pulumi-community #azure

bulky-oil-97030

01/17/2022, 12:04 PM

Hello everyone, I'm trying to import a B2C App Registration.

az ad app list

gives me the application I want with:

Copy code

{
    "acceptMappedClaims": null,
    "addIns": [],
    "allowGuestsSignIn": null,
    "allowPassthroughUsers": null,
    "appId": "0b89550a-4c40-4d95-91a3-753d8a823564",
    "appLogoUrl": null,
    "appPermissions": null,
    "appRoles": [],
    "applicationTemplateId": null,
    "availableToOtherTenants": true,
    "deletionTimestamp": null,
    "displayName": "analyticsapi",
    .....
    "objectId": "8366522d-204a-41b4-ba30-ef01c99c9fdf",
    "objectType": "Application",
    "odata.type": "Microsoft.DirectoryServices.Application",
    ....
}

However the import

Copy code

$ pulumi import azuread:index/application:Application analyticsapi 8366522d-204a-41b4-ba30-ef01c99c9fdf

comes back empty with:

Copy code

Previewing import (qa):
     Type                          Name           Plan       Info
     pulumi:pulumi:Stack           iam-import-qa             1 error
 =   └─ azuread:index:Application  analyticsapi   import     1 error
 
Diagnostics:
  pulumi:pulumi:Stack (iam-import-qa):
    error: preview failed
 
  azuread:index:Application (analyticsapi):
    error: Preview failed: resource '8366522d-204a-41b4-ba30-ef01c99c9fdf' does not exist

What am I doing wrong?

bulky-oil-97030

01/17/2022, 3:12 PM

Hey everyone, another question about azuread: When creating an application secret, trying to write its value to the output just gives me

[secret]

e.g.:

Copy code

Outputs:
....
  + graphApiApplicationSecretFull : {
      + applicationObjectId: "<the-app-id>"
      + displayName        : "User Onboarding Secret"
      + endDate            : "2024-01-17T14:33:11Z"
      + id                 : "<the-pw-id>"
      + keyId              : "<the-key-id>"
      + startDate          : "2022-01-17T14:33:11Z"
      + urn                : "urn:pulumi:qa::ti-iam-tenant-auth::azuread:index/applicationPassword:ApplicationPassword::graphApiAplicationSecret"
      + value              : "[secret]"
    }
....

What am I doing wrong?

abundant-potato-97520

01/20/2022, 2:31 PM

Hi, I'm trying to create an access policy for an existing keyvault. I'm using GetVault.Invoke from azure native using a different provider (our keyvaults are on a different subscription to the one I'm creating webapps on etc.) and then using the original azure package to create the access policy and everything works nicely when I pulumi up from my command line. I can find the access policies using resources.azure.com. However, when running the stack via azure pipelines this step fails claiming that it can't find the resource group that the keyvault belongs to:

retrieving Key Vault "xxxxx-xxx-xx" (Resource Group "xxxxxx-xxxxx-xx"): keyvault.VaultsClient#Get: Failure responding to request: StatusCode=404 -- Original Error: autorest/azure: Service returned an error. Status=404 Code="ResourceGroupNotFound" Message="Resource group 'xxxxxx-xxxxx-xx' could not be found."

anyone an ideas why this is?

high-leather-15669

01/21/2022, 12:50 PM

Hello, I am trying to create a Disk Encryption Set in Azure, and get the following error:

Copy code

cannot check existence of resource '/subscriptions/xxx/resourceGroups/%2Fsubscriptions%xx%2FresourceGroups%2Fxxx/providers/Microsoft.Compute/diskEncryptionSets/des-xxx': status code 400, {"error":{"code":"InvalidApiVersionParameter","message":"The api-version '2020-12-01' is invalid. The supported versions are '2021-04-01,2021-01-01,2020-10-01,2020-09-01,2020-08-01,2020-07-01,2020-06-01,2020-05-01,2020-01-01,2019-11-01,2019-10-01,2019-09-01,2019-08-01,2019-07-01,2019-06-01,2019-05-10,2019-05-01,2019-03-01,2018-11-01,2018-09-01,2018-08-01,2018-07-01,2018-06-01,2018-05-01,2018-02-01,2018-01-01,2017-12-01,2017-08-01,2017-06-01,2017-05-10,2017-05-01,2017-03-01,2016-09-01,2016-07-01,2016-06-01,2016-02-01,2015-11-01,2015-01-01,2014-04-01-preview,2014-04-01,2014-01-01,2013-03-01,2014-02-26,2014-04'."}}

Any idea why?

big-sugar-92932

01/21/2022, 8:26 PM

I'm trying to create a role assignment that gives an existing app service access to a storage account. How do I get the principal id of that existing app service. #azure

big-sugar-92932

01/23/2022, 9:23 PM

Ok, now I'm trying to figure out how to configure the autoscale settings/rules for an AppServicePlan. Can't find any docs or samples on how to do that,

wet-noon-14291

01/24/2022, 1:26 PM

@tall-librarian-49374, looking at one example you posted, https://github.com/pulumi/pulumi-azure-native/blob/ae7f380268c97b951a76848ec45b3bafa22d4338/examples/postgres/index.ts, is it the SKU that defines that it is a flexible server?

refined-sugar-8079

01/26/2022, 1:28 PM

Has anyone tried applying a BlobContainerImmutabilityPolicy to a a AzureNative.Storage.BlobContainer? It appears whenever a BlobContainer is created it also creates the default BlobContainerImmutabilityPolicy but puts it in a Deleted state which prevents us for trying to import it, but it also fails when trying to create a new Policy. Even following the sample in https://www.pulumi.com/registry/packages/azure-native/api-docs/storage/blobcontainerimmutabilitypolicy/ will always result in:

Copy code

cannot create already existing resource '/subscriptions/xxx/resourceGroups/xxx/providers/Microsoft.Storage/storageAccounts/xxx/blobServices/default/containers/container42/immutabilityPolicies/default

The only alternative I've found was to use Local Command to execute az using CLI, but that is not really an ideal solution

great-manchester-70568

01/27/2022, 7:45 AM

can anyone here verify if pulumi with azure native stack can provision azure keyvaults into an Azure lighthouse managed subscription. We have our application configured in Terraform and they cannot as they touch the data plane when creating the keyvault.

clean-alarm-24426

01/27/2022, 2:23 PM

I apologize if this is already addressed somewhere, I wasn't able to locate it. I'm on a project now where the client wants to provide some self-service options that match some reference architectures. It appears that the best option for what their trying to do is some Azure Managed Application Service Catalog offerings. I've been doing a bit of a five into Managed Applications. As best I can tell, the only format supported in a Managed Application definition is an ARM template. Please correct me and point me to some documentation if I'm wrong on this. Pulumi clearly provides a mechanism to create the offering, which is terrific. Most of the infrastructure that would be used in these offerings is already defined using Pulumi and I'd really like to avoid having to replicate the infrastructure as ARM templates, especially by hand. I have two main questions. 1. Am I missing something? Can I create an Azure Managed Application definition that refers to a Pulumi project instead of an ARM template? 2. If not, is there a viable way to simply generate an ARM template from a Pulumi project? This would allow the client to maintain Pulumi as the main definition and simply regenerate ARM templates for Managed Applications as needed.

quiet-hairdresser-18834

01/29/2022, 4:10 PM

Having issues with azure login via a service principal. Things were working but my secret expired. I created a new one and set it both in azure:clientSecret for my config and the $env:ARM_CLIENT_SECRET. Is there some sort of cache for this or am I missing something?

swift-hamburger-98290

01/31/2022, 9:07 AM

Is there a way to restart a WebApp after assigning a

RoleAssignment

(https://www.pulumi.com/registry/packages/azure-native/api-docs/authorization/roleassignment/)? We run into the following problem: 1. Create KeyVault and a secret; 2. Create WebApp; 3. Give

Key Vault Secrets User

to WebApp on the KeyVault; 4. WebApp crashes because it starts without having the permission yet. Is there a way to solve this?

millions-journalist-34868

01/31/2022, 10:54 PM

What is the proper way to grant permissions to add azure ad users/ applications on an azure sql database using Pulumi ? Doing that requires to execute an sql command on the database and I don't know where to put this code in my Pulumi program:

Copy code

CREATE USER [<identity-name>] FROM EXTERNAL PROVIDER;
ALTER ROLE db_datareader ADD MEMBER [<identity-name>];
ALTER ROLE db_datawriter ADD MEMBER [<identity-name>];
GO

I have seen there is a new Command package in Pulumi, could this be a good idea to use that? What are the other options? Dynamic provider?

ancient-eve-13947

02/03/2022, 11:23 AM

can anyone point me to an example or at least some hints how to upload a file to an Azure FileShare? I'm using the azure native provider.

ancient-eve-13947

02/04/2022, 9:26 AM

does anyone have a sample for how to set up an event-grid subscription to a web hook (not an Azure Function) for writes to a storage account?

ancient-eve-13947

02/04/2022, 10:37 AM

maybe this is worth a separate question: how do I make a pulumi resource depend on a (Azure native) `WebApp`not just having been provisioned, but having started?

high-leather-15669

02/04/2022, 5:04 PM

Hello all, We have the need that we need to move a "KeyVault" from one subscription to another. I thought I could probably use

azure_native.migrate.MoveResource

but it seems that it is only used if you want to move resources from one region to another? Is there any suggest approach to do this with pulumi?

millions-journalist-34868

02/06/2022, 9:00 AM

Do you have plans to create a native provider for Microsoft Graph? Microsoft Graph is heavily used when working with Microsoft and Azure so it would definitively make sense for Pulumi to support it. Moreover, provisioning resources in Azure Active Directory (User, App Registration, Groups) is now done through the Microsoft Graph so it would me more appropriate to do that through a native provider instead of using the current AzureAD provider which is a bridge from Terraform Provider. When creating a stack to provision resources on Azure it is really great to use a native provider for Azure (RM) with all the advantages it brings, yet we also have to use the "old" AzureAD provider alongside.

❤️ 2

shy-leather-86285

02/06/2022, 6:32 PM

Hi all, I tried deploying an Azure RedHat OpenShift (aro) cluster using the example in the API-Docs. When deploying the cluster, I get an azure "internal error 500". Has someone a working example? Creating a cluster via az-cli is working w/o issues. Unfortunately, even verbose output is not showing a better error:

I0206 18:48:08.909918   11014 provider_plugin.go:796] Provider[azure-native, 0xc000523860].Create(urn:pulumi:dev::aro-test::azure-native:redhatopenshift:OpenShiftCluster::aro2) success: id=/subscriptions/<subscription>/resourceGroups/aro2-test/providers/Microsoft.RedHatOpenShift/openShiftClusters/aro2; #outs=14

I0206 18:48:08.909956   11014 eventsink.go:86] eventSink::Error(<{%reset%}>1 error occurred:

* Code="InternalServerError" Message="Internal server error."

straight-sunset-92336

02/08/2022, 12:00 PM

I'm trying to achieve the same as this github-integration does: https://github.com/Azure/manage-azure-policy/blob/main/tutorial/azure-policy-as-code.md Any ideas how to solve this using Pulumi?

mysterious-australia-14256

02/09/2022, 4:34 PM

Hi all, has anyone noticed a performance issue recently running deployments from Azure DevOps on a hosted agent? "Pulumi ups" that take 20 seconds on my dev box are taking 20 minutes from DevOps.

mysterious-australia-14256

02/10/2022, 11:59 AM

I am experiencing an issue where my stack file is getting bloated i.e. it has jumped from 1.3MB to 430MB. This is causing very slow stack operations suck as pulumi up. If I export the stack and look inside the issue seems to be Azure service bus related. I have thousands of lines all relating to various service bus components repeated over and over for each combination of versions. This is a small section for one Service Bus Topic Rule)

Copy code

"urn:pulumi:<stack>::<project>::azure-native:resources/v20190701:ResourceGroup$azure-native:servicebus/v20150801:Namespace$azure-native:servicebus:Topic$azure-native:servicebus:Subscription$azure-native:servicebus/v20210101preview:Rule::<rulename>",
"urn:pulumi:<stack>::<project>::azure-native:resources/v20190701:ResourceGroup$azure-native:servicebus/v20150801:Namespace$azure-native:servicebus:Topic$azure-native:servicebus:Subscription$azure-native:servicebus/v20210601preview:Rule::<rulename>",
"urn:pulumi:<stack>::<project>::azure-native:resources/v20190701:ResourceGroup$azure-native:servicebus/v20150801:Namespace$azure-native:servicebus:Topic$azure-native:servicebus:Subscription$azure-native:servicebus/v20211101:Rule::<rulename>",
"urn:pulumi:<stack>::<project>::azure-native:resources/v20190701:ResourceGroup$azure-native:servicebus/v20150801:Namespace$azure-native:servicebus:Topic$azure-native:servicebus/v20140901:Subscription$azure-native:servicebus:Rule::<rulename>",
"urn:pulumi:<stack>::<project>::azure-native:resources/v20190701:ResourceGroup$azure-native:servicebus/v20150801:Namespace$azure-native:servicebus:Topic$azure-native:servicebus/v20140901:Subscription$azure-native:servicebus/v20170401:Rule::<rulename>",
"urn:pulumi:<stack>::<project>::azure-native:resources/v20190701:ResourceGroup$azure-native:servicebus/v20150801:Namespace$azure-native:servicebus:Topic$azure-native:servicebus/v20140901:Subscription$azure-native:servicebus/v20180101preview:Rule::<rulename>",
"urn:pulumi:<stack>::<project>::azure-native:resources/v20190701:ResourceGroup$azure-native:servicebus/v20150801:Namespace$azure-native:servicebus:Topic$azure-native:servicebus/v20140901:Subscription$azure-native:servicebus/v20210101preview:Rule::<rulename>",
"urn:pulumi:<stack>::<project>::azure-native:resources/v20190701:ResourceGroup$azure-native:servicebus/v20150801:Namespace$azure-native:servicebus:Topic$azure-native:servicebus/v20140901:Subscription$azure-native:servicebus/v20210601preview:Rule::<rulename>",
"urn:pulumi:<stack>::<project>::azure-native:resources/v20190701:ResourceGroup$azure-native:servicebus/v20150801:Namespace$azure-native:servicebus:Topic$azure-native:servicebus/v20140901:Subscription$azure-native:servicebus/v20211101:Rule::<rulename>",
"urn:pulumi:<stack>::<project>::azure-native:resources/v20190701:ResourceGroup$azure-native:servicebus/v20150801:Namespace$azure-native:servicebus:Topic$azure-native:servicebus/v20150801:Subscription$azure-native:servicebus:Rule::<rulename>",
"urn:pulumi:<stack>::<project>::azure-native:resources/v20190701:ResourceGroup$azure-native:servicebus/v20150801:Namespace$azure-native:servicebus:Topic$azure-native:servicebus/v20150801:Subscription$azure-native:servicebus/v20170401:Rule::<rulename>",
"urn:pulumi:<stack>::<project>::azure-native:resources/v20190701:ResourceGroup$azure-native:servicebus/v20150801:Namespace$azure-native:servicebus:Topic$azure-native:servicebus/v20150801:Subscription$azure-native:servicebus/v20180101preview:Rule::<rulename>",
"urn:pulumi:<stack>::<project>::azure-native:resources/v20190701:ResourceGroup$azure-native:servicebus/v20150801:Namespace$azure-native:servicebus:Topic$azure-native:servicebus/v20150801:Subscription$azure-native:servicebus/v20210101preview:Rule::<rulename>",
"urn:pulumi:<stack>::<project>::azure-native:resources/v20190701:ResourceGroup$azure-native:servicebus/v20150801:Namespace$azure-native:servicebus:Topic$azure-native:servicebus/v20150801:Subscription$azure-native:servicebus/v20210601preview:Rule::<rulename>",

How can I clean this up and prevent it from happening? Thanks Alan

orange-whale-70892

02/10/2022, 4:08 PM

how can I attach a container instance group to a virtual network/subnet?

orange-whale-70892

02/10/2022, 4:10 PM

in the yaml example https://docs.microsoft.com/en-us/azure/container-instances/container-instances-vnet#example---yaml you can add subnetIds. But i cannot find that settings in the ContainerGroupArgs

victorious-exabyte-70545

02/10/2022, 8:19 PM

Hey guys, I am wondering if anyone has experience using pulumi executing powershell scripts as a part of a deployment. I am trying to run the following:

victorious-exabyte-70545

02/10/2022, 8:19 PM

Copy code

# Download the update script

$baseUri="<https://raw.githubusercontent.com/DataDog/datadog-aas-extension/master/management-scripts/extension>"; Invoke-WebRequest -Uri "$baseUri/update-all-site-extensions.ps1" -OutFile "update-all-site-extensions.ps1"; Invoke-WebRequest -Uri "$baseUri/install-latest-extension.ps1" -OutFile "install-latest-extension.ps1"
Run the following command. All arguments are required.

# Run
.\update-all-site-extensions.ps1 -SubscriptionId <SUBSCRIPTION_ID> -ResourceGroup <RESOURCE_GROUP_NAME> -Username <USERNAME> -Password <PASSWORD>

victorious-exabyte-70545

02/10/2022, 8:20 PM

What resource should I use to run this?

victorious-exabyte-70545

02/10/2022, 8:20 PM

Ideally those lines would be inline and the script not in blobstore.

victorious-exabyte-70545

02/10/2022, 8:23 PM

This looks interesting:

victorious-exabyte-70545

02/10/2022, 8:23 PM

https://www.pulumi.com/registry/packages/command/