Slight off topic, but also sort of on topic. I was tasked with rewriting some ARM templates to Pulumi. I now have several Pulumi scripts working individually. They are originally based on the previous ARM templates, where the launch conditions depends on the users launch input in a powershell script. I am looking at the ps1 file and I am not sure which relevant Pulumi commands I can use to make the launch of the Pulumi scripts depend on the users input. I will include the full ps1 underneath, but mostly I am wondering the best practice for converting a ps1 script to a logical pulumi script where the user can trigger it from a pipeline cli. I.e. Commands such as

Get-AzWebApp

seems to have a Pulumi Azure native command described here: https://www.pulumi.com/registry/packages/azure-native/api-docs/web/getwebapp/ However, is there any way to make this accessible from a user CLI, in a "best practice" kind of way? Full example of a

deployAppService.ps1

script (only for reference to get a better understanding of what kind of logic I am trying to achieve):

Param(
[string]$namePrefix,
[string]$name,
[string]$VirtualDirectory,
[string]$appPlanName,
[string]$appInsightsKey,
[string]$SubscriptionID,
[string]$ResourceGroup,
[bool]$useCosmos = $false
)

Set-Location $PSScriptRoot
$firstimeDeployment = $false
$deploymentTime = (Get-Date).ToUniversalTime().ToString("yyyyMMddHHmmss")
$VirtualDirectory = $VirtualDirectory.Trim("/")
$paths = $VirtualDirectory -split '/'

$gatewaysubnetId = "/subscriptions/$SubscriptionID/resourceGroups/$ResourceGroup/providers/Microsoft.Network/virtualNetworks/$namePrefix-vnet/subnets/$namePrefix-gwsubnet"
$serverFarmId = "/subscriptions/$SubscriptionID/resourceGroups/$ResourceGroup/providers/Microsoft.Web/serverFarms/$namePrefix-$appPlanName"

$webapp = Get-AzWebApp -ResourceGroupName "$ResourceGroup" -Name "$namePrefix-$name" -ErrorAction SilentlyContinue
if(-not $webapp)
{
    write-host "web app does not exist, creating both app and slot"
    $firstimeDeployment = $true
}

$params = @{namePrefix = "$namePrefix"; name = "$name"; gatewaysubnetId = $gatewaysubnetId; serverFarmId = $serverFarmId; isFirsttimeDeployment = $firstimeDeployment; appInsightsKey = $appInsightsKey; EnableIdentity = $useCosmos}

if($VirtualDirectory -eq "")
{
    write-host "Virtual directory is empty, deploying root only template"
    $outputs = New-AzResourceGroupDeployment -name "$($name).$($deploymentTime)"  -ResourceGroupName "$ResourceGroup" -TemplateFile "..\RootOnly-ssl.json" -TemplateParameterObject $params
    $outputs
}
elseif($paths.count -eq 1)
{
    write-host "deploying standard template"
    $params.Add("VirtualDirectory","$VirtualDirectory")
    $outputs = New-AzResourceGroupDeployment -name "$($name).$($deploymentTime)" -ResourceGroupName "$ResourceGroup" -TemplateFile "..\standard-ssl.json" -TemplateParameterObject $params
    $outputs
}
elseif($paths.count -eq 2)
{
    write-host "Virtual directory contains folder, deploying: DirectoryandPath template"
    $params.Add("VirtualDirectory","$VirtualDirectory")
    $outputs = New-AzResourceGroupDeployment -name "$($name).$($deploymentTime)" -ResourceGroupName "$ResourceGroup" -TemplateFile "..\DirectoryandPath-ssl.json" -TemplateParameterObject $params
    $outputs
}
else
{
    Write-Error "Virtual directory is not valid. Virtualdirectory: [$VirtualDirectory]"
}


if($useCosmos)
{
    if(-not $outputs.Outputs["identity"].value -or -not $outputs.Outputs["developIdentity"].value){
        throw "template deployment outputs does not contain required identities"
    }
    write-host "cosmos enabled, giving permission to key vault"

    write-host "Variables: VaultName: $namePrefix-keyVault-cosmos. ResourceGroup: $ResourceGroup, identity: $($outputs.Outputs['identity'].value). developIdentity: $($outputs.Outputs['developIdentity'].value)"
    Set-AzKeyVaultAccessPolicy -VaultName "$namePrefix-keyVault-cosmos" -ResourceGroupName "$ResourceGroup" -ObjectId "$($outputs.Outputs['identity'].value)" -PermissionsToSecrets Get,List -BypassObjectIdValidation

    Set-AzKeyVaultAccessPolicy -VaultName "$namePrefix-keyVault-cosmos" -ResourceGroupName "$ResourceGroup" -ObjectId "$($outputs.Outputs['developIdentity'].value)" -PermissionsToSecrets Get,List -BypassObjectIdValidation
}

Hi does anybody know how to fetch an iothub's build in eventhub endpoint with pulumi? I need to get the connectionstring out and put it in a keyvault

Need a sample code: upload everything in a folder to azure storage.Blob container. I am trying to use pulumi.asset.FileArchive(build_output_folder) to work with TS. Is the for each files in FileArchive is right way to do?

Hello, does anyone know how to update an existing KV and add a network to it? I am following this example: https://www.pulumi.com/registry/packages/azure-native/api-docs/keyvault/vault/ However I am getting this error:

error: cannot create already existing resource

for the virtualNetworkRules

I am searching for something in Pulumi to do

az keyvault network-rule add

Hey! 🙂 I am using Container Apps and I will require some capabilities available at

2022-11-01-preview

API version for my Managed Environment . I have checked the Nodejs sdk and apparently this is not available yet (https://github.com/pulumi/pulumi-azure-native/tree/master/sdk/nodejs/app). Does anyone know when this preview version will be available?

Has anyone done any work around deploying resources to an AKS cluster that has local accounts disabled? How are you getting the credentials to connect to the cluster given you can't use the local admin?

What is the correct way to update the Pulumi IaC from v2 to v3? I am hitting a major roadblock with resources getting enough diffs as to warrant a recreate: Eg Blob Storage (Storage Account) no longer has a property called 'AllowBlobPublicAccess', apparently the new name is 'AllowNestedItemsToBePublic' (same as Terraform). When I update the code (no other changes) and do a refresh / up, I get a significant diff which ends up dropping the Storage Account (not what I want 😄 )

Pulumi.Azure Version="3.*" => "5.39.0"
---
+-azure:storage/account:Account: (replace)
[provider: urn:pulumi:*******::*****-Stack::pulumi:providers:azure::default_3_56_0::a73452a7-89a5-4665-b5a1-a7d472984f76 => urn:pulumi:*******::*****-Stack::pulumi:providers:azure::default_5_39_0::output<string>]
...
      + allowNestedItemsToBePublic     : true
      + crossTenantReplicationEnabled  : true
      + defaultToOauthAuthentication   : false
      + infrastructureEncryptionEnabled: false
      + publicNetworkAccessEnabled     : true
      + queueEncryptionKeyType         : "Service"
      + sftpEnabled                    : false
      + tableEncryptionKeyType         : "Service"

How can I update Pulumi without wrecking the storage account in the process? There should be some upgrade docs with breaking changes, but it seems that between Pulumi updates, Terraform provider versions and Azure API breaking changes, im in a quite the big mess. And this is just a simple Storage Account with an Azure CDN attached. Next up: AKS, databases and ServicePrincipals 😕

Hello, I am trying to create Postgresql flexible server using the package mentioned here : https://github.com/pulumi/pulumi-azure-native/blob/master/examples/postgres/index.ts, however I am getting

error: Code="InternalServerError" Message="An unexpected error occured while processing the request. Tracking ID: '1b8eb450-dc7a-4bc7-8007-43d69d7ea22e'"

. Any idea what could be the issue?

Hello, I am trying to setup a azure appconfiguration.ConfigurationStore. As far as I understand, there i no way using azure-native to get the connectionstrings (at least I cannot find any docs on it, also azure ARM resource definition seems not to have anything in that regard). That would mean I need to fallback using azure-classic for that one? I know there is the option of using a ManagedIdentity, and I am slowly progressing towards using that, but going step by step here. Thanks for your responses.

hi All, does anyone knows how to create a storage account container but with AAD authentication rather than access key?

Hello, we are using the Pulumi Action in GitHub Actions to preview and deploy the stacks, using a service principal authentication against Azure. I wanted to move away from using environment variables to having the authentication info defined in the stack itself, so moving from ARM_CLIENT_ID, ARM_CLIENT_SECRET, ARM_SUBSCRIPTION_ID and ARM_TENANT_ID to having

azure-native:clientId: ...
azure-native:clientSecret:
  secure: ...
azure-native:subscriptionId: ...
azure-native:tenantId: ...

in the stack's config file. However, with this change, we started getting this error in the GitHub Action:

azure-native:resources:ResourceGroup <resource-group-name> refreshing (22s) error: obtain subscription() from Azure CLI: parsing json result from the Azure CLI: waiting for the Azure CLI: exit status 1: ERROR: Please run 'az login' to setup account.

What are we missing? I am pretty sure we authenticated in this way before in GitHub Actions.

Hello Team, I am trying to deploy Diagnostic Setting for Azure Function/AppInsight which will send logs to EventHub. Azure-native provider is used for this. If I use all options in Logs, (AppEvents, AppMetrics...) this is working but apparently I am NOT gettings logs, but if I select in Azure Portal AllLogs, in that case logs are working, strange.... I am getting errror :

autorest/azure: Service returned an error. Status=400 Code="BadRequest" Message="Category 'AllLogs' is not supported."

const diagnosticSetting = new insights.DiagnosticSetting("ds-horizon-dev-appinsights", {
        name: "ds-horizon-dev-appinsights",
        eventHubAuthorizationRuleId: "/subscriptions/70723351-c6d0-4159-b670-ae4aef2e3936/resourcegroups/craftsphere-dev-monitoringaa96adba/providers/Microsoft.EventHub/namespaces/craftsphere-dev-datadog/authorizationrules/craftsphere-dev",
        eventHubName: "craftsphere-dev-datadog",

        resourceUri: etlAppInsights.id,
        logs: [
            {
            category: "allLogs",  <====This part is failing !!!!!
            enabled: true,
            retentionPolicy: {
                days: 0,
                enabled: false,
            },
        }],
        metrics: [{
            category: "AllMetrics",
            enabled: true,
            retentionPolicy: {
                days: 7,
                enabled: false,
            },
        }],
    });

What is the best approach to moving resources to another subscription? Currently, all of our Azure resources are deployed in a single subscription, with multiple stacks that have interdependencies through their use of outputs. However, we've found it challenging to manage these resources effectively, and are planning to transition to an approach that leverages Azure Landing Zones with multiple subscriptions. To achieve this, we're exploring options to move our Pulumi-managed resources to a different subscription. While Azure offers its own resource mover, we've encountered issues with updating the subscriptionId configuration field: the refresh and up commands don't recognize the changes. We're looking for guidance or documentation to help us make the move to a new subscription with minimal downtime. Can you recommend any resources or best practices to help us achieve this?

Questions about Azure Functions. I've looked at this example: https://github.com/pulumi/examples/tree/master/azure-cs-functions. And I've read the API docs corresponding to the example's "WebApp" type at: https://www.pulumi.com/registry/packages/azure-native/api-docs/web/webapp/. I've also tried to find some more detailed examples, but the few things I can find seem to be relying on an older version of Pulumi's support for Azure Functions ("FunctionApp" ??). 1. Is "Azure Native" the correct, current provider that I should be using? Note that I've used a lot of Azure Native types for other Azure resources, so I'm fine with Azure Native. I just want to make sure I'm starting in the right place for Azure Functions. 2. Is "WebApp" the correct type from Azure Native for creating an Azure Function. The example seems clear, but I see a "WebAppFunction" in the API docs. Its documentation is pretty bare, so it's not clear what its purpose is. 3. Assuming "WebApp" is the correct type, are there more exhaustive docs or examples on using it specifically for Azure Functions. It looks like I have to set the "Kind" property, but I don't see a list of valid values for "Kind". Same with values for the "FUNCTIONS_WORKER_RUNTIME" app setting. Related to #3, this is an example of the biggest challenge I find in using Pulumi: simplistic examples coupled with incomplete documentation (at least in my view). My approach to overcoming those challenges typically involves manually creating the kind of resource I want within the Azure portal and then looking at the ARM template that the portal will generate or using "pulumi import" into a temporary stack to try to deduce valid values for properties I know about or figuring out properties that I need to be sure to set though they aren't used in the examples. Obviously, that's a very tedious way to have to go about writing the Pulumi program. If I'm missing anything that's out there that I can refer to, I'd appreciate pointers. Thank you.

Hello team, I just came across the support for using MSI https://www.pulumi.com/registry/packages/azure-native/installation-configuration/#authenticate-using-managed-service-identity-msi The instructions are pretty bland, and before diving further to use it, wondering if anyone has an example or detailed instructions already on how to enable this?

Anyone is using the ConnectedCluster from Azure Native? I'm having issues with it. What key are you using at agentPublicKeyCertificate? Do it need anything else to be installed?

Does somebody have a clue? It is making pulumi unusable if you can't rely on the pulumi to deploy your ifrastructure without babysitting the azure devops pipelines...

Hello folks, Anybody using OKTA as an identity provider? I was wondering if the OKTA- Azure AD integration could be handled with pulumi. The problem I see by reading the docs is that reproducing the same step in a pulumi stack may lead to circular references in code (e.g., the OKTA IDP requires the AD Application and the AD Application requires the OKTA IDP). Any ideas?

Hi all, since this morning I get error: obtain subscription() from Azure CLI: parsing json result from the Azure CLI: waiting for the Azure CLI: exit status 1: ERROR: Please run 'az login' to setup account. I update my azure cli to the latest version as well as the pulimi cli but to no avail. I also az logout and az login again. Any idea?

Hi all, We keep getting this error in further attempts to update our infrastructure:

2023-04-17T23:44:41.1995825Z [90m23:44:41[0m[90m [[0m[97;1mDBG[0m[90m] [0m-- kubernetes:<http://apiextensions.k8s.io/v1:CustomResourceDefinition|apiextensions.k8s.io/v1:CustomResourceDefinition> <http://azureassignedidentities.aadpodidentity.k8s.io|azureassignedidentities.aadpodidentity.k8s.io> deleting original error: '<http://azureassignedidentities.aadpodidentity.k8s.io|azureassignedidentities.aadpodidentity.k8s.io>' timed out waiting to be Ready[0m

At the first attempt we only had this error:

2023-04-17T22:29:50.9776370Z [90m22:29:50[0m[90m [[0m[97;1mDBG[0m[90m] [0m-- kubernetes:<http://helm.sh/v3:Release|helm.sh/v3:Release> tplat-neu-003-nginx-ingress-controller-router deleting original error: uninstall: Release not loaded: nginx-ingress-controller-router: release: not found

any suggestions on how to investigate further here?

This is mostly my fault, but it seems worth mentioning - at a minimum to set my expectations, and it could be a bug. I created an Azure WebApp that was intended to be an Azure Function. I did the pulumi up, and from pulumi's POV, everything looked right. However, in the Azure portal, it just showed as a regular "app service". Checking my code, I see that I forgot to set the "Kind" property to "FunctionApp" (sort of a big deal - I know). So I added the property, and pulumi preview said it would update based on that property change. However, when I ran "pulumi up," though it thinks it succeeded, the portal still shows it as an "app service." And the template shows that the value of "kind" is "app." FYI.

The azure-native version guide says that you can "switch between different API versions of a given resource, including to and from its top-level default representation, whenever you want". However, when I create a new resource using a specific version, it is created with a URN that contains the version name (i.e. v20230201). When I then change to use the default version and run pulumi up, the preview fails, because it wants to delete the version specific instance and create a new instance (the preview failure is due to the use of the protect flag on the original instance). How can I switch between different API versions without Pulumi indicating that it is going to delete and recreate?

Hi All, Im creating a managed cluster with a keyvault in Pulumi csharp and struggling to retrieve the clientID from the ManagedCluster AddonProfile Heres my AddonProfile creation:

AddonProfiles =
            {
                { "azureKeyvaultSecretsProvider", new Pulumi.AzureNative.ContainerService.V20220902Preview.Inputs.ManagedClusterAddonProfileArgs
                {
                    Config =
                    {
                        { "enableSecretRotation", "true" },
                    },
                    Enabled = true,
                } },
            },

Originally I had

AzureKVObjectId = cluster.AddonProfiles.Apply(x => x["azureKeyvaultSecretsProvider"].Identity.ClientId);

which worked but has since stopped working with a NullReferenceException. Any idea on the correct way to retrieve the ObjectID of the identity that this creates? Thanks!

I'd like to nudge this question of mine, as I've been unable to find an answer on my own 😞 https://pulumi-community.slack.com/archives/CRVK66N5U/p1678226131334199

I have an AKS cluster that has been created and is supposed to be managed by Pulumi, however Pulumi is really trigger-happy about replacing the cluster. For example right now the node pools are not in the exact order pulumi expects, which is causing it to want to replace the entire cluster. This is a bit impractical as I'm running stateful workloads on the cluster, where I would be really sad if they lost their state. Making Pulumi completely ignore the node pools is also not an option, as I do need to be able to apply some changes to them going forward, such as changing the min/max counts and such. Is there a way to make this experience better?

I'm hitting case-sensitive location diffs on Azure Sql Databases despite this issue being resolved: https://github.com/pulumi/pulumi-azure-native/issues/1809 Is this a regression? @tall-librarian-49374

Hi, I am adding SFTP Local Users through pulumi. I am giving one super user read, write, delete access to multiple containers which is working for a certain number of containers but If I do it for all, it gives me an error.

The above one is working because I am adding around 20 containers permissions here

However when I add the permissions for all of the containers (more than 100), the buid fails with this error message: error: autorest/azure: Service returned an error. Status=400 Code="MaxLimitReachedForRequestParameters" Message="Max limit has been reached for request parameters: Permission Scope