pulumi / pulumi-google-native

Apache License 2.0

*.IamMember causes errors #836

Open valkum opened 1 year ago

valkum commented 1 year ago

What happened?

I am trying to create a policy binding for a Workload Identity and kept receiving "Error 404: Unknown service account". Running Pulumi with pulumi up --logtostderr --logflow -v=9 2> out.txt, some errors revealed themselves.

First: a POST call to /v1/projects/{PROJECT}/serviceAccounts/%7BserviceAccountsId%7D:getIamPolicy?optionsRequestedPolicyVersion=3 returns

I0221 18:53:34.697798   45611 log.go:71] eventSink::Infoerr(<{%reset%}>{
I0221 18:53:34.697810   45611 log.go:71] eventSink::Infoerr(<{%reset%}>  "error": {
I0221 18:53:34.697823   45611 log.go:71] eventSink::Infoerr(<{%reset%}>    "code": 400,
I0221 18:53:34.697847   45611 log.go:71] eventSink::Infoerr(<{%reset%}>    "message": "Invalid JSON payload received. Unknown name \"optionsRequestedPolicyVersion\": Cannot bind query parameter. Field 'optionsRequestedPolicyVersion' could not be found in request message.",
I0221 18:53:34.697862   45611 log.go:71] eventSink::Infoerr(<{%reset%}>    "status": "INVALID_ARGUMENT",
I0221 18:53:34.697878   45611 log.go:71] eventSink::Infoerr(<{%reset%}>    "details": [
I0221 18:53:34.697893   45611 log.go:71] eventSink::Infoerr(<{%reset%}>      {
I0221 18:53:34.697905   45611 log.go:71] eventSink::Infoerr(<{%reset%}>        "@type": "type.googleapis.com/google.rpc.BadRequest",
I0221 18:53:34.697917   45611 log.go:71] eventSink::Infoerr(<{%reset%}>        "fieldViolations": [
I0221 18:53:34.697930   45611 log.go:71] eventSink::Infoerr(<{%reset%}>          {
I0221 18:53:34.697945   45611 log.go:71] eventSink::Infoerr(<{%reset%}>            "description": "Invalid JSON payload received. Unknown name \"optionsRequestedPolicyVersion\": Cannot bind query parameter. Field 'optionsRequestedPolicyVersion' could not be found in request message."
I0221 18:53:34.697959   45611 log.go:71] eventSink::Infoerr(<{%reset%}>          }
I0221 18:53:34.697974   45611 log.go:71] eventSink::Infoerr(<{%reset%}>        ]
I0221 18:53:34.697986   45611 log.go:71] eventSink::Infoerr(<{%reset%}>      }
I0221 18:53:34.698000   45611 log.go:71] eventSink::Infoerr(<{%reset%}>    ]
I0221 18:53:34.698012   45611 log.go:71] eventSink::Infoerr(<{%reset%}>  }
I0221 18:53:34.698024   45611 log.go:71] eventSink::Infoerr(<{%reset%}>}

I removed the <{%reset%}>) lines.

Second: a POST call to /v1/projects/{PROJECT}/serviceAccounts/%7BserviceAccountsId%7D:getIamPolicy, which looks as if the identifier serviceAccountsId is used and not properly replaced with the name property of ServiceAccountIamMember, or the serviceAccountId SDK property is missing from ServiceAccountIamMember.

These are the endpoint and sdkProperties metadata for the ServiceAccountIamMember lookup (formatted for readability):

Endpoint:{SelfLinkProperty: Template:https://iam.googleapis.com/v1/projects/{projectsId}/serviceAccounts/{serviceAccountsId}:setIamPolicy Values:[{Name:projectsId SdkName:project Kind:path Optional:false} {Name:serviceAccountsId SdkName:serviceAccountId Kind:path Optional:false}]} 
  SDKProperties:map[
    auditConfigs:{
      Ref: Format: Required:false Items:<nil> AdditionalProperties:<nil> Container:policy Flatten:false SdkName: CopyFromOutputs:false Pattern: ForceNew:false
      } bindings:{
      Ref: Format: Required:false Items:<nil> AdditionalProperties:<nil> Container:policy Flatten:false SdkName: CopyFromOutputs:false Pattern: ForceNew:false
      } etag:{
      Ref: Format: Required:false Items:<nil> AdditionalProperties:<nil> Container:policy Flatten:false SdkName: CopyFromOutputs:false Pattern: ForceNew:false
      } updateMask:{
      Ref: Format:google-fieldmask Required:false Items:<nil> AdditionalProperties:<nil> Container: Flatten:false SdkName: CopyFromOutputs:false Pattern: ForceNew:false
      } version:{
      Ref: Format: Required:false Items:<nil> AdditionalProperties:<nil> Container:policy Flatten:false SdkName: CopyFromOutputs:false Pattern: ForceNew:false
      }
  ] 

Expected Behavior

I expect the resource to be created.

Steps to reproduce

Have GKE setup with Workload Identity enabled. Create a ServiceAccount in GCP and in k8s. Try to create a resource like:

import * as pulumi from "@pulumi/pulumi";
import * as google_native from "@pulumi/google-native";

// gcpServiceAccount, PROJECT and k8sServiceAccount are defined elsewhere in the program.
new google_native.iam.v1.ServiceAccountIamMember(
  "k8s-to-gcp-iam-binding",
  {
    name: gcpServiceAccount,
    member: pulumi.interpolate`serviceAccount:${PROJECT}.svc.id.goog[default/${k8sServiceAccount.metadata.name}]`,
    role: "roles/iam.workloadIdentityUser",
  }
);

Output of pulumi about

CLI
Version      3.55.0
Go Version   go1.19.5
Go Compiler  gc

Plugins
NAME    VERSION
nodejs  unknown

Host
OS       darwin
Version  13.1
Arch     arm64

This project is written in nodejs: executable='/Users/rudi/.nix-profile/bin/node' version='v18.12.1'

Backend
Name           pulumi.com
URL            https://app.pulumi.com/valkum
User           valkum
Organizations  valkum, EpicGames, instantdomains

Pulumi locates its logs in /var/folders/ry/k3dgpd7s3pxbnvx3r3twz9yh0000gn/T/ by default
warning: Failed to get information about the Pulumi program's dependencies: could not find either /Users/rudi/git/work/bolt/pulumi/instant-k8s/yarn.lock or /Users/rudi/git/work/bolt/pulumi/instant-k8s/package-lock.json

We have the yarn.lock in a yarn workspace.

Additional context

No response

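The report above shows the provider sending the literal, percent-encoded placeholder `%7BserviceAccountsId%7D` to the IAM API, which then answers with a misleading 404 instead of pointing at the real problem (the `serviceAccountsId` path parameter was never filled in). The following Go function is an added example, not code from the issue or from pulumi-google-native: it expands a URL template from the `Values` mapping quoted in the issue and refuses to build a request while any placeholder is unresolved. The template and the `projectsId`/`serviceAccountsId` mapping are copied from the metadata dump above; the input maps, the project name and the service account e-mail are constructed for the example, and `expandPath`/`hasUnresolvedPlaceholder` are hypothetical helper names, not provider APIs.

```go
package main

import (
	"fmt"
	"net/url"
	"regexp"
	"strings"
)

// pathParam mirrors one entry of the "Values" list in the issue's endpoint
// metadata: the placeholder name in the URL template and the SDK input
// (SdkName) it is supposed to be filled from.
type pathParam struct {
	Name    string // placeholder in the template, e.g. "serviceAccountsId"
	SdkName string // resource input it is filled from, e.g. "serviceAccountId"
}

// Template and parameter mapping copied from the metadata dump in the issue.
const setIamPolicyTemplate = "https://iam.googleapis.com/v1/projects/{projectsId}/serviceAccounts/{serviceAccountsId}:setIamPolicy"

var setIamPolicyParams = []pathParam{
	{Name: "projectsId", SdkName: "project"},
	{Name: "serviceAccountsId", SdkName: "serviceAccountId"},
}

var placeholderRe = regexp.MustCompile(`\{([A-Za-z0-9_]+)\}`)

// expandPath fills every {placeholder} in template from inputs, looked up by
// the placeholder's SdkName. It refuses to build a URL while any placeholder
// is unresolved: an unmapped or empty input yields a descriptive error rather
// than the literal "%7BserviceAccountsId%7D" the issue shows being sent.
func expandPath(template string, params []pathParam, inputs map[string]string) (string, error) {
	sdkNameOf := make(map[string]string, len(params))
	for _, p := range params {
		sdkNameOf[p.Name] = p.SdkName
	}
	var missing []string
	out := placeholderRe.ReplaceAllStringFunc(template, func(m string) string {
		name := m[1 : len(m)-1] // strip the braces
		sdk, mapped := sdkNameOf[name]
		if !mapped {
			missing = append(missing, name+" (no SDK property mapped)")
			return m
		}
		v := inputs[sdk]
		if v == "" {
			missing = append(missing, fmt.Sprintf("%s (input %q is empty)", name, sdk))
			return m
		}
		// Escape the segment so a value cannot smuggle '/' or '?' into the
		// path and change which endpoint the request reaches.
		return url.PathEscape(v)
	})
	if len(missing) > 0 {
		return "", fmt.Errorf("refusing to call %s: unresolved path placeholders: %s",
			template, strings.Join(missing, "; "))
	}
	return out, nil
}

// hasUnresolvedPlaceholder is the cheap post-hoc check for a URL that was
// built elsewhere: a raw {name} or its percent-encoded form %7Bname%7D.
func hasUnresolvedPlaceholder(u string) bool {
	return placeholderRe.MatchString(u) ||
		strings.Contains(u, "%7B") || strings.Contains(u, "%7b")
}

func main() {
	// Constructed inputs; the project and service account are made-up examples.
	good := map[string]string{
		"project":          "my-project",
		"serviceAccountId": "app@my-project.iam.gserviceaccount.com",
	}
	// Mirrors the repro in the issue, which sets `name` rather than `serviceAccountId`.
	bad := map[string]string{
		"project": "my-project",
		"name":    "app@my-project.iam.gserviceaccount.com",
	}
	for _, in := range []map[string]string{good, bad} {
		u, err := expandPath(setIamPolicyTemplate, setIamPolicyParams, in)
		if err != nil {
			fmt.Println("error:", err)
			continue
		}
		fmt.Println("ok:", u, "unresolved placeholder left:", hasUnresolvedPlaceholder(u))
	}
}
```

Running it prints the fully expanded `setIamPolicy` URL for the first input and a clear "unresolved path placeholders: serviceAccountsId (input "serviceAccountId" is empty)" error for the second, which is the diagnosis the 404 in the log hides. Note that `url.PathEscape` leaves `@`, `.` and `-` in a service account e-mail untouched, so the expanded path stays readable.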

danielrbradley commented 1 year ago

Hi @valkum thanks for logging this detail. Unfortunately we're not in a position to work on this provider right now as we're focusing on the pulumi-gcp provider while this provider is only in preview. Are you able to work around this by using the gcp provider for now?

valkum commented 1 year ago

Yeah, we switched to the classic version for now. At least for the things that don't work in the native one.