Hey, how do we update KeyVault Access Policies once a vault has been created?

Hey, is there a way to assign a system assigned identity to a SignalR service?

trying to create a container app and get this odd error - any ideas?

azure-native:app:ContainerApp elaway-easee-src-cnx creating 
@ Updating....
 +  azure-native:app:ContainerApp elaway-easee-src-cnx creating error: autorest/azure: Service returned an error. Status=<nil> <nil>
 +  azure-native:app:ContainerApp elaway-easee-src-cnx **creating failed** error: autorest/azure: Service returned an error. Status=<nil> <nil>
    pulumi:pulumi:Stack elaway-easee-src-cnx-staging running error: update failed
    pulumi:pulumi:Stack elaway-easee-src-cnx-staging **failed** 1 error; 18 messages

found the issue was our quota was reached, is there a way for pulumi to expose the underlying error, I had to go to the Azure UI and manually try and create it for me to see the error. cheers. @broad-dog-22463

Hi, does anyone have a working example of creating a subnet with delegation? I’m looking to add a delegation for integration with an App Service. The example provided in the docs doesn’t have the details: https://www.pulumi.com/registry/packages/azure-native/api-docs/network/subnet/#create-subnet-with-a-delegation and I’m aware there’s an open Pulumi + MS docs issue for MS to provide example params. I stumbled upon this SO post but unfortunately it doesn’t include the working solution. Stuck on what other params should be beyond the service name:

new DelegationArgs
{
    ServiceName = "Microsoft.Web/serverFarms",
}

hi , I’m trying to import a CDN Rule , but the current API version on Azure-Native doesn’t seem to support the RouteConfigurationOverride action …. My goal is to modify the Caching behaviour on some Azure Front Door Routes by using RuleSets and Rules …. Here’s the error I’m getting when trying to Pulumi Import:

this is the rule I am trying to import created via Azure Portal:

anyone faced similar issue when managing Front Door caching via Pulumi ?

Hello. we are using pulumi to deploy some AKS environments, and suddenly Pulumi wants to recreate the cluster. however i dont undestand why. Pulumi wants to change a value to the same value and that triggers the replace?

Is there a way to have Pulumi yml interact with Azure using Azure-Login? It works now by specifically adding each property of Azure credentials (Tenant ID, Sub ID, App ID, Cleint Secret) but to save space and time I wonder if this would work with Azure Login (with one GitHub secret for AZURE_CREDENTIALS) instead?

Hey, I'm trying to deploy VPN in Azure (OpenVPN + Certificates) but I cannot make the connection after all. If I generate certs manually with https://docs.microsoft.com/en-us/azure/vpn-gateway/vpn-gateway-certificates-point-to-site-linux it's fine. I'm using the TLS package: https://www.pulumi.com/registry/packages/tls/ Anyony has a working code maybe?

is there a way to add to a container app’s env vars the url of the container app that is being created? You can get the url like so

Url      = Output.Format($"https://{app.Configuration.Apply(x => x!.Ingress).Apply(x => x!.Fqdn)}");

but obviously it’s cyclic dependency issue, you’re trying to add the url to the envvars but the url doesn’t exist yet

Has anyone added

IdentityProviders

to a

WebApp

. I've got it set up, but the portal says that no identity provider has been added

let createWebAppAuthSettingsV2 
        resourceNamer 
        resourceGroupName
        webAppName 
        webAppAuthSettings =
    WebAppAuthSettingsV2(resourceNamer "authsettings", WebAppAuthSettingsV2Args(
        Name = input webAppName,
        ResourceGroupName = input resourceGroupName,
        IdentityProviders = input (IdentityProvidersArgs(
            AzureActiveDirectory = input (AzureActiveDirectoryArgs(
                Enabled = input true,
                Registration = input (AzureActiveDirectoryRegistrationArgs(
                    ClientId = input webAppAuthSettings.ClientId,
                    ClientSecretSettingName = input webAppAuthSettings.ClientSecretSettingName,
                    OpenIdIssuer = input webAppAuthSettings.OpenIdIssuer
                ))
            ))
        )),
        Login = input (LoginArgs(
            TokenStore = input (TokenStoreArgs(
                Enabled = input true,
                FileSystem = input (FileSystemTokenStoreArgs(
                    Directory = input "tokens"
                ))
            ))
        )),
        HttpSettings = input (HttpSettingsArgs(
            RequireHttps = input true    
        )),
        GlobalValidation = input (GlobalValidationArgs(
            RequireAuthentication = input true,
            RedirectToProvider = input "Microsoft",
            UnauthenticatedClientAction = input (UnauthenticatedClientActionV2.Return403)
        ))
    ))

Clearly one has... what am I missing?

Is anyone facing issues when you create an AKS cluster and then run it again? Here it's trying to update the subnet, even if no updates were done in code. When some pool is added, there are some changes to the vnet regarding ipconfig. Pulumi is refreshing then, and it's trying to delete the subnet to recreate. What is non-sense, as the subnet is attached. For anyone interested in this. When you activate the virtual-node addon, Azure will enable private links and endpoints. Pulumi will recognize this change and it will try to recreate the vnet. After all, azure-native will try to recreate the vnet if any node_pool is added (which make changes to the ipConfiguration) and a refresh is triggered:

azure-native:network:Subnet ferrajoli-subnet updated [diff: +ipConfigurations~etag]

azure-native:network:VirtualNetwork ferrajoli-vnet updating [diff: -subnets]

To avoid an error in each run, we had to set ignore_changes to subnets in vnet.

Hi everyone! Using the pulumi automation API to run some tests - but up'ping one of my stacks. I often get the following errors: + azure-nativeauthorizationRoleAssignment role-assignment-IntTwkzlRG-acr-push creating error: autorest/azure: Service returned an error. Status=400 Code="PrincipalNotFound" Message="Principal a284d038836544ce8b186690db150566 does not exist in the directory 2b1d14a0-2c64-4c0f-ae25-b3195783fced. Check that you have the correct principal ID. If you are creating this principal and then immediately assigning a role, this error might be related to a replication delay. In this case, set the role assignment principalType property to a value, such as ServicePrincipal, User, or Group. Now, I'm aware it is telling me to wait... is there a reasonable way to achieve this magically/automatically with Pulumi? Thank you!

Is there any more movement on https://github.com/pulumi/pulumi-azure-native/discussions/1834 ?

Hey folks! I'm curious if anyone else has run into this issue. I'm trying to import some manually created resources into my stack: an Azure virtual network gateway, local network gateway, and connection config for a VPN setup. However, when I try to import them (or indeed anything at all), the CLI throws an error from the Azure API:

azure-native:network:V20201101:subnet (GatewaySubnet):
    error: Preview failed: autorest/azure: Service returned an error. Status=400 Code="MissingApiVersionParameter" Message="The api-version query parameter (?api-version=) is required for all requests."

It looks like the Azure Native plugin for

pulumi.exe

isn't passing along the API version parameter, and I can't for the life of me figure out if I can provide that myself. I've tried supplying a provider version when giving the import command, but that hasn't worked. The Azure CLI doesn't seem to accept an environment variable to append such a value to all requests, either. Am I missing something, or is this a bug?

This message was deleted.

Hey all, Does anyone have a working example of creating an App Service with custom domain and free Azure cert? It’s not clear how to go about this, but I’ve assumed it is to create a

web.Certificate

and then apply it to the App Service using a

web.WebAppHostNameBinding

, however there are no enum values for the cert

DomainValidationMethod

arg, and I can’t find any worked examples. Unfortunately Azure doesn’t return a helpful error message to help track this one down:

autorest/azure: Service returned an error. Status=400 Code="BadRequest" Message="The parameter Properties.DomainValidationMethod has an invalid value."

Any idea how to deal with circular dependencies like these? • The domain cert requires a binding to exist for the domain, or else cannot create the cert. • The binding cannot set the thumbprint at creation time because of the above If there was a way of updating the binding with thumbprint after cert has been created, I would be all set.

var binding = new WebAppHostNameBinding($"binding.api{stack}.<http://domain.app|domain.app>", new WebAppHostNameBindingArgs
{
    Name = app.Name,
    ResourceGroupName = resourceGroup.Name,
    CustomHostNameDnsRecordType = CustomHostNameDnsRecordType.CName,
    HostName = fulldomain,
    SiteName = app.Name,
    // Thumbprint = certificate.Thumbprint // Cannot set, need to create the managed domain cert first
    // SslState = SslState.SniEnabled // Cannot set, need to create the managed domain cert first
    
}, new CustomResourceOptions{ DependsOn = new CustomResource[] { txtRecord, cnameRecord }});

var certificate = new Certificate($"domain-app-cert-{stack}", new CertificateArgs
{
    ServerFarmId = appServicePlan.Id,
    ResourceGroupName = resourceGroup.Name,
    CanonicalName = fulldomain,
    HostNames = new[] { fulldomain }
}, new CustomResourceOptions {  DependsOn = binding}); // requires a hostname binding to exist for the domain

I don't know if you have heard of the Azure Developer CLI (azd, not to be confused with azure cli) which was released in public preview recently. It's a command line tool that can help you create, build, provision, and deploy a new application. Part of its scope is Infrastructure as Code of course, but it currently only supports bicep. Support for Terraform is coming next in their roadmap but support for Pulumi is currently not planned. One of the Azure Developer CLI PM has created an issue here to track the request for Pulumi support but it won't be prioritized without upvotes. This Azure Developer CLI looks promising and something I want to use it in the future, but with Pulumi code, not bicep or terraform code. Could you please upvote the issue to make this happen? Moreover, I think having support for Pulumi in such a tool would help Pulumi adoption for Azure users.

Has anyone got workload identity going with an AKS cluster? I’m looking for a way to do the equivalent of the following CLI command, but via Pulumi : az aks update \ --name $aksClusterName \ --resource-group $aksResourceGroupName \ --enable-oidc-issuer Thanks!

Does anyone know how I set the App Settings of a Static Site? I can't see the option in the docs.. https://www.pulumi.com/registry/packages/azure-native/api-docs/web/staticsite/#properties

Trying to create a storage account, I end up with this error. Am I doing something very wrong here (code in thread)?

azure-native:storage:StorageAccount (prometheus):
    error: resource partially created but read failed autorest/azure: Service returned an error. Status=404 Code="StorageAccountNotFound" Message="The storage account xfgewrprometheus was not found.": autorest/azure: Service returned an error. Status=404 Code="StorageAccountNotFound" Message="The storage account xfgewrprometheus was not found."

Hi there. I faced with an issue related to kubernetes provider. I have ManagedCluster configured and deployed to Azure. This cluster is used for Provider creation:

var aksProvider = new K8s.Provider("k8s-provider-dev", new ProviderArgs
            {
                KubeConfig = kubeConfig,
                Cluster = kubernetesCluster.Name,
            });

which I use for creation of kubernetes dashboard:

var kubeDashboard = new ConfigFile("my-kubernetes-dashboard", new ConfigFileArgs
            {
                File = "<https://raw.githubusercontent.com/kubernetes/dashboard/v2.5.0/aio/deploy/recommended.yaml>"
            },
            new ComponentResourceOptions
            {
                Provider = aksProvider,
                DependsOn = aksProvider!
            });

It works fine when deployment of cluster happens for the first time but if I'm trying to change Virtual Machine size (which requires recreation of cluster) and deploy this update I get an error:

error: resource complete event returned an error: failed to verify snapshot: resource urn:pulumi:dev::MyProject::kubernetes:yaml:ConfigFile$kubernetes:core/v1:Namespace::kubernetes-dashboard refers to unknown provider urn:pulumi:dev::MyProject::pulumi:providers:kubernetes::k8s-provider-dev::650f67b5-a3be-423f-81be-5e8453bf9c4f
    error: update failed

Is there any workaround how to fix this issue or maybe I'm doing something wrong? Thank you!

Q about azure-native: KeyVault & Certificates. I’ve created a cert in a KeyVault, which I can fetch via

GetSecret.Invoke()

. But I don’t see any function to retrieve the Certificate (I need the thumbprint, for example. Any ideas?

Does anyone else use

AzureNative.Cache.Redis

? And if so … does it always take 25 minutes to deploy via commandline but is actually created in a few seconds in ARM? Not sure if this is a Pulumi problem or on MSFT side

Hi, I am creating an azure container app with Pulumi native v1.66. My container app in azure 'subscription1' and azure container registry is in 'subscription2'. I am trying to add Registry when creating container app but it throws error ERROR: The resource with name 'testacr' and type 'Microsoft.ContainerRegistry/registries' could not be found in subscription 'subscription1'. var containerApp= new ContainerApp(appName, new ContainerAppArgs { Configuration = new ConfigurationArgs { Dapr = new DaprArgs { AppPort = 80, AppProtocol = "http", Enabled = true, }, Ingress = new IngressArgs { External = false, TargetPort = 80 }, Secrets = new InputList<SecretArgs> { new SecretArgs { Name = "registry-password", Value = "testpassword"} }, Registries = new InputList<RegistryCredentialsArgs> // From other subscription { new RegistryCredentialsArgs { Server ="testacr.azurecr.io", Username = "testacr", PasswordSecretRef = "registry-password" } } } }

Trying to add an Azure Classic component to my stack which is mostly Azure Native components, I've configured the required

azure:*

auth settings for the same service principal that

azure-native:*

uses, but I'm getting the following error:

error: failed to load application credentials:
    Details: 1 error occurred:
        * A Subscription ID must be configured when authenticating as a Service Principal using a Client Secret.

azure:subscriptionId

is definitely configured, could this error be masking something else? Is there an issue with running Azure Native and Azure Classic side by side?

Hi all! 🙂 I am having an issue with Pulumi error handling using Typescript. I have created some resources on Azure: • Virtual Network + subnets • storage account • blob privatelink When I try to create several other privatelinks I am not able to validate if one of them already exists and only create the ones that don't exist yet. I have followed the following logic: • used a try-catch block • in the try block I validate if the private DNS zone exists with the respective get function ◦ This will result in passing for the blob one, but failing to retrieve that information for the other 3 that don't exist yet ◦ I try to catch the errors and execute additional logic on the catch block • in the catch block I implemented the logic to create the privatelinks ans DNS zone configurations, as well as private endpoints for the services that caused the error What happens: • the errors are not suppressed quietly by the catch block • when I run

pulumi up

the errors are thrown and provisioning fails Is there any way I can implement the logic I have mentioned without having those errors blocking my deployment?