deploy a pulumi-created function once with `gcloud` in order to enable that flag 😞
b
that's really bad!! 😕
Can you open an issue on this for us?
We need to escalate it, it seems
b
I've figured it out, looks like the problem was that my service account used with Pulumi didn't have `Cloud Functions Admin` role in IAM so it couldn't properly create the invoker. The weird thing is that Pulumi didn't show any errors about this until today for me, it was creating the function and invoker but I was getting 403 and redeploying a function with `gcloud` CLI would solve the problem... But today Pulumi started failing to create the invoker specifically so this is how I've found by trial and error that adding that IAM role solves the problem...
b
Did you upgrade a version @broad-breakfast-39210?
b
@broad-dog-22463 no, I didn't, unless Pulumi auto-upgrades...
b
so this feels like something changed in the Google API?