I'm trying to migrate from Azure to Azure Native following this guide - https://www.pulumi.com/docs/intro/cloud-providers/azure/from-classic/#move-resources-from-classic-azure-to-azure-native and I must be missing something obvious. I've run pulumi import and that worked as expected, updated my code, but when I try and run Pulumi up it wants to delete the new Azure Native resource group, rather than showing no changes. What am I missing?

How does Azure-> Azure Native migration work for component resources, do you need to import each sub resource of the component resource individually?

Just to be sure - you don’t have to migrate if everything works with your existing resources, the classic provider isn’t going away.

has anyone had luck to use openshift with pulumi? I cant get a cluster running with this example https://www.pulumi.com/docs/reference/pkg/azure-native/redhatopenshift/openshiftcluster

So, I’m trying to get zero-downtime deployments for Azure Functions … it appears that just changing the blob in the appSettings causes a few seconds of downtime while it starts up the new deployment. It seems like the way around this might be to use deployment slots … create a new slot, deploy to that slot, let it start up then switch the active slot. Has anyone done this before? Does this work? Is there an easier way to do something that Azure should really just do for us? 🤔 Thoughts much appreciated!

It seems that the ManagedServiceIdentityArgs object for App Gateway is an InputMap that expects the key to be the ID of the managed identity, which needs to be a string. As you might expect, I want to create the Managed Identity using Pulumi so the ID is Output<string>, is there any way to get this into App Gateway without having to wrap the entire App GW object in an apply statement? I really don't want to do that as the Managed Identity is an optional setting, so I'd have to have two full copies of all the app gw code.

I’d like to move from one ASE to another in Azure, but problem is you can’t update an app service to move from one ASE to another if it is in a different webspace is my understanding I just get errors. I’d like to delete the underlying app services from the current app service plan and have them created in the new one but when I run the code it triggers the app service to update instead of replace and fails when it tries to update to the new app service plan. Almost seems like I’d want a “deletebeforeupdate” rather than a “deletebeforereplace” but not sure what causes the difference between an update and a replace.

I'm looking at the typescript

@pulumi/azure-native

web.StaticSite and would like to deploy some appsettings along with the static site, but don't see a way to set them in the web.StaticSiteArgs object. Is there any guidance for this?

Has anyone worked with Azure Functions Proxies? I really want to deploy it using pulumi, can’t find any examples or even what kind of resources I need to use.

Any plans to include support for Synapse Analytics serverless pools into Pulumi Azure provider? Or am I just blind and can't find it from docs or code?

I am trying to update an Azure ACI container group and I am getting the following error:

azure-native:containerinstance:ContainerGroup (spl-outputs):
error: Code="InvalidContainerGroupUpdate" Message="The updates on container group 'spl-outputs' are invalid. If you are going to update the os type, restart policy, network profile, CPU, memory or GPU resources for a container group, you must delete it first and then create a new one."

I updated the ContainerGroup definition to include

opts=pulumi.ResourceOptions(delete_before_replace=True)

(as per https://www.pulumi.com/docs/intro/concepts/resources/#deletebeforereplace) but it doesn't seem to have any effect

Is there a better way of handling azuread calls? We end up having to run Pulumi twice; once to create the resource and then once again to have azuread call resolve to the right objectId correctly. We have used a placeholder of ‘11111111-1111-1111-1111-111111111111’ temporarily to allow the first run through but that’s an issue when creating multiple resources you get a collision with multiple resources getting the all 1s placeholder.

How to debug this warning? It isn't exactly informative

pulumi:pulumi:Stack (myproject-azure-dev):
    warning: provider config warning: Deprecated Attribute

I need help regarding the azure data explorer (kusto / adx). Inside the documentation there are several database objects. https://www.pulumi.com/docs/reference/pkg/azure-native/kusto/ What database obect is actual / newest one ? And depending on the database, what is the right one for one for the data ingestion to an eventhub? There are two object types. If i use the EventHubDataConnection, i got the error "Code="ResourceNotFound" Message="The resource with identifier" for the database.

I'm using Pulumi to configure an Azure AKS managed cluster. It's a test cluster, and so I'm using some ephemeral volumes in my pods with

emptyDir

, and I needed more disk space. I haven't figured out a way to do that so that the existing nodes get replaced with nodes that have the amount of disk space I need. What I've tried: • update

os_disk_size_gb

in

agent_pool_profiles

and run

pulumi up

- this doesn't seem to have any effect • change

count

to 0 in

agent_pool_profiles

and run

pulumi up

- this results in an error that

count

is invalid • change

name

in

agent_pool_profiles

to try to have the pool replaced - this also results in an error (see thread)

Now I'm trying to create a

RecordSet

and getting this error:

azure-native:network:RecordSet (application-record):
    error: autorest/azure: Service returned an error. Status=400 Code="BadRequest" Message="The request was invalid."

This is the code in Python for the

RecordSet

:

RecordSet(
    'application-record',
    cname_record=CnameRecordArgs(cname=azure_fqdn),
    record_type='CNAME',
    relative_record_set_name=seeq_subdomain,
    resource_group_name=azure_zone_resource_group,
    zone_name=azure_zone_name
)

Is there a good way to troubleshoot that?

If I am using a service principal to authenticate, should I need to run az login? I am getting this error: Building AzureAD Client: obtain tenant() from Azure CLI: Error parsing json result from the Azure CLI: Error waiting for the Azure CLI: exit status 1: Please run 'az login' to setup account. I have tried two different service principals with the same issue

same settings work if I set it via an environment variable but fail when it is set via config

I have a problem during deployment of an azure data explorer with

AzureNative.Kusto.Script

i always get the error:

azure-native:kusto:Script (script1):

error: autorest/azure: Service returned an error. Status=404 Code="ResourceNotFound" Message="The resource with identifier

Re-posting in case people missed it before. Can someone help me get to the bottom of this?

Has anybody been able to deploy a storage account with customer managed keys? If I try and use the Python example from the Pulumi documentation (https://www.pulumi.com/docs/reference/pkg/azure-native/storage/storageaccount/#storageaccountcreateuserassignedencryptionidentitywithcmk) I get an error:

error: Code="CannotSetResourceIdentity" Message="Resource type 'Microsoft.Storage/storageAccounts' does not support creation of 'UserAssigned' resource identity. The supported types are 'SystemAssigned'."

If I change the identity to 'SystemAssigned' and remove the user_assigned_identities, the storage account them fails to build with this error instead:

error: Code="InvalidValuesForRequestParameters" Message="Values for request parameters are invalid: properties.encryption.identity."

Here's the proof-of-concept code I've been playing with:

import pulumi

import pulumi_azure_native as azure_native
import pulumi_azuread as azuread


config = pulumi.Config()

tenant_id = config.get('azure-native:tenantId')

resource_group = azure_native.resources.ResourceGroup("test-resource-group",
                                                      location="usgovvirginia",
                                                      resource_group_name="test-resource-group",
                                                      tags={'ENV': 'test'},
                                                      )


storage_security_group = azuread.Group("storage_security_group", display_name="storage_security_group")


key_vault = vault = azure_native.keyvault.Vault("Ish5booweur",
                                                location="usgovvirginia",
                                                properties=azure_native.keyvault.VaultPropertiesArgs(
                                                    access_policies=[azure_native.keyvault.AccessPolicyEntryArgs(
                                                            object_id=storage_security_group.id,
                                                            permissions=azure_native.keyvault.PermissionsArgs(
                                                                certificates=[],
                                                                keys=[
                                                                    "wrapKey",
                                                                    "unwrapKey",
                                                                    "get",
                                                                ],
                                                                secrets=[],
                                                            ),
                                                            tenant_id=tenant_id,
                                                        )],
                                                    enable_soft_delete=False,
                                                    soft_delete_retention_in_days=15,
                                                    enabled_for_deployment=False,
                                                    enabled_for_disk_encryption=True,
                                                    enabled_for_template_deployment=False,
                                                    network_acls=azure_native.keyvault.NetworkRuleSetArgs(
                                                        bypass="AzureServices",
                                                        default_action="Allow",
                                                    ),
                                                    sku=azure_native.keyvault.SkuArgs(
                                                        family="A",
                                                        name="Premium",
                                                    ),
                                                    tenant_id=tenant_id,
                                                ),
                                                resource_group_name=resource_group.name,
                                                vault_name="Ish5booweur",
                                                tags={'ENV': 'test'},
                                                )


storage_key = azure_native.keyvault.Key("storage-encryption-key",
                                        key_name="storage-encryption-key",
                                        properties=azure_native.keyvault.KeyPropertiesArgs(
                                            kty="RSA-HSM",
                                            key_size=4096,
                                        ),
                                        resource_group_name=resource_group.name,
                                        vault_name=key_vault.name,
                                        tags={'ENV': 'test'},
                                        )


storage_account_managed_identity = azure_native.managedidentity.UserAssignedIdentity("storage-account-managed-id",
                                                                                     location="usgovvirginia",
                                                                                     resource_group_name=resource_group.name,
                                                                                     tags={'ENV': 'test'},
                                                                                     )

cmk_storage_account = azure_native.storage.StorageAccount("storeaccount01",
                                                        account_name="storeaccount01",
                                                        allow_blob_public_access=False,
                                                        encryption=azure_native.storage.EncryptionArgs(
                                                            require_infrastructure_encryption=True,
                                                            encryption_identity=azure_native.storage.EncryptionIdentityArgs(
                                                                encryption_user_assigned_identity=storage_account_managed_identity.id,
                                                                ),
                                                            key_source="Microsoft.Keyvault",
                                                            key_vault_properties=azure_native.storage.KeyVaultPropertiesArgs(
                                                                key_name=storage_key.name,
                                                                key_vault_uri=key_vault.properties.vault_uri,  # "<https://Ish5booweur.vault.usgovcloudapi.net/>",
                                                                ),
                                                            services=azure_native.storage.EncryptionServicesArgs(
                                                                blob=azure_native.storage.EncryptionServiceArgs(
                                                                    enabled=True,
                                                                    key_type="Account",
                                                                    ),
                                                                file=azure_native.storage.EncryptionServiceArgs(
                                                                    enabled=True,
                                                                    key_type="Account",
                                                                    ),
                                                                ),
                                                            ),
                                                        identity=azure_native.storage.IdentityArgs(type="SystemAssigned"),
                                                        # identity=azure_native.storage.IdentityArgs(type="UserAssigned",
                                                        #                                            user_assigned_identities={str(storage_account_managed_identity.id): {}},
                                                        #                                            ),
                                                        kind="StorageV2",
                                                        location="usgovvirginia",
                                                        minimum_tls_version="TLS1_2",
                                                        network_rule_set=azure_native.storage.NetworkRuleSetArgs(bypass="AzureServices",
                                                                                                                 default_action="Deny",
                                                                                                                 ),
                                                        resource_group_name=resource_group.name,
                                                        sku=azure_native.storage.SkuArgs(name="Standard_ZRS"),
                                                        tags={'ENV': 'test'},
                                                        )

Hey there. We're using Pulumi to manage hundreds of Azure resources and so far it's been amazing. Thanks for such an awesome product. Just recently we hit an issue though that is blocking us and we can't figure it out. We are using Pulumi to provision an Azure KeyVault and some associated Access Policies. The issue is with the access policies. Provisioning access policies for "users" works just fine but when setting an access policy for an "app" things break down. Seems Azure does not recognize the provisioning as being an app and instead classifies it as unknown (see screenshot). The access policy does not work in this mode. Doing the same operation via the az command works just fine.

How do you pass --aks-custom-headers when creating an AKS cluster? To enable the CSI storage driver. https://docs.microsoft.com/en-us/azure/aks/csi-storage-drivers (azure native)

Anyone ever run into an issue moving a sql database to an elastic pool? I get the error “Elastic pool ‘xxxxx’ and service level objective ‘GP_Gen5_2’ combination is invalid. Code: 40860. Google hasn’t been much help. I changed the code so that the requestedServiceObjectiveName for the DB is now set to ElasticPool but now it is stuck. Two identical DB with different names migrated over fine but one will not.

Hi. I'm trying to deploy a function app with azure AD authentication, using an azure.web.WebApp and azure.web.WebAppAuthSettings. The deploy works fine, but when pulumi tries to destroy the WebAppAuthSettings resource, it fails with:

azure-native:web:WebAppAuthSettings (func-acmebot-auth-gdbp1-dev-eastus2):
    error: autorest/azure: Service returned an error. Status=400 Code="BadRequest" Message="SiteAuthSettings object is not present in the request body." Details=[{"Message":"SiteAuthSettings object is not present in the request body."},{"Code":"BadRequest"},{"ErrorEntity":{"Code":"BadRequest","ExtendedCode":"01008","Message":"SiteAuthSettings object is not present in the request body.","MessageTemplate":"{0} object is not present in the request body.","Parameters":["SiteAuthSettings"]}}]

The logs show that pulumi is doing a

PUT /subscriptions/.../resourceGroups/rg-main-gdbp1-dev-eastus26bb88e07/providers/Microsoft.Web/sites/func-acmebot-gdbp1-dev-eastus2cc94d39c/config/authsettings?api-version=2020-12-01 HTTP/1.1

with a body of just

{}

, which it looks like the Azure API doesn't like. What are my options here? I don't really care if the WebAppAuthSettings resource destruction fails as it will be cleaned up when the WebApp is destroyed anyway.

I'm trying to create an Integration Account using the following code from the Pulumi website

using Pulumi;
using AzureNative = Pulumi.AzureNative;

class MyStack : Stack
{
    public MyStack()
    {
        var integrationAccount = new AzureNative.Logic.IntegrationAccount("integrationAccount", new AzureNative.Logic.IntegrationAccountArgs
        {
            IntegrationAccountName = "testIntegrationAccount",
            Location = "westus",
            ResourceGroupName = "testResourceGroup",
            Sku = new AzureNative.Logic.Inputs.IntegrationAccountSkuArgs
            {
                Name = "Standard",
            },
        });
    }

}

I get an error back saying error: autorest/azure: Service returned an error. Status=400 Code="InvalidIntegrationAccount" Message="The provided integration account definition is not valid." Anyone know of a fix for this? Thanks Alan

I'm trying to follow this instruction: https://discourse.ubuntu.com/t/ubuntu-ha-cluster-in-microsoft-azure-cloud/18191 and set up a cluster on azure. The ssh for accessing the gateway vm woks fine but I can not ssh to my other vm. Can anyone help?

Does anyone have a suggestion of how to associate an AKS network security group with a subnet with azure native? I have this circular dependency I don’t know how to solve for. 1. Create a virtual network with a subnet 2. Create an AKS cluster setting 

VnetSubnetID

 to the subnet. AKS automatically creates an NSG. 3. Associate the AKS NSG to the vnet’s subnet

Hi All! I can't seem to find a way to create App Service Managed Certificates using the newer Azure-Native API's (specifically in C#). In the older Azure API's there is a ManagedCertificate class, but it does not seem to exist in the new Azure-Native API's. I have found Certificate and WebAppPublicCertificate, but neither of these seem support the same use case. Can anyone provide any guidance on how to create App Service Managed Certificates on Azure-Native?

Hi All, unable to create state in azure blob.. Getting this error stack name: (dev) Sorry, could not create stack ‘dev’: could not create stack: An IO error occurred while writing the new snapshot file: blob (key “.pulumi/stacks/dev.json”) (code=Unknown): write error: -> github.com/Azure/azure-storage-blob-go/azblob.newStorageError, /Users/brew/Library/Caches/Homebrew/go_mod_cache/pkg/mod/github.com/!azure/azure-storage-blob-go@v0.13.0/azblob/zc_storage_error.go:42 ===== RESPONSE ERROR (ServiceCode=InvalidResourceName) ===== Description=The specifed resource name contains invalid characters. RequestId:14ac4b96-d01e-0129-05d0-6b0ac5000000 Time2021 06 28T0349:25.6010176Z, Details: Code: InvalidResourceName PUT https://securitydatabricks.blob.core.windows.net/securitydatabricks.blob.core.windows.net/securityaudit/.pulumi/stacks/dev.json?blockid=iWNUqgnHTOG%2FSRSfaF%2Fo7gAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA%3D%3D&amp;comp=block&amp;timeout=61 Authorization: REDACTED Content-Length: [70] User-Agent: [go-cloud/blob/0.1.0 Azure-Storage/0.13 (go1.16.5; darwin)] X-Ms-Client-Request-Id: [b75d64ef-6480-4425-4e0a-6053b7173af0] X-Ms-Date: [Mon, 28 Jun 2021 034925 GMT] X-Ms-Version: [2019-12-12]