pulumi-community #azure

azure

mysterious-australia-14256

04/06/2020, 3:23 PM

Hi All Can I configure the Azure App Service diagnostic settings though Pulumi? In particular I want to send HTTP and Console logs and All Metrics to a Log Analytics Workspace.

future-kite-91191

04/06/2020, 7:15 PM

Hi! Since the introduction of the Azure

WindowsVirtualMachineScaleSet

the scale set extensions are separated into a new resource:

VirtualMachineScaleSetExtension

. In the now deprecated

ScaleSet

resource type, the

Extensions

could be setup inline. Problem with the new way of working, is that some virtual machine extensions need to be added to the target VM scale set at the same time. The error I get now:

Scale Set extensions of handler '{handler name here}' can be added only at the time of VM Scale Set creation

How can I make sure the VM extension is added to the VMSS at the moment the latter is created? Or should I go back to using the

ScaleSet

colossal-room-15708

04/07/2020, 9:47 AM

I'm trying to encrypt a VM disk with Pulumi using a

DiskEncryptionSet

and I'm facing an issue:

des_key = keyvault.Key("des-key",
      name="des-key",
      key_vault_id=args.keyvault_id,
      key_type="RSA",
      key_size=2048,
      key_opts=[
        "decrypt",
        "encrypt",
        "sign",
        "unwrapKey",
        "verify",
        "wrapKey",
      ],
      tags=args.tags
    )

    des_set = compute.DiskEncryptionSet("disk_encryption_set",
      name="disk_encryption_set",
      resource_group_name=args.resource_group_name,
      key_vault_key_id=des_key.id
    )

I receive

TypeError: Missing required property 'identity'

on the

DiskEncryptionSet

Why? According to https://www.terraform.io/docs/providers/azurerm/r/disk_encryption_set.html#identity it's optional.

colossal-room-15708

04/08/2020, 1:36 PM

Is anybody able to reproduce this here? My VM's OS disk does not show up in the disk encryption set as an encrypted resource. The "same code" (or rather scenario) works on the terraform side.

colossal-room-15708

04/08/2020, 1:37 PM

Untitled

powerful-football-81694

04/11/2020, 10:46 AM

Hi guys - I am unable to create a Cosmos DB account lately. The issue seems to be that Pulumi is a bit too aggressive in its polling for resource creation status, or that it should handle HTTP 503 responses more gracefully in the context of such polling, or both. Here’s what I’m consistently getting:

Diagnostics:
  azure:cosmosdb:Account (orgflow-stacks-dev-cdb):
    error: Error creating CosmosDB Account "orgflow-stacks-dev-cdb" (Resource Group "orgflow-stacks-dev-rg"): Error waiting for the CosmosDB Account "orgflow-stacks-dev-cdb" (Resource Group "orgflow-stacks-dev-rg") to finish creating/updating: Code="ServiceUnavailable" Message="Sorry, we are currently experiencing high demand in this region, and cannot fulfill your request at this time. We work continuously to bring more and more capacity online, and encourage you to try again shortly. Please do not hesitate to contact us via Azure support at any time or for any reason using this link <http://aka.ms/azuresupport>.\r\nActivityId: a74b0d98-cc3c-44ed-b5b9-587168e7b8c2"

To be clear: the Cosmos DB account is eventually created on the Azure side, although it doesn’t seem to be complete (I suspect this might be because Pulumi gave up waiting on some part and therefore didn’t proceed to subsequent parts). As a result, we’re left with an incomplete Cosmos DB account that Pulumi doesn’t know about and doesn’t know what to do with in the next attempt - and as we know,

pulumi refresh

does not help in this situation. I suspect that the fix should be: • Handle 503 responses in the resource creation status polling more gracefully and retry • Do it with a back-off strategy to poll less frequently if these responses are coming out • Possibly also start with less frequent polling from the get-go

melodic-byte-32771

04/13/2020, 9:10 AM

I have a problem with setting the error page for the storage static website settings This is what I am doing:

storageAccount = new azure.storage.Account(`account`, {
    resourceGroupName: resourceGroup.name,
    accountReplicationType: 'LRS',
    accountTier: 'Standard',
    accountKind: 'StorageV2',
    staticWebsite: {
      indexDocument: 'index.html',
      error404Document: 'index.html'
    }
  });

this is what I receive

azure:storage/account:Account resource 'account' has a problem: static_website.0: invalid or unknown key: error404_document

enough-oil-63049

04/13/2020, 12:11 PM

This is probably pretty basic but I am stuck on the following Python code:

if peer:
            org = props.config.require('org')
            project = get_project()
            peer_stack = StackReference(f'{org}/{project}/{peer}')
            peer_hub_id = peer_stack.get_output('hub_id')
            peer_hub_name = peer_stack.get_output('hub_name')
            # need a reference to the peer hub VNet but the following statement doesn't work
            peer_hub = network.VirtualNetwork.get(peer_hub_name, peer_hub_id)
            peer_fw_ip = peer_hub.hub_fw_ip
            peer_dmz_ar = peer_hub.peer_dmz_ar 
            peer_hub_as = peer_hub.peer_hub_as

I know everything up to the point noted above works, but I need to get a reference to the peer_hub vnet in the other stack. The parameters are:

+ peer_hub_id  : "/subscriptions/subscription/resourceGroups/prod-vdc-rg-947d7dbf/providers/Microsoft.Network/virtualNetworks/hub-vn-f428d4f8"
  + peer_hub_name: "hub-vn-f428d4f8"

But when statement:

peer_hub = network.VirtualNetwork.get(peer_hub_name, peer_hub_id)

executes, the result is:

TypeError: Expected resource name to be a string

What am I doing wrong here? Going on API

<https://www.pulumi.com/docs/reference/pkg/azure/network/virtualnetwork/>

mysterious-australia-14256

04/14/2020, 2:55 PM

Hi. I'm after some getting started advice for working with Pulumi and Azure using C#. I am looking to roll out an Application Gateway that, over time, will have new rules (pools, listeners, routing rules etc) added to it. Rolling out the initial deploy seems straight forward enough but I am unsure how to manage the rules etc that get added to it over time. For example if tomorrow I roll out WebApp1 I will need to add some rules to the App Gateway to allow that to be published. If I later roll out WebApp2, it will need its own set of rules adding to the App Gateway. It would seem to make sense that these WebApp specific rules are handled by the Pulumi program/stack that is deploying each WebApp rather than the original project/stack that deployed the Application Gateway. How do I achieve this i.e. have one deployment that creates the Application Gateway and other projects that can add rules to it without destroying any existing rules. Ideally I would also like to be able to redeploy the original Application Gateway project itself without having it overwrite/erase any rules added by the WebApp projects.

thousands-megabyte-97545

04/17/2020, 4:53 PM

Does anyone have any experience using Pulumi to manage API Management Services? Even though I can import OpenAPI 3.0 documents in the Azure Portal, when I try to do the same with Pulumi, it always chokes on 3.0 (it works fine with old Swagger 2.x documents). Is there a property I'm missing somewhere?

colossal-room-15708

04/18/2020, 9:51 AM

Do you know your way around Azure? Do you know python and PowerShell? Do you know your way around Windows automation? At XIRUS we are in need of a contractor to help us migrate initially 3 customer applications to Azure in a 3 months engagement. There's a very high chance of an extension. This engagement will apply CI/CD practices to infrastructure using either GitHub Actions or Azure DevOps. Full remote, however, should be in Australian or NZ time zone. Reach out for more details.

👍 1

nutritious-judge-27316

04/21/2020, 1:10 PM

in c# best way of retrieving azure:location from config?

great-manchester-70568

04/21/2020, 9:20 PM

hi, trying to connect an iothub to an eventhub. pulumi succeeds in deploying but the custom endpoint is wrong in some way. if i create a custom endpoint in the portal and links it to the same eventhub it works. the difference i can find in the arm templates are that there is a new shared access policy, but that looks the same. I also get an error when trying to synchronize the keys for the pulumi created endpoint, where it complains about nested resourcxes. any ideas?

kind-agency-40925

04/22/2020, 1:00 PM

kind-agency-40925

04/22/2020, 1:00 PM

Does polumi support 'Commercial Marketplace partner and customer usage attribution' for Azure? (https://docs.microsoft.com/en-us/azure/marketplace/azure-partner-customer-usage-attribution)?

handsome-optician-50551

04/23/2020, 9:20 AM

Hello, my api management service has stopped working since tuesday when I updated to pulumi 2.0 locally. Here is my the service that I'm trying to create that has succeded in the past:

let service2 = new azure.apimanagement.Service("testams", {

resourceGroupName: "ddm-te-dev",

skuName: "Developer_1",

publisherName: "YourCompany",

publisherEmail: "<mailto:api@yourcompany.com|api@yourcompany.com>"

}, { customTimeouts: { create: "59m" } });

The error i get it: azure:apimanagement:Service (testams): error: unexpected unknown property value When I run pulumi preview it doesn't complain. Could you help me with this?

fancy-jelly-61092

04/24/2020, 4:02 PM

I'm trying to setup Azure SQL server (and eventually PostgresSQL) with Azure AD authentication. I've got the server created + the Azure AD Administrator setup (

azure.sql.ActiveDirectoryAdministrator

). I've no idea how to finish the setup and add the AD Logins to the database (i.e.

CREATE USER "Admin Group" FROM EXTERNAL PROVIDER;

) I created a custom SQL resource provider that allows executing the SQL, that is successful. I get the error

Principal 'Admin Group' could not be resolved. Error message: 'AADSTS65002: Consent between first party applications and resources must be configured via preauthorization. Visit <https://identitydocs.azurewebsites.net/static/aad/preauthorization.html> for details

From what I can tell (https://docs.microsoft.com/en-us/azure/sql-database/sql-database-aad-authentication-configure?tabs=azure-powershell#create-contained-database-users-in-your-database-mapped-to-azure-ad-identities) I cannot use a Service Principal login (I was using access tokens to sign in to the SQL instance). That means I need a user, which stops it from being useful to be used in a CI environment for example (Azure DevOps). Has anybody found a workaround for this issue?

breezy-answer-83664

04/24/2020, 7:12 PM

Hello, In one stack, I'm deploying a VNet (Spoke) in subscription A / resource group B. Now, I would like to peer this VNet (Spoke) to another VNet (Hub) in subscription C / resource group D. The service principal I'm using to run pulumi up has Contributor role on both resource groups B and D. I'm able to deploy the peering from VNet (Spoke) to VNet (Hub) as the pulumi up config is using subscription A. Of course when trying to deploy the peering in the other way, it's not working, resource group D is not known in subscription A. How could I deploy in multiple subscriptions inside the same stack? is it possible?

millions-journalist-34868

04/27/2020, 2:21 PM

What are the recommanded roles / permissions to give to the azure service principal that needs to be created to deploy azure ressources with Pulumi ? I was using my administrator account with az cli for pulumi deployments until now but now that I am using Azure DevOps, I had to create a Service Principal. However there are some permissions missing for my Service Principal.

little-kangaroo-50941

04/27/2020, 3:30 PM

Hi all! Seems that it is not possible to assign a FunctionAppIdentity, is it true?

limited-rainbow-51650

04/28/2020, 4:12 PM

Anyone an idea why a bump in AKS version leads to a changed

kubeconfig

output?

colossal-room-15708

04/29/2020, 2:46 AM

Anybody already got a pattern to use github actions with pulumi in staged deployments to multiple subscriptions? Some sort of approval?

breezy-answer-83664

04/29/2020, 8:57 AM

Hello, Is it possible to list the Azure resource groups in a subscription. I looked at Azure/core and can see getSubscriptions or getResources but there'e no getResourceGroups. Thanks for your help.

better-rainbow-14549

04/29/2020, 5:23 PM

warning: getEventhubNamespace is deprecated: azure.getEventhubNamespace has been deprecated in favour of azure.getNamespace
    warning: getEventhubNamespace is deprecated: azure.getEventhubNamespace has been deprecated in favour of azure.getNamespace
    warning: UserAssignedIdentity is deprecated: azure.UserAssignedIdentity has been deprecated in favour of azure.UserAssignedIdentity
    warning: Assignment is deprecated: azure.Assignment has been deprecated in favour of azure.Assignment
    warning: Assignment is deprecated: azure.Assignment has been deprecated in favour of azure.Assignment
    warning: Assignment is deprecated: azure.Assignment has been deprecated in favour of azure.Assignment

any ideas why this has just started, also that first one about eventhubnamespace seems peculiar

little-kangaroo-50941

04/29/2020, 7:02 PM

Hi all! after the first deploy of a function app using a blob with a FileArchive I have this error when I try the next

pulumi up

System.InvalidOperationException: Expected Pulumi.AssetOrArchive but got System.String deserializing Pulumi.Azure.Storage.Blob.source

at Pulumi.Serialization.Converter.ConvertObject(String context, Object val, Type targetType)

at Pulumi.Serialization.Converter.ConvertValue(String context, Value value, Type targetType)

`at Pulumi.Deployment.CompleteResourceAsync(Resource resource, ResourceArgs args, ResourceOptions options, ImmutableDictionary`2 completionSources)`

at Pulumi.Deployment.Runner.WhileRunningAsync()

var blob = new Blob("zipdeploy", new BlobArgs
{
StorageAccountName = storageAccount.Name,
StorageContainerName = container.Name,
Type = "Block",
Source = new FileArchive("../HRToolBot/bin/Debug/netcoreapp3.1/publish")
});

fierce-eye-99133

04/30/2020, 11:01 AM

Hey! Someone knows why after I updated Pulumi to from v1 -> v2 and Azure provider from v1 -> v3 it's trying to replace all my Azure Functions? Is there a way to avoid it? Created a new test project with v1, just a subscription, storage, service plan and azure function. Updated to v2/v3 and having the same behavior.

rhythmic-lighter-17156

05/04/2020, 12:28 PM

Hi team, Can someone explain how I can create a 'Modify' policy assignment for enforcing tag creation please using the InBuilt Microsoft policy definition in Azure? When I try and do this through the Pulumi API I can create the policy assignment correctly as follows:

const createAutoTaggingPolicyAssignment = (tag: string, 
        resourceGroup: azure.core.ResourceGroup, context: ExecutionContext) => {
            const policy = getPolicyDefintion({displayName: 'Inherit a tag from the resource group if missing'});
            new azure.policy.Assignment(`tag-${tag}`, {
                displayName: `enforce tagging with ${tag}`,
                description: `enforce the tagging of resources with the ${tag} tag`,
                location: context.region,
                identity: {
                    type: 'SystemAssigned'
                },
                policyDefinitionId: pulumi.interpolate`/subscriptions/${context.subscriptionId}${policy.then(p => p.id)}`,
                scope: pulumi.interpolate`/subscriptions/${context.subscriptionId}/resourceGroups/${resourceGroup.name}`, 
                parameters: `{"tagName" : {"value": "${tag}"} }`
            });
        }

The policy assignment is created however, it is not linked to the policy definition correctly? If i run the equivalent command through the az cli the policy gets created and is associated with the definition ok?

az policy assignment create --name tag-platform --scope /subscriptions/xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx/resourceGroups/xxxxx --policy "ea3f2387-9b95-492a-a190-fcdc54f7b070" --params "{'tagName':{'value': 'tag'}}" --location northeurope --assign-identity

It has to be to do with how the policyDefinitionId is setup within the Pulumi createAssignment script, but it parses the Up process correctly? Many thanks.

nice-guitar-97142

05/05/2020, 5:58 PM

Any idea why replacing of an aks cluster is failing with unknown provider error? it almost seems as if it’s attempting to recreate all of the k8s resources using the old provider urn.

better-rainbow-14549

05/06/2020, 10:18 AM

has anybody had any issues with eventhubs / servicebus? I got the deprecation warning about azure.eventhub.EventHubNamespace being replace with azure.eventhub.Namespace so I changed that... now I'm getting

warning: Namespace is deprecated: azure.eventhub.Namespace has been deprecated in favour of azure.servicebus.Namespace

which seems odd but ok... but an actual error I'm now getting is that calls to eventhub.getNamespace are failing with a 404 because it's trying to find a servicebus

better-rainbow-14549

05/06/2020, 11:02 AM

https://github.com/pulumi/pulumi-azure/issues/550