pulumi-community #azure

Channels

azure

better-rainbow-14549

06/04/2020, 9:21 AM

think there's been a regression in 3.7.0:

warning: getEventhubNamespace is deprecated: azure.eventhub.getEventhubNamespace has been deprecated in favor of azure.eventhub.getNamespace
    warning: EventHubConsumerGroup is deprecated: azure.eventhub.EventHubConsumerGroup has been deprecated in favor of azure.eventhub.ConsumerGroup

those warnings are incorrect - those are both servicebus resources not eventhub (or at least they were last time this warning happened)

rhythmic-finland-36256

06/04/2020, 12:05 PM

Upgrading an IoTHub from

Basic

Standard

SKU fails with strange error message. Deleting and recreating with the same code worked though.

plain-tiger-79744

06/04/2020, 3:52 PM

Is it possible to delay the creation of Azure Key Vault Access Policies or to delay the creation of AppService Appsettings? Else I have a cyclic dependency. ("->" = depends on) AppService.AppSettings -> AKV Key AKV Key -> AKV AKV.AccessPolicies -> AppService.Identity

rough-tomato-98795

06/05/2020, 7:31 AM

Hi yesterday was kinda bad from azure. There was a lot of 500 status codes, which resulted into state that pulumi thought that resource was not created but azure in fact created it. After that every pulumi up failed because of that. What is correct way to handle these kind of situations.?

☝️🏻 1

able-beard-29160

06/05/2020, 12:13 PM

Folks, is there already a convenience layer in Pulumi for Azure that could save me from working with UUIDs when assigning API permissions? For example, something like this:

export const app = new azuread.Application('app', {
  requiredResourceAccesses: [
    Apps.WindowsAzureActiveDirectory.withRoles(roles => [
      roles.Application.ReadWrite.All,
      roles.Application.ReadWrite.OwnedBy,
    ]),
  ],
});

Instead of this:

export const app = new azuread.Application('app', {
  requiredResourceAccesses: [
    {
      resourceAppId: '00000002-0000-0000-c000-000000000000',
      resourceAccesses: [
        {
          id: "1cda74f2-2616-4834-b122-5cb1b07f8a59",
          type: "Role",
        },
        {
          id: "824c81eb-e3f8-4ee6-8f6d-de7f50d565b7",
          type: "Role",
        },
      ],
    },
  ],
});

acoustic-rose-89683

06/05/2020, 12:30 PM

Hi folks! Curious about using pulumi for solving integration testing problem, but not sure there is such ability. So, imagine the following setup: 1. A number of azure functions 2. Cosmos DB graph 3. Azure Search instance. Functions talk to both comsos db and azure search. I'd like to write kinda integration tests that will: 1. Spin-up needed function app(possibly in docker container) 2. Spin up a fresh cosmos db account + database + graph 3. Call the function and assert that smth was written to cosmos graph. Probably the framework will be xUnit 4. Teardown the resources. Is it possible anyhow to use pulumi in this case. The main problem for me here is that 1. The pulumi model is based on stacks thus it's not possible(at least I think so) to have per-test resources setup 2. Need to access pulumi cli somehow from the code. Thanks in advance :)

chilly-crayon-19101

06/07/2020, 9:04 PM

Hi there, been having a noddle around with Pulumi and liking the premise. I have some azure functions that I am deploying and so far so good. The only problem I am having is exporting the host keys for some downstream CI processes. I have a bunch of smoke tests I would like to run on deployment and to set up the config I need the key. However I have noticed that the function key is not automatically marked as a secret. I am struggling to see a way to mark it as such so it does not get blasted to the logs in my CI for everyone to see. For other settings we can use the additionalSecretOutputs properties. This is what I have so far:

import * as azure from "@pulumi/azure";
import * as configuration from "./IConfiguration";

let config = new pulumi.Config().requireObject<configuration.IConfiguration>("configuration");

const resourceGroup = new azure.core.ResourceGroup("resourceGroup", {
    name: config.resourceGroupName
});

const apiStorageAccount = new azure.storage.Account("cvStorageAccount", {
    name: `${config.appName}storage`,
    resourceGroupName: resourceGroup.name,
    accountReplicationType: "LRS",
    accountTier: "Standard",
    accountKind: "StorageV2"
}, {additionalSecretOutputs: ["primaryConnectionString"]});

const app = new azure.appservice.ArchiveFunctionApp("functionApp", {
    resourceGroup,
    name: `${config.appName}back`,
    archive: new pulumi.asset.FileArchive("../src/CurriculumVitaeApi/bin/Release/netcoreapp3.1/publish"),
    appSettings: {
        "runtime": "dotnet",
        "CvApiDataConnectionString": apiStorageAccount.primaryConnectionString,
        "GetBlobPath": "curriculumvitae/{id}.json",
        "ContainerName": "curriculumvitae"
    }
});

export let baseurl =  app.functionApp.defaultHostname.apply(x => `https://${x}`);
export let functionsHostKey = app.functionApp.getHostKeys().masterKey; //make me a secret please!
export let storageConnectionString = apiStorageAccount.primaryConnectionString;

mysterious-australia-14256

06/09/2020, 11:25 AM

Is it possible to assign a System Assigned Managed Identity to a Logic App using Pulumi.Azure.LogicApps.Workflow? If not is there another way to do it or would I need to fall back to a template deployment?

mysterious-australia-14256

06/09/2020, 1:23 PM

Hi All, how can I get the principalID of a System Assigned Managed Identity associated with an Azure Logic App?

numerous-artist-1705

06/10/2020, 5:34 PM

Hi folks, has anyone tried deploying Azure API management policies using Pulumi? There is no chance of pushing the code at the moment if you have some C# quotes in an attribute. I believe it's a Terraform bug, but I can't find a workaround. I tried pushing the whole policy to a file in blob storage and use XmlLink instead of XmlContent, but yet it doesn't work.

famous-jelly-72366

06/11/2020, 7:58 AM

anyone know how exactly to map

az ad sp create-for-rbac

to pulumi? Thinking it must be something with making an Application, ServicePrincipal and ServicePrincipalPassword

famous-jelly-72366

06/11/2020, 2:58 PM

gahh getting weird error when destroying service principal passwds:

ServicePrincipalPassword::k8s-dev-SpPassword-Client: Error parsing Application Password ID: Credential ID should be in 
the format {objectId}/{keyType}/{keyId} - but got "xxxx"

plain-tiger-79744

06/12/2020, 9:38 AM

How can I assign a role to a group? We have

Pulumi.Azure.Authorization.Assignment

, but when I try to user a group for

PrincipalId

I get the error message: Status=400 Code="UnmatchedPrincipalType" Message="The PrincipalId 'xyz' has type 'Group' , which is different from specified PrinciaplType 'ServicePrincipal'." I can not set a PrincipalType, there is no such property available.

limited-carpenter-34991

06/12/2020, 10:41 AM

Hi there, i need to know how i can connect a function app with an api management service.

var apiManagementService = new Pulumi.Azure.ApiManagement.Service($"{namePlaceHolder}", new Pulumi.Azure.ApiManagement.ServiceArgs
        {
            ResourceGroupName = resourceGroup,
            PublisherName = "my company",
            PublisherEmail = "<mailto:developer@mycompany.com|developer@mycompany.com>",
            SkuName = "Developer_1",
        });

I have also then a

var app = new FunctioApp ...

wet-noon-14291

06/13/2020, 7:55 PM

If I want to output the admin user name and password for azure container registry so I can reference it from another stack, how do I turn the admin password to a secret? I've tried:

let options = CustomResourceOptions()
        options.AdditionalSecretOutputs <- ["AdminPassword"] |> ResizeArray

        Registry(name, 
            RegistryArgs(
                Sku = input "basic",
                ResourceGroupName = io resourceGroup.Name,
                AdminEnabled = input true
            ), options = options)

but that doesn't seem to do the trick.

wet-noon-14291

06/13/2020, 8:29 PM

If I have built an image locally, not using pulumi, how do I push that to azure container registry? I guess I should use

Image

, but how do I do it with an existing image?

limited-carpenter-34991

06/15/2020, 12:52 PM

Can someone help me with https://www.pulumi.com/docs/reference/pkg/dotnet/Pulumi.Azure/Pulumi.Azure.ApiManagement.Backend.html

apimanagement.BackendClient#CreateOrUpdate: Failure responding to request: StatusCode=400 -- Original Error: autorest/azure: Service returned an error. Status=400 Code="ValidationError" Message="One or more fields contain incorrect values:" Details=[{"code":"ValidationError","message":"Value should represent absolute http URL","target":"resourceId"}]

I create the backend with

var backend = new Backend($"{namePlaceHolder}", new BackendArgs
        {
            ApiManagementName = apiManagementService.Name,
            ResourceGroupName = resourceGroup,
            Protocol = "http",
            ResourceId = functionApp.Id,
            
            Description = "functionApp Backend",
            Title = "functionAppBackend",
            Url = "<https://backendname2644/>"
        });

curved-alarm-76356

06/15/2020, 5:09 PM

Hello, I am integrating our Pulumi python code in the Azure DevOps pipeline. In order to do it I am using the Pulumi task that is available for free on the MarketPlace. However I have struggled to make it work properly. The biggest problem that we have so far is the impossibility of installing the required Pulumi plugins. We are trying by using the Azure Cloud hosting agent for the moment, but we feel that (since the task is downloading Pulumi), the task should also install the required plugins (and maybe it could also do a pip install -r requirement.txt 😛 ). Am I missing something or it is indeed a missing functionality?

rhythmic-finland-36256

06/15/2020, 7:03 PM

Updating an existing AKS cluster causes issues due to unset outbound IP (loadBalancerProfile) which worked before and might have been caused by a hidden update of the providers used.

wet-noon-14291

06/16/2020, 7:59 PM

Let's say I create a servicebus namespace, queue, topics and subscriptions through pulumi. What is the best way to access the service bus from an application you write. Ideally I wouldn't like to hard code the name in this place since the name might be changed when deploying to a new stack. Do I in the application read the actual names from the pulumi output? Or is this one of the scenarios where you override the name of the resource to not include the suffix?

better-rainbow-14549

06/17/2020, 11:29 AM

I'm quite often writing utility functions which need to be able to take e.g. an azure.network.Subnet, or an azure.network.GetSubnetResult - so that the library can handle use cases of whether a resource is created within that stack or just queried and created elsewhere. I've solved this by defining a whole new type for each resource using a common generic function:

export type CommonProperties<A, B> = { [K in keyof A & keyof B]: A[K] extends B[K] ? K : never };

export type AzureSubnetResult = CommonProperties<azure.network.GetSubnetResult, azure.network.Subnet>;

but it does mean I have to specify it either long-form as a type in the function, or create a new type from it for each resource. Is this something that could be added to the generated TF code somehow? Any reasons why it's bad practice or not?

curved-alarm-76356

06/17/2020, 1:54 PM

Hello again, I am having problems in using Pulumi (Python) with an SP in conjunction with a KeyVault as a secret provider and a Blob Storage Account. Everything works fine when using my personal azure account. However when I move to the SP I have the following problems: 1. The

pulumi preview

command hangs (more than 20min). I have tried to add the

--debug

option but there is no output. 2. While I run the same command on the Azure Pipeline Task of Pulumi (using the same SP) I get a weird error:`error: getting secrets manager: secrets (code=InvalidArgument): azure.BearerAuthorizer#WithAuthorization: Failed to refresh the Token for request to ********/decrypt?api-version=7.0: StatusCode=400 -- Original Error: adal: Refresh request failed. Status Code = '400'. Response body: {"error":"invalid_request","error_description":"Identity not found"}.` I have triple checked and the SP has the correct rights on the KeyVault. 3. In the pipeline (using the Azure Pipeline Task of Pulumi) the

stack select

command fails almost 50% of the time to find my stack. What am I doing wrong?

wet-noon-14291

06/17/2020, 2:34 PM

I'm trying to deploy some Azure ServiceBus things from our CI server but I struggle with "Error building AzureRM Client". I have opened an issue, https://github.com/pulumi/pulumi/issues/4840, describing it more in detail.

rhythmic-vegetable-87369

06/18/2020, 8:15 AM

I'm trying to import my function to an api using the backend class in pulumi. Although the backend gets created, I don't see the linking take place in the frontend in the portal.

rhythmic-vegetable-87369

06/18/2020, 8:16 AM

any help here would be greatly appreciated

rhythmic-vegetable-87369

06/18/2020, 8:17 AM

var matchnetConfirmationsApiNamedValue = new NamedValue("matchnetconfirmationsapi-key", new NamedValueArgs
            {
                ResourceGroupName = resourceGroup.Name,
                ApiManagementName = confirmationApiService.Name,
                DisplayName = "matchnetconfirmationsapi-key",
                Value = "Qxxxx8g==",
                Secret = true,
                Name = "matchnetconfirmationsapi-key"
            });

            var backendApi = new Backend("ApiBackend", new BackendArgs
            {
                ResourceGroupName = resourceGroup.Name,
                ApiManagementName = confirmationApiService.Name,
                ResourceId = "<https://management.azure.com/subscriptions/xxx/resourceGroups/matchnet-assessments-rg/providers/Microsoft.Web/sites/MatchnetConfirmationsApi>",
                Protocol = "http",
                Url = "<https://matchnetconfirmationsapi.azurewebsites.net/api>",
                Credentials = new BackendCredentialsArgs
                {

                    Header = { { "x-functions-key", matchnetConfirmationsApiNamedValue.Name } }
                }
            },
              new CustomResourceOptions()
              {
                  DependsOn = { matchnetConfirmationsApiNamedValue }
              }

         );

future-kite-91191

06/18/2020, 2:28 PM

I'm trying to do an ARM template deployment via Pulumi, using TS

TemplateDeployment

resource. I'm getting this error:

Error validating Template for Deployment "adyen-sa" (Resource Group "uel-dev-rg"): Deployment template validation failed: 'Template parameter JToken type is not valid. Expected 'Integer'. Actual 'String'. Please see <https://aka.ms/resource-manager-parameter-files> for usage details.'.

This is caused by the ARM template input parameters that some of them expect an integer as input. Problem is that

TemplateDeploymentArgs

has field

readonly parameters?: pulumi.Input<{
        [key: string]: pulumi.Input<string>;
    }>;

..that ony accepts string parameter values? Is there a way to use integer ARM template parameters with ``TemplateDeployment` ? Here's a sample of the ARM json template:

{
    "$schema": "<http://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#>",
    "contentVersion": "1.0.0.0",
    "parameters": {
        "OutputErrorPolicy": {
            "type": "string",
            "allowedValues": [
                "Drop",
                "Stop"
            ]
        },
        "EventsLateArrivalMaxDelayInSeconds": {
            "type": "int"
        },
        "EventsOutOfOrderMaxDelayInSeconds": {
            "type": "int"
        },

So here

EventsOutOfOrderMaxDelayInSeconds

parameter is of type

int

but in the Pulumi code I cannot use

const asa = new azure.core.TemplateDeployment("blabla", {

    name: "blabla",
    deploymentMode: "Incremental",
    resourceGroupName: resourceGroup.name,
    templateBody: fs.readFileSync("template.json").toString(),
    parameters: {
        "OutputErrorPolicy": "Stop",
        "EventsOutOfOrderMaxDelayInSeconds": 0,
        "EventsOutOfOrderPolicy": "Adjust",
        "StreamingUnits": "6",

This does not compile at the line

EventsOutOfOrderMaxDelayInSeconds": 0,

should be provided as a string

enough-kite-69616

06/19/2020, 3:37 PM

Is there an example of building a postgres server on Azure then referencing it elsewhere? I'm trying to create a RandomPassword then stick that in a secret and also use the password to build a database url of the form

<postgres://username>:password@hostname:port/dbname

enough-kite-69616

06/19/2020, 3:38 PM

I'm getting this: "postgres://Calling [toString] on an [Output<T>] is not supported.\n\nTo get the value of an Output<T> as an Output<string> consider either:\n1: o.apply(v =>

prefix${v}suffix

)\n2: pulumi.interpolate `prefix${v}suffix`\n\nSee https://pulumi.io/help/outputs for more details."

numerous-artist-1705

06/21/2020, 8:21 AM

Hi everyone. What version of Terraform is Pulumi using under the hood? Can I find out from the CLI? (There is a closed bug in Terraform that is still present in Pulumi)

Title

numerous-artist-1705

06/21/2020, 8:21 AM

Hi everyone. What version of Terraform is Pulumi using under the hood? Can I find out from the CLI? (There is a closed bug in Terraform that is still present in Pulumi)

billowy-army-68599

06/21/2020, 2:23 PM

it depends on the provider. we don't use the terraform engine at all in our CLI, we only use the providers (eg

pulumi-aws

). You can see this in the provider's changelog which terraform bug are you referring to?

numerous-artist-1705

06/21/2020, 3:34 PM

pardon, I meant the Azure provider, I'm still hitting this bug: https://github.com/terraform-providers/terraform-provider-azurerm/issues/3918

I opened a new issue on Terraform GitHub, but apparently they claim they fixed it, but I still get the XML content issue in Pulumi on apply.

billowy-army-68599

06/21/2020, 7:35 PM

can you open an issue in our pulumi repo for this?

numerous-artist-1705

06/21/2020, 8:08 PM

sure

https://github.com/pulumi/pulumi-azure/issues/611

View count: 3