Our program creates two Cosmos DB data plane RBAC role assignments (similar to, yet distinct from, the standard Azure RBAC role assignment). These are created using the

SqlResourceSqlRoleAssignment

type from the

DocumentDB

namespace. It seems Cosmos is only able to create one of these at a time. One of them succeeds, the other gets:

error: Code="PreconditionFailed" Message="There is another user operation in progress which requires an exclusive lock on [orgflow-runner-runner-cdb]. Please retry after sometime.\r\nActivityId: af360631-3ac5-470a-897a-ba45563aabc7, Microsoft.Azure.Documents.Common/2.14.0"

If I retry the

pulumi up

then the next time the other one gets created. Now, our IaC code is very decomposed, with different microservices each owning and contributing their own chunks to the resource tree, and these two role assignments live in different and completely decoupled parts of the code. Therefore it’s not really feasible to have one of them simply do

DependsOn

on the other to serialize their creation. How can we solve this problem?

Hi, I posted this question in the general channel about AppSettings getting deleted from an Azure Function app during an unrelated update. If anyone can help I would be very grateful. https://pulumi-community.slack.com/archives/C84L4E3N1/p1657549693249239

what role do I need to give a service principal to use it to create azure ad apps? I created one with the role "owner", but I get a 403 when I try to use it creating an azure ad app.

is there a way to delete and create an existing queue in service bus?

i have a CI system in gitlab and all our repos use the same CI config in a central repo. My current problem in one of them is this error which may be a red herring but I’m not sure. ENVVAR are set for clientid, client secret, tenantid and subscription id. is there a way to get more verbose logs about this

azure-native:web:AppServicePlan Staging-homepage-appplan  error: building auth config: obtain subscription() from Azure CLI: Error parsing json result from the Azure CLI: Error waiting for the Azure CLI: exit status 1

found how to do verbose logging and still none the wiser 😞

Hi, I am having trouble with some Azure permissions for Pulumi. I have a python script which executes in two subscriptions, accessing the second subscription fails despite the app registration having contributor access to both subs. This is the error:

Exception: invoke of azure-native:storage:listStorageAccountKeys failed: invocation of azure-native:storage:listStorageAccountKeys returned an error: request failed /subscriptions/#######-####-####-####-##########/resourceGroups/rg-core-westeurope-management-81fc415a/providers/Microsoft.Storage/storageAccounts/filesad2a48ab/listKeys: autorest/azure: Service returned an error. Status=403 Code="AuthorizationFailed" Message="The client '<mailto:my.email@domain.com|my.email@domain.com>' with object id 'dd9058c3-b6eb-4368-9a1c-3572f102d292' does not have authorization to perform action 'Microsoft.Storage/storageAccounts/listKeys/action' over scope '/subscriptions/#######-####-####-####-##########/resourceGroups/rg-core-westeurope-management-81fc415a/providers/Microsoft.Storage/storageAccounts/filesad2a48ab' or the scope is invalid. If access was recently granted, please refresh your credentials."

I've tried refreshing credentials as it says. I'm sure it has the right permissions. The client is my Azure account, which only had read access over these resources. If I provide myself with full access, then this works, but is not the solution. Does anyone know where to go from here?

Hello Azure users! We're planning a V2 release in the near future and can share this advanced plan with you https://github.com/pulumi/pulumi-azure-native/discussions/1834

If I have set all the

azure-native

properties in my

Pulumi.<stack>.yaml

file, I thought they would be used if I do

new azure.Provider(<name>)

in the code, but that doesn't seem to be the case in my case.... or maybe I've got it wrong?

Hi, I am creating Azure Container Registry using Pulumi Native 'new AzureNative.ContainerRegistry.Registry()'. but i don't see any Identity property to create service principal. My requirement is not to pass Container Registry Admin Password when pulling images here az containerapp up --name [--registry-password] [--registry-server] [--registry-username] Any work around?

Hey there, I'm trying to define an App Service (Linux) with an Azure Premium Files storage mount, but I can't seem to find anything in the documentation for Web App that will allow me to configure this.. Is there something I'm missing? 🤔

I am suddenly started getting this issue. Earlier it was working 2022-07-19T08:00:31.6135610Z Diagnostics: 2022-07-19T08:00:31.6136187Z azure:keyvault:KeyVault (vault): 2022-07-19T08:00:31.6138404Z error: Error reading resource group: resources.GroupsClient#Get: Failure responding to request: StatusCode=403 -- Original Error: autorest/azure: Service returned an error. Status=403 Code="AuthorizationFailed" Message="The client '63f4427e-993c-4160-9dd6-e5731454b566' with object id '63f4427e-993c-4160-9dd6-e5731454b566' does not have authorization to perform action 'Microsoft.Resources/subscriptions/resourcegroups/read' over scope '/subscriptions/c4ef5634-9b63-482c-9c5a-8a19aa8b47a6/resourcegroups/RG-CL-US-AppleServices-Dev' or the scope is invalid. If access was recently granted, please refresh your credentials." Microsoft.Resources/subscriptions/resourcegroups/read permissions already there. It works for same resource group from other stack

I'm importing a couple of large functioning subscriptions into pulumi then generalising the code so I can control all of my environments as stacks within the same project. I'm having a bit of trouble with ApplicationGateway as it is a huge resource with massive amounts of custom configuration. I've found that by using Azure Classic for the VirtualNetwork I can effectively break subnets out into separate pulumi resources even though they are really part of a big monolithic Azure Resource. I'm hoping there is some way to do something similar with ApplicationGateway to break it down into smaller pulumi resources to make it more manageable. Has anyone done something similar or know if it's possible? Thanks.

Anyone that has provisioned an aks cluster and then want to update the node pools? I thought changing the kubernetes version on the

ManagedCluster

would do, but apparently the node pools has their own version set somewhere else. I configure the node pools in the

agentPoolProfiles

property, but I can't see anything with version there.

Hi Team, Env- .Net Core and Pulumi What is role back mechanism for Partially created resources if application breaks with some exception. If we run again with same names it fails (using Key Vault) https://www.pulumi.com/docs/support/faq/ Is there any other way apart from manually deleting them?

has anyone got the pulumi code to enable container insights for a newly created AKS cluster? (I'm using C#). I've got the docs from m/soft on the subject (https://docs.microsoft.com/en-us/azure/azure-monitor/containers/container-insights-onboard) just not sure how this translates to the ManagedCluster API or otherwise.

OK, here's a challenge question: I've created an AKS cluster, it uses cert-manager and external-dns in order to provision certs for ingress rules via Lets Encrypt. We are very much using "ephemeral" environments - so clusters come and go frequently. This in turn causes us to hit the Lets Encrypt rate limits rather quickly. We have a multitude of projects using this ephemeral style setup - and each one uses a simple subdomain from a wildcard cert we have for their project. For example; if my project is called "cats", then my DNS subdomain (for which I'll have an Azure DNS Zone) would be cats.contoso.com - and as a happy developer I'll start provisioning stuff at flying.cats.contoso.com or sleepy.cats.contoso.com and so on. The point being I can do what I want within the "cats" subdomain. Finally my question: how do we ensure we don't hit rate limits? The cert-manager docs indicate that we should simply back up / restore the secrets for the (in our case) ClusterIssuer and the Ingress objects. While this seems conceptually easy (my first reaction was to say: "ok, lets use a key vault for this), it means we have to write code to store / retrieve the secret values. Is this an already solved problem for k8s using LE with cert-manager?

Hi there, Wondering if there is native Pulumi support for using Azure KeyVault as the secrets store? I can only see it being used to store the encryption key, but I'd like to store our secret values there for better management of them. Aware I could use the Azure SDK to retrieve these secrets in code, but seems like there could/should be something built into the Pulumi to read/reference these secrets.

Hi, I have created an azure container registry 'acracr166usdevt' using pulumi native 1.66. I have used both the following methods to retrieve admin user and password var registry = GetRegistryCredentials.Invoke(new GetRegistryCredentialsInvokeArgs { ResourceGroupName = _settings.ResourceGroup, RegistryName = registryName }); but getting following errors 2022-07-25T18:32:48.1317669Z Grpc.Core.RpcException: Status(StatusCode="Unknown", Detail="invocation of azure-native:containerregistry:getRegistryCredentials returned an error: request failed /subscriptions/............./resourceGroups/.............../providers/Microsoft.ContainerRegistry/registries/acracr166usdevt/getCredentials: autorest/azure: Service returned an error. Status=404 Code="ParentResourceNotFound" Message="Can not perform requested operation on nested resource. Parent resource 'acracr166usdevt' not found."") and var registry = GetRegistryCredentials.InvokeAsync(new GetRegistryCredentialsArgs() { ResourceGroupName = _settings.ResourceGroup, RegistryName = registryName }).GetAwaiter().GetResult(); at Task<int> Pulumi.Deployment+Runner.Pulumi.IRunner.RunAsync<TStack>(IServiceProvider serviceProvider)+() => { } 2022-07-25T18:12:50.0562862Z at Task<int> Pulumi.Deployment+Runner.RunAsync<TStack>(Func<TStack> stackFactory) ---> Grpc.Core.RpcException: Status(StatusCode="Unknown", Detail="invocation of azure-native:containerregistry:getRegistryCredentials returned an error: request failed /subscriptions/......../resourceGroups/..................../providers/Microsoft.ContainerRegistry/registries/acracr166usdevt/getCredentials: autorest/azure: Service returned an error. Status=404 Code="ParentResourceNotFound" Message="Can not perform requested operation on nested resource. Parent resource 'acracr166usdevt' not found."") 2022-07-25T18:12:50.0564522Z at async Task<InvokeResponse> Pulumi.GrpcMonitor.InvokeAsync(ResourceInvokeRequest request) 2022-07-25T18:12:50.0565245Z at async Task<SerializationResult> Pulumi.Deployment.InvokeRawAsync(string token, SerializationResult argsSerializationResult, InvokeOptions options) x 2 2022-07-25T18:12:50.0566041Z at async Task<T> Pulumi.Deployment.InvokeAsync<T>(string token, InvokeArgs args, InvokeOptions options, bool convertResult) 2022-07-25T18:12:50.0567018Z at ContainerApp ....Pulumi.Resources.ContainerAppService.CreateContainerApp(string appName, Input<string> envId, Input<string> registryServer) in D😕a/1/s/build/pulumi/...Pulumi/Resources/ContainerAppService.cs:line 56 2022-07-25T18:12:50.0568101Z at void ........Pulumi.Resources.ContainerAppService.CreateContainerApp() in D😕a/1/s/build/pulumi/.......Pulumi/Resources/ContainerAppService.cs:line 30 2022-07-25T18:12:50.0569006Z at new ......Pulumi.CoreRuntimeStack() in D😕a/1/s/build/pulumi/.....Pulumi/CoreRuntimeStack.cs:line 18 2022-07-25T18:12:50.0569605Z --- End of inner exception stack trace

Hi! I’m trying to create a resource in Azure, that needs to be accessible from AKS. To do this, I’d like to look up the AKS vnet. Unfortunately, the azure-native.network.LookupVirtualNetwork() method takes a resource group name and the vnet name. The vnets for our AKS clusters have random names, but there should only be one vnet in the resource group. Is it possible to look up the vnet without knowing the name?

Hi, Is there any timeout constraint for Pulumi while creating large number of Azure resources? Sometime I see timeout error.

Hi I am looking to use Microsoft.Authorization/roleAssignmentScheduleRequests but it does not seem to be in the Pulumi azure-native api. Am I missing something? I thought the sdks always update to match Microsoft's APIs

Hello, I tried to use the ARM conversion tool but it failed. it said my code was valid but it couldn't convert it. I generated the template from an existing resource in the portal so I would expect it to be be valid. Any ideas what's wrong? Here's the template

{
    "$schema": "<https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#>",
    "contentVersion": "1.0.0.0",
    "parameters": {
        "staticSites_Feedbapp_name": {
            "defaultValue": "Feedbapp",
            "type": "String"
        }
    },
    "variables": {},
    "resources": [
        {
            "type": "Microsoft.Web/staticSites",
            "apiVersion": "2022-03-01",
            "name": "[parameters('staticSites_Feedbapp_name')]",
            "location": "Central US",
            "tags": {},
            "sku": {
                "name": "Free",
                "tier": "Free"
            },
            "properties": {
                "repositoryUrl": <repo url>,
                "branch": "main",
                "stagingEnvironmentPolicy": "Enabled",
                "allowConfigFileUpdates": true,
                "provider": "GitHub",
                "enterpriseGradeCdnStatus": "Disabled"
            }
        }
    ]
}

Hi everyone 👋 I am created an Azure Web app with C# and can't find anyway of setting the Stack or .Net version for the App Am I missing something obvious? 🤔

I'm using the typescript library to create a Static Web App but I don't see a way to provide app settings. How do I do that?

Has anyone used Managed Identities through Pulumi?

Hello! I just joined this team to have someone to talk with about Azure module. Has anyone ever configured a Revision for a Container App?

Why is this a ghost town?