Additional note: my suggestion is to utilise stacks.
For Google Cloud best practices, the enablement of services should be tightly bound to the establishment of a project.
Consider the creation of a Pulumi stack that sets up your base GCP projects. Enable service APIs within that stack. Consider this as a stack that operates as a GCP project factory.
It creates a project in a given org or folder, enables service APIs, and then configures appropriate IAM and project-dedicated service accounts as well as any project-specific Org Policies.
Then, going forward, use the service account created in this stack as the runner for the follow-on Pulumi stacks that in turn build out project-specific content such as VMs, networks, and GKE or Firestore.
This gives time for stack A to enable APIs before stack B runs. Your stack B can even have logic to confirm APIs are enabled before commencing. Additionally, it follows Google’s best-practice project management and security by separating concerns and futures for security.
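
One way stack B could confirm that stack A's APIs are enabled before it commences, as an added example that is not part of the comment above or of Pulumi's own code. The required API list, the `ApisNotReady` name, and the sample listing are assumptions; the listing is constructed to resemble `gcloud services list --format=json` output.

```python
import json

# Assumption: the service APIs stack B depends on (hypothetical list).
REQUIRED_APIS = frozenset({
    "compute.googleapis.com",
    "container.googleapis.com",
    "firestore.googleapis.com",
})

# Constructed sample, shaped like `gcloud services list --format=json` output.
SAMPLE_LISTING = json.dumps([
    {"config": {"name": "compute.googleapis.com"}, "state": "ENABLED"},
    {"name": "projects/000000000000/services/container.googleapis.com",
     "state": "ENABLED"},
    {"config": {"name": "firestore.googleapis.com"}, "state": "DISABLED"},
])


class ApisNotReady(RuntimeError):
    """Raised when stack B must not proceed."""


def enabled_apis(listing_json):
    """Return the names of services the listing reports as ENABLED."""
    enabled = set()
    for entry in json.loads(listing_json):
        # Prefer config.name; fall back to the last segment of the resource name.
        name = (entry.get("config") or {}).get("name")
        name = name or entry.get("name", "").rsplit("/", 1)[-1]
        if name and entry.get("state") == "ENABLED":
            enabled.add(name)
    return enabled


def missing_apis(listing_json, required=REQUIRED_APIS):
    """Required APIs that are absent or not ENABLED, sorted for stable output."""
    return sorted(set(required) - enabled_apis(listing_json))


def preflight(listing_json, required=REQUIRED_APIS):
    """Fail closed: raise on a missing API or an unreadable listing."""
    try:
        missing = missing_apis(listing_json, required)
    except (ValueError, AttributeError, TypeError) as exc:
        raise ApisNotReady(f"cannot read service listing: {exc}") from exc
    if missing:
        raise ApisNotReady("not enabled by stack A: " + ", ".join(missing))
    return True


if __name__ == "__main__":
    print(missing_apis(SAMPLE_LISTING))  # ['firestore.googleapis.com']
```

Calling `preflight` at the top of stack B's program, before any resource is declared, makes the run stop with a clear error instead of failing partway through a deployment.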