-
Notifications
You must be signed in to change notification settings - Fork 0
Commit
This commit does not belong to any branch on this repository, and may belong to a fork outside of the repository.
Merge pull request #2 from pablordoricaw/readme
feat: Deploy Infra with Pulumi GitHub Actions Workflow
- Loading branch information
Showing
2 changed files
with
79 additions
and
0 deletions.
There are no files selected for viewing
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,37 @@ | ||
| name: Deploy IaC with Pulumi | ||
| on: | ||
| push: | ||
| branches: | ||
| - master | ||
| workflow_dispatch: | ||
|
|
||
| jobs: | ||
| preview: | ||
| permissions: | ||
| id-token: write | ||
| contents: read | ||
| name: Preview | ||
| runs-on: ubuntu-latest | ||
| steps: | ||
| - uses: actions/checkout@v4 | ||
|
|
||
| - uses: google-github-actions@v2 | ||
| with: | ||
| project_id: ${{ env.GCP_PROJECT_ID }} | ||
| workload_identity_provider: /projects/491900032446/locations/global/workloadIdentityPools/pulumi-cloud-pool/providers/pulumi-cloud | ||
| service_account: [email protected] | ||
| - name: Set up Python | ||
| uses: actions/setup-python@v4 | ||
| with: | ||
| python-version: 3.10 | ||
|
|
||
| - name: Install dependencies | ||
| run: pip3 install -r requirements.txt | ||
|
|
||
| - name: Deploy infra | ||
| uses: pulumi/actions@v6 | ||
| with: | ||
| command: preview | ||
| stack-name: pablordoricaw/dev | ||
| env: | ||
| PULUMI_ACCESS_TOKEN: ${{ secrets.PULUMI_ACCESS_TOKEN }} |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
|
|
@@ -40,3 +40,45 @@ I enabled the required APIS for workload identity federation on the GCP project | |
| Then I proceeded to configure workload identity federation following the Pulumi docs linked above. | ||
|
|
||
| Then I moved to configure the Deployment settings for the `dev` stack of the Pulumi Cloud project. | ||
|
|
||
| ### Pulumi Deployments & GCP Error | ||
|
|
||
| I ran into the error below when deploying the `hello-pulumi` project with Pulumi Cloud and GCP. | ||
|
|
||
| ``` | ||
| Type Name Status Info | ||
| pulumi:pulumi:Stack hello-pulumi-dev **failed** 1 error; 1 message | ||
| + ├─ gcp:storage:Bucket my-bucket **creating failed** 1 error | ||
| └─ gcp:storage:Bucket my-bucket | ||
| **failed** 1 error | ||
| Diagnostics: | ||
| pulumi:pulumi:Stack (hello-pulumi-dev): | ||
| error: update failed | ||
| Error creating bucket my-bucket-0274da0: Post "https://storage.googleapis.com/storage/v1/b?alt=json&prettyPrint=false&project=hello-pulumi-435400": oauth2/google: unable to generate access token: Post "https://iamcredentials.googleapis.com/v1/projects/-/serviceAccounts/[email protected]:generateAccessToken": oauth2/google: status code 400: {"error":"invalid_target","error_description":"The target service indicated by the \"audience\" parameters is invalid. This might either be because the pool or provider is disabled or deleted or because it doesn't exist."} | ||
| gcp:storage:Bucket (my-bucket): | ||
| error: 1 error occurred: | ||
| * Post "https://storage.googleapis.com/storage/v1/b?alt=json&prettyPrint=false&project=hello-pulumi-435400": oauth2/google: unable to generate access token: Post "https://iamcredentials.googleapis.com/v1/projects/-/serviceAccounts/[email protected]:generateAccessToken": oauth2/google: status code 400: {"error":"invalid_target","error_description":"The target service indicated by the \"audience\" parameters is invalid. This might either be because the pool or provider is disabled or deleted or because it doesn't exist."} | ||
| gcp:storage:Bucket (my-bucket | ||
| ): | ||
| error: sdk-v2/provider2.go:385: sdk.helper_schema: Post "https://storage.googleapis.com/storage/v1/b?alt=json&prettyPrint=false&project=hello-pulumi-435400": oauth2/google: unable to generate access token: Post "https://iamcredentials.googleapis.com/v1/projects/-/serviceAccounts/[email protected]:generateAccessToken": oauth2/google: status code 400: {"error":"invalid_target","error_description":"The target service indicated by the \"audience\" parameters is invalid. This might either be because the pool or provider is disabled or deleted or because it doesn't exist."}: [email protected] | ||
| Resources: | ||
| 1 unchanged | ||
| ``` | ||
|
|
||
| Additionally, I missed the deployment happening right next to my code. I wasn't a big fan of having to go into Pulumi Cloud to check the deployment. | ||
|
|
||
| The PR chatbot feature was cool though... | ||
|
|
||
| ### GitHub Actions to the Rescue! | ||
|
|
||
| After a few unsuccessful tries to fix the issue with Pulumi Deployments and GCP cloud, I gave GitHub Actions a run. | ||
|
|
||
| #### GitHub and Pulumi Cloud | ||
|
|
||
| First thing, I stored a Pulumi Cloud access token in the secrets of the repo for GitHub actions to authenticate with Pulumi Cloud. This token expires on 12/20/204 | ||
|
|
||
|
|
||