Trying to set up a tiller ServiceAccount and ClusterRoleBinding as part of setting up AKS, but it's not showing those as resources to be created when I do

pulumi up

How do I make it do it?

export const tillerSA = new ServiceAccount('tiller',
    {
        kind: 'ServiceAccount',
    });

// @ts-ignore
export const tillerCRB = new ClusterRoleBinding("tiller-cluster-admin",
    {
        roleRef: {
            apiGroup: "<http://rbac.authorization.k8s.io|rbac.authorization.k8s.io>",
            kind: "ClusterRole",
            name: 'cluster-admin'
        },
        subjects: [{
            kind: "ServiceAccount",
            name: 'tiller',
            namespace: "kube-system"
        }]
    })

How do I use Pulumi to set the AKS credentials with Kubectl after creating the AKS cluster so I can create the service account, etc?

slightly going crazy, trying to setup AKS with RBAC and AzureAD, but the resulting kubeconfig, asks me to do device login in browser, and then says I don't have permissons to anything (e.g.

kubectl get pod

must be doing something wrong :S

as soon as I disable

azureActiveDirectory

property under

roleBasedAccessControl

, but keeping rbac enabled things begin to behave as expected ... scratching my head 🤔

gahh ... think I finally figured it out ... need to use the the kubeAdminConfigRaw .. doh 🤦‍♂️

Trying to install a helm chart as part of my build:

let camelK = new Chart("camel-k", {
    repo: "camel-k",
    chart: "camel-k",
    values: {
        'platform.build.registry.address' : acr.loginServer,
        'platform.build.registry.insecure' : !acr.adminEnabled
    }
})

and I'm getting this error:

error: Error: Command failed: helm template /var/folders/_b/fnf5x33x71q84n1v5dtl90mw0000gn/T/tmp-45081RVV0QSVzTy32/camel-k --name-template camel-k --values /var/folders/_b/fnf5x33x71q84n1v5dtl90mw0000gn/T/tmp-45081RVV0QSVzTy32/camel-k/values.yaml --values /var/folders/_b/fnf5x33x71q84n1v5dtl90mw0000gn/T/tmp-45081cjOipuG2FUdg.yaml
    Error: apiVersion 'v2' is not valid. The value must be "v1"
 
    Error: apiVersion 'v2' is not valid. The value must be "v1"

Hi all, Is there some way to get Azure id to get existing resource? I feel that this could be part of Pulumi resource. Now I need to build manually:

azure.network.PublicIp.get(
    `${stackName}-public-ip`,
    `/subscriptions/${azureSubscriptionId}/resourceGroups/${aksResourceGroup.name}/providers/Microsoft.Network/publicIPAddresses/${azurePublicIPName}`
  );

Hi everyone, I’m trying to provision a CosmosDB database on the free tier via Pulumi. I can’t find anything in the Pulumi documentation about this, but the Microsoft ARM docs indicate there’s a property that needs to be set,

"enableFreeTier": true

. I can’t find an equivalent property in the Pulumi Typescript SDK. Any ideas?

I'm trying to get a containerized AppService for Linux to pull images from Azure Container Registry. Anyone know what's the right value for the

linuxFxVersion

that needs to be set? I've attempted the following, but each time the container settings get misconfigured. 1.

DOCKER|<http://registryname.azurecr.io/image:tag|registryname.azurecr.io/image:tag>

causes the app service to pull from docker hub rather than ACR. 2.

ACR|<http://registryname.azurecr.io/image:tag|registryname.azurecr.io/image:tag>

causes the app services to treat the app like a non-containerized (zip-deploy) app. https://www.pulumi.com/docs/reference/pkg/azure/appservice/appservice/

Is Azure Static Web Apps (Preview) also available inside Pulumi Azure Package ?

This message was deleted.

Hi there, if i import an existing resource in azure ( for example resource group) with the importId parameter inside the CustomResourceOptions, why does pulumi rename my resource ?

var resourceGroup = new ResourceGroup("resourceBla", new ResourceGroupArgs,
new CustomResourceOptions
{
 ImportId = "/subscriptions/4711/resourceGroups/resourceBla"
}); 

azure:core:ResourceGroup  resourceBla                  import     [diff: ~name]; 1 warning

Can I use multiple `ActiveDirectoryAdministrator`s for Azure SQL? The Azure CLI has at least a list functionality to retrieve multiple admins

az sql server ad-admin list --id

Hello, sorry for maybe a stupid question, but couldn't find exactly what I'm looking for in the docs. What's the best way to reference a resource that is not managed/created by Pulumi? I just want to get the secret from other Azure Function that lives in the same Azure Subscription. Using Terraform I could reference the resource using the

data

keyword, but in Pulumi i'm not sure what's the best approach. I'm using the Typescript library. Thanks!

Hi, how can i create a client secret from a service principal?

Not really a pulumi question, but more about the terraform provider/bridge.... I have a containerized app service that pulls from an ACR. When newer images become available, ACR's webhook notifies the app service's

serviceUri

. Anyone know how to fetch this

serviceUri

programmatically (yellow portion in diagram below) in a pulumi or terraform script? It's generally of the form:

https://$<container-registry-name>:XXXXXXXXXXXXX@<app-service-name>.<http://scm.azurewebsites.net/docker/hook|scm.azurewebsites.net/docker/hook>

Just curious if a pulumi stack should have 1:1 or 1:many relationship with an azure subscription? I have two separate azure subscriptions; one for testing and the other for production. FWIW: Maintaining two separate stacks seems a bit cumbersome since I must remember to: 1. Switch the stack while targeting production AND 2. Switch the subscription ID (via AZ CLI or environment variable or pulumi config). Thoughts?

Hey all! Apologies if this has already come up. Trying to get custom domain names on web apps set up and working with https and certificates and similarly want this on my azure app gateway. Has anyone got this working with Pulumi? I tried converting my web app to use a certificate from key vault but it seems like I may need to use key vault "secrets" with a passwordless pfx? Then can set the key vault secret Id through Pulumi

Folks, there's an innocuous thing that's annoying me. It seems that the Azure provider, when generating names by suffixing them with some random characters, doesn't use a hyphen separator between my name and that suffix. I vaguely remember that the AWS provider was not doing this. Is there something special about Azure (maybe limits?) so that the hyphen isn't used in the final generated names? For example, if I have a resource named

aks-cluster

it will generate something like

aks-clustere624bc72

, instead of

aks-cluster-e624bc72

.

Hi all! I'm trying to use pulumi in my release pipeline and use blobs to maintain state. My release pipeline keeps on throwing the "Pulumi CLI login command failed" error. I have configured the env variables as well. Any ideas as to how I could get this sorted out? Thanks in advance.

azure:authorization:Assignment (Documents_Storage_BlobContributor):
2020-06-02T03:34:10.4452081Z     error: authorization.RoleAssignmentsClient#Create: Failure responding to request: StatusCode=403 -- Original Error: autorest/azure: Service returned an error. Status=403 Code="AuthorizationFailed" Message="The client '21b1f2bf-4c53-4095-9ce2-4af53127ba02' with object id '21b1f2bf-4c53-4095-9ce2-4af53127ba02' does not have authorization to perform action 'Microsoft.Authorization/roleAssignments/write' over scope '/subscriptions/xxx/resourceGroups/matchnet-cloud-CI-rg/providers/Microsoft.Storage/storageAccounts/mndocs7bfc08c1/providers/Microsoft.Authorization/roleAssignments/412ec827-5f3e-8e4e-01d5-f62906xxx64c33b' or the scope is invalid. If access was recently granted, please refresh your credentials."
2020-06-02T03:34:10.4454670Z

Any ideas as to how I can get it fixed? Looks like the logged in user doesn't have permissions.

Hi, we keep receiving

Error checking if CosmosDB Account "ugplv-qamsdn-logs-db" already exists (Resource Group "r669-inspire-cloud"): documentdb.DatabaseAccountsClient#CheckNameExists: Failure responding to request: StatusCode=500 -- Original Error: autorest/azure: error response cannot be parsed: "" error: EOF

not sure if that's pulumi/terraform/azure problem.? But most likely seems like azure: https://docs.microsoft.com/en-us/rest/api/cosmos-db-resource-provider/databaseaccounts/checknameexists#code-try-0 ?

Hi! Is it possibe to import an Azure Key Vault Key from another Azure Key Vault?

https://www.pulumi.com/docs/reference/pkg/azure/appservice/functionappslot/ Is the FunctionAppSlot implemented? I just can't find it in the

azure.appservice

package. Using TypeScript with

"@pulumi/azure": "^3.7.0"

and

"@pulumi/pulumi": "^2.3.0"

. Thanks.

Hi! How can I access my output from the azure pulumi task in another task in the same release pipeline?

Having problems to provision new CosmosDB Instances, seems like the problem is happening on the azure go sdk/azure api. Terraform AzureRM created a PR with a workaround on this problem: https://github.com/terraform-providers/terraform-provider-azurerm/pull/7189 Any idea when it'll be reflected on Pulumi after it's merged? (Not demanding or something like that, just curious about how is the process when there are changes in the Terraform Providers. 🙂)

This is not strictly related to Pulumi (I think), but maybe someone can point me in the right direction. I'm trying to create a service principal (as part of a CI/CD pipeline) and this is run using a non-owner service principal (it has the Contributor and User Access Administrator roles assigned), but I'm getting a permission error. Any ideas?

azureadindexApplication (aks-app):

error: graphrbac.ApplicationsClient#Create: Failure responding to request: StatusCode=403 -- Original Error: autorest/azure: Service returned an error. Status=403 Code="Unknown" Message="Unknown service error" Details=[{"odata.error":{"code":"Authorization_RequestDenied","date":"2020-06-03T114137","message":{"lang":"en","value":"Insufficient privileges to complete the operation."},"requestId":"97f0f1cd-7a27-4838-b226-534ce6003e08"}}]

Hi, does pulumi have an equivalent for

az ad sp create-for-rbac --role="Contributor" --scopes="/subscriptions/SUBSCRIPTION_ID"

or what kind resources i have to create with pulumi to have a service principal, which is able to sign in to the subscription and has contributor rights to deploy new resources inside a cicd pipeline?