Hi Pulumi community, I'm having a bit of trouble deploying my ScheduledQueryRule I'm setting the

LogMetricTriggerArgs

with a

ThresholdOperator

of

ConditionOperator.GreaterThanOrEqual.ToString()

with a

Threshold

of 1 The rule gets deployed but in Azure, the rule changes to simply be Greater than 1

In Azure, there actually doesn't seem to be an option for

Greater Than or Equal

anyway, should I use

Greater Than

0 instead?

Greater Than 0 didn't seem to work, it still defaults to Greater than 1

Hello, I am working on creating an AKS cluster using the native provider. Two issues I have ran into is how to enable the application gateway ingress controller and enable azure policy for the cluster. The classic (terraform) provider includes options for that but I am unable to find those options for the native provider https://www.pulumi.com/registry/packages/azure-native/api-docs/containerservice/managedcluster/

greetings everyone, Is there any way we can dump the kubeconfig file of AKS so that i can use it in Pulumi.Command provider?. I am basically trying to install argocd using autopilot for which kubeconfig file needs to be provided as argument

Hi Pulumi Community, I'm wanting to deploy an Azure logical app using Pulumi but it looks like the only way to do this is via the workflow api https://www.pulumi.com/registry/packages/azure-native/api-docs/logic/workflow/ This is quite cumbersome for large logic apps, is there anyway to simply take the JSON generated within Azure's logic app designer and have pulumi load that json instead?

Has anyone tried managing their Azure AD Groups and PIM assignments with Pulumi?

Hello everyone, any guru can share some pointers on how might one create an API key for AppInsight using the Azure Native provider?

Anyone know if there is a way to run a shell command in the Azure Cloud shell from Pulumi? I am asking because I need to connect a WAN to another network in another tenant but it seems like this is only possible with Powershell right now

@billowy-army-68599 will this affect us at all?

From a Pulumi perspective, if you manage identities like App tokens or AADDS from Pulumi

Hi, as suggested by @billowy-army-68599, I'm posting my issue with a stack that I have. I want to update an AKS stack, when I look at the details of the update, I have this (see first image). I don't understand why pulumi wants to delete the subnet from the vnet (did another Dev did a refresh or something else, I don't know). If I try to do the update, Azure is not happy, because the subnet contains agent pool from AKS (see second image). I'm kind of stucked. I tried stack export, change json, import the stack, did worked. I'm not sure how to "fix" this.

Has anyone had the issue with listWebAppPublishingCredentials not waiting on the resource creation of the appService name? Anytime I run preview I get an error invoking the function because it isn't acting like it is awaiting the app service resource creation. Of course the resource isn't found because I am running preview. I have tried to appService.name.apply() but it has the name ready so it attempts to make the network call which returns back an error because the resource doesn't exist yet. The error I get is Error: invocation of azure-native:web:listWebAppPublishingCredentials returned an error: request failed /subscriptions/xxxx/resourceGroups/xxx/providers/Microsoft.Web/sites/xxxx/config/publishingcredentials/list: autorest/azure service returned an error Code=“ResourceNotFound”

@tall-librarian-49374 is there a way to get subscription id for the default azure-native provider? (in typescript). Or can I only get the subscription id if I create the provider myself?

I'm somewhat stuck on using azure-native:subscriptionId / tenantId / client and clientSecret. The docs state that this can be used to auth via a service principal. I've found it to be true, but ONLY if I login via the az cli first. I tried using the ARM_xxxx env vars, and this worked well - in the sense that I could be completely logged out of the "az cli" tool, and the deployments succeeded. But that means I need to set up the ARM env vars, which is really only good in a CI/CD sense. Am I missing something? I do actually need to be logged into the az cli system, and Pulumi will then pick out those azure-native values for use by the provider? Ref: https://www.pulumi.com/registry/packages/azure-native/installation-configuration/#option-2-use-a-service-principal

Hi and thanks in advance. I’m playing with Azure Container Apps and I have a .NET 6 worker (https://docs.microsoft.com/en-us/dotnet/core/extensions/workers) app with a pretty standard DockerFile. Following the C# example on GitHub, https://github.com/pulumi/examples/tree/master/azure-cs-containerapps, the Pulumi stack builds the docker image using https://www.pulumi.com/registry/packages/docker/api-docs/image/ . Then pushes the image into an azure container registry, using always the same tag,

latest

. I expect that if I make a change to the app code this will be detected, and a new docker image is then created (maybe just a few layers). This will trigger a change in the

Template

of the container app, which leads to the creation of a new revision https://docs.microsoft.com/en-us/azure/container-apps/revisions . Imagining to trigger the

pulumi up

from an Azure DevOps pipeline with the Pulumi task, this should be almost perfect for the CI-CD. So which is the problem: seems that Pulumi detects a change in the container app template also if there are no changes (at least not from the point of view of the source code). For example, trying to do a

pulumi preview

leads to the creation of a new docker image that is then pushed to the registry with the latest tag plus an identifier. I think this is the culprit of the change in the container app template. Could you please help me understand this? @tall-librarian-49374 what I’m missing this time 😅? What i would like is an idempotent behavior, I want to create a revision only in case of a real change in the app source code.

Hi - does anyone know if it is possible to create a BlobContainer SAS URL with Pulumi?

How are people handling KeyVault deletes? When I delete my KV it gets soft deleted and when I go to Pulumi up again it detects the old keyvault and complains I need to either purge or restore it. I know the classic provider you could specify what you'd like to do. How have people been handling this?

Hi, is there a way with the Azure Native package to mark individual appsettings in a WebApp to be a "Deployment slot setting" i.e. a sticky setting that doesn't get swapped when you swap slots?

Hi, How can I create a host key for a function app via Pulumi? e.g. the equivalent of

{
  "type": "Microsoft.Web/sites/host/functionKeys",
  "apiVersion": "2018-11-01",
  "name": "[concat(parameters('functionAppName'), '/default/keyname')]",
  "properties": {
    "name": "keyname"
  }
}

I'm trying to create a Management Group, but it fails no matter what I try. This is the code for creating it:

const managementGroup = new management.ManagementGroup("managementGroup", {
            details: {
                parent: {
                    id: "/providers/Microsoft.Management/managementGroups/<id of parent group>",
                },
            },
            displayName: args.groupname,
            groupId: groupid,
            name: groupid,
        });

groupid is prepared like this:

const groupid = randomUuid.id.apply(id => {
            if (id === undefined) {
                throw new Error("Id is undefined");
            }
            return id;
        });

This is the error message I get:

error: cannot check existence of resource '/providers/Microsoft.Management/managementGroups/<group id of new group>': status code 403, {"error":{"code":"AuthorizationFailed","message":"The client '<my serviceprincipal object id>' with object id '<my serviceprincipal object id>' does not have authorization to perform action 'Microsoft.Management/managementGroups/read' over scope '/providers/Microsoft.Management/managementGroups/<group id of new group>' or the scope is invalid. If access was recently granted, please refresh your credentials."}}

The servicePrincipal has "Management Group Contributor" role on the Tenant Root Group

Does anyone have some ideas/samples of how I can create a storage account policy and off that a SAS token - allowing the rest of my build pipeline to use that as a connection string? End goal: don't expose the account keys, make it possible for the build pipeline to publish a nuget package (via sleet - which uses a connection string).

new day, new question: 10 points for the answer! I find myself writing resource ID's too often, in order to create a RoleAssignment. E.g. role assignment for key vault crypto officer is "14b46e9e-c2b7-41b4-b07b-48a6ebf60603" - where's the SDK that I can include/use to get these, or even better generate the combined resource string with the role ID in it? e.g surely I am not the first one to write something like:

private string SubScope(string id) =>
    $"{SubscriptionScope}/providers/Microsoft.Authorization/roleDefinitions/{id}";

Good afternoon, I'm trying to assign a system managed identity access to keyvault (using azure native) but for the life of me I can't seem to find how to do this. I've seen a sample on how to do this using azure classic, but that doesn't appear to work in azure native. Am I just overlooking something? Thanks for any help 🙂

Question: has anyone else ran into an issue with diagnostic settings not getting created but pulumi showing it in state as being created and throwing an error it cannot create a duplicate diagnostic setting?

Hi all 😀, do you know if there is a way to achieve exactly this specific case with Pulumi? https://docs.microsoft.com/en-us/azure/container-registry/container-registry-tutorial-quick-task What I want is to mimic the behavior of

az acr build --registry myRegistry --image hello:v1 .

With this specific command the local build context is directly uploaded to the registry and the build will be done by ACR. I see that we have https://www.pulumi.com/registry/packages/azure-native/api-docs/containerregistry/taskrun/ that can be configured with a

DockerBuildRequestArgs

like this

var buildContextArchive = new FileArchive(buildContext);
const string buyBuildTaskRunName = "buy-build-task-run";
var buyBuildTaskRun = new TaskRun(buyBuildTaskRunName, new TaskRunArgs
{
    TaskRunName = buyBuildTaskRunName,
    RegistryName = containerRegistry.Name,
    ResourceGroupName = resourceGroup.Name,
    ForceUpdateTag = buyImageNameFull,
    RunRequest = new DockerBuildRequestArgs
    {
        SourceLocation = "here I need the url after the uplaod of the local context",
        DockerFilePath = "Dockerfile.buy",
        ImageNames = 
        {
            buyImageNameFull
        },
        IsPushEnabled = true,
        NoCache = false,
        Type = "DockerBuildRequest",
        Platform = new PlatformPropertiesArgs
        {
            Architecture = "amd64",
            Os = "Linux"
        }
    }
});

but the problem is that

SourceLocation

must be a valid url so someway I need to uplaod the local context somewhere (doesn’t work with local hard drive paths). I do not want to point directly to the github repo url (imagine this inside an azure devops pipeline for example…the source code is local, already pulled by the pipeline)

I found in the azure virtual network deployment using automation-api that when I run the stack repeatedly, there is a phenomenon that the resources are rebuilt. In fact, I have not changed the network configuration. My output is as follows： Refreshing (network): ~ pulumi😛ulumi:Stack pulumi-prod-network refreshing pulumi😛ulumi:Stack pulumi-prod-network running ~ azure-native:resources:ResourceGroup cnn3-pulumi-network-rg refreshing ~ azure-native:network:RouteTable cnn3-pulumi-prod-app-rb01 refreshing ~ azure-native:network:VirtualNetwork cnn3-pulumi-prod-vnet01 refreshing ~ azure-native:network:Subnet app-subnet refreshing ~ azure-native:network:RouteTable cnn3-pulumi-prod-db-rb01 refreshing ~ azure-native:network:Subnet db-subnet refreshing ~ azure-native:network:NetworkSecurityGroup cnn3-pulumi-prod-app-nsg01 refreshing ~ azure-native:network:NetworkSecurityGroup cnn3-pulumi-prod-db-nsg01 refreshing azure-native:resources:ResourceGroup cnn3-pulumi-network-rg ~ azure-native:network:RouteTable cnn3-pulumi-prod-app-rb01 updated [diff: +subnets~etag] azure-native:network:Subnet app-subnet ~ azure-native:network:VirtualNetwork cnn3-pulumi-prod-vnet01 updated [diff: ~etag,subnets] ~ azure-native:network:NetworkSecurityGroup cnn3-pulumi-prod-db-nsg01 updated [diff: +subnets~defaultSecurityRules,etag] ~ azure-native:network:NetworkSecurityGroup cnn3-pulumi-prod-app-nsg01 updated [diff: +subnets~defaultSecurityRules,etag] ~ azure-native:network:RouteTable cnn3-pulumi-prod-db-rb01 updated [diff: +subnets~etag] azure-native:network:Subnet db-subnet pulumi😛ulumi:Stack pulumi-prod-network Resources: ~ 5 updated 4 unchanged Duration: 5s Refreshing (resources): ~ pulumi😛ulumi:Stack pulumi-prod-resources refreshing pulumi😛ulumi:Stack pulumi-prod-resources running pulumi😛ulumi:Stack pulumi-prod-resources Resources: 1 unchanged Duration: 1s E0516 01:20:10.189403400 5621 socket_utils_common_posix.cc:223] check for SO_REUSEPORT: {"created":"@1652635210.189353600","description":"Protocol not available","errno":92,"file":"src/core/lib/iomgr/socket_utils_common_posix.cc","file_line":202,"os_error":"Protocol not available","syscall":"getsockopt(SO_REUSEPORT)"} E0516 01:20:10.193124300 5621 fork_posix.cc:76] Other threads are currently calling into gRPC, skipping fork() handlers Updating (network): pulumi😛ulumi:Stack pulumi-prod-network running azure-native:resources:ResourceGroup cnn3-pulumi-network-rg ~ azure-native:network:VirtualNetwork cnn3-pulumi-prod-vnet01 updating [diff: -subnets] ~ azure-native:network:VirtualNetwork cnn3-pulumi-prod-vnet01 updated [diff: -subnets] azure-native:network:NetworkSecurityGroup cnn3-pulumi-prod-app-nsg01 azure-native:network:RouteTable cnn3-pulumi-prod-app-rb01 azure-native:network:NetworkSecurityGroup cnn3-pulumi-prod-db-nsg01 azure-native:network:RouteTable cnn3-pulumi-prod-db-rb01 azure-native:network:Subnet app-subnet azure-native:network:Subnet db-subnet pulumi😛ulumi:Stack pulumi-prod-network Resources: ~ 1 updated 8 unchanged Duration: 10s E0516 01:20:26.896494800 5621 fork_posix.cc:76] Other threads are currently calling into gRPC, skipping fork() handlers E0516 01:20:28.804288700 5621 fork_posix.cc:76] Other threads are currently calling into gRPC, skipping fork() handlers E0516 01:20:30.265914000 5621 fork_posix.cc:76] Other threads are currently calling into gRPC, skipping fork() handlers network update summary: { "same": 8, "update": 1 }