This repository uses the Python Get started with Pulumi & Google Cloud tutorial to investigate how to deploy infrastructure to GCP in an automated fashion with Pulumi Cloud from a GitHub repository.
There are a couple of methods to deploy Pulumi-based infrastructure to GCP from a GitHub repository:
- Pulumi Cloud backend + Pulumi Deployments + GitHub Repo
- Pulumi Cloud backend + GitHub Actions + GitHub Repo
- Self-managed backend in GCP + Pulumi Deployments + GitHub Repo
- Self-managed backend in GCP + GitHub Actions + GitHub Repo
This repository shows the setup for Pulumi Cloud backend + GitHub Actions + GitHub Repo.
Note
The first method, Pulumi Cloud backend + Pulumi Deployments + GitHub Repo, was attempted. However, I couldn't get the authentication for Pulumi Deployments and GCP set up properly.
The setup was done as follows:
- Pulumi Cloud manages the IaC state
- GitHub Actions automates the deployment of changes to the IaC
- GCP is where the infra is deployed.
The subsections describe the setup needed to deploy Pulumi-based infrastructure to GCP with GitHub Actions.
To perform the setup I installed on my local machine:
- the Pulumi CLI following the Pulumi Download & install Pulumi docs
- the Google Cloud CLI (gcloud CLI) following the GCP Install the gcloud CLI docs
I have a personal Pulumi Cloud account, not an organization account.
Note
In all the sections below my personal account was used whenever Pulumi asked for an organization account.
From following the Get started with Pulumi & Google Cloud tutorial I had already created a project in Pulumi Cloud called hello-pulumi with a stack called dev.
GitHub Actions needs to authenticate with Pulumi Cloud, which holds the state. The authentication was set up through a Pulumi Cloud access token.
Warning
I couldn't get the authentication to work with OIDC for my personal account. It seems that the Pulumi auth GitHub Action expects a Pulumi org account instead of a personal one.
The Creating Personal Access Tokens section of the following Pulumi docs walks through the steps to create the token.
I had previously created a project in GCP with the Pulumi CLI, called hello-pulumi. The setup below is on this GCP project.
I configured direct workload identity federation following this section of the GCP auth GitHub Action README.
I enabled the APIs required for workload identity federation on the GCP project following the second step of these GCP docs. As pointed out by the Configuring OpenID Connect for Google Cloud Pulumi docs, those APIs are:
- Identity and Access Management (IAM) API,
- Cloud Resource Manager API,
- IAM Service Account Credentials API and
- Security Token Service API.
GitHub Actions needs to authenticate with GCP in order to deploy the IaC. The authentication was set up via the Workload Identity Federation configured in the previous section.
I followed the (Preferred) Direct Workload Identity Federation section of the google-github-actions/auth GitHub action.
The GitHub Actions workflow Deploy IaC with Pulumi is set up such that it must be triggered manually in order to deploy to GCP. Every push to the master branch of the repo only generates a plan (a pulumi preview) for any changes the commit made to the IaC.
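The following workflow is an added example of the setup described above; it is not the repository's own workflow file. It assumes a Python Pulumi program with a requirements.txt, a secret named PULUMI_ACCESS_TOKEN holding the Pulumi Cloud personal access token, and placeholder values (in angle brackets) for the GCP project number, workload identity pool and provider.

```yaml
# Added example workflow, not the repository's own file.
# Push to master -> pulumi preview only; manual trigger -> pulumi up.
name: Deploy IaC with Pulumi

on:
  push:
    branches: [master]        # every push to master only produces a plan
  workflow_dispatch:          # deployment to GCP must be triggered by hand

permissions:
  contents: read
  id-token: write             # lets the job mint the OIDC token used by GCP WIF

jobs:
  pulumi:
    runs-on: ubuntu-latest
    env:
      # Pulumi Cloud personal access token (OIDC auth needs an org account).
      PULUMI_ACCESS_TOKEN: ${{ secrets.PULUMI_ACCESS_TOKEN }}
    steps:
      - uses: actions/checkout@v4

      - uses: actions/setup-python@v5
        with:
          python-version: "3.12"   # assumed Python version

      - run: pip install -r requirements.txt   # assumed dependency file

      # Direct Workload Identity Federation: no service-account key is stored
      # in GitHub; the OIDC token is exchanged for short-lived GCP credentials.
      - uses: google-github-actions/auth@v2
        with:
          project_id: hello-pulumi
          workload_identity_provider: projects/<PROJECT_NUMBER>/locations/global/workloadIdentityPools/<POOL_ID>/providers/<PROVIDER_ID>

      # Plan on push, apply only when run from the Actions UI.
      - uses: pulumi/actions@v5
        with:
          command: ${{ github.event_name == 'workflow_dispatch' && 'up' || 'preview' }}
          stack-name: dev          # assumed: the dev stack of the hello-pulumi project
```

The workload identity provider's attribute condition on the GCP side should restrict which repository (and branch) may assume this identity; otherwise any GitHub workflow presenting a token for the pool could deploy to the project.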
Important
Make sure to destroy the created infrastructure on GCP, since the code generates a publicly available bucket. Run pulumi destroy locally to destroy the created infrastructure in GCP.