https://www.pulumi.com/docs/reference/pkg/azure-native/apimanagement/backend/ That example doesn't compile @tall-librarian-49374

Having migrated a whole infrastructure to the new native provider, on the first

pulumi up

it sees fit to delete and recreate every resource (even though for most, the only change is to the new provider). What are my options for avoiding that? Can I somehow import these resources into the same stack where they already live?

I am using the azure sdk inside an azure function to upload a blob to a container and when trying to run pulumi up I receive the following message. Does anyone know how to solve this problem?

Is there a way to specify the version of the Terraform Azure module the older Azure provider uses? Terraform have deprecated a feature in the newer version that should not have been deprecated

@tall-librarian-49374 (since you seem to be the Network expert 😄 ), I am back to square one with creating this Azure Front Door. What I previously thought was working turned out not to during testing. The relationship between the Front Door and the Rules Engine is circular. I was able to create both resources but not add the association between them. I have tried numerous combinations of creating the objects, applying

DependsOn

and using ARM IDs, but nothing appears to work. (example output below) Have you ever successfully created a Front Door and Rules engine or have advice on how to achieve this? It would be easy if I could create one, then update the other, but ComponentResources appear to be immutable once created.

Diagnostics:
  azure-native:network:RulesEngine (mnurulesdev):
    error: Code="ResourceNotFound" Message="The Resource 'Microsoft.Network/frontdoors/mnuorderdoordev' under resource group 'mnuedgedev' was not found. For more details please go to <https://aka.ms/ARMResourceNotFoundFix>"

  azure-native:network:FrontDoor (mnuorderdoordev):
    error: Code="BadRequest" Message="A resource reference was invalid: \"Routing rule RoutingRules contains an invalid reference to RulesEngine: \"/subscriptions/a2a556e1-0404-4b5d-b60d-a230044f4ff8/resourceGroups/mnuedgedev/providers/Microsoft.Network/frontDoors/mnuorderdoordev/rulesEngines/mnurulesdev\"\""

If I update kubernetesversion of an aks cluster using the native-azure provider, will the cluster be updated in place or how does that work?

Hi, I am trying to create a service bus and grab the connection string so I can consume it elsewhere. I'm trying to use the

ListTopicKeys.InvokeAsync()

passing in:

new ListTopicKeysArgs
                        {
                            NamespaceName = args.ServiceBusName,
                            AuthorizationRuleName = "RootManageSharedAccessKey",
                            ResourceGroupName = args.ResourceGroupName,
                            TopicName = "mytopic"
                        })

But I get the error:

Status=404 Code="NotFound" Message="The requested resource RootManageSharedAccessKey does not exist.

It's clearly available on the service bus under Shared Access Policies (see below). I have placed the InvokeAsync() call into a

ComponentResource

and made it DependOn the service bus, so it should exist by the time it is called. Is my understanding of how ListTopicKeys works correct? Any idea how to retrieve the connection string from the service bus?

Hi, does anyone know if the azure-native provider works with Azure Stack Hub? The terraform azurestack provider is practically abandoned so wanting to see if using this newer azure native was an option but can't see any mention of being able to specify an arm_endpoint. The trouble has been searching for Azure Stack with Pulumi is difficult to find results due to Pulumi's use of "stack" terminology 😄

I’ve painted myself into a corner with the manual migration of existing resources to the native provider. I followed the instructions here https://www.pulumi.com/docs/intro/cloud-providers/azure/from-classic/ I only imported 3 resources: the resource group, an AppInsights account and a Cosmos DB account. The rest of my stack I’m happy for Pulumi to recreate. The imported resources were marked as protected (which is OK I guess). But when I do

pulumi up

it fails:

error: Preview failed: refusing to delete protected resource 'urn:pulumi:dev::SvcStacks::azure-native:resources:ResourceGroup::orgflow-stacks-dev-rg'

I can’t do

pulumi destroy

either:

Who likes stats? Here are stats for the (unversioned) namespaces in AzureNative:

Number of namespaces: 448
Number of classes: 14686
Largest namespaces (most classes):
    Pulumi.AzureNative.Network: 671
    Pulumi.AzureNative.DataFactory.Outputs: 530
    Pulumi.AzureNative.DataFactory.Inputs: 514
    Pulumi.AzureNative.Web: 389
    Pulumi.AzureNative.Network.Outputs: 303
    Pulumi.AzureNative.ApiManagement: 274
    Pulumi.AzureNative.Network.Inputs: 261
    Pulumi.AzureNative.Sql: 255
    Pulumi.AzureNative.DataMigration.Outputs: 179
    Pulumi.AzureNative.Insights: 179
    Pulumi.AzureNative.RecoveryServices.Outputs: 177
    Pulumi.AzureNative.Compute: 173
    Pulumi.AzureNative.DocumentDB: 170
    Pulumi.AzureNative.Compute.Outputs: 152
    Pulumi.AzureNative.ContainerRegistry: 147
    Pulumi.AzureNative.Logic: 140
    Pulumi.AzureNative.DataFactory: 135
    Pulumi.AzureNative.Media: 135
    Pulumi.AzureNative.Cdn: 128
    Pulumi.AzureNative.RecoveryServices.Inputs: 128
Most used class names:
    SystemDataResponse: 46
    SkuResponse: 44
    SkuArgs: 43
    PrivateEndpointConnectionArgs: 39
    GetPrivateEndpointConnection: 31
    GetPrivateEndpointConnectionArgs: 31
    GetPrivateEndpointConnectionResult: 31
    PrivateEndpointConnection: 31
    PrivateEndpointResponse: 26
    PrivateLinkServiceConnectionStateResponse: 23
    ResourceIdentityType: 23
    PrivateLinkServiceConnectionStateArgs: 22
    PrivateEndpointConnectionResponse: 21
    SkuName: 20
    IdentityArgs: 14
    IdentityResponse: 14
    PrivateEndpointServiceConnectionStatus: 13
    Account: 13
    AccountArgs: 13
    GetAccount: 13
Number of class collisions if the 'Inputs' namespace were removed: 40
  (example: 'Pulumi.AzureNative.CognitiveServices.PrivateEndpointConnectionArgs' and 'Pulumi.AzureNative.CognitiveServices.Inputs.PrivateEndpointConnectionArgs')

I started exploring this because a) I dislike having two namespaces for every resource I create (and remembering which classes are in where) and b) when creating multiple resources in a single stack, I often have to more fully qualify namespaces to deal with ambiguous class names.

This will all be on the exam right?

100%!

Hi! I am trying to deploy AKS and use the kubeconfig output to provision the cluster with

pulumi-kubernetes

. However I get the value:

{}

, from the

kube_config_raw

and

kube_config_admin_raw

outputs. Any idea what am I doing wrong? Thank you!

from pulumi_azure.containerservice import Registry, KubernetesCluster

...

        cluster = KubernetesCluster(
            f'aks-{args.resource_suffix}',
            name=f'aks-{args.resource_suffix}',
            location=args.resource_group.location,
            resource_group_name=args.resource_group.name,
            kubernetes_version='1.19.6',
            dns_prefix='dns',
            role_based_access_control={'enabled': 'true'},
            linux_profile=(
                {
                    'adminUsername': args.cluster_profile_admin_username,
                    'ssh_key': {
                        'keyData': args.cluster_profile_admin_ssh_key
                    }
                }
            ),
            service_principal=(
                {
                    'clientId': args.application.application_id,
                    'clientSecret': args.service_principal_password,
                }
            ),
            default_node_pool=(
                {
                    'name': 'default',
                    'node_count': 2,
                    'vm_size': 'Standard_D2s_v3',
                    'max_pods': 30,
                    'vnet_subnet_id': subnet.id,
                }
            ),
            network_profile=(
                {
                    'networkPlugin': 'azure',
                    'serviceCidr': '10.10.0.0/16',
                    'dns_service_ip': '10.10.0.10',
                    'dockerBridgeCidr': '172.17.0.1/16'
                }
            ),
            tags=args.tags,
            opts=ResourceOptions.merge(
                child_opts,
                ResourceOptions(depends_on=[container_registry_assignment, subnet_assignment])
            ),
        )

        self.cluster_name = cluster.name
        self.cluster_network_profile = cluster.network_profile
        self.kubeconfig = cluster.kube_admin_config_raw
        self.register_outputs({})

Hi folks, I used to do this with the classic Azure provider to give the provisioned app access to a central KeyVault:

// Get a reference to our centralized key vault service which lives
// in another resource group. The key vault service itself is not created or maintained
// by this program.
var keyVault =
	await GetKeyVault.InvokeAsync(
		new GetKeyVaultArgs()
		{
			ResourceGroupName = centralResourceGroupName,
			Name = keyVaultName
		}).ConfigureAwait(false);

// Create an access policy in the key vault to allow the function app to read
// keys, secrets and certificates.
var keyVaultAccessPolicy = new AccessPolicy(
	$"orgflow-licensing-{stackName}-keyVaultPolicy",
	new AccessPolicyArgs()
	{
		TenantId = app.Identity.Apply(x => x.TenantId!),
		ObjectId = app.Identity.Apply(x => x.PrincipalId!),
		KeyPermissions = { "get", "sign" },
		SecretPermissions = { "get" },
		KeyVaultId = keyVault.Id
	});

I can’t figure out how to create key vault access policies with the native provider (like, I can’t even find any resource type for it in the KeyVault namespace) - can someone give me a pointer?

I seem to be hitting the

autorest/azure: Service returned an error. Status=<nil> Code="AnotherOperationInProgress" Message="Another operation on this or dependent resource is in progress. ... "

issue almost every time I recreate a stack - it's resolved simply by running pulumi up again, but isn't this sortof what pulumi could do for us? That message really means "try again later" - shouldn't there be some inbuilt retry with basic backoff to handle that?

having a similar issue with recreating a deleted storage account (i delete the whole RG and recreate it to test..).. this was the run I made to pick up on the previous pulumi up which failed due to the subnet saying "another operation in progress":

Updating (modular):
     Type                                    Name                Status                  Info
     pulumi:pulumi:Stack                     modularity-modular  **failed**              1 error
 +   ├─ azure-native:network:Subnet          sz2-n11024          created
 +   └─ azure-native:storage:StorageAccount  n11024storage01     **creating failed**     1 error

Diagnostics:
  azure-native:storage:StorageAccount (n11024storage01):
    error: autorest/azure: Service returned an error. Status=404 Code="StorageAccountNotFound" Message="The storage account n11024storage01 was not found."

and then running it again (just a new pulumi up, no changes):

Updating (modular):
     Type                                    Name                Status
     pulumi:pulumi:Stack                     modularity-modular
 +   ├─ azure-native:storage:StorageAccount  n11024storage01     created
 +   └─ azure-native:storage:BlobContainer   pulumi-state        created

Resources:
    + 2 created
    11 unchanged

seems so damned weird that we get an error message when creating a storage account saying that the storage account we are creating does not exist. yet running it again right afterwards, no such complaint.

@better-shampoo-48884 there are built-in retry mechanisms and they are developed my Microsoft in the library that we use. So, an error like this is deemed non-retriable at some point. This seems to warrant a github issue, especially if you have a relatively reliable repro.

Ran into a gotcha with the new provider that took me a while to track down. After creating a SQL Server resource, the

AdministratorLoginPassword

property on the resource object is

null

. In the old provider, it would contain the password passed in with the

ServerArgs

when creating the resource. Easy enough to work around since I’m getting the password from configuration anyway, but still a bit unexpected, so worth raising the question whether this is a bug?

I'm probably too tired to think straight at this point - but now I've gotten to the AKS stage, and I decided that I really wanted to add diskEncryption through a diskEncryptionSet. So.. ugh.. it'll be easier to read the code rather than me explaining it:

const diskKey = new azure.keyvault.Key("aks-des-key",{
        keyName: "aks-des-key",
        properties: {
            kty: "RSA"
        }, 
        resourceGroupName: aksStack.parameters.name,
        vaultName: aksStack.keyVault.parameters.name
    })
    const diskEncryption = new azure.compute.DiskEncryptionSet("aks-des", {
        resourceGroupName: aksStack.parameters.name,
        location: aksStack.parameters.location,
        activeKey: {
            keyUrl: diskKey.keyUriWithVersion
        },
        diskEncryptionSetName: "aks-des",
        encryptionType: "EncryptionAtRestWithCustomerKey",
        identity: {
            type: "SystemAssigned"
        }
    })

So this is all fine - and in my AKS config I have `diskEncryptionSetID: diskEncryption.id,`which is also fine (I guess). But now, almost obviously, I'm getting:

Unable to access key vault resource 'https://(mykeyvaulthere).<http://vault.azure.net/keys/aks-des-key/31333607ad2b4cb3adfbcbbdd76a395d|vault.azure.net/keys/aks-des-key/31333607ad2b4cb3adfbcbbdd76a395d>' to enable encryption at rest. Please grant get, wrap and unwrap key permissions to disk encryption set 'aks-des'. Please visit <https://aka.ms/keyvaultaccessssecmk> for more information.

So I decide that I really should set up authorization for diskEncryption to access the diskKey. Note: I created my keyVault with

enableRbacAuthorization: true,

. So here goes:

const diskEncryptionRoleAssignment = new azure.authorization.RoleAssignment("des-to-kv", {
        scope: aksStack.keyVault.parameters.id,
        roleDefinitionId: "Reader",
        principalId: diskEncryption.identity // <--- should in not be able to access the principalid from diskEncryption somehow?!
    })

I am absolutely a noob at this - not even sure I'm granting the right thing to the right stuff for any reason really, but I do know that if I want to use RoleAssignement for anything where I use SystemAssigned identity, I need to be able to reference it as expected.. From the Supporting Types of DiskEncryptionSet - EncryptionSetIdentity has the

type

which I defined, but then EncryptionSetIdentityResponse has `principalId`and `tenantId`in addition - which I want.. but the outputs of DiskEncryptionSet say nothing about those fields! How.. do I access them? Nevermind if I'm even on the right track..

Hi there - I've been looking at Pulumi for a while and finally have an opportunity to use it for a meaningful project. However, I'm stuck and am chalking it up to being new and hoping someone help show me the light. I'm using 

Azure-Native

 and trying to create an AKS cluster. All is good, until I try to set up my 

PodIdentityProfile

. In the AZ CLI, PodIdentity is set up in a separate step, and the Pulumi Azure-Native resource seems to follow the same paradigm. However, I can't seem to figure out how to set up my 

UserAssignedIdentity

after my 

ManagedCluster

is created. I've tried 

GetManagedCluster

, but the profile is an 

ImmutableArray

. I've tried creating a new resource (using the same name and resource group) but get a conflict. Is there a recommended way to perform updates on existing resources? I'm looking through the Pulumi docs and don't really see this. I see how to create and destroy, but update isn't called out in many places. BTW, I'm using C# in my scripts. Thank you in advance for any guidance here!

Just hit on something scary.. I realized that I had a tag in yaml that was set as an int when it should be a string (was set as

ProjectNumber: 141206

but should have " to force it to string.. you'll see why..). So I noticed that it was set incorrectly - and I decided to just fix it by changing it back and applying the tag change..

Updating (newthing):
     Type                                    Name                      Status                  Info
     pulumi:pulumi:Stack                     modularity-newthing       **failed**              1 error
 ~   └─ azure-native:network:VirtualNetwork  VnetName                  **updating failed**     [diff: ~tags]; 1 error

Diagnostics:
  pulumi:pulumi:Stack (modularity-newthing):
    error: update failed

  azure-native:network:VirtualNetwork (VnetName):
    error: Code="InUseSubnetCannotBeDeleted" Message="Subnet xxxx is in use by /subscriptions/yyyy/resourceGroups/rgName/providers/Microsoft.Network/applicationGateways/appgwName/gatewayIPConfigurations/appGatewayIpConfig and cannot be deleted. In order to delete the subnet, delete all the resources within the subnet. See <http://aka.ms/deletesubnet|aka.ms/deletesubnet>." Details=[]

Edit: seems to be an instance of https://github.com/pulumi/pulumi-azure-native/issues/611, setting

ignoreChanges: ['subnets']

on

opts

of the vnet worked well for me.

KeyVaults, especially with the new softDelete protection are becoming the bane of my existence.. If I protect keyvault, I have to pass the URN of 20+ other resources to delete them (note: I still want the "--exclude-protected" flag on

pulumi destroy

), if I do choose to delete the keyvault, I can't recreate the same one because it's softDeleted and therefore "still there" (nevermind that the RG is gone..). So I have to create just the RG, then restore the keyvault into the rg - but now if I try to create the keyvault in pulumi (exact same) I can't because obviously it exists - and I can't refresh because it's not in the state.. so I have to use pulumi import azure-native:keyvault:Vault (vaultname) (vaultname).. and that doesn't even work because resource (vaultname) does not exist.. 😕

Created https://github.com/pulumi/pulumi/issues/6539 FYI - didn't see any directly related issues at the moment.

Hello. In azure-native, is there a way to create subscriptions with pulumi? Like this one with the "old" sdk: https://www.pulumi.com/docs/reference/pkg/azure/core/subscription/

And this is why you run nightly builds and check for pulumi outdated packages. My nugets 🙂 were out of date. Now only a deprecation warning remains, but this I can handle 😄 original below. --- Out of nowhere I am getting errors when creating role assignments. The first time I get a 404:

error: authorization.RoleAssignmentsClient#Get: Failure responding to request: StatusCode=404 -- Original Error: autorest/azure: Service returned an error. Status=404 Code="RoleAssignmentNotFound" Message="The role assignment '<GUID>' is not found."

And if I run it again:

StatusCode=409 -- Original Error: autorest/azure: Service returned an error. Status=409 Code="RoleAssignmentExists" Message="The role assignment already exists."

Edit: just to point out, this is code that previously worked correctly, I am deploying a cluster and assigning roles for a registry and for a "Network Contributor". Both role assignment creations fail now, I guess they did not get created in time or something along those lines.

In C#, you end up with output<string> as the value if it's not determinable I believe.

Any pointers on setting up a spot instance VM with azure-native? Adding the below to a VM

billingProfile: {
                maxPrice: 0.03,
            },
            evictionPolicy: "Deallocate",

gives the error

error: Code="InvalidParameter" Message="Eviction policy can be set only on Azure Spot Virtual Machines. For more information, see <http://aka.ms/AzureSpot/errormessages>." Target="billingProfile"

Docs don't really mention much apart from those two elements around spot instances

I am on the classic Azure Pulumi provider and I cannot find a way to create more than one node pool on the cluster. This is the type im using: https://www.pulumi.com/docs/reference/pkg/azure/containerservice/kubernetescluster/ Whereas tutorials like that one seem to be referencing different packages and types: https://www.pulumi.com/docs/tutorials/kubernetes/aks/ Is this all for the nextgen provider? I would gladly switch to it gradually, but there should be some way to create multiple node pools with the Terraform provider, right? My guess is that I create the node pool separately and pass the AKS cluster as an argument.