breezy-book-15761
06/02/2022, 9:43 AM
"""A Google Cloud Python Pulumi program"""
import pulumi
import pulumi_gcp as gcp
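# Enable the Cloud Resource Manager API first. The service names below were
# restored from the Slack "<url|text>" link form the paste had turned them
# into; the API only accepts the bare service name.
cloud_resource_manager_api = gcp.projects.Service(
    "crm_api",
    service="cloudresourcemanager.googleapis.com",
)

# Look up the project the stack runs against. The invoke is parented to the
# CRM API resource, presumably so it is evaluated after that API is enabled —
# confirm that Pulumi treats `parent` as an ordering dependency for invokes.
project = gcp.organizations.get_project_output(
    opts=pulumi.InvokeOptions(parent=cloud_resource_manager_api),
)

# Enable Cloud Run in that project. `project.id` is already an Output, so the
# identity `apply(lambda project_id: project_id)` the original wrapped around
# it added nothing and has been dropped.
# NOTE: with disable_on_destroy and disable_dependent_services both set, a
# `pulumi destroy` switches Cloud Run and every service depending on it off in
# this project — only run this stack against a project it exclusively owns.
cloud_run_api = gcp.projects.Service(
    "cloud_run_api",
    disable_dependent_services=True,
    disable_on_destroy=True,
    project=project.id,
    service="run.googleapis.com",
)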
"""A Google Cloud Python Pulumi program"""
import pulumi
import pulumi_gcp as gcp
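# Enable the Cloud Resource Manager API. The service name was restored from
# the Slack "<url|text>" link markup in the paste; the API wants the bare name.
cloud_resource_manager_api = gcp.projects.Service(
    "crm_api",
    service="cloudresourcemanager.googleapis.com",
)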
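def set_up():
    """Look up the active project and enable the Cloud Run API in it.

    Takes no arguments and returns nothing: it is meant to be invoked from an
    ``apply`` callback on the CRM API resource so the lookup happens after that
    API is enabled.
    NOTE: resources created from inside an ``apply`` are only created when the
    callback actually runs, so (as the thread points out) ``pulumi up`` and
    ``pulumi destroy`` cannot plan them properly. Prefer creating the Service
    at module level and passing the project id through as an Output instead.
    The service names below were restored from the Slack "<url|text>" link
    form the paste had turned them into.
    """
    project = gcp.organizations.get_project_output(
        opts=pulumi.InvokeOptions(parent=cloud_resource_manager_api),
    )
    # disable_on_destroy + disable_dependent_services: a stack destroy turns
    # Cloud Run and everything depending on it off in this project.
    gcp.projects.Service(
        "cloud_run_api",
        disable_dependent_services=True,
        disable_on_destroy=True,
        project=project.id,
        service="run.googleapis.com",
    )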
# Defer the project lookup and Cloud Run enablement until the CRM API resource
# has an id; the callback does not use the id itself.
cloud_resource_manager_api.id.apply(lambda _crm_id: set_up())
`pulumi up` and `pulumi destroy` would be pretty much useless
"""A Google Cloud Python Pulumi program"""
import pulumi
import pulumi_gcp as gcp
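# Enable the Cloud Resource Manager API. The service name was restored from
# the Slack "<url|text>" link markup in the paste; the API wants the bare name.
cloud_resource_manager_api = gcp.projects.Service(
    "crm_api",
    service="cloudresourcemanager.googleapis.com",
)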
def get_running_project():
    """Return the project the current GCP provider configuration points at.

    This is a plain (non-Output) invoke; it is intended to be called from an
    ``apply`` so that it only runs once the CRM API resource is available.
    """
    return gcp.organizations.get_project()
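# Run the project lookup only once the CRM API resource has an id, so the
# invoke happens after that API is enabled. `project` is an Output of the
# lookup result; attribute access on it (`project.id`) is lifted by Pulumi.
project = cloud_resource_manager_api.id.apply(lambda _: get_running_project())

# Enable Cloud Run in the resolved project. The service name was restored from
# the Slack "<url|text>" link form the paste had turned it into.
# NOTE: disable_on_destroy + disable_dependent_services means a stack destroy
# switches Cloud Run and every service depending on it off in this project —
# only run this against a project the stack exclusively owns.
cloud_run_api = gcp.projects.Service(
    "cloud_run_api",
    disable_dependent_services=True,
    disable_on_destroy=True,
    project=project.id,
    service="run.googleapis.com",
)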
prehistoric-activity-61023
06/02/2022, 12:59 PM
depends_on
breezy-book-15761
06/02/2022, 1:33 PMgcp.organizations.get_project()
prehistoric-activity-61023
06/02/2022, 1:33 PMgcp.organizations.get_project()
actually do? Get the currently active GCP project?
breezy-book-15761
06/02/2022, 1:34 PMprehistoric-activity-61023
06/02/2022, 1:34 PMService
instance without specifying project
I think
breezy-book-15761
06/02/2022, 1:35 PMprehistoric-activity-61023
06/02/2022, 1:35 PMproject_id
in stack values and discover it dynamically based on the env config?
breezy-book-15761
06/02/2022, 1:35 PMprehistoric-activity-61023
06/02/2022, 1:36 PMbreezy-book-15761
06/02/2022, 1:36 PMprehistoric-activity-61023
06/02/2022, 1:37 PMbreezy-book-15761
06/02/2022, 1:37 PMprehistoric-activity-61023
06/02/2022, 1:38 PMbreezy-book-15761
06/02/2022, 1:38 PMprehistoric-activity-61023
06/02/2022, 1:38 PMgcp-project-bootstrap
that’s supposed to be run by an organization administrator
breezy-book-15761
06/02/2022, 1:38 PMprehistoric-activity-61023
06/02/2022, 1:39 PMdepends_on
everywhere…), create some high-level IAM stuff (including some service accounts for managing it) and a VPC (cause I can 😛)
gcp-project
a project that sets up the rest of the infrastructure like GKE, Cloud SQL, etc.
breezy-book-15761
06/02/2022, 1:40 PMprehistoric-activity-61023
06/02/2022, 1:40 PMbreezy-book-15761
06/02/2022, 1:41 PMprehistoric-activity-61023
06/02/2022, 1:41 PMbreezy-book-15761
06/02/2022, 1:41 PMprehistoric-activity-61023
06/02/2022, 1:41 PMbreezy-book-15761
06/02/2022, 1:42 PMprehistoric-activity-61023
06/02/2022, 1:42 PMproject = gcp.organizations.Project(
"project",
name=config.project_name,
project_id=config.project_id,
billing_account=config.billing_account,
auto_create_network=False,
folder_id=config.folder_id,
)
#
# Enable Google APIs
#
apis = set(config.activate_apis)
# Ensure required APIs for VPC are enabled
apis.add("<http://compute.googleapis.com|compute.googleapis.com>")
apis.add("<http://servicenetworking.googleapis.com|servicenetworking.googleapis.com>")
enabled_apis = [enable_service_api(api, project) for api in apis]
#
# Create default svc account for compute nodes with access to shared GCR
#
default_service_account = gcp.serviceaccount.Account(
"default",
account_id="default",
display_name="Default service account for compute nodes",
project=project.project_id,
)
if config.gcr_project_id:
gcp.projects.IAMMember(
"sa-default-gcr-read-access",
role="roles/storage.objectViewer",
member=pulumi.Output.concat("serviceAccount:", default_service_account.email),
project=config.gcr_project_id,
opts=pulumi.ResourceOptions(parent=default_service_account),
)
default_sa_roles = set(config.default_sa_extra_roles)
# Ensure svc account has required roles
for role in {
"roles/logging.logWriter",
"roles/monitoring.metricWriter",
"roles/monitoring.viewer",
}:
default_sa_roles.add(role)
for role in default_sa_roles:
gcp.projects.IAMMember(
f"sa-default-{simple_role_name(role)}",
member=pulumi.Output.concat("serviceAccount:", default_service_account.email),
project=project.project_id,
role=role,
opts=pulumi.ResourceOptions(parent=default_service_account),
)
breezy-book-15761
06/02/2022, 1:45 PMprehistoric-activity-61023
06/02/2022, 1:46 PM
auto_create_network=False
),
• create a default svc account for nodes (so you have better control over what nodes can access) and allow it to access the shared GCR project (that’s a good strategy if you’re gonna have multiple projects for prod/staging/qa environments)
• activates some APIs (as you can see, it ensures that 2 hardcoded ones are enabled no matter what)
set
so it ensures there are no duplicates (when I manually add compute
and servicenetworking
)
breezy-book-15761
06/02/2022, 1:47 PM
gcp-project?
prehistoric-activity-61023
06/02/2022, 1:53 PMbreezy-book-15761
06/02/2022, 1:53 PMprehistoric-activity-61023
06/02/2022, 1:53 PMbreezy-book-15761
06/02/2022, 1:53 PMprehistoric-activity-61023
06/02/2022, 1:53 PMbreezy-book-15761
06/02/2022, 1:55 PM