Hi all, I have created a key vault with default access policy as mentioned in https://www.pulumi.com/registry/packages/azure-native/api-docs/keyvault/vault and I have even changed the permissions based on https://www.pulumi.com/registry/packages/azure/api-docs/keyvault/keyvault/#keyvaultaccesspolicy, I want to add the roles

Key Vault Crypto Officer

and

Key Vault Secrets Officer

to the objectId, but I cannot set it somehow. After running Pulumi using azure-pipelines, everytime I go to Secrets tab in Key vault, I see the following error:

The operation is not allowed by RBAC. If role assignments were recently changed, please wait several minutes for role assignments to become effective.

How can I make it visible with the objectId?

As far as I understand, the pulumi backend for Azure blog storage not support authenticating this way? https://learn.microsoft.com/en-us/azure/storage/blobs/authorize-access-azure-active-directory

When creating Postgresql instances in Azure, we’ve found that some Configuration settings require that the instance is rebooted after applying the setting. I suspect we’ll have to use the SDK directly to do the restart, but is there a natural way to do this in our Pulumi program?

Is it possible to do this using azure-native, or do I need to use azure-classic? https://learn.microsoft.com/en-us/azure/key-vault/secrets/overview-storage-keys#create-a-key-vault-managed-storage-account

Hi! Anyone know what's going on here? I'm trying to build a my provider; however, it's yelling at me that it can't find the resource group (almost as if it's trying to build the kubeconfig/provider before the resource group is even created). error:

Service returned an error. Status=404 Code="ResourceGroupNotFound" Message="Resource group '{resourceGroupName}' could not be found."

code:

kube_creds = Output.all(
    resource_group_name=networking.resource_group,
    aks_name=aks_cluster.aks_cluster).apply(
        lambda args: containerservice.list_managed_cluster_admin_credentials(
            resource_group_name=args['resource_group_name'].name,
            resource_name=args['aks_name'].name))

Anyone have issues with hanging when trying to create a

ManagedEnvironment

for ContainerApp? Using

AzureNative

, basically example from the docs. The env gets created but pulumi hangs.

looks like this is known issue: https://github.com/pulumi/pulumi-azure-native/issues/1738

How do I create a "Deployment Slot Setting" in configuration when creating a function app using Pulumi? (I'm using C#). I can add configuration settings, but they are typed as a NameValuePairArgs, so there's not an opportunity to set a Boolean for the deployment slot setting.

Hi! I'm having some issues creating a Application Gateway for AKS ingress. According to the documentation from MS; https://learn.microsoft.com/en-us/azure/application-gateway/tutorial-ingress-controller-add-on-existing It's possible to create the App gateway without specifying frontendport and backendpool:

az network application-gateway create -n myApplicationGateway -l eastus -g myResourceGroup --sku Standard_v2 --public-ip-address myPublicIp --vnet-name myVnet --subnet mySubnet --priority 100

This doesn't work through pulumi. This is the code I'm trying to use:

export class itssappgw extends ComponentResource {
    constructor(
        name: string,
        args: appgwArgs,
        options?: ComponentResourceOptions,
    ) {
        super(`pkg:ITSS:appgw`, `ITSS:appgw`)
        const AppGateway = new ApplicationGateway(name, {
            applicationGatewayName: name,
            resourceGroupName: args.resgrp,
            sku: {
                capacity: 3,
                name: "Standard_v2",
                tier: "Standard_v2"
            },
            frontendIPConfigurations: [{
                name: "appGatewayFrontendIP",
                publicIPAddress: {
                    id: args.publicip
                },
            }],
            gatewayIPConfigurations: [{
                name: "appGatewayFrontendIP",
                subnet: {
                    id: args.subnet
                },
            }],
        }, { deleteBeforeReplace: true, parent: this }
        );
    }
}

But I get error that it's missing frontendport:

error: Code="ApplicationGatewayMustHaveAtleastOneResourceOfType" Message="At least one FrontendPort resource must be specified for the Application Gateway /subscriptions/xxxxxxxxxxx/resourceGroups/RG-Name/providers/Microsoft.Network/applicationGateways/GitHubActionRunnersAppGW." Details=[]

Shouldn't this be possible through pulumi too?

Hello, I am trying to set the Azure SQL Server Connection Policy. Is there any way to do this in pulumi? It doesn't seem to be an option in C#

Pulumi.AzureNative.Sql.Server

any help would be appreciated as this is something we have to change from default to proxy.

Hello All. I’m trying to create a string like this:

"<http://black-walnut-0f9d0590f-stg.eastus2.2.azurestaticapps.net|black-walnut-0f9d0590f-stg.eastus2.2.azurestaticapps.net>"

Using the following code:

Output.Tuple(staticSite.DefaultHostname, resourceGroup.Location)
      .Apply(x => x.Item1.ToSlotUrlWithEnvironment(env, x.Item2))

But the result is:

"black-walnut-0f9d0590f-stg.Pulumi.Input`1[System.String].<http://2.azurestaticapps.net|2.azurestaticapps.net>"

The

staticSite.DefaultHostname

is handled as expected, but

resourceGroup.Location

is using the object name instead of the expected value “eastus2” Am I doing something wrong?

Hello, All. I have a web app service that requires the

DefaultHostName

to be the value of a JWT based setting. Prior to this requirement, we’re injecting the app settings into the

WebApp

resource:

var apiAppService = new WebApp($"{appNamePart}-api-{_stackName}", new WebAppArgs
            {
                Location = resourceGroup.Location,
                ResourceGroupName = resourceGroup.Name,
                ServerFarmId = Output.Format($"{appServicePLan}"),
                HttpsOnly = true,
                
                SiteConfig = new SiteConfigArgs
                {
                    AppSettings = appSettings,
                    // 64 Bit not available on "Free" and "Shared" tiers only on "Basic," "Standard" and above.
                    // Change app service plan to enable
                    Use32BitWorkerProcess = false,
                    // az webapp list-runtimes --os-type linux
                    LinuxFxVersion = "DOTNETCORE|6.0",
                    MinTlsVersion = SupportedTlsVersions.SupportedTlsVersions_1_2,
                    FtpsState = FtpsState.FtpsOnly,
                    // Only support for the Basic and Standard plans disabled for now.
                    AlwaysOn = true,
                    VnetRouteAllEnabled = true
                },
                Identity = new ManagedServiceIdentityArgs
                {
                    Type = ManagedServiceIdentityType.UserAssigned,
                    UserAssignedIdentities = Helpers.GetManagedIdentity(_managedIdentities[_stackName])
                },
                Tags = standardTags
            });

However, because the

DefaultHostname

is a late arriving value, we’ll need to change how we push the app settings using the `WebAppApplicationSettings`:

var appServiceSetting = new WebAppApplicationSettings(
                $"{appNamePart}-api-{_stackName}-app-settings-jwt", 
                new WebAppApplicationSettingsArgs
                {
                    ResourceGroupName = resourceGroup.Name,
                    Name = apiAppService.Name,
                    Properties = appSettings.ToInputMap()
                },
                new CustomResourceOptions
                {
                    Parent = apiAppService,
                    DependsOn = apiAppService
                });

But it appears it’s not as simple as it sounds.

SiteConfigArgs.AppSettings

expects the type

InputList<NameValuePairArgs>

but

WebApplicationSettingsArgs.Properties

expects

InputMap<string>

. At first I tried to convert

appSettings

to the required input map with an extension method, but haven’t had success. This is my non working attempt:

public static InputMap<string> ToInputMap(this InputList<NameValuePairArgs> inputList)
        {
            var inputMap = inputList
                .Apply(list => Output
                    .All(list.Select(s => Output.Tuple(s.Name!, s.Value!))))
                .Apply(list =>
                {
                    var map = new InputMap<string>();
                    foreach (var (key, value) in list) 
                    {
                        map.Add(key, value);
                    }

                    return map;
                });

            return inputMap;
        }

The problem with my implementation is the returned result is

<Output<InputMap<string>>

instead of the expected

InputMap<string>

so I’m wondering, is it possible to convert a

InputList

to an

InputMap

? Also curious, what’s the reason for the two different types representing app settings between the

WebApp

and

WebAppApplicationSettings

?

If you are using our Azure Native provider with the Go SDK, please read the Go SDK deprecation and migration discussion on Github. Please provide any feedback you might have! 🙏🏼

Anyone successfully deploy HDInsights-kafka with the pulumi azure native? If so, could you share your pulumi code? I'm getting the error: "Internal error. Errors:The request payload is invalid.". Looking at the pulumi details and comparing it to an ARM export of an existing HDInsights-kafka cluster, I am not seeing a difference. Thanks

Tried searching a bit here, but couldn't really find it. We're hitting a bug (or well, documented limit) in azure - it is not possible to have more than 10 deployment locations (i.e. where the

deployment

itself is run from, not where the resources are). I do not see any option of setting

deploymentLocation

anywhere - I would think this could be a provider level command. In Bicep or throgh powershell/az-cli you can run stuff like this:

az deployment sub create --location <region> ---template file....

where the

<region>

is the region of the `deployment`NOT the actually deployed resources. I would very much like to know if a similar parameter is possible in pulumi. Source of limitation: https://learn.microsoft.com/en-us/azure/azure-resource-manager/management/azure-subscription-service-limits#management-group-limits

Hello, working on creating a SAS token for my Azure storage and using:

deployment_resources_container_sas = storage.list_storage_account_sas(
    account_name=storage_account.name,
    resource_group_name=resource_group,
...

However, account_name only excepts str | none. Is that a bug? Certainly, you would want to know that the storage account needs to be available first in the Pulumi background orchestration. Anyone else run into this? How did you get around it? Thanks.

hi. a little help request: how do I deploy an Azure Function using a Docker image with Pulumi Native?

thanks.

(I'm using Python - but I imagine no major changes across different languages)

Is there anu example of the Azure Native Provider resouce about how it is used in a Pulumi project? https://www.pulumi.com/registry/packages/azure-native/installation-configuration/#create-your-service-principal-and-get-your-tokens

Is it not possible to lock down

Pulumi,<stack>.yaml

in a way that you can encrypt secrets, but not decrypt them? Apparently having

Microsoft.KeyVault/vaults/keys/encrypt/action

is not enough, one also needs decrypt?

Hi all! New to pulumi, question for you all on getting access to nested map output. Hopefully an easy one. Using azure go. For a

ManagedCluster.IdentityProfile

, I want to get the nested

kubeletidentity.clientId

from the map. It seems like I use some variation of

ApplyT

but I'm not sure if it is idiomatic, see thread. Any tips?

Hi guys. I have a question or improvement suggestion. I have Python abstraction layer over Azure resources that looks like this:

sb_namespace = ServiceBusNamespace("playlist-357", resource_group)
main_topic = ServiceBusTopic("main", sb_namespace)

new_track_queue = ServiceBusQueue("new-track", sb_namespace)
track_play_queue = ServiceBusQueue("track-play", sb_namespace)
find_track_queue = ServiceBusQueue("find-track", sb_namespace)

main_topic.subscribe(new_track_queue),
main_topic.subscribe(track_play_queue)
main_topic.subscribe(find_track_queue)

The weird thing that happens is that Queues, Topics i Subscribe are created in parallel to Service Bus Namespace, but they cannot be created if there is no namespace. CLI Output:

❯ pulumi up
Previewing update (prod)

View Live: <https://app.pulumi.com/macieyng/playlist-357/prod/previews/bbd5b50d-4515-4f2b-a9a4-c34285b216f8>

     Type                                     Name               Plan       
     pulumi:pulumi:Stack                      playlist-357-prod             
 +   ├─ azure-native:servicebus:Topic         main-sbt           create     
 +   ├─ azure-native:servicebus:Namespace     playlist-357-sbns  create     
 +   ├─ azure-native:servicebus:Queue         track-play-sbq     create     
 +   ├─ azure-native:servicebus:Queue         new-track-sbq      create     
 +   ├─ azure-native:servicebus:Queue         find-track-sbq     create     
 +   ├─ azure-native:servicebus:Subscription  track-play-sbsub   create     
 +   ├─ azure-native:servicebus:Subscription  new-track-sbsub    create     
 +   └─ azure-native:servicebus:Subscription  find-track-sbsub   create     


Resources:
    + 8 to create
    1 unchanged

Do you want to perform this update? yes
Updating (prod)

View Live: <https://app.pulumi.com/macieyng/playlist-357/prod/updates/19>

     Type                                     Name               Status                  Info
     pulumi:pulumi:Stack                      playlist-357-prod  **failed**              1 error
 +   ├─ azure-native:servicebus:Topic         main-sbt           **creating failed**     1 error
 +   ├─ azure-native:servicebus:Namespace     playlist-357-sbns  created (65s)           
 +   ├─ azure-native:servicebus:Queue         track-play-sbq     **creating failed**     1 error
 +   ├─ azure-native:servicebus:Queue         new-track-sbq      **creating failed**     1 error
 +   ├─ azure-native:servicebus:Subscription  track-play-sbsub   **creating failed**     1 error
 +   ├─ azure-native:servicebus:Queue         find-track-sbq     **creating failed**     1 error
 +   ├─ azure-native:servicebus:Subscription  find-track-sbsub   **creating failed**     1 error
 +   └─ azure-native:servicebus:Subscription  new-track-sbsub    **creating failed**     1 error


Diagnostics:
  azure-native:servicebus:Queue (new-track-sbq):
    error: autorest/azure: Service returned an error. Status=404 Code="NamespaceNotFound" Message="Namespace 'playlist-357-sbns' already deleted"

  azure-native:servicebus:Subscription (track-play-sbsub):
    error: autorest/azure: Service returned an error. Status=404 Code="NamespaceNotFound" Message="Namespace 'playlist-357-sbns' already deleted"

  azure-native:servicebus:Subscription (new-track-sbsub):
    error: autorest/azure: Service returned an error. Status=404 Code="NamespaceNotFound" Message="Namespace 'playlist-357-sbns' already deleted"

  pulumi:pulumi:Stack (playlist-357-prod):
    error: update failed

  azure-native:servicebus:Topic (main-sbt):
    error: autorest/azure: Service returned an error. Status=404 Code="ParentResourceNotFound" Message="Can not perform requested operation on nested resource. Parent resource 'playlist-357-sbns' not found."

  azure-native:servicebus:Queue (track-play-sbq):
    error: autorest/azure: Service returned an error. Status=404 Code="NamespaceNotFound" Message="Namespace 'playlist-357-sbns' already deleted"

  azure-native:servicebus:Queue (find-track-sbq):
    error: autorest/azure: Service returned an error. Status=404 Code="NamespaceNotFound" Message="Namespace 'playlist-357-sbns' already deleted"

  azure-native:servicebus:Subscription (find-track-sbsub):
    error: autorest/azure: Service returned an error. Status=404 Code="NamespaceNotFound" Message="Namespace 'playlist-357-sbns' already deleted"

Resources:
    + 1 created
    1 unchanged

Duration: 1m11s

So other resources should be created after the Namespace exist, because it’s a parent resource and I had to run that two times to create resources. Is it possible to define resource creation steps?

Hi #azure! Is there a way to retrieve an Azure AppConfiguration Store access keys when creating it using Pulumi? I could not find it in the doc. Something along those lines: https://learn.microsoft.com/en-us/powershell/module/az.appconfiguration/get-azappconfigurationstorekey?view=azps-9.1.0

Can Azure App Service webjobs be configured/deployed with Pulumi? If so, how?

Hello all! Is it possible to create a "Child DNS Zone" from Pulumi?

I assume i am missing something......... Is anybody able to tell my the following Pulumi@1 task fails in the DeploymentJob 'Dev_Deploy' but works in the Job 'Review_Infrastructure'

message has been deleted

The error is as follows: ##[error]Error: There was an error when attempting to execute the process 'D:\a\_temp\aad4de70-6d76-49e4-9144-ad6e298b94f7\pulumi\bin\pulumi.exe'. This may indicate the process failed to start. Error: spawn D:\a\_temp\aad4de70-6d76-49e4-9144-ad6e298b94f7\pulumi\bin\pulumi.exe ENOENT

This is running on an Azure DevOps pipeline!