
deploymentmanager-samples's Introduction

Deployment Manager Examples

NOTE: You can now convert your existing Deployment Manager configuration to KRM or Terraform. For more details, see Using DM Convert to transition to Kubernetes Resource Model (KRM) or Terraform. You can also find examples of equivalent KRM or Terraform configuration in alternatives subfolders of resource snippets.

Google Cloud Deployment Manager is an infrastructure management service that makes it simple to create, deploy, and manage Google Cloud Platform resources. With Deployment Manager, you can create a static or dynamic template that describes the configuration of your Google Cloud environment and then use Deployment Manager to create these resources as a single deployment.

This repository contains example templates for use with Deployment Manager.

For an overview of Deployment Manager, see https://cloud.google.com/deployment-manager/docs.

Run the walkthrough tutorial


Try the samples

Clone this repository into Cloud Shell, edit the samples, and deploy them from within Cloud Shell, without installing anything.


To try a basic deployment in Cloud Shell, open the quickstart tutorial.

Contributing

Contributions to this library are always welcome and highly encouraged.

See CONTRIBUTING for more information on how to get started.

License

Apache 2.0 - See LICENSE for more information.


deploymentmanager-samples's Issues

project_creation - add to (don't override) iam-policy

Hi,
if I use the project_creation layout I have the following behaviour:

  1. Creation with compute.googleapis.com enabled:
    $ gcloud deployment-manager deployments create my_dm --config project.yaml
    The project and the service account <project_number>@cloudservices.gserviceaccount.com are created
  2. Update the iam-policy (without managing the above service account):
    $ gcloud deployment-manager deployments update my_dm --config project.yaml
    The iam-policy is updated BUT the above service account <project_number>@cloudservices.gserviceaccount.com is deleted (or the associated role is revoked, I don't know)

I think the only alternative is that, before the update step, I have to modify project.yaml and insert the corresponding iam policy for the service account <project_number>@cloudservices.gserviceaccount.com (I don't have the project_number until the creation step, and I can't refer to it from the beginning because the project is not created yet).

The same may be useful for the following service accounts:

  • <project_number>[email protected]
  • service-<project_number>@container-engine-robot.iam.gserviceaccount.com
  • service-<project_number>@containerregistry.iam.gserviceaccount.com
  • ...

Do you have some advice for a better solution?
Thanks

Resources not updatable

Hi,
some supported resources have fields that cannot be updated with a "gcloud deployment-manager deployments update" execution.

For example:

ERROR: (gcloud.deployment-manager.deployments.update) Error in Operation [operation-1507190273341-55ac814d9f648-efa866de-deec4e38]: errors:
- code: NO_METHOD_TO_UPDATE_FIELD
  message: No method found to update field 'localTrafficSelector' on resource 'resources-tmp-tunnel'
    of type 'compute.v1.vpnTunnel'. The resource may need to be recreated with the
    new field.

VPNTunnel, like firewall/routes/..., has fields that are not updatable; in this case what is the best solution?

  • Separate these resources into a different deployment config from the others, so that they can be deleted and recreated when necessary
  • Change the resource manually in the web console and synchronize the deployment code "offline"
  • Others?

Thanks

Unable to access outputs of other templates

I have a deployment manager script as follows:
cluster.py creates a kubernetes cluster, and when the script was run only for the k8 cluster creation it was successful -- so it means cluster.py had no issues creating a k8 cluster.

cluster.py also exposes outputs:
A small snippet of cluster.py is as follows:

outputs.append({
    'name': 'v1endpoint',
    'value': type_name + type_suffix})

return {'resources': resources, 'outputs': outputs}

If I try to access the exposed output inside the dmnginxservice resource below as $(ref.dmcluster.v1endpoint), I get a "resource not found" error.

imports:
- path: cluster.py 
- path: nodeport.py

resources:
- name: dmcluster
  type: cluster.py
  properties:
   zone: us-central1-a
      
- name: dmnginxservice
  type: nodeport.py
  properties:
   cluster: $(ref.dmcluster.v1endpoint)
   image: gcr.io/pr1/nginx:latest
   port: 342
   nodeport: 32123
    
ERROR: (gcloud.deployment-manager.deployments.create) Error in Operation [operation-1519960432614-566655da89a70-a2f917ad-69eab05a]: errors:
- code: CONDITION_NOT_MET
  message: Referenced resource yaml%dmcluster could not be found. At resource
    gke-cluster-dmnginxservice.

Delete default firewall rules

Hi,
I'm trying to delete the default firewall rules of the "default" network.
If I try the following code on a new project:

resources:
- name: default-allow-rdp-delete
  action: gcp-types/compute-beta:compute.firewalls.delete
  properties:
    firewall: default-allow-rdp
  metadata:
    runtimePolicy:
    - CREATE

I get the error:

$ gcloud deployment-manager deployments create resources --project "$DMPROJECT" --config resources.yaml 
The fingerprint of the deployment is oDv7WHIA0lxF3zD2ag7WtA==
Waiting for create [operation-1518687221117-5653cec56f04c-e57265ab-09aff176]...failed.
ERROR: (gcloud.deployment-manager.deployments.create) Error in Operation [operation-1518687221117-5653cec56f04c-e57265ab-09aff176]: errors:
- code: RESOURCE_ERROR
  location: /deployments/resources/resources/default-allow-rdp-delete
  message: "{\"ResourceType\":\"gcp-types/compute-beta:compute.firewalls.delete\"\
    ,\"ResourceErrorCode\":\"404\",\"ResourceErrorMessage\":{\"code\":404,\"errors\"\
    :[{\"domain\":\"global\",\"message\":\"The resource 'projects/<projectID>/global/firewalls/default-allow-rdp'\
    \ was not found\",\"reason\":\"notFound\"}],\"message\":\"The resource 'projects/<projectID>/global/firewalls/default-allow-rdp'\
    \ was not found\",\"statusMessage\":\"Not Found\",\"requestPath\":\"https://www.googleapis.com/compute/beta/projects/<projectID>/global/firewalls/default-allow-rdp\"\
    ,\"httpMethod\":\"GET\"}}"

And from the logs it seems that the action is executed twice (9 seconds apart) by DM.
Is it a bug?

Thanks

GKE type provider sometimes failing

Hi,

I am struggling a bit lately with my deployment based on the following code:
https://github.com/GoogleCloudPlatform/deploymentmanager-samples/tree/master/examples/v2/gke

The problem is that deployment manager sometimes reports:

Waiting for create [operation-1523455329129-5699315b95229-abb36a8f-75ba2e65]...failed.
ERROR: (gcloud.deployment-manager.deployments.create) Error in Operation [operation-1523455329129-5699315b95229-abb36a8f-75ba2e65]: errors:
- code: DESCRIPTOR_URL_FETCH_ERROR
  location: /typeProviders/prod-cluster-type->$.descriptorUrl
  message: "{\"originalResponse\":\"{\\\"kind\\\":\\\"Status\\\",\\\"apiVersion\\\"\
    :\\\"v1\\\",\\\"metadata\\\":{},\\\"status\\\":\\\"Failure\\\",\\\"message\\\"\
    :\\\"Unauthorized\\\",\\\"reason\\\":\\\"Unauthorized\\\",\\\"code\\\":401}\"\
    ,\"reason\":\"The descriptor url 'https://192.0.2.10/swaggerapi/api/v1' for\
    \ type provider 'prod-cluster-type' could not be fetched.\"}"

(note: the IP address is obfuscated)

Note that the type is actually deployed using another deployment, so it isn't an issue of dependency resolution. Also, what is weird is that if I re-run the deployment a few times, it suddenly works. Maybe a timeout issue? That swaggerapi endpoint is quite big...

Internal_lb example fails

cd deploymentmanager-samples/examples/v2/internal_lb/python
gcloud deployment-manager deployments create first-internal-lb --config config.yaml

Issue1:

- code: CONDITION_NOT_MET
  location: /deployments/first-internal-lb/resources/first-internal-lb-healthcheck->$.properties
  message: '"/type": domain: validation; keyword: enum; message: value not found in enum; enum: ["HTTP","HTTPS","INVALID","SSL","TCP"]; value: "tcp"'

In internal_lb.py the healthcheck type should be capitalized (TCP).

Issue2:

- code: RESOURCE_ERROR
  location: /deployments/first-internal-lb/resources/us-central1-first-internal-lb-allow-internal-traffic-firewall-rule
  message: '{"ResourceType":"compute.v1.firewall","ResourceErrorCode":"400","ResourceErrorMessage":{"code":400,"errors":[{"domain":"global","message":"Invalid
    value for field ''resource.name'': ''us-central1-first-internal-lb-allow-internal-traffic-firewall-rule''.
    Must be a match of regex ''(?:[a-z](?:[-a-z0-9]{0,61}[a-z0-9])?)''","reason":"invalid"}],"message":"Invalid
    value for field ''resource.name'': ''us-central1-first-internal-lb-allow-internal-traffic-firewall-rule''.
    Must be a match of regex ''(?:[a-z](?:[-a-z0-9]{0,61}[a-z0-9])?)''","statusMessage":"Bad Request","requestPath":"https://www.googleapis.com/compute/v1/projects/xxx-privatetestproject/global/firewalls"}}'

The firewall rule name is too long; the regexp only allows 62 characters.
This means the stack name can be at most 15 characters long.

Issue3:

- code: RESOURCE_ERROR
  location: /deployments/first-i-lb/resources/us-central1-first-i-lb-allow-internal-traffic-firewall-rule
  message: '{"ResourceType":"compute.v1.firewall","ResourceErrorCode":"400","ResourceErrorMessage":{"code":400,"errors":[{"domain":"global","message":"This
    feature is not yet supported.","reason":"badRequest"}],"message":"This feature
    is not yet supported.","statusMessage":"Bad Request","requestPath":"https://www.googleapis.com/compute/v1/projects/xxx-privatetestproject/global/firewalls"}}'

I have no clue about this error.
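Added example, not code from the samples repo: a small pre-deploy lint for the two failures Issue1 and Issue2 above, built from the health-check enum and the resource-name regex quoted verbatim in those errors. It assumes the region prefix and the firewall-rule suffix are the fixed strings visible in the resource paths, and checks the two deployment names from the post.

```python
import re

# Name pattern quoted verbatim in the Compute Engine 400 error above.
# It admits 1 + up to 61 + 1 = 63 characters, lowercase, digits and '-'.
COMPUTE_NAME_RE = re.compile(r'(?:[a-z](?:[-a-z0-9]{0,61}[a-z0-9])?)')

# Allowed values quoted verbatim in the health-check validation error above.
HEALTHCHECK_TYPES = ("HTTP", "HTTPS", "INVALID", "SSL", "TCP")

# Pieces the template wraps around the deployment name when it builds the
# firewall rule name (assumed from the resource path in the error).
REGION_PREFIX = "us-central1-"
FIREWALL_SUFFIX = "-allow-internal-traffic-firewall-rule"


def is_valid_compute_name(name):
    """True when the whole name matches the Compute Engine name regex."""
    return COMPUTE_NAME_RE.fullmatch(name) is not None


def firewall_rule_name(deployment):
    """Generated firewall rule name for a given deployment name."""
    return REGION_PREFIX + deployment + FIREWALL_SUFFIX


def max_deployment_name_length():
    """Longest deployment name whose generated firewall name still matches."""
    return 63 - len(REGION_PREFIX) - len(FIREWALL_SUFFIX)


def lint_config(deployment, healthcheck_type):
    """Return the problems the API would otherwise reject at deploy time."""
    problems = []
    fw = firewall_rule_name(deployment)
    if not is_valid_compute_name(fw):
        problems.append(
            "firewall rule name %r (%d chars) does not match %s; "
            "shorten the deployment name to at most %d chars"
            % (fw, len(fw), COMPUTE_NAME_RE.pattern,
               max_deployment_name_length()))
    if healthcheck_type not in HEALTHCHECK_TYPES:
        hint = ""
        if healthcheck_type.upper() in HEALTHCHECK_TYPES:
            hint = " (did you mean %r?)" % healthcheck_type.upper()
        problems.append("health check type %r not in %s%s"
                        % (healthcheck_type, list(HEALTHCHECK_TYPES), hint))
    return problems


if __name__ == "__main__":
    # The two deployment names used in the post, with the health-check
    # value as written in internal_lb.py before and after the fix.
    for dep, hc in (("first-internal-lb", "tcp"), ("first-i-lb", "TCP")):
        print(dep, lint_config(dep, hc) or "ok")
```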

Set roles for service account in jinja template

Currently I'm trying to use the following template to create a service account and set roles for it:

service-account.jinja:

{% set BASE_NAME = env['deployment'] + '-' + env['name'] %}

resources:
- name: {{ BASE_NAME }}
  type: iam.v1.serviceAccount
  properties:
    accountId: {{ BASE_NAME }}
    displayName: {{ BASE_NAME }} service account

- name: set-account-roles
  action: gcp-types/iam-v1:iam.projects.serviceAccounts.setIamPolicy
  metadata:
    runtimePolicy:
    - CREATE
    dependsOn:
    -  {{ BASE_NAME }}
  properties:
    resource: $(ref.{{ BASE_NAME }}.name)
    policy:
      bindings:
      - role: 'roles/viewer'
        members:
        - serviceAccount:$(ref.{{ BASE_NAME }}.email)

outputs:
  - name: email
    value: $(ref.{{ BASE_NAME }}.email)

I'm running gcloud to deploy it as a user with the owner role, but it fails with the following error:

{
  "ResourceType": "gcp-types/iam-v1:iam.projects.serviceAccounts.setIamPolicy",
  "ResourceErrorCode": "403",
  "ResourceErrorMessage": {
    "code": 403,
    "message": "Permission iam.serviceAccounts.setIamPolicy is required to perform this operation on service account projects/project-555/serviceAccounts/[email protected].",
    "status": "PERMISSION_DENIED",
    "statusMessage": "Forbidden",
    "requestPath": "https://iam.googleapis.com/v1/projects/project-555/serviceAccounts/[email protected]:setIamPolicy",
    "httpMethod": "POST"
  }
}

What am I doing wrong?

cloudkms update

Hi,
if I try to update a cloudkms deployment (for example modifying accessControl.gcpIamPolicy.bindings) I get the following error:

- code: RESOURCE_ERROR
  location: /deployments/resources/resources/my-keyring
  message: '{"ResourceType":"gcp-types/cloudkms-v1:projects.locations.keyRings","ResourceErrorCode":"404","ResourceErrorMessage":{"statusMessage":"Not
    Found","requestPath":"https://cloudkms.googleapis.com/v1/projects/my-project/locations/global/keyRings/my-keyring","httpMethod":"POST"}}'

Do you know how to avoid this behaviour?
Thanks

Error in project creation

I used the following yaml to create a project:

imports:
- path: project.py
resources:
- name: qibinzhou-test-dm-20171009
  type: project.py
  properties:
    organization-id: "OUR_ORGANIZATION_ID"
    billing-account-name: billingAccounts/OUR_BILLING_ACCOUNT
    # (no key precedes this list in the post as shown)
    - compute.googleapis.com
    - deploymentmanager.googleapis.com
    - pubsub.googleapis.com
    - storage-component.googleapis.com
    - monitoring.googleapis.com
    - logging.googleapis.com
    service-accounts:
    - qibinzhou-test-dm-1
    bucket-export-settings:
      create-bucket: true
    iam-policy:
      bindings:
      - role: roles/owner
        members:
        - serviceAccount:[email protected]
        - user:MY_ACCOUNT

And I got the following error:

ERROR: (gcloud.deployment-manager.deployments.create) Error in Operation [operation-1507647406494-55b32841c5131-8e991c04-414d4a33]: errors:

- code: RESOURCE_ERROR
  location: /deployments/qibinzhou-test-dm-1/resources/qibinzhou-test-dm-20171009
  message: '{"ResourceType":"cloudresourcemanager.v1.project","ResourceErrorCode":"403","ResourceErrorMessage":{"code":403,"message":"User is not authorized.","status":"PERMISSION_DENIED","details":[{"@type":"type.googleapis.com/google.rpc.ResourceInfo","resourceType":"ORGANIZATION","resourceName":"OrganizationId{toLong=,getResourceType=ORGANIZATION}"}],"statusMessage":"Forbidden","requestPath":"https://cloudresourcemanager.googleapis.com/v1/projects","httpMethod":"POST"}}'

I have set project as the DM create project in gcloud config. But I set my own account, instead of the cloudservices service account or the so-called DM Service Account, in gcloud config. I don't quite understand how to use the DM Service Account. It is an internal account and has no external keys that can be generated. Then we cannot activate it on our local machine.

Thanks,

Qibin

Cloud Audit Logging

Is there a way to set 'auditConfigs' in project resources?
If I inject the 'auditLogConfigs' json tree into 'gcpIamPolicy' (file project.py) it doesn't work.
Like 'iam-policy' and 'gcpIamPolicy'.

Thanks

Updating GKE Cluster returns Error

Creating a deployment with deploymentmanager-samples/examples/v2/gke/python/ works perfectly, whereas updating the deployment (e.g. increasing the number of nodes) returns an error:

ERROR: (gcloud.deployment-manager.deployments.update) Error in Operation [operation-1490030492265-54b2cc2322a2a-e276ea11-d8776693]: errors:
- code: CONDITION_NOT_MET
  location: /deployments/cluster4/resources/cluster4-test-cluster-1->$.properties
  message: '"": domain: validation; keyword: properties; message: required property(ies)
    not found; missing: ["clusterId"]; required: ["clusterId","zone"]'

Is this not supported or a mistake on my side?

Create multiple bigtable instances

I am trying to deploy multiple bigtable instances but I am not sure of the format to do that. Here is what I have. I have also tried creating multiple entries under resources but that did not work either.

imports:
- path: bigtable.py
- name: helper.py
  path: ../../../helper.py

resources:
- name: permissions
  type: bigtable.py
  properties:
    instanceId: permissions
    instance:
    - name: dev-permissions
      displayName: dev-permissions
      type: PRODUCTION
    - name: qa-permissions
      displayName: qa-permissions
      type: PRODUCTION
    - name: stage-permissions
      displayName: stage-permissions
      type: PRODUCTION
    clusters:
      initial:
        location: us-central1
        defaultStorageType: SSD
        serveNodes: 3
    tables:
      arns:
        columnFamiles:
          features:
          parents:

References at runtime

Hi,
is it possible to use reference object information in a python template at runtime?
For example, cycle over the returned bindings of the "cloudresourcemanager.projects.getIamPolicy" resource and create a dictionary, dependent on these values, for a "cloudresourcemanager.projects.setIamPolicy" resource?

Thanks
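Added example (not from the samples repo) for the merge that this post and the "project_creation - add to (don't override) iam-policy" post above are both reaching for: setIamPolicy replaces the whole policy, so adding bindings means folding the bindings getIamPolicy returned into the desired ones and sending the union, carrying the etag so a concurrent change is rejected instead of silently overwritten. The current policy and the desired bindings below are constructed sample data; the project number keeps the placeholder spelling used in the posts.

```python
# Constructed sample: the policy getIamPolicy returns for a freshly created
# project. The DM robot account holds roles/editor; the etag is a made-up value.
CURRENT_POLICY = {
    "etag": "BwExampleEtag=",
    "bindings": [
        {"role": "roles/editor",
         "members": ["serviceAccount:<project_number>@cloudservices.gserviceaccount.com"]},
        {"role": "roles/owner",
         "members": ["user:alice@example.com"]},
    ],
}

# Constructed sample: the bindings listed in project.yaml. Sent as-is to
# setIamPolicy they would REPLACE the policy above and drop the editor binding.
DESIRED_BINDINGS = [
    {"role": "roles/owner",
     "members": ["user:alice@example.com", "user:bob@example.com"]},
    {"role": "roles/viewer",
     "members": ["serviceAccount:deployer@example-project.iam.gserviceaccount.com"]},
]


def bindings_to_dict(bindings):
    """role -> set(members): the 'cycle over the returned bindings' step."""
    result = {}
    for binding in bindings:
        result.setdefault(binding["role"], set()).update(binding.get("members", []))
    return result


def merge_policy(current, desired_bindings):
    """Build the policy to hand to setIamPolicy so that it ADDS desired_bindings.

    - every existing role/member pair survives, so robot accounts are kept;
    - members are de-duplicated and sorted so repeated updates produce no diff;
    - the etag from getIamPolicy is carried over so a concurrent change makes
      the write fail instead of clobbering it.
    """
    merged = bindings_to_dict(current.get("bindings", []))
    for role, members in bindings_to_dict(desired_bindings).items():
        merged.setdefault(role, set()).update(members)
    policy = {"bindings": [{"role": role, "members": sorted(members)}
                           for role, members in sorted(merged.items())]}
    if "etag" in current:
        policy["etag"] = current["etag"]
    return policy


def members_dropped(current, new_policy):
    """Role/member pairs present before but absent after; should be empty."""
    before = bindings_to_dict(current.get("bindings", []))
    after = bindings_to_dict(new_policy["bindings"])
    return sorted((role, member) for role, members in before.items()
                  for member in members if member not in after.get(role, set()))


if __name__ == "__main__":
    naive = {"bindings": DESIRED_BINDINGS}
    print("naive setIamPolicy would drop:", members_dropped(CURRENT_POLICY, naive))
    merged = merge_policy(CURRENT_POLICY, DESIRED_BINDINGS)
    print("merged setIamPolicy drops:", members_dropped(CURRENT_POLICY, merged))
```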

GKE Example Results in Non-functioning Kubernetes Cluster, When The Hosting Project is Built with DM

I ran through the instructions from the README here: https://github.com/GoogleCloudPlatform/deploymentmanager-samples/blob/master/examples/v2/gke/README.md. After completing the two-step process outlined in the doc, I had a cluster with 4 nodes. However after the second step deploying the Kube Service & ReplicationController, I visit the "Workloads" tab in the GCP web UI, and I see "Unschedulable".

Update: checked again and it appears that the problem is only happening when the project we try to add a cluster to was itself created through Deployment Manager. The example does actually work with a project created using the GUI. I did a quick comparison of enabled APIs and Service Accounts, they seem to be the same across both projects.

Ordering of resource creation fails with k8 cluster

I am trying to use the api exposed by a k8 cluster in other resources.

I want the k8 cluster to be up first and later other resources make use of the api exposed by this k8 cluster.
I tried to use the references to lay out an implicit order on the resource creation, but I see that even before the k8 cluster is fully up, another resource is trying to access an api exposed by the k8 cluster.

More details:
https://gist.github.com/VarunkumarManohar/508454c42afa481771e2c600120ca7ac

Unsure of why this is happening ..

HostPort and container ports for Google Container VM Docker image do not work

I was able to start a container VM (cos-stable-65-10323-69-0) using Google Deployment Manager.

When I specify the docker image to be started in the gce-container-declaration metadata key for the resource type compute.v1.instanceTemplate, the docker container starts correctly when the compute engine VM instance boots, but the host and container ports passed as parameters are not being used when running the docker image.

manifest = {
    'apiVersion': 'v1',
    'kind': 'Pod',
    'metadata': {
        'name': context.env['name']
    },
    'spec': {
        'containers': [{
            'name': context.env['name'],
            'image': context.properties['dockerImage'],
            'ports': [{
                'hostPort': context.properties['hostPort'],
                'containerPort': context.properties['containerPort']
            }],
        }]
    }
}

HostPort and containerPort are not being used while running the docker image; as a result the docker container ends up running on port 8080 and not on the hostPort passed as a parameter.

Is this a known issue, or is some setting being missed out?

ResourceError Code 400 when updating GKE addOnsConfig

When updating a GKE cluster previously created with DM, I get the error.

I've enabled the k8s dashboard manually in the GKE web console, and I'd like to update the DM configuration, so I ran the update command.

Here's the error message:

{"ResourceType":"container.v1.cluster","ResourceErrorCode":"400","ResourceErrorMessage":{"code":400,"message":"addons_config must specify values for http_load_balancing and/or horizontal_pod_autoscaling.","status":"INVALID_ARGUMENT","statusMessage":"Bad Request","requestPath":"https://container.googleapis.com/v1/projects/............./clusters/gke-cluster/addons", "httpMethod":"POST"}}

The expanded config looks like:

resources:
- name: gke-cluster
  properties:
    cluster:
      addonsConfig:
        horizontalPodAutoscaling:
          disabled: false
        httpLoadBalancing:
          disabled: false
        kubernetesDashboard:
          disabled: false                  # used to be true when I previously created the gke cluster
      initialClusterVersion: 1.8.9-gke.1
      legacyAbac:
        enabled: true
      name: gke-cluster
      nodePools:
      - autoscaling:
          enabled: true
          maxNodeCount: 15
          minNodeCount: 1
        config:
          diskSizeGb: 100
          imageType: cos
          oauthScopes:
          - https://www.googleapis.com/auth/compute
          - https://www.googleapis.com/auth/devstorage.read_only
          - https://www.googleapis.com/auth/logging.write
          - https://www.googleapis.com/auth/monitoring
        initialNodeCount: 2
        management:
          autoRepair: false
          autoUpgrade: false
        name: default-pool
    zone: us-central1-c
  type: container.v1.cluster

The addonsConfig is there.

dependsOn RUNNING status of GCE instance

Hi,
I'm trying to deploy a NAT gateway pool with the corresponding routes, but I can't deploy the route when the instance has status RUNNING.

My configuration (the instanceTemplate is omitted):

{% for zone_natgw in properties["zones"] %}
{% set NAME_SUFFIX = zone_natgw[-2:] %}
- name: {{ IGM + NAME_SUFFIX }}
  type: compute.v1.instanceGroupManager
  properties:
    baseInstanceName: {{ env["deployment"] }}-instance
    instanceTemplate: $(ref.{{ INSTANCE_TEMPLATE }}.selfLink)
    targetSize: 1
    zone: {{ zone_natgw }}

- name: {{ MI + NAME_SUFFIX }}
  action: gcp-types/compute-v1:compute.instanceGroupManagers.listManagedInstances
  properties:
    zone: {{ zone_natgw }}
    instanceGroupManager: {{ IGM + NAME_SUFFIX }}
    project: {{ env["project"] }}
  metadata:
    dependsOn:
    - {{ IGM + NAME_SUFFIX }}

- name: {{ IR + NAME_SUFFIX }}
  type: compute.v1.route
  properties:
    network: $(ref.{{ properties["network"] }}.selfLink)
    nextHopInstance: $(ref.{{ MI + NAME_SUFFIX }}.managedInstances[0].instance)
    priority: 900
    destRange: 0.0.0.0/0
    tags:
      - to-natgw

{% endfor %}

I think the only solution is to use RuntimeConfig in the startup script and wait in the deployment for that resource.
Is there a better and easy way?
Thanks

project_creation folder management

Hi,
I know that the cloudresourcemanager.v1.project API doesn't support folders, so I have to move the project by hand from the org to the folder, but after that I can't update the deployment (for example to change iam bindings on the project or create a service account) because I get the following error:

ERROR: (gcloud.deployment-manager.deployments.update) Error in Operation [operation-1505398303589-55926db218288-6c7b630d-56dd0f1d]: errors:
- code: RESOURCE_ERROR
  location: /deployments/<deployment>/resources/project
  message: '{"ResourceType":"cloudresourcemanager.v1.project","ResourceErrorCode":"403","ResourceErrorMessage":{"code":403,"message":"User
    is not authorized.","status":"PERMISSION_DENIED","details":[{"@type":"type.googleapis.com/google.rpc.ResourceInfo","resourceType":"FOLDER","resourceName":"FolderId{toLong=<folderid>,
    getResourceType=FOLDER}"}],"statusMessage":"Forbidden","requestPath":"https://cloudresourcemanager.googleapis.com/v1/projects/<project>","httpMethod":"PUT"}}'

Thanks

examples/v2/gke/jinja: update fails

Not sure if this is the right place or way to report this, but here goes:

cd deploymentmanager-samples/examples/v2/gke/jinja
gcloud deployment-manager deployments create cluster --config cluster.yaml

edit ./cluster.jinja.schema (change number of nodes from 4 to 2)

gcloud deployment-manager deployments update cluster --config cluster.yaml
The fingerprint of the deployment is tv3Y40Z8rRXCnMy8jxgj8A==
Waiting for update [operation-1499161746927-5537acb62ed98-16269ef3-6106d074]...failed.
ERROR: (gcloud.deployment-manager.deployments.update) Error in Operation [operation-1499161746927-5537acb62ed98-16269ef3-6106d074]: errors:
- code: RESOURCE_ERROR
  location: /deployments/cluster/resources/cluster-leo1
  message: '{"ResourceType":"container.v1.cluster","ResourceErrorCode":"400","ResourceErrorMessage":{"code":400,"message":"Invalid
    JSON payload received. Unknown name \"cluster\": Cannot find field.","status":"INVALID_ARGUMENT","details":[{"@type":"type.googleapis.com/google.rpc.BadRequest","fieldViolations":[{"description":"Invalid
    JSON payload received. Unknown name \"cluster\": Cannot find field."}]}],"statusMessage":"Bad
    Request","requestPath":"https://container.googleapis.com/v1/projects/102xyzxyz238/zones/europe-west1-b/clusters/cluster-leo1"}}'

The same thing happens when doing ...update cluster --config cluster.yaml --preview followed by ... update cluster

Cannot create runtime config variables

Cannot create a google deployment manager runtime config variable

resources:
- name: star-config
  type: runtimeconfig.v1beta1.config
  properties:
    name: star-config

- name: igurl_variable
  type: runtimeconfig.v1beta1.variable
  properties:
   name: igurl_variable
   value: 'trek'
   parent: $(ref.star-config.name)

I checked the logs and I see that the status is set to bad_request when I create the above deployment.

Audit log:
status: {
  message: "BAD_REQUEST"
}

What could be the reason for the error? It just does not seem obvious.

I also see 400 errors when I try to invoke the config create and variable create APIs from the Google explorer.

container_igm example does not work ?

I cannot get the container_igm example to work, even with the default configuration. Here are the logs:
http://pastebin.com/mKCchMtV

My google cloud version is up to date and properly configured.
% gcloud version
Google Cloud SDK 93.0.0
bq 2.0.18
bq-nix 2.0.18
core 2016.01.14
core-nix 2015.11.24
gcloud
gsutil 4.16
gsutil-nix 4.15

Am I doing something wrong?

GKE: can't add ClusterRoleBinding or ClusterRole

I have tried to use the deployment manager to create everything I need for our deployment, but I failed at an nginx ingress controller deployment that needs a new ClusterRole and ClusterRoleBinding. It seems that adding ClusterRoles and ClusterRoleBindings doesn't work via deployment manager. I always run into permission issues, in spite of the fact that I have full owner / cluster admin rights in IAM.

See also: https://stackoverflow.com/questions/44349987/error-from-server-forbidden-error-when-creating-clusterroles-rbac-author

I also tried adding first a ClusterRoleBinding for me and cluster-admin, but that doesn't work either. It works with kubectl though...

Usage of base64Decode and KMS-based decryption of secrets

I am exploring the usage of gcp-types/cloudkms-v1:cloudkms.projects.locations.keyRings.cryptoKeys.decrypt to automatically decrypt secrets at deploy time, as can be seen in this code snippet: kms.jinja.

Something that doesn't seem to work right is the use of the base64Decode() method in a $(ref). I get:

The resource 'test-decrypt' exists, but the reference value does not, details: Unrecognized function base64Decode

@shuainie-google : maybe you could help?

GKE Nodepool update BestPractice

Hi,
I've created a GKE cluster with container.v1.cluster, 1 default node with container.v1.nodePool and a minimum of 2 (for HA) custom nodes with container.v1.nodePool.

This setup permits updating the custom nodepool by creating a new one, cordoning and draining the old nodes and finally removing the old custom nodepool.

I wonder if there's a way to obtain these features and this behaviour without the 1-default-node container.v1.nodePool (VM not needed).

Thanks

Remove default CloudSQL root user

Hi,
I'm trying without success to remove the default 'root@%' CloudSQL user with DM.

Is there a method to call "sqladmin.user.delete" on 'sqladmin-v1beta4' provider?

Thanks

Issue creating deployment

Hi

I am trying to run the 'Create a Network Load-Balanced Logbook Application' sample (https://cloud.google.com/deployment-manager/docs/create-advanced-deployment)

I have tried both the jinja and python deployments. I have all the code files located under the same folder but receive the same error message:

The fingerprint of the deployment is 1mvqf3s6yrOhKfKRdKnNug==
Waiting for create [operation-1516010515250-562cdb43cbb50-a581b455-4a176701]...failed.
ERROR: (gcloud.deployment-manager.deployments.create) Error in Operation [operation-1516010515250-562cdb43cbb50-a581b455
-4a176701]: errors:
- code: INVALID_CONFIG
  message: 'Invalid config files: Template fetching failed: Failed to find imported
    template ''container_vm.jinja'' for resource {name=advanced-configuration-backend,
    properties={containerImage=container-vm-v20160217, dockerImage=gcr.io/deployment-manager-examples/mysql,
    port=8080, zone=us-central1-a}, type=container_vm.jinja}..'

This is the jinja error; with python the template is 'container_vm.py'.

Any ideas on this? Thanks

Manage gcp-types/dns-v1 Records

Hi,
I've tried to manage the record sets in a zone on CloudDNS with the following config:

- name: goog-resourcerecordsets
  type: gcp-types/dns-v1:changes
  properties:
    project: {{ env["project"] }}
    managedZone: $(ref.goog.name)
    additions:
    - name: prod.name.it.
      type: A
      ttl: 300
      rrdatas:
      - <IP>

But I get the following error when I change additions:

The fingerprint of the deployment is JDiKhbhYE0QxhypamHP3Ng==
Waiting for update [operation-1510672393864-55df2d3688341-d0f6966a-176378ae]...failed.
ERROR: (gcloud.deployment-manager.deployments.update) Error in Operation [operation-1510672393864-55df2d3688341-d0f6966a-176378ae]: errors:
- code: NO_METHOD_TO_UPDATE_FIELD
  message: No method found to update field 'additions' on resource 'goog-resourcerecordsets'
    of type 'dns-v1'. The resource may need to be recreated with the new field.

Is there a method to manage creation, updates and deletion of DNS records with DM, without the workaround of renaming the DM resources?

Thanks

project creation - "Find the Cloud Services service account" Misleading

https://github.com/GoogleCloudPlatform/deploymentmanager-samples/tree/master/examples/v2/project_creation

Prerequisites > Step 2 says:
"Find the Cloud Services service account associated with the DM Creation Project. It will be in the form <project_number>@cloudservices.gserviceaccount.com. This will be called the "DM Service Account" for the rest of these instructions."

The instruction should say where and how to find it:
https://cloud.google.com/iam/docs/service-accounts
"[email protected]

This service account is designed specifically to run internal Google processes on your behalf and is not listed in the Service Accounts section of GCP Console. "

Unable to update a database user with sqladmin-v1beta4:users

The gcp-types/sqladmin-v1beta4:users interface does not have a GET method.

When updating a big DM configuration that contains a database user resource like this:

resources:
# No GET method for user, resulting update error
- name: {{ env['name'] }}
  type: gcp-types/sqladmin-v1beta4:users
  properties:
    name: {{ properties['userName'] }}
    instance: {{ properties['instanceName'] }}
    host: ""
    password: {{ properties['password'] }}

There must be an update error:

ERROR: (gcloud.deployment-manager.deployments.update) Error in Operation [operation-1522961826387-569202eab1438-48567386-60db63f3]: errors:
- code: MISSING_METHOD_IN_COLLECTION
  message: Method 'get' does not exists for collection 'users' in descriptor url 'https://www.googleapis.com/discovery/v1/apis/sqladmin/v1beta4/rest'

I have to remove the user configuration from that big DM configuration.

Cloud Functions triggers

The example has a default http trigger, I'm struggling to set a Pub/Sub topic trigger. I add to the schema:

eventTrigger:
  type: array
  items:
    type: object
    required:
    - eventType
    properties:
      eventType:
        type: string
      resource:
        type: string
      service:
        type: string

And add to the .yaml

eventTrigger:
- eventType: topic
  resource: [TOPIC_NAME]
  service: google.pubsub.topic.publish

But the function created still has an HTTP trigger. Could you please point out what I am missing?
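An added example, not code from the deploymentmanager-samples repository: a Deployment Manager Python template that emits a Cloud Functions resource with either an HTTPS trigger or a Pub/Sub event trigger. It assumes the type name gcp-types/cloudfunctions-v1:projects.locations.functions and the Cloud Functions v1 field layout, in which eventTrigger is a single object whose eventType is the full event name (google.pubsub.topic.publish) and whose resource is the fully qualified topic; the template property names triggerTopic, sourceArchiveUrl, entryPoint, location and runtime are this example's own.

```python
"""Deployment Manager Python template (added example, not repo code).

Assumptions: the DM type gcp-types/cloudfunctions-v1:projects.locations.functions
and the Cloud Functions v1 field layout. The template property names
(triggerTopic, sourceArchiveUrl, entryPoint, location, runtime) are invented
for this example.
"""

FUNCTION_TYPE = 'gcp-types/cloudfunctions-v1:projects.locations.functions'
PUBSUB_EVENT_TYPE = 'google.pubsub.topic.publish'


def build_trigger(project, trigger_topic=None):
    """Return the trigger sub-object for the function resource.

    In the Cloud Functions v1 API eventTrigger is one object, not a list:
    eventType is the full event name and resource the fully qualified topic.
    Passing no topic yields an HTTPS trigger instead.
    """
    if not trigger_topic:
        return {'httpsTrigger': {}}
    if trigger_topic.startswith('projects/'):
        resource = trigger_topic          # already fully qualified
    else:
        resource = 'projects/%s/topics/%s' % (project, trigger_topic)
    return {
        'eventTrigger': {
            'eventType': PUBSUB_EVENT_TYPE,
            'resource': resource,
        }
    }


def function_resource(name, project, location, source_archive_url,
                      entry_point, runtime, trigger_topic=None):
    """Build the single DM resource dict for the function."""
    props = {
        'parent': 'projects/%s/locations/%s' % (project, location),
        'function': name,
        'sourceArchiveUrl': source_archive_url,
        'entryPoint': entry_point,
        'runtime': runtime,
    }
    props.update(build_trigger(project, trigger_topic))
    return {'name': name, 'type': FUNCTION_TYPE, 'properties': props}


def GenerateConfig(context):
    """Entry point Deployment Manager calls for Python templates."""
    p = context.properties
    return {
        'resources': [
            function_resource(
                name=context.env['name'],
                project=context.env['project'],
                location=p.get('location', 'us-central1'),
                source_archive_url=p['sourceArchiveUrl'],
                entry_point=p['entryPoint'],
                runtime=p.get('runtime', 'python39'),
                trigger_topic=p.get('triggerTopic'),
            )
        ]
    }
```

The matching schema declares triggerTopic as type: string; the template then produces eventTrigger as an object, which is the shape the v1 API expects, whereas a property declared as an array does not match that shape.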

Desire to run docker in HTCondor compute jobs

Hi there!

I have docker installed on the VM image I am using for my HTCondor compute jobs. I want to issue a docker run command as part of my compute job. The jobs are currently executed as the user nobody. So in the startup-compute.sh script I have added usermod -aG docker nobody, which is a hacky workaround. Can you suggest something better / maybe more secure? Or ideally maybe have the jobs execute as a slot user as suggested at http://research.cs.wisc.edu/htcondor/manual/v8.6/3_8Security.html#SECTION004813000000000000000 and provide a way to give this slot user access to a single container?

Thanks,

Can't get storage.v1.bucket (or gcp-types/storage-v1:buckets) working

I have tried the following (and various variants of it):

- name: {{ NAME_PREFIX }}-bucket
  type: gcp-types/storage-v1:buckets
  properties:
    location: europe-west3
    storageClass: NEARLINE

I always get permission errors:

message: '{"ResourceType":"gcp-types/storage-v1:buckets","ResourceErrorCode":"403","ResourceErrorMessage":{"code":403,"errors":[{"domain":"global","message":"[email protected]
  does not have storage.buckets.get access to db-backup-bucket.","reason":"forbidden"}],"message":"[email protected]
  does not have storage.buckets.get access to db-backup-bucket.","statusMessage":"Forbidden","requestPath":"https://www.googleapis.com/storage/v1/b/db-backup-bucket","httpMethod":"GET","suggestion":"Consider
  granting permissions to [email protected]"}}'

I did give the "Storage Admin" role to the service account in IAM.

deploymentmanager-samples/examples/v2/gke/jinja/replicatedservice.yaml -- fails creation and deletion

Using this replication service template YAML and Jinja fails. The creation failing I could understand, maybe I made a mistake. But now the failed replication service is stuck in my Deployment manager and I cannot remove it:

Timeout after 180000 ms when fetching URL https://35.199.152.98/api/v1/namespaces/default/replicationcontrollers/gke-quickflask-repl-service-v1-replicated-service-v1-rc, reason: TIMEOUT_WEB
gke-quickflask-repl-service-v1 has resource warnings
gke-quickflask-repl-service-v1-replicated-service-v1-rc: Timeout after 180000 ms when fetching URL https://35.199.152.98/api/v1/namespaces/default/replicationcontrollers/gke-quickflask-repl-service-v1-replicated-service-v1-rc, reason: TIMEOUT_WEB

It would seem a replication controller and service could be handled by Kubernetes itself (with kubectl and Kubernetes-based YAML templates, not necessarily by GKE). In any case, this seems like a bug.

#Kubernetes replication service template
#DEPLOY Kubernetes replication service
#gcloud deployment-manager deployments create gke-quickflask-repl-service-v1 --config replicatedservice.yaml

#kubectl delete replicationcontroller gke-quickflask-repl-service-v1

#gcloud deployment-manager deployments delete gke-quickflask-repl-service-v1
imports:
- path: replicatedservice.jinja

resources:
- name: replicated-service-v1
  type: replicatedservice.jinja
  properties:
    clusterType: gke-cluster-demo-v1-type
    image: gcr.io/$PROJECT_ID/quickflask-image:v1

Create a Google App Engine Flexible sample

There are no examples for Google AppEngine Flex. We'd like to provision a particular GAE app for all instances of a project type and don't have much in the way of docs or examples to go on.

examples/v2/cloud_functions does not explain how the files under 'function' get deployed

In both the jinja2 and python folders the cloud functions are referenced as gs://cloud-function-sample/function.zip. This sounds like you need to zip whatever is in the function dir (with or without the directory) and use gsutil to upload it.
It would be nice to change the example to have the cloud-bucket uploading step as part of the deployment manager script.

sqladmin.v1beta4.database on an existing DB

Hi,
I'm trying to manage an existing CloudSQL database with DM.
My config is:

-  type: sqladmin.v1beta4.database
   name: db-test-mysql-dbname
   properties:
     instance: $(ref.db-test-mysql.name)
     name: dbname
     charset: utf8
     collation: utf8_general_ci
     project: <mi_project>
   metadata:
     dependsOn:
     - db-test-mysql

and I get the following error afterwards:

ERROR: (gcloud.deployment-manager.deployments.update) Error in Operation [operation-1509978536738-55d51464cfcd0-f415ec62-9971347b]: errors:
- code: RESOURCE_ERROR
  location: /deployments/resources/resources/db-test-mysql-dbname
  message: '{"ResourceType":"sqladmin.v1beta4.database","ResourceErrorCode":"INTERNAL_ERROR","ResourceErrorMessage":""}'

Where is the issue? I can't understand the problem.
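The error payloads quoted in this issue and in the gcp-types/storage-v1:buckets issue above share one shape: DM wraps the backend API's error as a JSON string inside message, with ResourceErrorMessage being either a JSON object or, as here, an empty string. As an added example that is not code from this repository, the Python below parses that payload and, for permission errors, pulls out the principal, the missing permission and the target so the operator knows which IAM binding is absent. The sample messages are constructed to mirror the ones quoted in these issues, with PROJECT_NUMBER@cloudservices.gserviceaccount.com as a placeholder for the Cloud Services service account.

```python
"""Triage helper for Deployment Manager resource errors (added example).

Parses the JSON string DM prints after 'message:' for RESOURCE_ERROR / 403
failures. Sample inputs below are constructed; the service-account address
is a placeholder, not a real principal.
"""
import json
import re

# Constructed sample mirroring the 403 quoted in the buckets issue above.
SAMPLE_403 = json.dumps({
    "ResourceType": "gcp-types/storage-v1:buckets",
    "ResourceErrorCode": "403",
    "ResourceErrorMessage": {
        "code": 403,
        "errors": [{"domain": "global", "reason": "forbidden",
                    "message": "PROJECT_NUMBER@cloudservices.gserviceaccount.com "
                               "does not have storage.buckets.get access to db-backup-bucket."}],
        "message": "PROJECT_NUMBER@cloudservices.gserviceaccount.com "
                   "does not have storage.buckets.get access to db-backup-bucket.",
        "statusMessage": "Forbidden",
        "requestPath": "https://www.googleapis.com/storage/v1/b/db-backup-bucket",
        "httpMethod": "GET",
    },
})

# Constructed sample mirroring the sqladmin INTERNAL_ERROR quoted in this issue.
SAMPLE_INTERNAL = ('{"ResourceType":"sqladmin.v1beta4.database",'
                   '"ResourceErrorCode":"INTERNAL_ERROR","ResourceErrorMessage":""}')

# "<principal> does not have <permission> access to <target>."
_PERM_RE = re.compile(
    r'(?P<principal>\S+) does not have (?P<permission>[\w.]+) access to (?P<target>\S+?)\.?$')


def parse_dm_resource_error(message):
    """Return a dict describing the error, or None if message is not JSON."""
    try:
        outer = json.loads(message)
    except ValueError:
        return None
    inner = outer.get('ResourceErrorMessage')
    if isinstance(inner, str):
        # Some backends return a bare string (possibly empty) instead of an object.
        inner = {'message': inner}
    if not isinstance(inner, dict):
        inner = {}
    result = {
        'resource_type': outer.get('ResourceType'),
        'code': outer.get('ResourceErrorCode'),
        'http_method': inner.get('httpMethod'),
        'request_path': inner.get('requestPath'),
        'principal': None,
        'permission': None,
        'target': None,
    }
    m = _PERM_RE.search(inner.get('message') or '')
    if m:
        result.update(m.groupdict())
    return result


def iam_hint(parsed):
    """Name the single missing permission rather than suggesting a broad role."""
    if not parsed or not parsed.get('permission'):
        return None
    return 'grant %s on %s to %s' % (
        parsed['permission'], parsed['target'], parsed['principal'])


if __name__ == '__main__':
    for sample in (SAMPLE_403, SAMPLE_INTERNAL):
        parsed = parse_dm_resource_error(sample)
        print(parsed['code'], parsed['resource_type'], iam_hint(parsed))
```

For the INTERNAL_ERROR case the parser returns the code and resource type but no principal, which is the honest answer: there is nothing in the payload to act on. For the 403 case, note that the request DM made was a GET on the bucket name; because bucket names are global, a 403 on GET can also mean the name is already owned by another project, so the request_path field is worth checking before adding IAM bindings.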

listManagedInstances in nextHopInstance route parameter

Hi,
I've the following code:

- name: nat-gw-it
  properties:
    properties:
      canIpForward: true
      disks:
      - autoDelete: true
        boot: true
        deviceName: boot
        initializeParams:
          sourceImage: https://www.googleapis.com/compute/v1/projects/<my_image_path>
        type: PERSISTENT
      machineType: f1-micro
      networkInterfaces:
      - accessConfigs:
        - name: External-IP
          type: ONE_TO_ONE_NAT
        network: $(ref.my-net.selfLink)
        subnetwork: $(ref.my-net-australia-southeast1-natgw.selfLink)
      scheduling:
        automaticRestart: true
        onHostMaintenance: MIGRATE
        preemptible: false
      serviceAccounts:
      - email: my-svc@<my_project>.iam.gserviceaccount.com
        scopes:
        - https://www.googleapis.com/auth/compute
        - https://www.googleapis.com/auth/devstorage.read_only
        - https://www.googleapis.com/auth/logging.write
        - https://www.googleapis.com/auth/monitoring
        - https://www.googleapis.com/auth/cloudruntimeconfig
      tags:
        items:
        - natgw
    zone: australia-southeast1-a
  type: compute.v1.instanceTemplate
  metadata:
    dependsOn:
    - my-net
    - my-net-australia-southeast1-natgw
- name: nat-gw-igm-a
  properties:
    baseInstanceName: nat-gw-instance
    instanceTemplate: $(ref.nat-gw-it.selfLink)
    targetSize: 1
    zone: australia-southeast1-a
  type: compute.v1.instanceGroupManager
  metadata:
    dependsOn:
    - nat-gw-it
- action: gcp-types/compute-v1:compute.instanceGroupManagers.listManagedInstances
  metadata:
    dependsOn:
    - nat-gw-igm-a
  name: nat-gw-mi-a
  properties:
    instanceGroupManager: nat-gw-igm-a
    project: <my_project>
    zone: australia-southeast1-a
- metadata:
    dependsOn:
    - my-net
    - nat-gw-mi-a
  name: nat-gw-route-a
  properties:
    destRange: 0.0.0.0/0
    network: $(ref.my-net.selfLink)
    nextHopInstance: $(ref.nat-gw-mi-a.managedInstances[0].instance)
    priority: 900
    tags:
    - to-natgw
  type: compute.v1.route

In the past months (weeks?) this worked great.
Now I've deleted the deployment (with --delete-policy=abandon) and recreated it, but I get the following error:

The fingerprint of the deployment is wdvBVr6JNMij4oDxck0Qdw==
Waiting for update [operation-1517232148895-563ea2346d518-ee36a40a-e14c3f5e]...failed.
ERROR: (gcloud.deployment-manager.deployments.update) Error in Operation [operation-1517232148895-563ea2346d518-ee36a40a-e14c3f5e]: errors:
- code: CONDITION_NOT_MET
  location: /deployments/resources/resources/nat-gw-route-a->$.properties
  message: '"/nextHopInstance": domain: validation; keyword: type; message: instance
    does not match any allowed primitive type; allowed: ["string"]; found: "null"'

Has something changed? I can't understand what I'm doing wrong.

Thanks

Bucket creation in different project from "DM Creation Project"

Hi,
I have some issues creating a bucket from the "DM Creation Project" in the new project.

The expanded config is something like this (simplified):

- metadata:
    dependsOn:
    - project
    - storage-component.googleapis.com
    - patch-iam-policy
  name: log-$(ref.project.projectNumber)
  properties:
    name: log-$(ref.project.projectNumber)
    project: $(ref.project.projectId)
  type: gcp-types/storage-v1:buckets

The resulting bucket is created in the "DM Creation Project" and not in "ref.project.projectId". The same happens for the log sink:

- metadata:
    dependsOn:
    - project
    - log-$(ref.project.projectNumber)
  name: log-sink-log-$(ref.project.projectNumber)
  properties:
    destination: storage.googleapis.com/log-$(ref.project.projectNumber)
    filter: ''
    parent: projects/$(ref.project.projectId)
    sink: log-sink-log-$(ref.project.projectNumber)
    uniqueWriterIdentity: true
  type: logging.v2.sink

My use case is to create a default bucket for exported logs of the new project.

Thanks

Move to python-docs-samples

Hi! We're moving all samples to be included in docs into single repos by language. If you could move this to GoogleCloudPlatform/python-docs-samples/deployment-manager, that would be great! Alternatively I can move this for you and assign you an issue to update the documentation, which you can assign back to me when it's safe to delete this repository.

Thanks!

quick_start README typo

In the examples/v2/quick_start/README.MD file the cli command has a typo:
gcloud deployment-manager deployments create quick-start-deployment --config/vm.yaml

It should be:
gcloud deployment-manager deployments create quick-start-deployment --config vm.yaml

Unable to use name property in gcp-types/sqladmin-v1beta4:users

When using the following template to create a database user, the referenced name property in the output contains the database name instead of the expected user name:

database.jinja:

{% set DATABASE_NAME = 'database' %}
{% set DATABASE_USER = 'username' %}

- name: create-user
  type: gcp-types/sqladmin-v1beta4:users
  properties:
    name: {{ DATABASE_USER }}
    instance: {{ DATABASE_NAME }}
    host: "cloudsqlproxy~%"

outputs:
- name: user
  value: $(ref.create-user.name)

It will return database instead of username.
