pulumi-community #azure

damp-honey-93158

05/23/2022, 5:11 AM

has anyone encountered this exception before - and knows what's going on? Diagnostics: pulumipulumiStack (soxes-infra-ef-dev-cluster): error: Running program 'G:\src\src_x25_exploration\projects\cluster\bin\Debug\net6.0\cluster.dll' failed with an unhandled exception: System.Reflection.TargetInvocationException: Exception has been thrown by the target of an invocation. at object RuntimeType.CreateInstanceOfT() at T Activator.CreateInstance<T>() at Task<int> Pulumi.Deployment+Runner.Pulumi.IRunner.RunAsync<TStack>(IServiceProvider serviceProvider)+() => { } at Task<int> Pulumi.Deployment+Runner.RunAsync<TStack>(Func<TStack> stackFactory) ---> Grpc.Core.RpcException: Status(StatusCode="Unknown", Detail="invocation of azure-native:authori zation:getClientConfig returned an error: getting authenticated object ID: Error parsing json result from the Azure CLI: Error retrieving running Azure CLI: WARNING: The underlying Active D irectory Graph API will be replaced by Microsoft Graph API in Azure CLI 2.37.0. Please carefully review all breaking changes introduced during this migration: https://docs.microsoft.com/cli /azure/microsoft-graph-migration") at async Task<InvokeResponse> Pulumi.GrpcMonitor.InvokeAsync(ResourceInvokeRequest request) at async Task<SerializationResult> Pulumi.Deployment.InvokeRawAsync(string token, SerializationResult argsSerializationResult, InvokeOptions options) x 2 at async Task<T> Pulumi.Deployment.InvokeAsync<T>(string token, InvokeArgs args, InvokeOptions options, bool convertResult) at async Task<Output<string>> Soxes.Azure.Components.AttachAcrToAks.GetAcrPullRoleDefinitionId() in G/src/src x25 exploration/ComponentLibrary/AcrAttachedToAks.csline 30 at new Soxes.Azure.Components.AttachAcrToAks(string name, Output<string> registryId, Output<string> clusterPrincipalId, CustomResourceOptions opts) in G:/src/src_x25_exploration/Comp onentLibrary/AcrAttachedToAks.cs:line 16 at new ClusterStack() in G/src/src x25 exploration/projects/cluster/ClusterStack.csline 25 at object RuntimeType.CreateInstanceOfT() --- End of inner exception stack trace ---

damp-honey-93158

05/23/2022, 5:12 AM

it happens during a call to this code, the GetClientConfig part...

damp-honey-93158

05/23/2022, 5:12 AM

Copy code

private async Task<Output<string>> GetAcrPullRoleDefinitionId()
{
    var configResult = await GetClientConfig.InvokeAsync();
    return RoleHelper.ScopedRoleId(configResult.SubscriptionId, RoleHelper.AcrPullRoleDefinitionId);
}

worried-knife-31967

05/23/2022, 9:06 AM

https://github.com/pulumi/pulumi-azure-native/issues/1324 Anyone come across this? and have a workaround?

worried-knife-31967

05/23/2022, 1:52 PM

Anyone? @tall-librarian-49374 maybe?

worried-knife-31967

05/24/2022, 11:10 AM

Is it possible to override the AuthorizationManagementClient for .NET like this post? https://leebriggs.co.uk/blog/2022/01/23/gha-cloud-credentials

worried-knife-31967

05/24/2022, 11:10 AM

@billowy-army-68599 maybe you can advise seeing as it's your post?

creamy-fall-88031

05/24/2022, 4:45 PM

Hi everyone, Quite new to Pulumi. Doing my first Azure (AKS) project with it. Everything so far went quite ok, but I got stuck on Application Gateway + Ingress Controller (AGIC). Is there anyone here who already worked on this resource? Maybe share the code ?

rough-helicopter-14190

05/25/2022, 3:39 PM

Hi everyone 🙂 , I am trying to set up ContainerApps with Pulumi but I am running into issues enabling the azure container api when executing

pulumi up

. See code snippet below. Any help is greatly appreciated! 🎉

Copy code

from pulumi_azure_native import web

container_app = web.ContainerApp("containerApp",
    configuration=web.ConfigurationArgs(
        ingress=web.IngressArgs(
            external=True,
            target_port=3000,
        ),
    ),
    kind="containerApp",
    kube_environment_id=managed_environment.id,
    location="East US",
    name="supacoda",
    resource_group_name=resource_group.name,
    template=web.TemplateArgs(
        containers=[web.ContainerArgs(
            image=f"{os.getenv('DOCKERHUB_USERNAME')}/image:latest",
            name="supacoda",
        )],
        scale=web.ScaleArgs(
            max_replicas=5,
            min_replicas=1,
            rules=[web.ScaleRuleArgs(
                custom=web.CustomScaleRuleArgs(
                    metadata={
                        "concurrentRequests": "50",
                    },
                    type="http",
                ),
                name="httpscalingrule",
            )],
        ),
    ))

I get the following error even after following azure instructions here to enable the extension and register resources. • I have looked everywhere and cannot find how to enable this api for the pulumi process. • Running via the AZ CLI works • By the way container apps is in preview but this feels more like an issue downstream with pulumi since I can set up container apps just fine via the CLI.

Copy code

Diagnostics:
  azure-native:web:ContainerApp (containerApp):
    error: Code="NotFound" Message="ContainerApps APIs are not enabled." Details=[{"Message":"ContainerApps APIs are not enabled."},{"Code":"NotFound"},{"ErrorEntity":{"Code":"NotFound","ExtendedCode":"67003","Message":"ContainerApps APIs are not enabled.","MessageTemplate":"ContainerApps APIs are not enabled.","Parameters":[]}}]

rough-window-15889

05/25/2022, 8:07 PM

Anyone have recommendations for AD authentication with Azure Sql Server? Any modules or resources out there that support it natively?

little-library-54601

05/26/2022, 6:16 PM

I need some direction on the right way to

pulumi import

an Azure SQL Server. I'm following the docs at: https://www.pulumi.com/registry/packages/azure-native/api-docs/azuredata/sqlserver/ The example import there is:

Copy code

pulumi import azure-native:azuredata:SqlServer testsqlserver /subscriptions/00000000-1111-2222-3333-444444444444/resourceGroups/testrg/providers/Microsoft.AzureData/SqlServerRegistrations/testsqlregistration/sqlServers/testsqlserver

Note in particular the portion following

/providers

. In the Azure portal for the Azure SQL Server instance I'm trying to import, I can't find anything that includes

Microsoft.AzureData

or anything following that. The closest I can find is the "Resource ID", which for me looks like:

Copy code

/subscriptions/{subscription-guid}/resourceGroups/{rg-name}/providers/Microsoft.Sql/servers/{azure-sql-server-resource-name}

I could try to synthesize what's shown in the Pulumi docs example, but I don't now what value I should use (or where I would find it) for the example value

testsqlregistration

. Any guidance or suggestions?? Thanks.

little-library-54601

05/27/2022, 2:39 PM

I have a couple of questions about firewall rules for Azure SQL Servers: 1. Per these docs: https://www.pulumi.com/registry/packages/azure-native/api-docs/sql/firewallrule/ - is setting the "ServerName" property on the args object sufficient to "connect" the firewall rule to the desired Azure SQL Server instance? 2. Using Pulumi, how do I accomplish the equivalent of checking the "Allow Azure services and resources..." checkbox as seen in this Azure portal screenshot:

rich-airplane-20830

06/01/2022, 1:06 PM

Hi, I created an aks cluster with two nodepools (used pulumi_azure_native for it). It is only possible to set the kubernetes version on cluster level. If I change the kubernetes version to upgrade the cluster, the configuration kubernetes version is updated to the new version, but the nodepools are not upgraded. Can someone tell me, how I upgrade the kubernetes version of a nodepool by pulumi?

agreeable-notebook-99278

06/06/2022, 8:45 PM

Hey all, new to pulumi and also this side of azure — hope asking here is ok. I have a greenfield project at hand and want to implement rigorous continues delivery principles. I’m however new to infrastructure as code (but absolutely love the idea). • What I am struggling with, is how to deal with the data side of things (replicating data into staging, backups, migration). • In simple terms, I struggle to wrap my head around my (naive) idea: ◦ create a copy of the production system incl. data, users etc as “test group” ▪︎ apply database migrations / schema changes ▪︎ have tests run in that resource group (which changes data, adds, removes records) and ▪︎ if everything works fine, delete that “testing group” ◦ create a new resource group that again copies from production but only applies schema changes ▪︎ gets promoted to the new production system ◦ the old production system gets destroyed The stack is “simple”: Github Actions, Azure PostGres SQL, Codebase pure TypeScript / Node.js / React, Services are maybe Containers with Red Panda (kafka) and Materialize I’d like to implement this in a deterministic fashion with pulumi sweaty ham … but really have never pushed CI/CD through to infrastructure before. thank you very much

abundant-florist-34275

06/07/2022, 12:24 PM

Hey all, we are creating an aks cluster by using the azure_native package. We create the aks with

aks = containerservice.ManagedCluster( ... )

and different nodepools by using

ManagedClusterAgentPoolProfileArgs

. Now Pulumi creates the different virtualmachine scale sets for us. We also are setting

auto_upgrade_profile=ManagedClusterAutoUpgradeProfileArgs(upgrade_channel=UpgradeChannel.NODE_IMAGE)

which does`nt propagate an upgrade policy to the scaleset config. Finally we want to activate the auto reimaging process via pulumi, which seems to be in this property:

pulumi_azure_native.compute.VirtualMachineScaleSetArgs.upgrade_policy

But in the end we do not find a way set it directly while creation or later. Any Idea? Thanks a lot

crooked-king-6351

06/08/2022, 11:16 AM

I think the subscription id shouldn't be there in this doc reference, shouldn't it be replaced with

{subscription-id}

many-dress-54535

06/08/2022, 3:50 PM

Hi All, I am having an issue with creating a pulumi_azure_native.sql.server (python) and having this error

status code 400, {"error":{"code":"InvalidApiVersionParameter","message":"The api-version '2020-11-01-preview' is invalid. The supported versions are "..<other api versions>.."

do I need to specify the version explicitly for that to work?

few-diamond-68626

06/09/2022, 9:44 AM

Hello there! I have two security related questions: 1. If we deploy to Azure with a Service Principal, the deployment engine certainly needs to have those credentails. My question is: Is it guaranteed that those credentials are never transmitted or stored at Pulumi? So even if Pulumi was hacked, the only thing that would leak is the encrypted states and not the service principal credentials? 2. The documentation for secrets (https://www.pulumi.com/docs/intro/concepts/secrets/) details how to use an external encryption providers (e.g. Azure KeyVault) for secrets and this works obviously for inputs. But how does Pulumi handle sensitive output? Is that output stored directly to the encryption provider or will the output always end at Pulumi?

most-mouse-38002

06/10/2022, 12:18 PM

Hi all! We are considering a move to Pulumi for our IaC (while rolling out our new platform). However, for compliance reasons we have to run our k8s user nodes with confidential nodes. This creates an issue for us, because I cannot find the option to add the

ACCSGXDevicePlugin

confcom

addon when creating a cluster. Is it possible to define AKS addons that are not already defined by Pulumi?

agreeable-notebook-99278

06/12/2022, 6:13 AM

Hi all, what do you do on long running set-ups? One the first run it fails sometimes. On the second run it works. I.e. I’m adding a cname record to a generated azure static web apps — it did add it and its validating in the; but the an error is still occurring in CI (flaky). There is a

--no-wait

option in the azure CLI documentation, but on pulumis side there seems no such property available for

StaticSiteCustomDomain

resource. Is there a way to add that?

Copy code

// Linking custom domain to DNS zone
    return new azure_native.web.StaticSiteCustomDomain(
      tw.DOMAIN,
      {
        domainName: tw.DOMAIN,
        name: staticWebAppName,
        resourceGroupName: resourceGroupName,
        validationMethod: "cname-delegation",
      },
      {
        dependsOn: [systemDnsRecord],
      },

straight-sunset-92336

06/13/2022, 12:06 PM

I'm having some trouble with a Function App I'm trying to create. The Function App is created, but AlwaysOn is not enabled on it. This is the code I use to create the Function App:

Copy code

const defaultfunctionAppArgs = {
            name: name,
            resourceGroupName: args.resourcegroupname,
            serverFarmId: args.WebAppPlanID,
            kind: "functionapp,linux",
            isDisabled: false,
            linuxFxVersion: 'Python|3.9',
            alwaysOn: true,
            use32BitWorkerProcess: false,
            siteConfig: {
                appSettings: [
                    {
                        name: 'FUNCTIONS_WORKER_RUNTIME',
                        value: 'python'
                    },
                    {
                        name: 'FUNCTIONS_EXTENSION_VERSION',
                        value: '~4'
                    },
                    {
                        name: 'APPINSIGHTS_INSTRUMENTATIONKEY',
                        value: appinsightscomponent.instrumentationKey
                    },
                    {
                        name: 'AzureWebJobsStorage',
                        value: storageConnectionString
                    },
                    {
                        name: "WEBSITE_RUN_FROM_PACKAGE",
                        value: codeBlobUrl
                    },
                    {
                        name: 'WORKSPACE_ID',
                        value: args.wrkspaceid
                    },
                ]
            },
        };
        const functionAppArgs = FunctionAppModifier ? FunctionAppModifier(defaultfunctionAppArgs) : defaultfunctionAppArgs;
        const functionapp = new web.WebApp("Policycompliance-webapp", functionAppArgs, { deleteBeforeReplace: true });

gentle-camera-53119

06/13/2022, 1:45 PM

Hi Team, I am trying to create Azure Service principles in C# but I am getting this error

error CS0234: The type or namespace name 'AzureAD' does not exist in the namespace 'Pulumi' (are you missing an assembly reference?) [/Users/XXXXX/XXX/pulumi/cazure/cazure.csproj

most-mouse-38002

06/13/2022, 1:55 PM

Is it not possible to use a service principal to access Azure Blob Storage as the backend? All other requests will run through this principal, why can’t we use the same principal to store state?

powerful-printer-57241

06/15/2022, 3:16 PM

How does one refer to Diagnostic Settings? Let's say I need to import an existing one to Pulumi. In Azure Portal, you can't see its URI anywhere, so I'm not sure what I should pass to the import command.

clever-address-74879

06/15/2022, 8:52 PM

Hi #azure! I'm having issues authenticating using Workload Identity federation. I tried it out last week and everything worked great. When I run it now, I get a error 255

Copy code

Error: code: 255
... 
      error: building auth config: Authenticating using the Azure CLI is only supported as a User (not a Service Principal).
  
      To authenticate to Azure using a Service Principal, you can use the separate 'Authenticate using a Service Principal'
      auth method - instructions for which can be found here: <https://www.pulumi.com/docs/intro/cloud-providers/azure/setup/#service-principal-authentication>
  
      Alternatively you can authenticate using the Azure CLI by using a User Account.

I ran this last week and everything worked. Now It's just impossible to get through. I noticed the pulumi cli got bumped a patch version since last week, but I tried to downgrade and that also did nothing. Does anyone have an idea what's going on?

clever-address-74879

06/15/2022, 8:55 PM

The whole point is to not have client secrets anywhere, so following the usual guide will not help 🙂

prehistoric-plumber-4881

06/16/2022, 5:30 PM

Hey there - if anyone is already using federated credentials - Is it possible to use federated credentials in Azure with branch wildcards?

mammoth-agency-10350

06/17/2022, 1:02 AM

Attempting to use the

Pulumi@1

Azure Devops Task with an Azure storage account backend, I receive the following error:

##[error]Couldn't determine which login method to use. This task extension supports Pulumi Service backend and self-managed backends. Learn more at <https://www.pulumi.com/docs/intro/concepts/state>.

I am providing the AZURE_STORAGE_CONTAINER env var (it's sourced form a variable group above). The code here implies that with this env provided, the azure backend should be picked. Am I missing an input or is there a working example someone could provide? I've also tried both linux and windows agents.

Copy code

steps:
  - task: Pulumi@1
    inputs:
      azureSubscription: <service principal connection>
      command: 'up'
      cwd: '$(ProjectDirectory)/'
      stack: '${{ parameters.stack }}'
      args: '--yes'
    env:
      PULUMI_CONFIG_PASSPHRASE: $(Pulumi.Passphrase)
      AZURE_STORAGE_CONTAINER: $(Pulumi.StorageContainer)
      AZURE_STORAGE_ACCOUNT: $(Pulumi.StorageAccount)
      AZURE_STORAGE_KEY: $(Pulumi.StorageKey)

swift-hamburger-98290

06/17/2022, 12:12 PM

Regarding

azure-native

, the typescript and python libraries are 100% identical? Or are there any differences? I think before

azure-native

, the typescript SDK was superior.

lively-gigabyte-52811

06/20/2022, 8:55 AM

I’m looking for ResourceProviderRegistration https://www.pulumi.com/registry/packages/azure/api-docs/core/resourceproviderregistration/ equivalent in

azure-native

. I was searching the

azure-native

api-docs but didn’t find anything. So I w It seems that I need to register the provider manually when I add DiagnosticSettings to resources. Initially I thought the registration happens automatically on first use. Does anyone have more insights and experience with ProviderRegistration? The goal is that our users don’t have to enable the providers manually before they run the pulumi programs (Which is what we do at the moment 🙂 ).