pulumi-community #azure

Channels

azure

glamorous-helmet-50600

05/10/2021, 1:48 PM

Hey guys, how do you normally manage Certificates through Pulumi? I find it weird that the response from

AzureNative.Web.GetCertificate.InvokeAsync

is not coming with the PfxBlob populated, which makes it impossible for me to regenerate the CertificateArgs properly, resulting in pulumi finding a diff where it shouldn't. I don't think this is necessarily an issue with Pulumi as I've tested getting the certificate using Postman and it also comes back without the pfxBlob populated...so I'm just wondering now how I should go about this.

white-cat-6621

05/10/2021, 2:03 PM

Hey folks, I'm trying to create a Kubernetes cluster (aks) with the network_configuration=AzureCni, and I don't find a way to choose an existing VNet. Is it possible? (notice that it is possible through the portal) and if so, how? Either way, how can we expose some of our pods/services with external IP - if it's possible?

enough-butcher-66045

05/10/2021, 8:40 PM

hey peeps, I was able to create Key Vault Access Policies directly before... what's the approach with azure native?

enough-butcher-66045

05/10/2021, 8:41 PM

the docs seem to suggest I need to do it w/the "new KeyVault" object, but if I set new access policies, wouldn't it delete the old ones as well?

enough-butcher-66045

05/10/2021, 8:41 PM

the idea is my "core" stack creates some policies and then each app defines it's own access policies on top of that

enough-butcher-66045

05/10/2021, 8:41 PM

it's obviously not practical for the apps to know the "core" policies

enough-butcher-66045

05/10/2021, 8:49 PM

var vault = await GetVault.InvokeAsync(new GetVaultArgs
            {
                ResourceGroupName = "blah",
                VaultName = "blah"
            });

            vault.Properties.AccessPolicies.Add();

enough-butcher-66045

05/10/2021, 8:49 PM

would I do something like that?

handsome-state-59775

05/10/2021, 8:51 PM

As part of storage account replacement, the nested file share as well was marked for replacement in preview, however, during the actual update, the following error stops it all:

Diagnostics:
  azure-native:storage:FileShare (fileShare):
    error: cannot check existence of resource '/subscriptions/****/resourceGroups/****/providers/Microsoft.Storage/storageAccounts/****/fileServices/default/shares/****': status code 400, {"error":{"code":"FeatureNotSupportedForAccount","message":"File is not supported for the account."}}

Any insights?

✅ 1

enough-butcher-66045

05/10/2021, 10:30 PM

I'm running into a bunch of issues 😞 When I run

pulumi up

I get an exception.

Exception 0xc0000005 0x0 0x7ffd826b0fff 0x1500ac40000
 
PC=0x1500ac40000
 
runtime: unknown pc 0x1500ac40000

If I run it again, then I get a different error: pulumi😛roviders:azure (default_4_1_0): error: could not read plugin [C:\Users\FabricioSodano\.pulumi\plugins\resource-azure-v4.1.0\pulumi-resource-azure.exe] stdout: EOF The plugin is there.

pulumi plugin install

doesn't do anything. pulumi plugin rm and then installing them again produces the same error. This application is using azure-native and azure because I can't create KeyVault Access policies as standalone resources, and hence need to use the azure provider. @tall-librarian-49374 says it should work.

enough-butcher-66045

05/10/2021, 10:34 PM

using pulumi v3.2.1

steep-beard-51313

05/11/2021, 1:03 PM

Hello everybody, I am a bit stuck with automating an AKS deployment through pulumi. My specific pain is that I would like to use the "azure cni" network plugin, but I can't figure out the right options for KubernetesClusterNetworkProfile to make it use an existing subnet within an existing vnet. I would also be fine with creating a new vnet and / or subnet, but then I would need to control the addressing, such that I can peer it with another vnet afterwards. Its a piece of cake in azure portal, but I can't figure it out in Pulumi:

brave-winter-60074

05/11/2021, 1:59 PM

Hi everybody We are using pulumi for our IaC and Azure DevOps pipelines for build, Iac, deploy etc in one pipeline pr microservice. We now want to take the project further and start having staging and production environments as well. How to handle this in a smart way when using Pulumi? Azure DevOps Releases doesnt seem to fit our needs and we don’t think its a good idea that every develop can update the “prod” pulumi stacks and we would also like to have some kind of gate when going from staging to production. Any thoughts, articles or ideas? Thanx in advance

handsome-state-59775

05/12/2021, 8:39 AM

How can I add a GPU node pool to AKS? I'm looking to avoid creating a separate namespace, and the approach given in the link below requires passing custom headers - not sure how to do that via Pulumi: https://docs.microsoft.com/en-us/azure/aks/gpu-cluster#use-the-aks-specialized-gpu-image-on-existing-clusters-preview Any insights?

billowy-army-68599

05/12/2021, 11:37 PM

hi all. I would love to get some ideas from the community - what was most confusing about Azure when you got started? Is there any parts of Azure documentation that were "missing" ? I'm looking to create some content here that helps users - focusing mostly on Azure and not Pulumi

worried-knife-31967

05/13/2021, 2:37 PM

Has anyone seen an example of using pulumi to do a slot switch deployment?

❓ 1

worried-knife-31967

05/14/2021, 11:42 AM

@tall-librarian-49374 does the native provider allow for Deployment Slot settings or "sticky" configuration?

glamorous-lifeguard-90201

05/17/2021, 10:00 AM

Does anyone know where I can find best practices or examples with regard to mapping between Azure management groups, subscriptions and resource groups and Pulumi stacks? I am looking for a logical way to organize our Pulumi code base.

rhythmic-vegetable-87369

05/18/2021, 3:40 AM

Hi there, I would like to get the connection string of a sql database when I pass in the name. How can I go about achieving this?

rhythmic-vegetable-87369

05/18/2021, 3:41 AM

FYI, I'm using the Pulumi.Azure.MSSql namespace to create it

little-orange-65618

05/18/2021, 6:34 PM

Did something change, I keep getting this when creating storage account blob containers (and it didn't happen at all last week 0->100%):

azure-native:storage:BlobContainer silver creating error: cannot check existence of resource '/subscriptions/.../resourceGroups/cinsights-tiny-emea-rg/providers/Microsoft.Storage/storageAccounts/cinsightstinyemeasa/blobServices/default/containers/silver': status code 500, {"error":{"code":"InternalError","message":"Server encountered an internal error. Please try again after some time.\nRequestId:...\nTime:2021-05-18T18:05:15.3099349Z"}}

icy-jordan-58549

05/19/2021, 4:38 AM

Team, looks like typescript definitions embedded in one single package (azure-native) drains tons of resources on development machine, is it possible to divide the package into multi-package / plugin per namespace? Something like:

@pulumi/azure-native-network

. Another possible solutions would be to not create one giant input types definition file and make it per namespace. Thanks

melodic-byte-32771

05/19/2021, 7:28 AM

Hi 😉 is there a way to get the secret with the azure-native provider?

better-shampoo-48884

05/19/2021, 8:33 AM

Wondering if this is a bug worth reporting or if it's very particular to whatever I'm doing "wrong" 🙂 (pasting a screenshot rather than a text dump as it'll be easier to grok): All I'm trying to do is update a Tag on all resources (description: test2, changed from description: test1). The way I've set up the network is that I create the vnet first - then I create subnets + nsgs in paralell after that. It seems like for some godforsaken reason (though hopefully just a stupid error message rather than planned activity) it tries to DELETE an existing subnet in order to change its tags.. Anyone else encounter this?

handsome-state-59775

05/19/2021, 2:35 PM

As part of setting up an AKS cluster, I create a system node pool and one or more user node pools - with the system node pools to be reserved for system pods via a taint. For whatever reason, the first stack I brought up did not apply the taint to the system node pool (maybe I had a bug in there at the time), but every new stack gets it. Now that the taint is being applied properly, I expect it to be applied to the first stack when I do a

pulumi up -r --skip-preview -y

on it as an update - however, this is not the case. Code in thread; any insights?

worried-knife-31967

05/20/2021, 12:50 PM

https://github.com/pulumi/pulumi-azure/issues/896 this one is slightly worrying @tall-librarian-49374... State updated with empty information when Azure fails to create something... Very confusing. It was a mistake in my code that caused it, but I would have expected the library to not force me to do refreshes to remove an erroneously added thing. Is this potentially a wider thing?

limited-eve-38521

05/20/2021, 3:01 PM

Good morning, I was looking to do the pulumi equivalent of the az cdn command with min tls 1.2 and a managed cert (https://docs.microsoft.com/en-us/cli/azure/cdn/custom-domain?view=azure-cli-latest) AFDCustomDomain has exactly what i was expecting https://www.pulumi.com/docs/reference/pkg/azure-native/cdn/afdcustomdomain/

tlsSettings: {
        certificateType: "ManagedCertificate",
        minimumTlsVersion: "TLS12",
    },

But I dont see that with CustomDomain if i want to avoid FrontDoor? https://www.pulumi.com/docs/reference/pkg/azure-native/cdn/customdomain/ I was thinking of combining CustomDomain with ManagedCertificate https://www.pulumi.com/docs/reference/pkg/azure/appservice/managedcertificate/ but don't know how to get the min tls set as well?

eager-byte-63000

05/21/2021, 9:16 AM

Hello there! Is anybody aware about a proper way to migrate documentdb DatabaseAccountSqlDatabase and DatabaseAccountSqlContainer recourses to azure-native? TL;DR: Following the migration guide, when I try to execute

pulumi import azure-native:documentdb:DatabaseAccountSqlDatabase databaseName databaseName

I get the following error:

azure-native:documentdb:DatabaseAccountSqlDatabase:
    error: azure-native:documentdb:DatabaseAccountSqlDatabase resource '[dbname]' has a problem: missing required property 'options'
    error: azure-native:documentdb:DatabaseAccountSqlDatabase resource '[dbname]' has a problem: missing required property 'resource'
    error: Preview failed: one or more inputs failed to validate

If I execute

pulumi import azure-native:documentdb:SqlResourceSqlDatabase databaseName /subscriptions/subid/resourceGroups/rg1/providers/Microsoft.DocumentDB/databaseAccounts/ddb1/sqlDatabases/databaseName

apparently it imports db successfully but it doesn't go well for containers: when I execute

pulumi import azure-native:documentdb:SqlResourceSqlContainer containerName /subscriptions/subid/resourceGroups/rg1/providers/Microsoft.DocumentDB/databaseAccounts/ddb1/sqlDatabases/databaseName/sqlContainers/containerName

I get the following error:

azure-native:documentdb:SqlResourceSqlContainer:
    error: Preview failed: autorest/azure: Service returned an error. Status=400 Code="BadRequest" Message="The request path <https://cdbmgmtprodsg.documents.azure.com:450/subscriptions/[id]/resourceGroups/[resourceGroup]/providers/Microsoft.DocumentDB/databaseAccounts/[dbAccount]/sqlDatabases/uploaddb/sqlContainers/[containerName]?api-version=2021-01-15> is invalid.\r\nActivityId: 7d3e4a6e-0f4d-4fdf-9af7-e4951e98c388, Microsoft.Azure.Documents.Common/2.11.0"

Any help is very appreciated!

better-shampoo-48884

05/21/2021, 11:32 AM

Trying to figure out how to scope this to the correct subscription: https://www.pulumi.com/docs/reference/pkg/azure-native/containerservice/listmanagedclusteradmincredentials/ The code is inside a ComponentResource which has a provider attached:

const currentKubeconfig = pulumi.all([aks.name, args.group[group.location].name]).apply(([clusterName, rgName]) => {
                            return azure.containerservice.listManagedClusterAdminCredentials({
                                resourceGroupName: rgName,
                                resourceName: clusterName,
                            })
                        })

It seems I can attach a provider to the listManagedClusterAdmin - but how would I get that from the parent ComponentResource?

tall-scientist-89115

05/21/2021, 3:40 PM

Hey we noticed this morning our primary cluster was trying to swap out the vnet (and failing because it has resources), because someone on the team npm installed azure-native 1.7 and the (default) azure-native provider that created the resource was at 1.5. I guess locking versions would work.. but every time we upgrade azure-native we're going to have to rebuild the cluster? Did the arm interface change? I Was a bit surprised at this behavior from a minor release

Title

tall-scientist-89115

05/21/2021, 3:40 PM

billowy-army-68599

05/21/2021, 3:46 PM

can you share the diff?

limited-eve-38521

05/21/2021, 3:58 PM

Untitled

specifically

[provider: urn:pulumi:prod-cluster::infra::pulumi:providers:azure-native::default_1_5_0::5472e0f4-f1bc-4d9f-8aa5-4818dd7b1307 => urn:pulumi:prod-cluster::infra::pulumi:providers:azure-native::default_1_7_0::3726aa65-bea9-4a3e-93ed-6c7fd82df168]

billowy-army-68599

05/21/2021, 4:01 PM

can you open an issue for this? that doesn't look right

limited-eve-38521

05/21/2021, 4:05 PM

will do

tall-librarian-49374

05/21/2021, 4:08 PM

Sounds like https://github.com/pulumi/pulumi-azure-native/issues/611

Did you run a refresh before you got this diff?

limited-eve-38521

05/21/2021, 4:16 PM

ill try that

same diff after refresh

regarding the version change

tall-librarian-49374

05/21/2021, 4:26 PM

I don’t think it’s related to the version. You’ll get it on refresh without a version update.

We haven’t changed the API version of the virtual network resource since 1.0 https://github.com/pulumi/pulumi-azure-native/blame/master/sdk/dotnet/Network/VirtualNetwork.cs

limited-eve-38521

05/21/2021, 4:31 PM

regarding the subnet issue i believe https://github.com/pulumi/pulumi-azure-native/issues/611 is it

that happens whether we lock azure-native to 1.5 or not

adding
{ ignoreChanges: ["subnets"] },
to the VirtualNetwork fixed it for us for now

tall-scientist-89115

05/21/2021, 5:04 PM

so if we rebuild this cluster, what's the best practice to avoiding this bug for now? Use the classic provider for the vn and az native for the subnets?

the other workaround mentioned in that ticket,

{ ignoreChanges: ['subnets'] }

, just resulted in the preview not showing the subnet replacement, but the update itself trying to create one

I took it to the ticket

View count: 3