the stack in question has around 90 resources in total

hello, can someone please confirm if a "Pulumi Azure Pipelines Task" works with service principals and certificates (with password). Currently have an Azure Cli task working on my pipeline against a certificate and password but try what I may, could not get the pulumi task to work. IF it works , can someone please send me the required environment configuration?!

Hi, How can it be that

pulumi stack ls

does not show any stacks while the states are inside Azure Storage Account. If I run

az storage blob list

using the same container / account / key. I can view the files? I did just create another storage account for testing, and everything works fine. How can I find out what is wrong with the first storage Account?

hi 🙂 I'm having trouble using the file archive in pulumi, and keep getting this error:

Error: Invalid archive encountered when unmarshaling resource property
        at deserializeProperty (C:\...\node_modules\@pulumi\azure-native\node_modules\@pulumi\pulumi\runtime\rpc.js:482:31)

I think it has something to do with Pulumi not being able to read a blob in a storage account correct. (Which is weird due to it being made in an earlier iteration by the same Pulumi-script.) But I have no idea on how to fix this. Has anyone encountered this error before?

I've noticed that this might be linked to me first executing

pulumi refresh

, after that any `pulumi up`seems to fail consistent - can it be that the refresh is not able to validate blobs and corrupts the pulumi state after that?

How do I bypass autonaming for an azure-native containerservice.ManagedCluster in Python?

Hey I'm having a hard time finding the ARM type

Microsoft.OperationalInsights/workspaces/providers/diagnosticSettings

in azure native. It's in the azure library at

azure.monitoring.DiagnosticSetting

This is not a huge deal, the old provider does update every

pulumi up

thanks to an inexplicable "logs" diff, and weirdness like that makes me want to purge all non-azure-native. I was able to find LogAnalytics right where it should be so it's weird to me that this one bit wouldn't exist.

Hi! I'm working in a restricted customer environment but we've managed to get us at least some privileges to do stuff in their Azure. I'm trying to setup an AKS there and I've managed to confirm that yes, I have necessary privileges to do just that but only when binding AKS to managed identities instead of service principals (which is apparently also the recommended way these days). I've been going around Pulumi documentation, examples etc and haven't yet found a reasonable way to create an AKS cluster with Pulumi which uses managed identities. I'm pretty certain this should be possible so I decided to ask here if someone could just point me in the correct direction with this. Cheers!

hi 🙂 I'm having trouble using the file archive in pulumi, and keep getting this error:

Error: Invalid archive encountered when unmarshaling resource property
        at deserializeProperty (C:\...\node_modules\@pulumi\azure-native\node_modules\@pulumi\pulumi\runtime\rpc.js:482:31)

I think it has something to do with Pulumi not being able to read a blob in a storage account correct. It might be caused by me first executing 

pulumi refresh

, after that any `pulumi up`seems to fail consistent - can it be that the refresh is not able to validate blobs and corrupts the pulumi state after that? Which is weird due to it being made in an earlier iteration by the same Pulumi-script. Has anyone encountered this error before?

hi 🙂 another completely unrelated question to the one above: How do you guys deal with race conditions? I've a pulumi script to make an event grid topic, upload a function, and subscribe the function the grid. This doesn't work when updating the function already exists. Then the upload / update function isn't finished yet when pulumi tries to make the subscription. However, Azure points out that it cannot make the subscription yet due to that the function hook does not exist (yet). As a result, the pulumi script crashes. Is there a prefered way to deal with these kind of sequential constraints?

I'm having a few issues with Pulumi on Azure. Would this be the right place to ask questions? If not, where would be the correct place? I don't want to spam you guys in this channel 🙂

Is there an official migration path from azure nextgen to azure native without having to run

pulumi import

statements? Can aliases work?

Attempting to use a ManagedIdentity.principalID as the string input for a KeyVault access policy but getting the error

<pulumi.output.Output object> has type Output, but expected one of: bytes, unicode

. I've tried with and without .apply lambda's (

self.principal_id = self.identity.principal_id.apply(lambda v: v or "<preview>")

) but it aways errors.

Question about deployments beyond the initial one. In this example... https://github.com/pulumi/examples/tree/master/azure-cs-functions If the deployment zip is updated, would the function pick up the change? I've not seen anything that suggests it would, so I'm curious as to how that would work.

So this is somewhat bothersome.. Not quite sure how or why this is happening now, I could have sworn I've been able to do this before - but essentially I do not have permissions to delete keys I myself have created:

Destroying (internal.infra.test-one):
     Type                          Name                                    Status                  Info
     pulumi:pulumi:Stack           baseline-infra-internal.infra.test-one  **failed**              1 error
 -   └─ azure-native:keyvault:Key  N77701-aks-des-key                      **deleting failed**     1 error

Diagnostics:
  azure-native:keyvault:Key (N77701-aks-des-key):
    error: keyvault.BaseClient#DeleteKey: Failure responding to request: StatusCode=403 -- Original Error: autorest/azure: Service returned an error. Status=403 Code="Forbidden" Message="Caller is not authorized to perform action on resource.\r\nIf role assignments, deny assignments or role definitions were changed recently, please observe propagation time.\r\nCaller: appid=04b07795-8ddb-461a-bbee-02f9e1bf7b46;oid=89e2f048-d079-42f2-8267-0565e431ba96;iss=<https://sts.windows.net/bf7cb870-b378-42ab-a618-31704bc2e9b7/>\r\nAction: 'Microsoft.KeyVault/vaults/keys/delete'\r\nResource: '/subscriptions/xx/resourcegroupsyy/providers/microsoft.keyvault/vaults/n70771vaultprimary/keys/aks-des-key-redsjiee'\r\nAssignment: (not found)\r\nVault: n70771vaultprimary;location=westeurope\r\n" InnerError={"code":"ForbiddenByRbac"}

I'm looking at function app deployments, and there's a note on using the

WEBSITE_RUN_FROM_PACKAGE

method with windows app services:

When running a function app on Windows, the external URL option yields worse cold-start performance. When deploying your function app to Windows, you should set WEBSITE_RUN_FROM_PACKAGE to 1 and publish with zip deployment.

All the pulumi examples show this method. Is there anything within pulumi to publish in that way? I'm not sure "how" that works, but it seems like an important usecase for windows publishing.

Hello, in old azure provider there was a way how to add access policies to Keyvault after it was created. We are struggling to find similliar option in in azure-native. Is there a way how we can achieve that?

Im really confuse on how to build out an expressroute to talk to my companies datacenter. Can someone help me understand what I need? There are a lot of express route options here and I dont know what Im doing 😅 https://www.pulumi.com/docs/reference/pkg/azure-native/network/

Alright, after doing a few tests I have made the conclusion that pulumi doesnt seem to have the ability to create ExpressRoutes circuits. I used the documentation and found that it doesnt work even though if done via Bash, Powershell, Python and BICEP it does indeed work. Is there any built in way to debug pulumi itself?

Hi everyone, new here! At a big bank in the Netherlands we’re starting to adopt Pulumi, but in our first PoC we’re running into some strange issues that we cannot explain. Here it goes: We deploy a small stack that contains storage accounts, databricks, vnets, subnets, log analytics and some diagnostic settings. The latter, the diagnostic settings, prove a bit… buggy. While deploying everything is deployed correctly in Azure, and all the stack information is persisted. There’s one exception: the diagnostic settings. We create 2 (with unique names) of them, but after the first one

pulumi up

fails with the message:

cannot create already existing resource

Note: we start with an empty state, and an empty resources group. The diagnostic settings are created successfully in Azure but are not written to the state. And it fails complaining it already exists. We use the latest release of pulumi (3.1.0) and the azure-native provider (1.3.0). We’ve tried with a storage container as backend, as well as local storage. We also use KeyVault as encryption provider and run everything in Azure Pipelines. What could be the cause of that? We noticed it specifically in the diagnostic settings, nowhere else….

having trouble deploying Azure Storage Account with nfs

const storageAccount = new azure_native.storage.StorageAccount(`storage-account`, {
            accountName: accountName,
            enableNfsV3: true,
            kind: "FileStorage",
            location: "westeurope",
            minimumTlsVersion: "TLS1_2",
            resourceGroupName: resourceGroupName,
            sku: {
                name: "Premium_LRS"
            },
            networkRuleSet: {
                bypass: "AzureServices",
                defaultAction: "Allow",
                ipRules: [],
                virtualNetworkRules: [{
                    virtualNetworkResourceId: subnetId,
                }],
            }
        }

Getting following error Code="InvalidRequestPropertyValue" Message="The value 'True' is not allowed for property isNfsv3Enabled."

How should I apply

PodNodeSelector

admission controller to AKS with Pulumi? AKS supports it. I'm looking through Pulumi typescript types and docs and can't find anything related to it

I upgraded to Azure Native 1.3.0 and are now getting this error when I try to run my Pulumi code that lists the storage account access keys error: Running program ‘/Users/sejensen/dev/chipper-incident-aggregate/infra/bin/Debug/netcoreapp3.1/services-incident.dll’ failed with an unhandled exception: System.TypeLoadException: Could not load type ‘Pulumi.AzureNative.Storage.Outputs.StorageAccountKeyResponseResult’ from assembly ‘Pulumi.AzureNative, Version=1.3.0.0, Culture=neutral, PublicKeyToken=null’. at Dk.Nuuday.PulumiHelper.Domain.<>c__DisplayClass14_0.<GetConnectionString>b__1(ListStorageAccountKeysResult keys) at Pulumi.Output`1.ApplyHelperAsync[U](Task`1 dataTask, Func`2 func) at Pulumi.Output`1.Pulumi.IOutput.GetDataAsync() Code: Any thoughts

Hi guys, I'm using

AzureNative.Web.GetCertificate.InvokeAsync(...)

to retrieve an existing certificate, and the expected output has a "PfxBlob" but it's coming always empty - I'm wondering if this is expected at all? On the first pulumi run I create the certificate and include the PfxBlob so I was expecting to be able to retrieve it.

Hey folks, I'm trying to find a particular key

WorkspaceResourceId

on

azureNative.insights.Component

. This would let me tie it to a particular LogAnalytics workspace..

I've just ran into a scenario where one of my resources was depending on azure-native plugin 1.4.0 and other resources were depending on version 1.5.0 for which I've lost a good part of the last 2 hours trying to fix 🙃 I'd like to understand: a) The only resource that still had 1.4.0 was marked as protected -- is this why it didn't get updated? b) I'm running pulumi up while testing in my local (deploying to test environment) and I also run the same commands on the CICD pipeline. Was this what caused the plugin upgrade? c) How can I prevent plugin upgrades? thank you!

(the error caused by the above scenario is that it was saying it couldn't find the plugin, even when both of them were installed)

Hey guys, how do you normally manage Certificates through Pulumi? I find it weird that the response from

AzureNative.Web.GetCertificate.InvokeAsync

is not coming with the PfxBlob populated, which makes it impossible for me to regenerate the CertificateArgs properly, resulting in pulumi finding a diff where it shouldn't. I don't think this is necessarily an issue with Pulumi as I've tested getting the certificate using Postman and it also comes back without the pfxBlob populated...so I'm just wondering now how I should go about this.

Hey folks, I'm trying to create a Kubernetes cluster (aks) with the network_configuration=AzureCni, and I don't find a way to choose an existing VNet. Is it possible? (notice that it is possible through the portal) and if so, how? Either way, how can we expose some of our pods/services with external IP - if it's possible?