breezy-apartment-46543
03/09/2021, 6:53 PM
miniature-leather-70472
03/10/2021, 9:32 AM
full-winter-70537
03/10/2021, 9:38 AM
`DependsOn` and using ARM IDs, but nothing appears to work. (example output below)
Have you ever successfully created a Front Door and Rules engine or have advice on how to achieve this? It would be easy if I could create one, then update the other, but ComponentResources appear to be immutable once created.
Diagnostics:
azure-native:network:RulesEngine (mnurulesdev):
error: Code="ResourceNotFound" Message="The Resource 'Microsoft.Network/frontdoors/mnuorderdoordev' under resource group 'mnuedgedev' was not found. For more details please go to <https://aka.ms/ARMResourceNotFoundFix>"
azure-native:network:FrontDoor (mnuorderdoordev):
error: Code="BadRequest" Message="A resource reference was invalid: \"Routing rule RoutingRules contains an invalid reference to RulesEngine: \"/subscriptions/a2a556e1-0404-4b5d-b60d-a230044f4ff8/resourceGroups/mnuedgedev/providers/Microsoft.Network/frontDoors/mnuorderdoordev/rulesEngines/mnurulesdev\"\""
wet-noon-14291
03/10/2021, 9:15 PM
full-winter-70537
03/11/2021, 6:56 AM
`ListTopicKeys.InvokeAsync()` passing in:
```
new ListTopicKeysArgs
{
    NamespaceName = args.ServiceBusName,
    AuthorizationRuleName = "RootManageSharedAccessKey",
    ResourceGroupName = args.ResourceGroupName,
    TopicName = "mytopic"
})
```
But I get the error:
Status=404 Code="NotFound" Message="The requested resource RootManageSharedAccessKey does not exist.
It's clearly available on the service bus under Shared Access Policies (see below).
I have placed the InvokeAsync() call into a `ComponentResource` and made it DependOn the service bus, so it should exist by the time it is called.
Is my understanding of how ListTopicKeys works correct? Any idea how to retrieve the connection string from the service bus?
best-hospital-12760
03/11/2021, 10:22 AM
powerful-football-81694
03/11/2021, 9:48 PM
`pulumi up` it fails:
error: Preview failed: refusing to delete protected resource 'urn:pulumi:dev::SvcStacks::azure-native:resources:ResourceGroup::orgflow-stacks-dev-rg'
I can’t do `pulumi destroy` either:
tall-needle-56640
03/12/2021, 6:52 AM
Number of namespaces: 448
Number of classes: 14686
Largest namespaces (most classes):
Pulumi.AzureNative.Network: 671
Pulumi.AzureNative.DataFactory.Outputs: 530
Pulumi.AzureNative.DataFactory.Inputs: 514
Pulumi.AzureNative.Web: 389
Pulumi.AzureNative.Network.Outputs: 303
Pulumi.AzureNative.ApiManagement: 274
Pulumi.AzureNative.Network.Inputs: 261
Pulumi.AzureNative.Sql: 255
Pulumi.AzureNative.DataMigration.Outputs: 179
Pulumi.AzureNative.Insights: 179
Pulumi.AzureNative.RecoveryServices.Outputs: 177
Pulumi.AzureNative.Compute: 173
Pulumi.AzureNative.DocumentDB: 170
Pulumi.AzureNative.Compute.Outputs: 152
Pulumi.AzureNative.ContainerRegistry: 147
Pulumi.AzureNative.Logic: 140
Pulumi.AzureNative.DataFactory: 135
Pulumi.AzureNative.Media: 135
Pulumi.AzureNative.Cdn: 128
Pulumi.AzureNative.RecoveryServices.Inputs: 128
Most used class names:
SystemDataResponse: 46
SkuResponse: 44
SkuArgs: 43
PrivateEndpointConnectionArgs: 39
GetPrivateEndpointConnection: 31
GetPrivateEndpointConnectionArgs: 31
GetPrivateEndpointConnectionResult: 31
PrivateEndpointConnection: 31
PrivateEndpointResponse: 26
PrivateLinkServiceConnectionStateResponse: 23
ResourceIdentityType: 23
PrivateLinkServiceConnectionStateArgs: 22
PrivateEndpointConnectionResponse: 21
SkuName: 20
IdentityArgs: 14
IdentityResponse: 14
PrivateEndpointServiceConnectionStatus: 13
Account: 13
AccountArgs: 13
GetAccount: 13
Number of class collisions if the 'Inputs' namespace were removed: 40
(example: 'Pulumi.AzureNative.CognitiveServices.PrivateEndpointConnectionArgs' and 'Pulumi.AzureNative.CognitiveServices.Inputs.PrivateEndpointConnectionArgs')
I started exploring this because a) I dislike having two namespaces for every resource I create (and remembering which classes are in where) and b) when creating multiple resources in a single stack, I often have to more fully qualify namespaces to deal with ambiguous class names.
worried-knife-31967
03/12/2021, 9:22 AM
broad-dog-22463
03/12/2021, 9:32 AM
some-elephant-30417
03/13/2021, 11:21 AM
`pulumi-kubernetes`. However I get the value: `{}`, from the `kube_config_raw` and `kube_config_admin_raw` outputs. Any idea what I am doing wrong? Thank you!
```
from pulumi_azure.containerservice import Registry, KubernetesCluster
...
cluster = KubernetesCluster(
    f'aks-{args.resource_suffix}',
    name=f'aks-{args.resource_suffix}',
    location=args.resource_group.location,
    resource_group_name=args.resource_group.name,
    kubernetes_version='1.19.6',
    dns_prefix='dns',
    role_based_access_control={'enabled': 'true'},
    linux_profile=(
        {
            'adminUsername': args.cluster_profile_admin_username,
            'ssh_key': {
                'keyData': args.cluster_profile_admin_ssh_key
            }
        }
    ),
    service_principal=(
        {
            'clientId': args.application.application_id,
            'clientSecret': args.service_principal_password,
        }
    ),
    default_node_pool=(
        {
            'name': 'default',
            'node_count': 2,
            'vm_size': 'Standard_D2s_v3',
            'max_pods': 30,
            'vnet_subnet_id': subnet.id,
        }
    ),
    network_profile=(
        {
            'networkPlugin': 'azure',
            'serviceCidr': '10.10.0.0/16',
            'dns_service_ip': '10.10.0.10',
            'dockerBridgeCidr': '172.17.0.1/16'
        }
    ),
    tags=args.tags,
    opts=ResourceOptions.merge(
        child_opts,
        ResourceOptions(depends_on=[container_registry_assignment, subnet_assignment])
    ),
)
self.cluster_name = cluster.name
self.cluster_network_profile = cluster.network_profile
self.kubeconfig = cluster.kube_admin_config_raw
self.register_outputs({})
```
powerful-football-81694
03/13/2021, 11:42 AM
```
// Get a reference to our centralized key vault service which lives
// in another resource group. The key vault service itself is not created or maintained
// by this program.
var keyVault =
    await GetKeyVault.InvokeAsync(
        new GetKeyVaultArgs()
        {
            ResourceGroupName = centralResourceGroupName,
            Name = keyVaultName
        }).ConfigureAwait(false);
// Create an access policy in the key vault to allow the function app to read
// keys, secrets and certificates.
var keyVaultAccessPolicy = new AccessPolicy(
    $"orgflow-licensing-{stackName}-keyVaultPolicy",
    new AccessPolicyArgs()
    {
        TenantId = app.Identity.Apply(x => x.TenantId!),
        ObjectId = app.Identity.Apply(x => x.PrincipalId!),
        KeyPermissions = { "get", "sign" },
        SecretPermissions = { "get" },
        KeyVaultId = keyVault.Id
    });
```
I can’t figure out how to create key vault access policies with the native provider (like, I can’t even find any resource type for it in the KeyVault namespace) - can someone give me a pointer?
better-shampoo-48884
03/13/2021, 2:52 PM
`autorest/azure: Service returned an error. Status=<nil> Code="AnotherOperationInProgress" Message="Another operation on this or dependent resource is in progress. ... "` issue almost every time I recreate a stack - it's resolved simply by running pulumi up again, but isn't this sort of what pulumi could do for us? That message really means "try again later" - shouldn't there be some inbuilt retry with basic backoff to handle that?
better-shampoo-48884
03/13/2021, 2:54 PM
Updating (modular):
Type Name Status Info
pulumi:pulumi:Stack modularity-modular **failed** 1 error
+ ├─ azure-native:network:Subnet sz2-n11024 created
+ └─ azure-native:storage:StorageAccount n11024storage01 **creating failed** 1 error
Diagnostics:
azure-native:storage:StorageAccount (n11024storage01):
error: autorest/azure: Service returned an error. Status=404 Code="StorageAccountNotFound" Message="The storage account n11024storage01 was not found."
and then running it again (just a new pulumi up, no changes):
Updating (modular):
Type Name Status
pulumi:pulumi:Stack modularity-modular
+ ├─ azure-native:storage:StorageAccount n11024storage01 created
+ └─ azure-native:storage:BlobContainer pulumi-state created
Resources:
+ 2 created
11 unchanged
better-shampoo-48884
03/13/2021, 2:56 PM
tall-librarian-49374
03/13/2021, 3:10 PM
powerful-football-81694
03/13/2021, 5:08 PM
`AdministratorLoginPassword` property on the resource object is `null`.
In the old provider, it would contain the password passed in with the `ServerArgs` when creating the resource.
Easy enough to work around since I’m getting the password from configuration anyway, but still a bit unexpected, so worth raising the question whether this is a bug?
better-shampoo-48884
03/13/2021, 8:56 PM
```
const diskKey = new azure.keyvault.Key("aks-des-key",{
    keyName: "aks-des-key",
    properties: {
        kty: "RSA"
    },
    resourceGroupName: aksStack.parameters.name,
    vaultName: aksStack.keyVault.parameters.name
})
const diskEncryption = new azure.compute.DiskEncryptionSet("aks-des", {
    resourceGroupName: aksStack.parameters.name,
    location: aksStack.parameters.location,
    activeKey: {
        keyUrl: diskKey.keyUriWithVersion
    },
    diskEncryptionSetName: "aks-des",
    encryptionType: "EncryptionAtRestWithCustomerKey",
    identity: {
        type: "SystemAssigned"
    }
})
```
So this is all fine - and in my AKS config I have `diskEncryptionSetID: diskEncryption.id,` which is also fine (I guess). But now, almost obviously, I'm getting:
Unable to access key vault resource 'https://(mykeyvaulthere).vault.azure.net/keys/aks-des-key/31333607ad2b4cb3adfbcbbdd76a395d' to enable encryption at rest. Please grant get, wrap and unwrap key permissions to disk encryption set 'aks-des'. Please visit <https://aka.ms/keyvaultaccessssecmk> for more information.
So I decide that I really should set up authorization for diskEncryption to access the diskKey. Note: I created my keyVault with `enableRbacAuthorization: true,`. So here goes:
```
const diskEncryptionRoleAssignment = new azure.authorization.RoleAssignment("des-to-kv", {
    scope: aksStack.keyVault.parameters.id,
    roleDefinitionId: "Reader",
    principalId: diskEncryption.identity // <--- should I not be able to access the principalid from diskEncryption somehow?!
})
```
I am absolutely a noob at this - not even sure I'm granting the right thing to the right stuff for any reason really, but I do know that if I want to use RoleAssignment for anything where I use SystemAssigned identity, I need to be able to reference it as expected.. From the Supporting Types of DiskEncryptionSet - EncryptionSetIdentity has the `type` which I defined, but then EncryptionSetIdentityResponse has `principalId` and `tenantId` in addition - which I want.. but the outputs of DiskEncryptionSet say nothing about those fields! How.. do I access them?
Nevermind if I'm even on the right track..
gray-nail-14734
03/14/2021, 5:37 PM
`Azure-Native` and trying to create an AKS cluster. All is good, until I try to set up my `PodIdentityProfile`. In the AZ CLI, PodIdentity is set up in a separate step, and the Pulumi Azure-Native resource seems to follow the same paradigm. However, I can't seem to figure out how to set up my `UserAssignedIdentity` after my `ManagedCluster` is created. I've tried `GetManagedCluster`, but the profile is an `ImmutableArray`. I've tried creating a new resource (using the same name and resource group) but get a conflict.
Is there a recommended way to perform updates on existing resources? I'm looking through the Pulumi docs and don't really see this. I see how to create and destroy, but update isn't called out in many places.
BTW, I'm using C# in my scripts.
Thank you in advance for any guidance here!
better-shampoo-48884
03/15/2021, 10:27 AM
`ProjectNumber: 141206` but should have " to force it to string.. you'll see why..). So I noticed that it was set incorrectly - and I decided to just fix it by changing it back and applying the tag change..
Updating (newthing):
Type Name Status Info
pulumi:pulumi:Stack modularity-newthing **failed** 1 error
~ └─ azure-native:network:VirtualNetwork VnetName **updating failed** [diff: ~tags]; 1 error
Diagnostics:
pulumi:pulumi:Stack (modularity-newthing):
error: update failed
azure-native:network:VirtualNetwork (VnetName):
error: Code="InUseSubnetCannotBeDeleted" Message="Subnet xxxx is in use by /subscriptions/yyyy/resourceGroups/rgName/providers/Microsoft.Network/applicationGateways/appgwName/gatewayIPConfigurations/appGatewayIpConfig and cannot be deleted. In order to delete the subnet, delete all the resources within the subnet. See <http://aka.ms/deletesubnet>." Details=[]
Edit: seems to be an instance of https://github.com/pulumi/pulumi-azure-native/issues/611, setting `ignoreChanges: ['subnets']` on `opts` of the vnet worked well for me.
better-shampoo-48884
03/16/2021, 1:55 PM
`pulumi destroy`), if I do choose to delete the keyvault, I can't recreate the same one because it's softDeleted and therefore "still there" (nevermind that the RG is gone..). So I have to create just the RG, then restore the keyvault into the rg - but now if I try to create the keyvault in pulumi (exact same) I can't because obviously it exists - and I can't refresh because it's not in the state.. so I have to use pulumi import azure-native:keyvault:Vault (vaultname) (vaultname).. and that doesn't even work because resource (vaultname) does not exist.. 😕
better-shampoo-48884
03/16/2021, 2:04 PM
wet-noon-14291
03/16/2021, 2:19 PM
red-lighter-44012
03/16/2021, 5:18 PM
error: authorization.RoleAssignmentsClient#Get: Failure responding to request: StatusCode=404 -- Original Error: autorest/azure: Service returned an error. Status=404 Code="RoleAssignmentNotFound" Message="The role assignment '<GUID>' is not found."
And if I run it again:
StatusCode=409 -- Original Error: autorest/azure: Service returned an error. Status=409 Code="RoleAssignmentExists" Message="The role assignment already exists."
worried-knife-31967
03/16/2021, 6:30 PM
kind-mechanic-53546
03/16/2021, 9:56 PM
```
billingProfile: {
    maxPrice: 0.03,
},
evictionPolicy: "Deallocate",
```
gives the error
error: Code="InvalidParameter" Message="Eviction policy can be set only on Azure Spot Virtual Machines. For more information, see <http://aka.ms/AzureSpot/errormessages>." Target="billingProfile"
Docs don't really mention much apart from those two elements around spot instances
red-lighter-44012
03/17/2021, 7:01 AM
red-lighter-44012
03/17/2021, 7:08 AM
miniature-leather-70472
03/17/2021, 8:50 AM
worried-knife-31967
03/17/2021, 8:56 AM