pulumi-community #azure

Docs

Join the conversation Join Slack

azure

lively-whale-42645

05/17/2022, 9:06 AM

Is there any way to swap a App Services deployment slots with Pulumi?

mysterious-australia-14256

05/17/2022, 1:08 PM

Duplicate URN Error I am routinely seeing the following when trying to run pulumi up pulumi😛roviders:azure-native <azure subscription guid> error: Duplicate resource URN 'urn😛ulumi:<stack_name>:😛ulumi:providers:azure-native::<azure subscription guid>'; try giving it a unique name I'm not quite sure what resource this is for as it doesn't seem to include a resource name, just the subscription guid. Also, if I run the pulumi up enough times it will eventually work without error. Anyone know what is going on here?

crooked-stone-6532

05/20/2022, 5:42 AM

Is there a way to add AccessPolicyEntry to Azure Keyvault/Vault after the initial creation? Im aware of this open issue on github, but hoping that someone has a workaround or similar: https://github.com/pulumi/pulumi-azure-native/issues/594

damp-honey-93158

05/23/2022, 5:11 AM

has anyone encountered this exception before - and knows what's going on? Diagnostics: pulumi😛ulumi:Stack (soxes-infra-ef-dev-cluster): error: Running program 'G:\src\src_x25_exploration\projects\cluster\bin\Debug\net6.0\cluster.dll' failed with an unhandled exception: System.Reflection.TargetInvocationException: Exception has been thrown by the target of an invocation. at object RuntimeType.CreateInstanceOfT() at T Activator.CreateInstance<T>() at Task<int> Pulumi.Deployment+Runner.Pulumi.IRunner.RunAsync<TStack>(IServiceProvider serviceProvider)+() => { } at Task<int> Pulumi.Deployment+Runner.RunAsync<TStack>(Func<TStack> stackFactory) ---> Grpc.Core.RpcException: Status(StatusCode="Unknown", Detail="invocation of azure-native:authori zation:getClientConfig returned an error: getting authenticated object ID: Error parsing json result from the Azure CLI: Error retrieving running Azure CLI: WARNING: The underlying Active D irectory Graph API will be replaced by Microsoft Graph API in Azure CLI 2.37.0. Please carefully review all breaking changes introduced during this migration: https://docs.microsoft.com/cli /azure/microsoft-graph-migration") at async Task<InvokeResponse> Pulumi.GrpcMonitor.InvokeAsync(ResourceInvokeRequest request) at async Task<SerializationResult> Pulumi.Deployment.InvokeRawAsync(string token, SerializationResult argsSerializationResult, InvokeOptions options) x 2 at async Task<T> Pulumi.Deployment.InvokeAsync<T>(string token, InvokeArgs args, InvokeOptions options, bool convertResult) at async Task<Output<string>> Soxes.Azure.Components.AttachAcrToAks.GetAcrPullRoleDefinitionId() in G😕src/src_x25_exploration/ComponentLibrary/AcrAttachedToAks.cs:line 30 at new Soxes.Azure.Components.AttachAcrToAks(string name, Output<string> registryId, Output<string> clusterPrincipalId, CustomResourceOptions opts) in G:/src/src_x25_exploration/Comp onentLibrary/AcrAttachedToAks.cs:line 16 at new ClusterStack() in G😕src/src_x25_exploration/projects/cluster/ClusterStack.cs:line 25 at object RuntimeType.CreateInstanceOfT() --- End of inner exception stack trace ---

damp-honey-93158

05/23/2022, 5:12 AM

it happens during a call to this code, the GetClientConfig part...

damp-honey-93158

05/23/2022, 5:12 AM

private async Task<Output<string>> GetAcrPullRoleDefinitionId()
{
    var configResult = await GetClientConfig.InvokeAsync();
    return RoleHelper.ScopedRoleId(configResult.SubscriptionId, RoleHelper.AcrPullRoleDefinitionId);
}

worried-knife-31967

05/23/2022, 9:06 AM

https://github.com/pulumi/pulumi-azure-native/issues/1324 Anyone come across this? and have a workaround?

worried-knife-31967

05/23/2022, 1:52 PM

Anyone? @tall-librarian-49374 maybe?

worried-knife-31967

05/24/2022, 11:10 AM

Is it possible to override the AuthorizationManagementClient for .NET like this post? https://leebriggs.co.uk/blog/2022/01/23/gha-cloud-credentials

worried-knife-31967

05/24/2022, 11:10 AM

@billowy-army-68599 maybe you can advise seeing as it's your post?

creamy-fall-88031

05/24/2022, 4:45 PM

Hi everyone, Quite new to Pulumi. Doing my first Azure (AKS) project with it. Everything so far went quite ok, but I got stuck on Application Gateway + Ingress Controller (AGIC). Is there anyone here who already worked on this resource? Maybe share the code ?

rough-helicopter-14190

05/25/2022, 3:39 PM

Hi everyone 🙂 , I am trying to set up ContainerApps with Pulumi but I am running into issues enabling the azure container api when executing

pulumi up

. See code snippet below. Any help is greatly appreciated! 🎉

from pulumi_azure_native import web

container_app = web.ContainerApp("containerApp",
    configuration=web.ConfigurationArgs(
        ingress=web.IngressArgs(
            external=True,
            target_port=3000,
        ),
    ),
    kind="containerApp",
    kube_environment_id=managed_environment.id,
    location="East US",
    name="supacoda",
    resource_group_name=resource_group.name,
    template=web.TemplateArgs(
        containers=[web.ContainerArgs(
            image=f"{os.getenv('DOCKERHUB_USERNAME')}/image:latest",
            name="supacoda",
        )],
        scale=web.ScaleArgs(
            max_replicas=5,
            min_replicas=1,
            rules=[web.ScaleRuleArgs(
                custom=web.CustomScaleRuleArgs(
                    metadata={
                        "concurrentRequests": "50",
                    },
                    type="http",
                ),
                name="httpscalingrule",
            )],
        ),
    ))

I get the following error even after following azure instructions here to enable the extension and register resources. • I have looked everywhere and cannot find how to enable this api for the pulumi process. • Running via the AZ CLI works • By the way container apps is in preview but this feels more like an issue downstream with pulumi since I can set up container apps just fine via the CLI.

Diagnostics:
  azure-native:web:ContainerApp (containerApp):
    error: Code="NotFound" Message="ContainerApps APIs are not enabled." Details=[{"Message":"ContainerApps APIs are not enabled."},{"Code":"NotFound"},{"ErrorEntity":{"Code":"NotFound","ExtendedCode":"67003","Message":"ContainerApps APIs are not enabled.","MessageTemplate":"ContainerApps APIs are not enabled.","Parameters":[]}}]

rough-window-15889

05/25/2022, 8:07 PM

Anyone have recommendations for AD authentication with Azure Sql Server? Any modules or resources out there that support it natively?

little-library-54601

05/26/2022, 6:16 PM

I need some direction on the right way to

pulumi import

an Azure SQL Server. I'm following the docs at: https://www.pulumi.com/registry/packages/azure-native/api-docs/azuredata/sqlserver/ The example import there is:

pulumi import azure-native:azuredata:SqlServer testsqlserver /subscriptions/00000000-1111-2222-3333-444444444444/resourceGroups/testrg/providers/Microsoft.AzureData/SqlServerRegistrations/testsqlregistration/sqlServers/testsqlserver

Note in particular the portion following

/providers

. In the Azure portal for the Azure SQL Server instance I'm trying to import, I can't find anything that includes

Microsoft.AzureData

or anything following that. The closest I can find is the "Resource ID", which for me looks like:

/subscriptions/{subscription-guid}/resourceGroups/{rg-name}/providers/Microsoft.Sql/servers/{azure-sql-server-resource-name}

I could try to synthesize what's shown in the Pulumi docs example, but I don't now what value I should use (or where I would find it) for the example value

testsqlregistration

. Any guidance or suggestions?? Thanks.

little-library-54601

05/27/2022, 2:39 PM

I have a couple of questions about firewall rules for Azure SQL Servers: 1. Per these docs: https://www.pulumi.com/registry/packages/azure-native/api-docs/sql/firewallrule/ - is setting the "ServerName" property on the args object sufficient to "connect" the firewall rule to the desired Azure SQL Server instance? 2. Using Pulumi, how do I accomplish the equivalent of checking the "Allow Azure services and resources..." checkbox as seen in this Azure portal screenshot:

rich-airplane-20830

06/01/2022, 1:06 PM

Hi, I created an aks cluster with two nodepools (used pulumi_azure_native for it). It is only possible to set the kubernetes version on cluster level. If I change the kubernetes version to upgrade the cluster, the configuration kubernetes version is updated to the new version, but the nodepools are not upgraded. Can someone tell me, how I upgrade the kubernetes version of a nodepool by pulumi?

agreeable-notebook-99278

06/06/2022, 8:45 PM

Hey all, new to pulumi and also this side of azure — hope asking here is ok. I have a greenfield project at hand and want to implement rigorous continues delivery principles. I’m however new to infrastructure as code (but absolutely love the idea). • What I am struggling with, is how to deal with the data side of things (replicating data into staging, backups, migration). • In simple terms, I struggle to wrap my head around my (naive) idea: ◦ create a copy of the production system incl. data, users etc as “test group” ▪︎ apply database migrations / schema changes ▪︎ have tests run in that resource group (which changes data, adds, removes records) and ▪︎ if everything works fine, delete that “testing group” ◦ create a new resource group that again copies from production but only applies schema changes ▪︎ gets promoted to the new production system ◦ the old production system gets destroyed The stack is “simple”: Github Actions, Azure PostGres SQL, Codebase pure TypeScript / Node.js / React, Services are maybe Containers with Red Panda (kafka) and Materialize I’d like to implement this in a deterministic fashion with pulumi 😒weaty-ham: … but really have never pushed CI/CD through to infrastructure before. thank you very much

abundant-florist-34275

06/07/2022, 12:24 PM

Hey all, we are creating an aks cluster by using the azure_native package. We create the aks with

aks = containerservice.ManagedCluster( ... )

and different nodepools by using

ManagedClusterAgentPoolProfileArgs

. Now Pulumi creates the different virtualmachine scale sets for us. We also are setting

auto_upgrade_profile=ManagedClusterAutoUpgradeProfileArgs(upgrade_channel=UpgradeChannel.NODE_IMAGE)

which does`nt propagate an upgrade policy to the scaleset config. Finally we want to activate the auto reimaging process via pulumi, which seems to be in this property:

pulumi_azure_native.compute.VirtualMachineScaleSetArgs.upgrade_policy

But in the end we do not find a way set it directly while creation or later. Any Idea? Thanks a lot

crooked-king-6351

06/08/2022, 11:16 AM

I think the subscription id shouldn't be there in this doc reference, shouldn't it be replaced with

{subscription-id}

many-dress-54535

06/08/2022, 3:50 PM

Hi All, I am having an issue with creating a pulumi_azure_native.sql.server (python) and having this error

status code 400, {"error":{"code":"InvalidApiVersionParameter","message":"The api-version '2020-11-01-preview' is invalid. The supported versions are "..<other api versions>.."

do I need to specify the version explicitly for that to work?

few-diamond-68626

06/09/2022, 9:44 AM

Hello there! I have two security related questions: 1. If we deploy to Azure with a Service Principal, the deployment engine certainly needs to have those credentails. My question is: Is it guaranteed that those credentials are never transmitted or stored at Pulumi? So even if Pulumi was hacked, the only thing that would leak is the encrypted states and not the service principal credentials? 2. The documentation for secrets (https://www.pulumi.com/docs/intro/concepts/secrets/) details how to use an external encryption providers (e.g. Azure KeyVault) for secrets and this works obviously for inputs. But how does Pulumi handle sensitive output? Is that output stored directly to the encryption provider or will the output always end at Pulumi?

most-mouse-38002

06/10/2022, 12:18 PM

Hi all! We are considering a move to Pulumi for our IaC (while rolling out our new platform). However, for compliance reasons we have to run our k8s user nodes with confidential nodes. This creates an issue for us, because I cannot find the option to add the

ACCSGXDevicePlugin

confcom

addon when creating a cluster. Is it possible to define AKS addons that are not already defined by Pulumi?

agreeable-notebook-99278

06/12/2022, 6:13 AM

Hi all, what do you do on long running set-ups? One the first run it fails sometimes. On the second run it works. I.e. I’m adding a cname record to a generated azure static web apps — it did add it and its validating in the; but the an error is still occurring in CI (flaky). There is a

--no-wait

option in the azure CLI documentation, but on pulumis side there seems no such property available for

StaticSiteCustomDomain

resource. Is there a way to add that?

// Linking custom domain to DNS zone
    return new azure_native.web.StaticSiteCustomDomain(
      tw.DOMAIN,
      {
        domainName: tw.DOMAIN,
        name: staticWebAppName,
        resourceGroupName: resourceGroupName,
        validationMethod: "cname-delegation",
      },
      {
        dependsOn: [systemDnsRecord],
      },

straight-sunset-92336

06/13/2022, 12:06 PM

I'm having some trouble with a Function App I'm trying to create. The Function App is created, but AlwaysOn is not enabled on it. This is the code I use to create the Function App:

const defaultfunctionAppArgs = {
            name: name,
            resourceGroupName: args.resourcegroupname,
            serverFarmId: args.WebAppPlanID,
            kind: "functionapp,linux",
            isDisabled: false,
            linuxFxVersion: 'Python|3.9',
            alwaysOn: true,
            use32BitWorkerProcess: false,
            siteConfig: {
                appSettings: [
                    {
                        name: 'FUNCTIONS_WORKER_RUNTIME',
                        value: 'python'
                    },
                    {
                        name: 'FUNCTIONS_EXTENSION_VERSION',
                        value: '~4'
                    },
                    {
                        name: 'APPINSIGHTS_INSTRUMENTATIONKEY',
                        value: appinsightscomponent.instrumentationKey
                    },
                    {
                        name: 'AzureWebJobsStorage',
                        value: storageConnectionString
                    },
                    {
                        name: "WEBSITE_RUN_FROM_PACKAGE",
                        value: codeBlobUrl
                    },
                    {
                        name: 'WORKSPACE_ID',
                        value: args.wrkspaceid
                    },
                ]
            },
        };
        const functionAppArgs = FunctionAppModifier ? FunctionAppModifier(defaultfunctionAppArgs) : defaultfunctionAppArgs;
        const functionapp = new web.WebApp("Policycompliance-webapp", functionAppArgs, { deleteBeforeReplace: true });

gentle-camera-53119

06/13/2022, 1:45 PM

Hi Team, I am trying to create Azure Service principles in C# but I am getting this error

error CS0234: The type or namespace name 'AzureAD' does not exist in the namespace 'Pulumi' (are you missing an assembly reference?) [/Users/XXXXX/XXX/pulumi/cazure/cazure.csproj

most-mouse-38002

06/13/2022, 1:55 PM

Is it not possible to use a service principal to access Azure Blob Storage as the backend? All other requests will run through this principal, why can’t we use the same principal to store state?

powerful-printer-57241

06/15/2022, 3:16 PM

How does one refer to Diagnostic Settings? Let's say I need to import an existing one to Pulumi. In Azure Portal, you can't see its URI anywhere, so I'm not sure what I should pass to the import command.

clever-address-74879

06/15/2022, 8:52 PM

Hi #azure! I'm having issues authenticating using Workload Identity federation. I tried it out last week and everything worked great. When I run it now, I get a error 255

Error: code: 255
... 
      error: building auth config: Authenticating using the Azure CLI is only supported as a User (not a Service Principal).
  
      To authenticate to Azure using a Service Principal, you can use the separate 'Authenticate using a Service Principal'
      auth method - instructions for which can be found here: <https://www.pulumi.com/docs/intro/cloud-providers/azure/setup/#service-principal-authentication>
  
      Alternatively you can authenticate using the Azure CLI by using a User Account.

I ran this last week and everything worked. Now It's just impossible to get through. I noticed the pulumi cli got bumped a patch version since last week, but I tried to downgrade and that also did nothing. Does anyone have an idea what's going on?

clever-address-74879

06/15/2022, 8:55 PM

The whole point is to not have client secrets anywhere, so following the usual guide will not help 🙂

prehistoric-plumber-4881

06/16/2022, 5:30 PM

Hey there - if anyone is already using federated credentials - Is it possible to use federated credentials in Azure with branch wildcards?

Title

prehistoric-plumber-4881

06/16/2022, 5:30 PM

Hey there - if anyone is already using federated credentials - Is it possible to use federated credentials in Azure with branch wildcards?

clever-address-74879

06/16/2022, 7:36 PM

Hey John. AFAIK you are not able to do wildcards. You could do environments instead if you have the enterprise plan.

damp-honey-93158

06/18/2022, 7:13 PM

Hmmm, how do people then use federated credentials to handle all the builds for a non-master branch? Kinda assumes we're all living in a world of trunk based development, which sure as heck ain't what I've experienced in the field 🙂

and no, I don't wanna create a federated credential per branch.... hmmmmm... I wonder if I could get my azure devops system to tell me via webhook and then auto-create a federated credential that way... hmmmm...

clever-address-74879

06/19/2022, 6:35 PM

Did you manage to get it working at all? A few weeks back it worked for me, but after a while the Pulumi cli started complaining about using the CLI to login instead of a Service Principal 😒

prehistoric-plumber-4881

06/19/2022, 6:40 PM

I got it working for a main branch - but only ran it a couple of times before coming across the feature branch problem which made me stop in my tracks.

clever-address-74879

06/19/2022, 6:41 PM

Hmm It's just so weird. I started getting a

azure-native:resources:ResourceGroup rg-app-test  error: building auth config: Authenticating using the Azure CLI is only supported as a User (not a Service Principal).

... out of the blue

It worked the prior week and then suddenly not.

Do you mind me asking how you are authenticating to azure using workload identity federation?

prehistoric-plumber-4881

06/19/2022, 6:42 PM

Isn't that related to another env var, I've seen this. Can't reply right now as I'm at a swimming g pool. Hah.

😄 1

I've set a reminder in this chat for tomorrow.

clever-address-74879

06/19/2022, 6:44 PM

Hmm It might be, but doesn't make any sense I think 😄 Awesome, thanks for that. I would appreciate that.

I figured it out, finally!

This works:

Deployment.RunAsync<BigDayStack>();

This does not work

await Pulumi.Deployment.RunAsync(() => { ... });

View count: 19