pulumi-community #azure

great-breakfast-56601

10/07/2021, 10:06 AM

Hi Has anyone had difficulty getting an internal loadbalancer to create using a managedidentity?

great-breakfast-56601

10/07/2021, 10:06 AM

Living in pending state

worried-knife-31967

10/11/2021, 6:30 PM

Anyone seen any issues with role assigments and a race condition? It seems the deletion of role assignments completes asynchronously, and if you're doing Cosmos RBAC, there is as lock applied. That means that if there's a change applied and it needs to delete the role, you get an exception due to the delete locking the resource asynchronously.

👀 1

rhythmic-activity-46295

10/13/2021, 11:05 PM

Hello, anyone here know how to achieve deny role assignments with pulumi? I've a keyvault in our dev environment which all developers have access to but I want to deny access to a certificate?!

curved-pencil-86122

10/15/2021, 6:08 AM

When trying to create BlobServiceProperties I'm getting the following error with strange looking 10-starting ip address. Any ideas? What I'm doing wrong? self.my_storage_account = storage.StorageAccount( account_name=mystorageaccount, ... blob_service_properties.BlobServiceProperties( account_name=self.my_storage_account.name, ... error: autorest/azure: Service returned an error. Status=404 Code="HttpResourceNotFound" Message="The request url http://10.0.14.52:30044/...my_storageaccount?api-version=2021-04-01 is not found."

future-kite-91191

10/15/2021, 10:00 AM

When running a Pulumi program in Azure Devops against an AKS cluster, we see

To sign in, use a web browser to open the page <https://microsoft.com/devicelogin> and enter the code CG*****QW to authenticate.

How can I ensure the pipeline can run without interactive logins? Background: • The AKS cluster has "local k8s account" feature disabled, only AAD accounts can authenticate • The Azure Devops pipeline Service Principal is member of the AAD Group that has admin rights/roles assigned to it for the AKS cluster

many-dress-54535

10/15/2021, 6:34 PM

Hello, I am trying to update a

pulumi_azure_native.network.IpGroup()

by setting the

ip_addresses

and I am getting

AttributeError: can't set attribute

error, not sure if I am doing this right because it's the first time I try to set a property...

steep-addition-26630

10/18/2021, 7:35 AM

Hi, this was asked before but there was no conslusion. I have a function app where the code seems to be deleted on every update from pulumi, even minor changes to the configuration. I'd expect an app restart, but instead the entire application code seems to disappear. Is this expected? The pulumi preview is like this, and is what I would expect:

Copy code

~  azure-native:web:WebApp foo-func update [diff: ~siteConfig]
~  azure-native:web:WebAppSlot foo-func update [diff: ~siteConfig]

It's worth mentioning that I'm currently pushing the code via another pipeline. I'd like to use WebAppSourceControl but it seems we need a bit more setup for that to work (and a documented example wouldn't hurt...)

white-bear-32497

10/19/2021, 7:06 AM

Hi, I’m working with the example of app service with my simple nodejs app, all of the examples upload package to blob and use

WEBSITE_RUN_FROM_ZIP

to deploy, is there any way to directly deploy from local disk?

victorious-exabyte-70545

10/19/2021, 6:41 PM

Hi All, Question: Is there a way to unit test my pulumi azure IOC without network connectivity. When I worked with AWS I used a python library called boto to mock AWS's api. It was awesome because every cloud formation template generated was tested (all resources mock created). Would love to do this with pulumi and azure.

wet-noon-14291

10/20/2021, 10:01 PM

I based a small demo of deploying a typescript cloud function on this, https://github.com/pulumi/examples/blob/master/azure-ts-functions/index.ts example. It works fine if everything is done correct first time, but for me changing the value https://github.com/pulumi/examples/blob/master/azure-ts-functions/index.ts#L35 didn't update the actual cloud function it seemed. So to test it I had to delete the whole stack (just a demo) and deploy again. What is the right approach to update the function if the content of the blob is changed? @tall-librarian-49374 I noticed that you are one of the contributors to that example.

chilly-magazine-4507

10/21/2021, 12:11 AM

Hi all, I am specifying a name on the azure resource group, but I am still getting and autonamed resource group

witty-airport-81009

10/21/2021, 10:25 AM

If i add a provider to an azure-native stack that's already been deployed before the provider was added Pulumi wants to replace resources instead of just updating them. For a lot of resources in the stack that's fine, but for others, like db's this is not optimal. Is there anything I can do to make Pulumi think these are still the same resources, and all it needs to do is update the provider? The provider was added as we moved some resources in a stack across to a different azure subscription, whilst others (e.g. dns zone) remained in the old subscription.

blue-hair-13625

10/21/2021, 3:25 PM

Hi, is there a C# sample showing the correct format to assign a user assigned identity to a container instance? I've tried to follow the docs but no luck..

millions-journalist-34868

10/21/2021, 8:51 PM

Hi. How do you use existing Azure resources from your Pulumi program. In my context I would like to create the resource group that will contain my resources outside of my pulumi stack. The aim is to to the development team Contributor permissions but only on the resource group I created and not on the whole subscription. I have read about Resource getters in the documentation but it seems very specific to AWS. I also found this method on the docs I don't know if it's what I should use. If you have other suggestions, other ways of doing these kinds of things I am listening.

enough-butcher-66045

10/24/2021, 11:03 PM

👋 is there any way to specify the certificate management type for a FrontDoor Frontend Endpoint?

hallowed-traffic-28168

10/25/2021, 10:03 AM

Hi All, I am provisioning the azure storage account with pulumi (python and azure )and want to enforce the below security and best practice for an azure storage account. Please help. 1. Ensure that public access level is set to Private for a blob container. 2. Ensure that “Secure transfer required” is set to “Enabled”. 3. Ensure that Audit missing blob encryption for storage account is set to On. Thanks, Ravi

wooden-receptionist-75654

10/25/2021, 2:29 PM

Hi Guys, I’m using a

azure-native.containerservice

lib to create AKS cluster and I also would like deploy k8s RBAC objects with

kubernetes

lib. I have something like:

Copy code

# Creating AKS
const cluster = new containerservice.ManagedCluster(...)

# Getting a kubectlconfig
const creds = pulumi.all([cluster.name, resourceGroup.name]).apply(([clusterName, rgName]) => {
  return containerservice.listManagedClusterUserCredentials({
      resourceGroupName: rgName,
      resourceName: clusterName,
  });
});
const encoded = creds.kubeconfigs[0].value;
const kubeconfig = encoded.apply(enc => Buffer.from(enc, "base64").toString());

# Creating provider
const aksProvider = new k8s.Provider("aks", {
  kubeconfig: kubeconfig
})
# And deploying a role
const devsGroupRole = new k8s.rbac.v1.Role("pulumi-devs",{...},  {provider: aksProvider})

And it appears that

kubeconfig

is required

browser-based authentication

for first time. I got

To sign in, use a web browser to open the page <https://microsoft.com/devicelogin>

I have tried it with user auth (az login) and got the same in CI with Service Principal. Is there any way to skip it?

narrow-helmet-6313

10/25/2021, 5:44 PM

Hi Team,

narrow-helmet-6313

10/25/2021, 5:45 PM

Hi Team, is there any pulumi api to get the region for the given subscription or location for azure cloud.

proud-appointment-22284

10/27/2021, 6:56 PM

Hello everyone, It is possible to exclude the subnet resource from imported virtualnetwork in pulumi? (I cannot afford just re-create vnet resource through the pulumi) When I ran pulumi import "azure-nativenetworkVirtualNetwork name id", I got all resources associated with the vnet resource such as subnets.

Copy code

I want to take the subnets part outside of the virtualnetwork resource but the pulumi is not able to handle such extractions, so I end up with this configuration.                                                                   const VirtualNetwork = new network.VirtualNetwork("VirtualNetwork-test", {
    addressSpace: {
        addressPrefixes: ["10.49.184.0/23"],
    },
    enableDdosProtection: false,
    location: "westeurope",
    resourceGroupName: "rsg-network",
    subnets: [{
        addressPrefix: "10.49.185.0/27",
        name: "subnet-test",
        privateEndpointNetworkPolicies: "Enabled",
        privateLinkServiceNetworkPolicies: "Enabled",
        type: "Microsoft.Network/virtualNetworks/subnets",
    }],
    virtualNetworkName: "VirtualNetwork-test",
},);    

const subnet = new network.Subnet("subnet-test", {
    addressPrefix: "10.49.185.0/27",
    name: "subnet-test",
    privateEndpointNetworkPolicies: "Enabled",
    privateLinkServiceNetworkPolicies: "Enabled",
    resourceGroupName: "rsg-network",
    subnetName: "subnet-test",
    type: "Microsoft.Network/virtualNetworks/subnets",
    virtualNetworkName: "VirtualNetwork-test",
}, {
    parent: VirtualNetwork,
});
My goal is to achieve that the subnets part information would be just removed from the virtaulnetwork resource and I will have only standalone subnet resource, so the code should look like:                                           const VirtualNetwork = new network.VirtualNetwork("VirtualNetwork-test", {
    addressSpace: {
        addressPrefixes: ["10.49.184.0/23"],
    },
    enableDdosProtection: false,
    location: "westeurope",
    resourceGroupName: "rsg-network",
    virtualNetworkName: "VirtualNetwork-test",
},);    

const subnet = new network.Subnet("subnet-test", {
    addressPrefix: "10.49.185.0/27",
    name: "subnet-test",
    privateEndpointNetworkPolicies: "Enabled",
    privateLinkServiceNetworkPolicies: "Enabled",
    resourceGroupName: "rsg-network",
    subnetName: "subnet-test",
    type: "Microsoft.Network/virtualNetworks/subnets",
    virtualNetworkName: "VirtualNetwork-test",
}, {
    parent: VirtualNetwork,
});

brash-quill-35776

10/28/2021, 2:28 AM

Hi, just start to use azure-native, but seems like the args type are incorrect. Basically, the input type is now

string

, so I can't put

input

type to that then

output

type is

string

, which I think should be

output

type Please take a look If it's a legit issue, I can then create issue in Github

great-breakfast-56601

10/28/2021, 9:35 AM

Can anyone offer any reference for the correct casing of AddonProfiles?

great-breakfast-56601

10/28/2021, 9:35 AM

Copy code

{ "KubeDashboard", new ManagedClusterAddonProfileArgs
                {
                    Enabled = false,
                }
               },
               { "Azurepolicy", new ManagedClusterAddonProfileArgs
                {
                    Enabled = true,
                    Config = new InputMap<string>{ {"version", "v2"} }
                }
               },
               { "omsagent", new ManagedClusterAddonProfileArgs
                {
                    Enabled = true,
                    Config = new InputMap<string>{ {"logAnalyticsWorkspaceResourceID", partnerAnalyticsWorkspace.Id} }
                }
               },

great-breakfast-56601

10/28/2021, 9:36 AM

Are any of these valid?

great-breakfast-56601

10/28/2021, 9:37 AM

Working in C#. Does the casing change by language?

proud-dusk-33872

10/28/2021, 11:35 PM

Hi all - trying to better understand how Pulumi works under the good. Given the call

Pulumi.Deployment.Instance.InvokeAsync<ListConfigurationStoreKeysResult>("azure-native:appconfiguration:listConfigurationStoreKeys", ...)

, where is

azure-native:appconfiguration:listConfigurationStoreKeys

coming from? Is there a config/manifest file somewhere that is used to generate all the code that would contain those references? I couldn't find the string reference outside of code files.

proud-dusk-33872

10/28/2021, 11:54 PM

Separate question: my deployment requires that I perform an action after something has been deployed (eg. call an API endpoint on a webapp after it's deployed) but that action has no explicit return value. How does that work in terms of using Output? Should I still use Output.Apply for the dependency, but just return a dummy value (like bool / Unit) for my custom action?

powerful-football-81694

10/31/2021, 12:07 PM

Hi everyone! Does any one know how to create additional function app host keys using the native provider? I’ve figured out that we can query for existing ones using

Pulumi.AzureNative.Web.ListWebAppHostKeys

but I cannot seem to find how to create new one, neither during the initial deployment (using some options on

WebAppArgs

SiteConfigArgs

) nor as any kind of separate resource. It seems very easy to do this using ARM (see https://blog.eldert.net/create-and-retrieve-azure-functions-function-keys-in-arm-template/) so I’m guessing there’s a simple way also through Pulumi and I’m just struggling to find it… thankful for any help!

powerful-football-81694

10/31/2021, 6:25 PM

Next stumbling block in automating APIM creation… a bit of a deadlock. Our Pulumi program: 1. creates

ApiManagementService

and configures it to have a system-assigned managed identity 2. must specify the custom hostname at creation time in the

HostnameConfigurationArgs

property, which references a certificate in key vault 3. but APIM fails to create because to read the cert from key vault, it needs an access policy… 4. but the

KeyVaultAccessPolicy

to give the APIM managed identity access to read secrets from key vault can only be created after the APIM service has been created, which can’t happen… So, APIM resource creation depends on the key vault access policy, which depends on the APIM resource… deadlock. Any advice on what do do in this situation?