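// Returns the Cloud Resource Manager API resource specifically, since the node-SA
// IAM bindings need to DependsOn it (SetIamPolicy is gated on CRM).
//
// Every API is adopted with DisableOnDestroy=false and DisableDependentServices=false:
// destroying this stack must only drop the Pulumi resource, never switch the API off
// for anything else in the project (other stacks, operators, or services that depend
// on it transitively). Note that only the CRM handle is returned — callers that need
// to order on another API (e.g. compute for compute.GetDefaultServiceAccount) get no
// handle from here; presumably that ordering comes from elsewhere — TODO confirm on
// a fresh project where compute is not yet enabled.
func ensureRequiredAPIs(ctx *pulumi.Context, projectID string, resourceOpts []pulumi.ResourceOption) (*projects.Service, error) {
	// Service Usage API (which projects.NewService itself uses) is enabled by default
	// on GCP projects, so we don't need to manage it here.

	// CRM is created explicitly (not in the loop below) because callers need a
	// direct reference to it for DependsOn — projects.NewIAMMember calls
	// SetIamPolicy under the hood, which is gated on CRM.
	crm, err := adoptProjectAPI(ctx, projectID, "crm-api", "cloudresourcemanager.googleapis.com", resourceOpts)
	if err != nil {
		return nil, err
	}

	otherAPIs := []struct {
		resourceName string
		serviceName  string
	}{
		// Required for compute.GetDefaultServiceAccount and the GKE cluster.
		{"compute-api", "compute.googleapis.com"},
		// Required for the GKE cluster.
		{"container-api", "container.googleapis.com"},
		// Required for fluentbit-gke to ship container logs.
		{"logging-api", "logging.googleapis.com"},
		// Required for the managed Prometheus collector to ship metrics.
		{"monitoring-api", "monitoring.googleapis.com"},
	}

	for _, api := range otherAPIs {
		// Handles are intentionally discarded: nothing downstream DependsOn these
		// directly today (see the doc comment above).
		if _, err := adoptProjectAPI(ctx, projectID, api.resourceName, api.serviceName, resourceOpts); err != nil {
			return nil, err
		}
	}
	return crm, nil
}

// adoptProjectAPI registers one GCP service API on projectID as a Pulumi-managed
// projects.Service named resourceName. Both Disable* flags are pinned to false here,
// in a single place, so that every API this stack manages shares the same
// non-destructive destroy semantics and the flags cannot drift between call sites.
// Errors are wrapped with the service name so a failure is attributable without
// inspecting the provider error.
func adoptProjectAPI(ctx *pulumi.Context, projectID, resourceName, serviceName string, resourceOpts []pulumi.ResourceOption) (*projects.Service, error) {
	svc, err := projects.NewService(ctx, resourceName, &projects.ServiceArgs{
		Project:                  pulumi.String(projectID),
		Service:                  pulumi.String(serviceName),
		DisableOnDestroy:         pulumi.Bool(false),
		DisableDependentServices: pulumi.Bool(false),
	}, resourceOpts...)
	if err != nil {
		return nil, fmt.Errorf("failed to ensure %s is enabled: %w", serviceName, err)
	}
	return svc, nil
}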
| 124 | |
| 125 | // grantNodeServiceAccountRoles grants the default compute service account the standard |
| 126 | // GKE node roles required for log shipping (fluentbit-gke) and metrics scraping |