azure
  • w

    worried-knife-31967

    03/09/2021, 2:38 PM
    https://www.pulumi.com/docs/reference/pkg/azure-native/apimanagement/backend/ That example doesn't compile @tall-librarian-49374
  • p

    powerful-football-81694

    03/09/2021, 3:40 PM
    Having migrated a whole infrastructure to the new native provider, on the first `pulumi up` it sees fit to delete and recreate every resource (even though for most, the only change is to the new provider). What are my options for avoiding that? Can I somehow import these resources into the same stack where they already live?
  • b

    breezy-apartment-46543

    03/09/2021, 6:53 PM
    I am using the azure sdk inside an azure function to upload a blob to a container and when trying to run pulumi up I receive the following message. Does anyone know how to solve this problem?
  • m

    miniature-leather-70472

    03/10/2021, 9:32 AM
    Is there a way to specify the version of the Terraform Azure module the older Azure provider uses? Terraform have deprecated a feature in the newer version that should not have been deprecated
  • f

    full-winter-70537

    03/10/2021, 9:38 AM
    @tall-librarian-49374 (since you seem to be the Network expert 😄 ), I am back to square one with creating this Azure Front Door. What I previously thought was working turned out not to during testing. The relationship between the Front Door and the Rules Engine is circular. I was able to create both resources but not add the association between them. I have tried numerous combinations of creating the objects, applying `DependsOn` and using ARM IDs, but nothing appears to work. (example output below) Have you ever successfully created a Front Door and Rules engine or have advice on how to achieve this? It would be easy if I could create one, then update the other, but ComponentResources appear to be immutable once created.
    Diagnostics:
      azure-native:network:RulesEngine (mnurulesdev):
        error: Code="ResourceNotFound" Message="The Resource 'Microsoft.Network/frontdoors/mnuorderdoordev' under resource group 'mnuedgedev' was not found. For more details please go to <https://aka.ms/ARMResourceNotFoundFix>"
    
      azure-native:network:FrontDoor (mnuorderdoordev):
        error: Code="BadRequest" Message="A resource reference was invalid: \"Routing rule RoutingRules contains an invalid reference to RulesEngine: \"/subscriptions/a2a556e1-0404-4b5d-b60d-a230044f4ff8/resourceGroups/mnuedgedev/providers/Microsoft.Network/frontDoors/mnuorderdoordev/rulesEngines/mnurulesdev\"\""
  • w

    wet-noon-14291

    03/10/2021, 9:15 PM
    If I update kubernetesversion of an aks cluster using the native-azure provider, will the cluster be updated in place or how does that work?
  • f

    full-winter-70537

    03/11/2021, 6:56 AM
    Hi, I am trying to create a service bus and grab the connection string so I can consume it elsewhere. I'm trying to use the `ListTopicKeys.InvokeAsync()` passing in:
    new ListTopicKeysArgs
                            {
                                NamespaceName = args.ServiceBusName,
                                AuthorizationRuleName = "RootManageSharedAccessKey",
                                ResourceGroupName = args.ResourceGroupName,
                                TopicName = "mytopic"
                            })
    But I get the error:
    Status=404 Code="NotFound" Message="The requested resource RootManageSharedAccessKey does not exist.
    It's clearly available on the service bus under Shared Access Policies (see below). I have placed the InvokeAsync() call into a `ComponentResource` and made it DependOn the service bus, so it should exist by the time it is called. Is my understanding of how ListTopicKeys works correct? Any idea how to retrieve the connection string from the service bus?
  • b

    best-hospital-12760

    03/11/2021, 10:22 AM
    Hi, does anyone know if the azure-native provider works with Azure Stack Hub? The terraform azurestack provider is practically abandoned so wanting to see if using this newer azure native was an option but can't see any mention of being able to specify an arm_endpoint. The trouble has been that searching for Azure Stack with Pulumi makes it difficult to find results due to Pulumi's use of "stack" terminology 😄
  • p

    powerful-football-81694

    03/11/2021, 9:48 PM
    I’ve painted myself into a corner with the manual migration of existing resources to the native provider. I followed the instructions here https://www.pulumi.com/docs/intro/cloud-providers/azure/from-classic/ I only imported 3 resources: the resource group, an AppInsights account and a Cosmos DB account. The rest of my stack I’m happy for Pulumi to recreate. The imported resources were marked as protected (which is OK I guess). But when I do `pulumi up` it fails:
    error: Preview failed: refusing to delete protected resource 'urn:pulumi:dev::SvcStacks::azure-native:resources:ResourceGroup::orgflow-stacks-dev-rg'
    I can’t do `pulumi destroy` either:
  • t

    tall-needle-56640

    03/12/2021, 6:52 AM
    Who likes stats? Here are stats for the (unversioned) namespaces in AzureNative:
    Number of namespaces: 448
    Number of classes: 14686
    Largest namespaces (most classes):
        Pulumi.AzureNative.Network: 671
        Pulumi.AzureNative.DataFactory.Outputs: 530
        Pulumi.AzureNative.DataFactory.Inputs: 514
        Pulumi.AzureNative.Web: 389
        Pulumi.AzureNative.Network.Outputs: 303
        Pulumi.AzureNative.ApiManagement: 274
        Pulumi.AzureNative.Network.Inputs: 261
        Pulumi.AzureNative.Sql: 255
        Pulumi.AzureNative.DataMigration.Outputs: 179
        Pulumi.AzureNative.Insights: 179
        Pulumi.AzureNative.RecoveryServices.Outputs: 177
        Pulumi.AzureNative.Compute: 173
        Pulumi.AzureNative.DocumentDB: 170
        Pulumi.AzureNative.Compute.Outputs: 152
        Pulumi.AzureNative.ContainerRegistry: 147
        Pulumi.AzureNative.Logic: 140
        Pulumi.AzureNative.DataFactory: 135
        Pulumi.AzureNative.Media: 135
        Pulumi.AzureNative.Cdn: 128
        Pulumi.AzureNative.RecoveryServices.Inputs: 128
    Most used class names:
        SystemDataResponse: 46
        SkuResponse: 44
        SkuArgs: 43
        PrivateEndpointConnectionArgs: 39
        GetPrivateEndpointConnection: 31
        GetPrivateEndpointConnectionArgs: 31
        GetPrivateEndpointConnectionResult: 31
        PrivateEndpointConnection: 31
        PrivateEndpointResponse: 26
        PrivateLinkServiceConnectionStateResponse: 23
        ResourceIdentityType: 23
        PrivateLinkServiceConnectionStateArgs: 22
        PrivateEndpointConnectionResponse: 21
        SkuName: 20
        IdentityArgs: 14
        IdentityResponse: 14
        PrivateEndpointServiceConnectionStatus: 13
        Account: 13
        AccountArgs: 13
        GetAccount: 13
    Number of class collisions if the 'Inputs' namespace were removed: 40
      (example: 'Pulumi.AzureNative.CognitiveServices.PrivateEndpointConnectionArgs' and 'Pulumi.AzureNative.CognitiveServices.Inputs.PrivateEndpointConnectionArgs')
    I started exploring this because a) I dislike having two namespaces for every resource I create (and remembering which classes are in where) and b) when creating multiple resources in a single stack, I often have to more fully qualify namespaces to deal with ambiguous class names.
    👍 2
  • w

    worried-knife-31967

    03/12/2021, 9:22 AM
    This will all be on the exam right?
  • b

    broad-dog-22463

    03/12/2021, 9:32 AM
    100%!
  • s

    some-elephant-30417

    03/13/2021, 11:21 AM
    Hi! I am trying to deploy AKS and use the kubeconfig output to provision the cluster with `pulumi-kubernetes`. However I get the value: `{}`, from the `kube_config_raw` and `kube_config_admin_raw` outputs. Any idea what I am doing wrong? Thank you!
    from pulumi_azure.containerservice import Registry, KubernetesCluster
    
    ...
    
            cluster = KubernetesCluster(
                f'aks-{args.resource_suffix}',
                name=f'aks-{args.resource_suffix}',
                location=args.resource_group.location,
                resource_group_name=args.resource_group.name,
                kubernetes_version='1.19.6',
                dns_prefix='dns',
                role_based_access_control={'enabled': 'true'},
                linux_profile=(
                    {
                        'adminUsername': args.cluster_profile_admin_username,
                        'ssh_key': {
                            'keyData': args.cluster_profile_admin_ssh_key
                        }
                    }
                ),
                service_principal=(
                    {
                        'clientId': args.application.application_id,
                        'clientSecret': args.service_principal_password,
                    }
                ),
                default_node_pool=(
                    {
                        'name': 'default',
                        'node_count': 2,
                        'vm_size': 'Standard_D2s_v3',
                        'max_pods': 30,
                        'vnet_subnet_id': subnet.id,
                    }
                ),
                network_profile=(
                    {
                        'networkPlugin': 'azure',
                        'serviceCidr': '10.10.0.0/16',
                        'dns_service_ip': '10.10.0.10',
                        'dockerBridgeCidr': '172.17.0.1/16'
                    }
                ),
                tags=args.tags,
                opts=ResourceOptions.merge(
                    child_opts,
                    ResourceOptions(depends_on=[container_registry_assignment, subnet_assignment])
                ),
            )
    
            self.cluster_name = cluster.name
            self.cluster_network_profile = cluster.network_profile
            self.kubeconfig = cluster.kube_admin_config_raw
            self.register_outputs({})
  • p

    powerful-football-81694

    03/13/2021, 11:42 AM
    Hi folks, I used to do this with the classic Azure provider to give the provisioned app access to a central KeyVault:
    // Get a reference to our centralized key vault service which lives
    // in another resource group. The key vault service itself is not created or maintained
    // by this program.
    var keyVault =
    	await GetKeyVault.InvokeAsync(
    		new GetKeyVaultArgs()
    		{
    			ResourceGroupName = centralResourceGroupName,
    			Name = keyVaultName
    		}).ConfigureAwait(false);
    
    // Create an access policy in the key vault to allow the function app to read
    // keys, secrets and certificates.
    var keyVaultAccessPolicy = new AccessPolicy(
    	$"orgflow-licensing-{stackName}-keyVaultPolicy",
    	new AccessPolicyArgs()
    	{
    		TenantId = app.Identity.Apply(x => x.TenantId!),
    		ObjectId = app.Identity.Apply(x => x.PrincipalId!),
    		KeyPermissions = { "get", "sign" },
    		SecretPermissions = { "get" },
    		KeyVaultId = keyVault.Id
    	});
    I can’t figure out how to create key vault access policies with the native provider (like, I can’t even find any resource type for it in the KeyVault namespace) - can someone give me a pointer?
  • b

    better-shampoo-48884

    03/13/2021, 2:52 PM
    I seem to be hitting the
    autorest/azure: Service returned an error. Status=<nil> Code="AnotherOperationInProgress" Message="Another operation on this or dependent resource is in progress. ... "
    issue almost every time I recreate a stack - it's resolved simply by running pulumi up again, but isn't this sort of what pulumi could do for us? That message really means "try again later" - shouldn't there be some inbuilt retry with basic backoff to handle that?
  • b

    better-shampoo-48884

    03/13/2021, 2:54 PM
    having a similar issue with recreating a deleted storage account (I delete the whole RG and recreate it to test..).. this was the run I made to pick up on the previous pulumi up which failed due to the subnet saying "another operation in progress":
    Updating (modular):
         Type                                    Name                Status                  Info
         pulumi:pulumi:Stack                     modularity-modular  **failed**              1 error
     +   ├─ azure-native:network:Subnet          sz2-n11024          created
     +   └─ azure-native:storage:StorageAccount  n11024storage01     **creating failed**     1 error
    
    Diagnostics:
      azure-native:storage:StorageAccount (n11024storage01):
        error: autorest/azure: Service returned an error. Status=404 Code="StorageAccountNotFound" Message="The storage account n11024storage01 was not found."
    and then running it again (just a new pulumi up, no changes):
    Updating (modular):
         Type                                    Name                Status
         pulumi:pulumi:Stack                     modularity-modular
     +   ├─ azure-native:storage:StorageAccount  n11024storage01     created
     +   └─ azure-native:storage:BlobContainer   pulumi-state        created
    
    Resources:
        + 2 created
        11 unchanged
  • b

    better-shampoo-48884

    03/13/2021, 2:56 PM
    seems so damned weird that we get an error message when creating a storage account saying that the storage account we are creating does not exist. yet running it again right afterwards, no such complaint.
  • t

    tall-librarian-49374

    03/13/2021, 3:10 PM
    @better-shampoo-48884 there are built-in retry mechanisms and they are developed by Microsoft in the library that we use. So, an error like this is deemed non-retriable at some point. This seems to warrant a github issue, especially if you have a relatively reliable repro.
  • p

    powerful-football-81694

    03/13/2021, 5:08 PM
    Ran into a gotcha with the new provider that took me a while to track down. After creating a SQL Server resource, the `AdministratorLoginPassword` property on the resource object is `null`. In the old provider, it would contain the password passed in with the `ServerArgs` when creating the resource. Easy enough to work around since I’m getting the password from configuration anyway, but still a bit unexpected, so worth raising the question whether this is a bug?
  • b

    better-shampoo-48884

    03/13/2021, 8:56 PM
    I'm probably too tired to think straight at this point - but now I've gotten to the AKS stage, and I decided that I really wanted to add diskEncryption through a diskEncryptionSet. So.. ugh.. it'll be easier to read the code rather than me explaining it:
    const diskKey = new azure.keyvault.Key("aks-des-key",{
            keyName: "aks-des-key",
            properties: {
                kty: "RSA"
            }, 
            resourceGroupName: aksStack.parameters.name,
            vaultName: aksStack.keyVault.parameters.name
        })
        const diskEncryption = new azure.compute.DiskEncryptionSet("aks-des", {
            resourceGroupName: aksStack.parameters.name,
            location: aksStack.parameters.location,
            activeKey: {
                keyUrl: diskKey.keyUriWithVersion
            },
            diskEncryptionSetName: "aks-des",
            encryptionType: "EncryptionAtRestWithCustomerKey",
            identity: {
                type: "SystemAssigned"
            }
        })
    So this is all fine - and in my AKS config I have `diskEncryptionSetID: diskEncryption.id,` which is also fine (I guess). But now, almost obviously, I'm getting:
    Unable to access key vault resource 'https://(mykeyvaulthere).vault.azure.net/keys/aks-des-key/31333607ad2b4cb3adfbcbbdd76a395d' to enable encryption at rest. Please grant get, wrap and unwrap key permissions to disk encryption set 'aks-des'. Please visit <https://aka.ms/keyvaultaccessssecmk> for more information.
    So I decide that I really should set up authorization for diskEncryption to access the diskKey. Note: I created my keyVault with `enableRbacAuthorization: true,`. So here goes:
    const diskEncryptionRoleAssignment = new azure.authorization.RoleAssignment("des-to-kv", {
            scope: aksStack.keyVault.parameters.id,
            roleDefinitionId: "Reader",
            principalId: diskEncryption.identity // <--- should I not be able to access the principalid from diskEncryption somehow?!
        })
    I am absolutely a noob at this - not even sure I'm granting the right thing to the right stuff for any reason really, but I do know that if I want to use RoleAssignment for anything where I use SystemAssigned identity, I need to be able to reference it as expected.. From the Supporting Types of DiskEncryptionSet - EncryptionSetIdentity has the `type` which I defined, but then EncryptionSetIdentityResponse has `principalId` and `tenantId` in addition - which I want.. but the outputs of DiskEncryptionSet say nothing about those fields! How.. do I access them? Never mind if I'm even on the right track..
  • g

    gray-nail-14734

    03/14/2021, 5:37 PM
    Hi there - I've been looking at Pulumi for a while and finally have an opportunity to use it for a meaningful project. However, I'm stuck and am chalking it up to being new and hoping someone can help show me the light. I'm using `Azure-Native` and trying to create an AKS cluster. All is good, until I try to set up my `PodIdentityProfile`. In the AZ CLI, PodIdentity is set up in a separate step, and the Pulumi Azure-Native resource seems to follow the same paradigm. However, I can't seem to figure out how to set up my `UserAssignedIdentity` after my `ManagedCluster` is created. I've tried `GetManagedCluster`, but the profile is an `ImmutableArray`. I've tried creating a new resource (using the same name and resource group) but get a conflict. Is there a recommended way to perform updates on existing resources? I'm looking through the Pulumi docs and don't really see this. I see how to create and destroy, but update isn't called out in many places. BTW, I'm using C# in my scripts. Thank you in advance for any guidance here!
  • b

    better-shampoo-48884

    03/15/2021, 10:27 AM
    Just hit on something scary.. I realized that I had a tag in yaml that was set as an int when it should be a string (was set as `ProjectNumber: 141206` but should have " to force it to string.. you'll see why..). So I noticed that it was set incorrectly - and I decided to just fix it by changing it back and applying the tag change..
    Updating (newthing):
         Type                                    Name                      Status                  Info
         pulumi:pulumi:Stack                     modularity-newthing       **failed**              1 error
     ~   └─ azure-native:network:VirtualNetwork  VnetName                  **updating failed**     [diff: ~tags]; 1 error
    
    Diagnostics:
      pulumi:pulumi:Stack (modularity-newthing):
        error: update failed
    
      azure-native:network:VirtualNetwork (VnetName):
        error: Code="InUseSubnetCannotBeDeleted" Message="Subnet xxxx is in use by /subscriptions/yyyy/resourceGroups/rgName/providers/Microsoft.Network/applicationGateways/appgwName/gatewayIPConfigurations/appGatewayIpConfig and cannot be deleted. In order to delete the subnet, delete all the resources within the subnet. See <http://aka.ms/deletesubnet>." Details=[]
    Edit: seems to be an instance of https://github.com/pulumi/pulumi-azure-native/issues/611, setting `ignoreChanges: ['subnets']` on `opts` of the vnet worked well for me.
  • b

    better-shampoo-48884

    03/16/2021, 1:55 PM
    KeyVaults, especially with the new softDelete protection are becoming the bane of my existence.. If I protect keyvault, I have to pass the URN of 20+ other resources to delete them (note: I still want the "--exclude-protected" flag on `pulumi destroy`), if I do choose to delete the keyvault, I can't recreate the same one because it's softDeleted and therefore "still there" (nevermind that the RG is gone..). So I have to create just the RG, then restore the keyvault into the rg - but now if I try to create the keyvault in pulumi (exact same) I can't because obviously it exists - and I can't refresh because it's not in the state.. so I have to use pulumi import azure-native:keyvault:Vault (vaultname) (vaultname).. and that doesn't even work because resource (vaultname) does not exist.. 😕
  • b

    better-shampoo-48884

    03/16/2021, 2:04 PM
    Created https://github.com/pulumi/pulumi/issues/6539 FYI - didn't see any directly related issues at the moment.
  • w

    wet-noon-14291

    03/16/2021, 2:19 PM
    Hello. In azure-native, is there a way to create subscriptions with pulumi? Like this one with the "old" sdk: https://www.pulumi.com/docs/reference/pkg/azure/core/subscription/
  • r

    red-lighter-44012

    03/16/2021, 5:18 PM
    And this is why you run nightly builds and check for pulumi outdated packages. My nugets 🙂 were out of date. Now only a deprecation warning remains, but this I can handle 😄 original below. --- Out of nowhere I am getting errors when creating role assignments. The first time I get a 404:
    error: authorization.RoleAssignmentsClient#Get: Failure responding to request: StatusCode=404 -- Original Error: autorest/azure: Service returned an error. Status=404 Code="RoleAssignmentNotFound" Message="The role assignment '<GUID>' is not found."
    And if I run it again:
    StatusCode=409 -- Original Error: autorest/azure: Service returned an error. Status=409 Code="RoleAssignmentExists" Message="The role assignment already exists."
    Edit: just to point out, this is code that previously worked correctly, I am deploying a cluster and assigning roles for a registry and for a "Network Contributor". Both role assignment creations fail now, I guess they did not get created in time or something along those lines.
  • w

    worried-knife-31967

    03/16/2021, 6:30 PM
    In C#, you end up with output<string> as the value if it's not determinable I believe.
  • k

    kind-mechanic-53546

    03/16/2021, 9:56 PM
    Any pointers on setting up a spot instance VM with azure-native? Adding the below to a VM
    billingProfile: {
                    maxPrice: 0.03,
                },
                evictionPolicy: "Deallocate",
    gives the error
    error: Code="InvalidParameter" Message="Eviction policy can be set only on Azure Spot Virtual Machines. For more information, see <http://aka.ms/AzureSpot/errormessages>." Target="billingProfile"
    Docs don't really mention much apart from those two elements around spot instances
  • r

    red-lighter-44012

    03/17/2021, 7:01 AM
    I am on the classic Azure Pulumi provider and I cannot find a way to create more than one node pool on the cluster. This is the type I'm using: https://www.pulumi.com/docs/reference/pkg/azure/containerservice/kubernetescluster/ Whereas tutorials like that one seem to be referencing different packages and types: https://www.pulumi.com/docs/tutorials/kubernetes/aks/ Is this all for the nextgen provider? I would gladly switch to it gradually, but there should be some way to create multiple node pools with the Terraform provider, right? My guess is that I create the node pool separately and pass the AKS cluster as an argument.
  • r

    red-lighter-44012

    03/17/2021, 7:08 AM
    Got it: this should be it, was a bit harder to get the google terms right but I'm good to go 🙂 https://www.pulumi.com/docs/reference/pkg/azure/containerservice/kubernetesclusternodepool/ Edit: I know that we should be slowly migrating to the native provider, but I went through some posts and github issues yesterday and there was a mention of role assignments being more difficult now. If I remember correctly, roles cannot simply be specified by the definition name (e.g. "Network Contributor") but have to be looked up and passed by ID. Of course I cannot find the issue now, but are there many 'breaking changes' to past workflows or is it a matter of moving arguments from old to new parameters / properties?