The implementation of listStorageAccountSAS seems.... not great. Things like resource group and storage account name are strings rather than Input<string> and if you use the Enum types for permissions etc. you can only specify 1, because again their strings. Is this going to be improved?

Maybe it's me, but I find it difficult to find lot of examples of using Pulumi with Azure (especially in C#). Some sample from the classic provider have not been upgraded to Native provider so I have trouble to understand how do to do some basic things. For instance assigning a Storage Blob Data Reader role to an Azure Function (through its managed identity) seems complicated. It seems to me that RoleAssignment is what I am looking for but I am not sure how to use it, especially because I think I have to use the guid from this role. Anyone has already done that ?

Is there a way to attach ACR to AKS using pulumi as in the azure doc: https://docs.microsoft.com/en-us/azure/aks/cluster-container-registry-integration?tabs=azure-cli ?

Hi Guys, I’ve provisioned AKS cluster with

containerservice.ManagedCluster

with SystemAssigned MI. Something like:

const cluster = new containerservice.ManagedCluster(managedClusterName, {
  ...
  identity: {
    type: "SystemAssigned",
  }
  ...
});

How can I get it

principalId

for creating

authorization.RoleAssignment

?

Hello all, I am using Pulumi for the first time for a project hosted in Azure cloud. I am using Typescript for programming the resources. I currently have the following scenario: A project with a stack named ‘dev’ that creates a ResourceGroup in Azure. The code is as follows: Another project with a stack named ‘dev’ that should create a MariaDB database and map it to the ResourceGroup just created in the other projet. My current code is this:

export const databaseResourceGroup = new ResourceGroup(
  'resource-group-dev',
  {
    resourceGroupName: 'resource-group-dev',
    location: 'germanywestcentral',
    tags: {
      project: 'test',
      env: 'dev',
      type: 'resourcegroup'
    }
  }
)

My problem is that in the second project the ResourceGroup is not linked no matter how (getResourceGroup, Import, StackReference) but is always recreated, which leads to a fail because it just already exists.

// const resourceGroup = await getResourceGroup({
//   resourceGroupName: databaseResourceGroupName
// })

const resourceGroup = new ResourceGroup(
      'resource-group-dev',
      {
        resourceGroupName: 'resource-group-dev',
        location: 'germanywestcentral',
        tags: {
          project: 'test',
          env: 'dev',
          type: 'resourcegroup'
        }
      },
      {
        import: `/subscriptions/<subscription-id>/resourceGroups/<resourcegroupname>`
      }
    )

Do any of you here have an idea how I can link between resources without recreating them. I would now expect a similar pattern as in the AWS CDK where I can access ARN with from methods.

Hi. Just sharing an article I wrote that talks about Azure Functions and where I use Azure Native provider to build and deploy a Function App using its Managed Identity to acess the storage. https://www.techwatching.dev/posts/azure-functions-without-azurewebjobsstorage

Any way of dumping raw ARM API call data while performing a stack.up (I'm using automation API)? I'm in conversation with Azure support and they want this to help debug an issue I'm facing with public static IP provisioning.

Hey guys. Is there a way to grant access permissions to all pipelines for a service endpoint? I didn't find this option on the azuredevops.ServiceEndpointAzureRM api.

I'm creating some VM's in Azure using pulumi and I wan't to use som certificates on thos VM's that I've already got. Anyone knowing how I easily can pass those certificates down to the VM from pulumi?

Hi to everyone. This chat is the last resort I expect to find help. After spending 2 days I cannot make work creating an API operation. When I create it using

using ApiManagement = Pulumi.AzureNative.ApiManagement.V20210101Preview;
...
var operation2 = new ApiManagement.ApiOperation($"{apiName}/send",
    new ApiManagement.ApiOperationArgs
    {
        ApiId = api.Id,
        ResourceGroupName = resourceGroup.Name,
        ServiceName = apiManagementService.Name,
        DisplayName = "send",
        Method = "GET",
        OperationId = Output.Format($"{apiManagementService.Name}/PushNotificationApi/send"),
        UrlTemplate = "/send",
        TemplateParameters = new InputList<ParameterContractArgs>(),
        Responses = new InputList<ApiManagement.Inputs.ResponseContractArgs>()
    });

It fails with an error: error: autorest/azure: error response cannot be parsed: "" error: EOF I could deploy it only via ARM Template deployment:

var operation = CreateApiOperation($"{apiName}/push",
    new ApiManagement.ApiOperationArgs
    {
        ApiId = api.Id,
        ResourceGroupName = resourceGroup.Name,
        ServiceName = apiManagementService.Name,
        DisplayName = "Push",
        Method = "GET",
        //OperationId = Output.Format($"{apiManagementService.Name}/PushNotificationApi/push"),
        UrlTemplate = "/push",
        TemplateParameters = new InputList<ParameterContractArgs>(),
        Responses = new InputList<ApiManagement.Inputs.ResponseContractArgs>()
    });

...
private Output<string> CreateApiOperation(string name, ApiManagement.ApiOperationArgs args)
{
    var deployment = new AzureNative.Resources.Deployment($"deployment",
        new AzureNative.Resources.DeploymentArgs
        {
            DeploymentName = Output.Format($"deployment_operation_{args.DisplayName}"),
            Properties = new AzureNative.Resources.Inputs.DeploymentPropertiesArgs
            {
                Mode = DeploymentMode.Incremental,
                Template = new Dictionary<string, object>()
                {
                    {
                        "$schema",
                        "<http://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#>"
                    },
                    {"contentVersion", "1.0.0.0"},
                    {"parameters", new Dictionary<string, object>()},
                    {
                        "resources", new[]
                        {
                            new Dictionary<string, object>()
                            {
                                {"type", "Microsoft.ApiManagement/service/apis/operations"},
                                {"apiVersion", "2021-01-01-preview"},
                                {"name", Output.Format($"{args.ServiceName}/{name}")},
                                {
                                    "properties", new Dictionary<string, object>()
                                    {
                                        {"displayName", args.DisplayName},
                                        {"method", args.Method},
                                        {"urlTemplate", args.UrlTemplate},
                                        {"templateParameters", args.TemplateParameters},
                                        {"responses", args.Responses}
                                    }
                                }
                            }
                        }
                    }
                },
            },
            ResourceGroupName = args.ResourceGroupName,
        });

    return null;
}

I suspect the problem is in OperationId. I tried all possible combinations. I appreciate any help. Thanks a lot.

if i use

pulumi_azure_native.containerservice.ManagedCluster

, how can I know which API version is being used?

pulumi_azure_native==1.28.0

Ideas? My

pulumi up

gets stuck into this. Waited yesterday for several HOURS but it did not proceed. I'm assuming it's due to this code

const dnsZone = azure.dns.Zone.get("thename", DNS_ZONE_ID);

but I'm not sure. Any ideas would be most welcome at this point

Hi Guys, I’m creating an AKS cluster with UserAssigned Managed identify and identity for kubelet as well. My code looks like:

...
const controlPlaneIdentity = new managedidentity.UserAssignedIdentity("controlPlaneIdentity", {...});
const kubeletIdentity = new managedidentity.UserAssignedIdentity("kubeletIdentity", {...});

const cpManagedIdentityOperator = new authorization.RoleAssignment("controlPlane-ManagedIdentityOperator", {
  principalId: controlPlaneIdentity.principalId,
  principalType: "ServicePrincipal",
  roleDefinitionId:
    "/subscriptions/xxxxxxxx/providers/Microsoft.Authorization/roleDefinitions/f1a07417-d97a-45cb-824c-7a7467783830",
  scope: resourceGroup.id,
});


const cluster = new containerservice.ManagedCluster( "cluster", {
  ...
    identity: {
      type: "UserAssigned",
      userAssignedIdentities: controlPlaneIdentity.id.apply((id) => {
        const dict: { [key: string]: any } = {};
        dict[id] = {};
        return dict;
      }),
    },
    identityProfile: {
      kubeletidentity: {
        clientId: kubeletIdentity.clientId,
        resourceId: kubeletIdentity.id,
        objectId: kubeletIdentity.principalId,
      },
    },
    ...
  },
  { dependsOn: [cpManagedIdentityOperator, kubeletDnsZoneContributor] }
);

Even thou I have dependencies on cluster resources I got an error on fresh stack creation:

The cluster user assigned identity must be given permission to assign kubelet identity /subscriptions/xxxxxxxxxx/resourcegroups/poc-aks/providers/Microsoft.ManagedIdentity/userAssignedIdentities/poc-aks-kubeletIdentity. Check access result not allowed for action Microsoft.ManagedIdentity/userAssignedIdentities/assign/action.

Am I missing something?

I would like to write command line tooling to do what the pulumi cli does. Specifically the up functionality but with checks in place. Can someone point me to the python documentation on how to accomplish this? Thanks much!

I like the Azure Native provider, I think the better coverage is great, and reflecting the ARM API directly is a good idea. However, where it does suffer is where the ARM API is either badly designed or missing a feature. In the Terraform provider the extra abstraction meant it was possible to build additional functionality to deal with this, where as the native provider doesn't have this. I appreciate that issues with the ARM api are not Pulumi's fault, but the lack of the extra layer does mean that we're having to resort to either using the old Azure provider, or call the REST api directly to work around these issues. Has there been any thought around being able to have the native api have additional features on top of the ARM API to smooth out some of these issues?

Hi guys, has anyone done Workflows/logic apps with Pulumi azure native? The example (c#) on the docs seems to have a syntax error that's hard to spot, I'm also wondering if there's a nicer way of providing a definition for the workflow (e.g., loading from a json file for example)

hi everyone, i have few question, i use pulumi since 1 year now and i love it. But in certain case, it’s very hard to understand how to code without example. see my problem : I write my code with typescript, and i’am on Azure I use web.webaap for create a function app, and i want to add an identity provider. I use azuread.Application (App registration) who its work fine, but when i want to associate my function app with this App registration, i used WebAppAuthSettingsV2. And its very hard to understand how used it. Somebody have an working example ?

Hi, I'm after some advice on how to best handle the following... I am deploying a Virtual Machine to Azure using Pulumi/C#. As part of the deployment I need to run a custom script which I am doing by deploying a VirtualMachineExtension/CustomScriptExtension. In order to do this I need to specify the Uri of the script so as part of the deployment so I plan to first upload the script file to Azure Storage and then delete it after the deployment completes. I planed to use the Azure storage sdk to upload and delete the file to blob storage. How can I ensure that the file is uploaded before the Pulumi VirtualMachineExtension/CustomScriptExtension code runs? Also how can I ensure that the VirtualMachineExtension/CustomScriptExtension deployment has finished running before I delete the file?

Hi, does anyone know if there is a similar

azure-native

“Contacts” block for the existing

azure

provider option https://www.pulumi.com/docs/reference/pkg/azure/keyvault/keyvault/#contacts_csharp I want to utilise the UI feature for adding email addresses for certificate expiration notifications, however I can’t seem to find an equivalent for the new providers. Or if anyone knows if this will be supported going forward with the API? https://www.pulumi.com/docs/reference/pkg/azure-native/keyvault/vault/ The cli command for configuring this email notification list is: https://docs.microsoft.com/bs-cyrl-ba/cli/azure/keyvault/certificate/contact?view=azure-cli-latest

Hi! I tried to update my Azure SQL Server and added "Admininstrators".

var sqlServer = new Server("myServer", new ServerArgs
{
    AdministratorLogin = administratorLogin,
    AdministratorLoginPassword = administratorLoginPassword,
    ResourceGroupName = resourceGroup.Name,
    Identity = new ResourceIdentityArgs { Type = IdentityType.SystemAssigned },
    Administrators = new ServerExternalAdministratorArgs { PrincipalType = PrincipalType.User, Login = "MyLoginAADAccountName", Sid = "SomeGuid" } // I added this line
});

Why did pulumi removed my Azure SQL Server and recreated it?

I just ran into this bug in azure-ad, and I was wondering if there's any known workaround or timeline for a fix? https://github.com/pulumi/pulumi-azuread/issues/147

Hey 👋 I need to rotate the app password before it expires so, I’ve use the

rotateWhenChanged

input to trigger a rotation but it deletes the existing resource when it rotates causing any services using those credentials to fail. Is there a way to not remove the existing resource when the app password is being rotated or is there a better approach to this problem? This is the code that creates the app passwords

const appPassword = new azad.ApplicationPassword(
            `app-client-credentials`,
            {
                applicationObjectId: app.objectId,
                displayName: 'App',
                endDateRelative: '4380h', // 6 months
                // When the endTimestamp changes which is every 2 months,
                // it will trigger the resource to be recreated
                rotateWhenChanged: {
                    endTimestamp: futureEndTimestamp(2),
                },
            }
        )

Hi, I'm hoping for some guidance on how to correctly implement the following... I am deploying an Integration Runtime to an Azure Data Factory using Pulumi.AzureNative.DataFactory.IntegrationRuntime. Once the integration runtime has been deployed I then need to obtain the AuthKey from it. There is a function for this ( Pulumi.AzureNative.DataFactory.ListIntegrationRuntimeAuthKeys) but it requires the Integration Runtime Name to be specified as a string. The Integration Runtime deployment returns an object with a Name property of type Output<string> which the ListIntegrationRuntimeAuthKeys won't accept. I am guessing that I need to make use of something like Apply here to get the name back as a string but am unsure how to do it in such a way that I get the authKey correctly returned (also as a string not an Output<string>)? This doesn't work for example as authKey is only available within the Apply block and I need it available outside of that (so I can pass it in to another deployment that also wants it as a string)

integrationRuntime.Name.Apply(n =>
{
    var authKey = Pulumi.AzureNative.DataFactory.ListIntegrationRuntimeAuthKeys.InvokeAsync(new Pulumi.AzureNative.DataFactory.ListIntegrationRuntimeAuthKeysArgs
    {
        FactoryName = runtimeSettings.DataFactoryName,
        ResourceGroupName = runtimeSettings.DataFactoryResourceGroup,
        IntegrationRuntimeName = n
    }).Result.AuthKey1;
    return n;
});

just updated azuread to newest version 5.3.0, and now I get,

panic: Unknown kind: bool
    goroutine 33 [running]:
    <http://github.com/hashicorp/terraform-plugin-sdk/v2/terraform.(*ResourceConfig).get(0xc0008a14d0|github.com/hashicorp/terraform-plugin-sdk/v2/terraform.(*ResourceConfig).get(0xc0008a14d0>, 0xc0008aeba0, 0x1f, 0xc0008a13b0, 0x0, 0x1f, 0x17791560598)
        /home/runner/go/pkg/mod/github.com/pulumi/terraform-plugin-

Someone else experience this?

Hi all. I am trying to enable multi-dimension metrics on an Application Insights instance (https://docs.microsoft.com/en-us/azure/azure-monitor/app/get-metric#multi-dimensional-metrics) and I can't figure out how to do it via Pulumi. Any help would be appreciated. Here's our AI instance definition:

var cliAppInsights = new Component(
	$"xxx-{stackName}-cli-ai",
	new ComponentArgs()
	{
		ResourceName = $"xxx-{stackName}-cli-ai",
		Location = location,
		ResourceGroupName = resourceGroup.Name,
		Kind = "web",
		ApplicationType = ApplicationType.Web,
		RetentionInDays = config.GetInt32("CliApplicationInsightsRetentionInDays"), 
	});

I have noticed that when specifying CustomResourceOptions for calls, depandsOn can be specified as an Input type (i.e. InputList<Resource>) but Provider can't i.e. provider has to be a ProviderResource and can't be an Input<ProviderResource). Is there a reason for this difference? I am trying to pass the ID of a resource to a function and return the appropriate provider from that. Because the resource Id is of type Output<string> the resultant provider I get back is of type Output<Provider> which I then can't pass in as an arg to CustomResourceOptions.

Hi all, I am trying to create a rabbitMq bitnami chart that is needed later in some kubernetes deployments. Everything does deploy correctly, the only problem we are facing is, that the kubernetes deployments cannot access the rabbitmq on startup as it seems to be created but it's not live yet. According to the docu the helm chart does await the creation an checks the resources are available. But as said, the rabbitmq is not started on deployment. I tried to depend on the resources of the chart, but with no luck. I tried to just start the deployments when the chart is set to ready (chart.ready.apply()), but it did not lead to the wished result. I also tried to wait for a connection to be established before the kubernetes deployment, but even after 15 minutes no connection could be achieved via amqp. Does anybody have any ideas how to ensure the rabbitmq is up and running before deployment? Thanks

Hey 🙂 , will the there be a new release of the azuread provider, there is currently a bug in the existing version 5.3.0, making it impossible to create ad groups. there is a temp hack to solve this, in the 12.1.0 version of the terraform provider. https://github.com/hashicorp/terraform-provider-azuread/issues/588