azure
  • p

    plain-tiger-79744

    03/30/2020, 1:16 PM
    When I use pulumi with my own state using Azure blob storage, do I have state per environment or is the blob storage for all environments (stacks)? Do I have to log in (pulumi login ...) with the given blob URL for each environment deployment? Is there a better example of how to set up pulumi with Azure blob storage? What kind of URL do I need to provide? What is meant by "azblob://", what follows after that?
  • a

    ancient-megabyte-79588

    03/30/2020, 6:25 PM
    Hello everyone.. I'm wondering if anyone has encountered/solved a problem of building a .configMap that can replace the coredns-custom configMap that is already in place in a new AKS cluster. I have this:
    let corednsConfigMap = new k8s.core.v1.ConfigMap("coredns-custom", 
    {
        metadata:{name: "coredns-custom", namespace:"kube-system"},
        data: {
            "test.server" : " | \
            <domain to rewrite>:53 { \
                errors \
                cache 30 \
                rewrite name substring <domain to rewrite> default.svc.cluster.local \
                forward .  /etc/resolv.conf # you can redirect this to a specific DNS server such as 10.0.0.10 \
            }"
        }
    }, {provider: k8sProvider});
  • a

    ancient-megabyte-79588

    03/30/2020, 6:26 PM
    Pulumi wants to create this configMap, but because it is already in the cluster, it fails. When I pulumi refresh it doesn't see that this configMap is in the cluster, so it isn't able to sort itself out to change to an update
  • a

    ancient-megabyte-79588

    03/30/2020, 6:41 PM
    I can't delete the configMap in the cluster because it is in a Deployment and gets recreated quickly. I'd rather not do the update via kubectl and am hoping that Pulumi has something I don't know about that would allow this.
  • c

    colossal-room-15708

    03/31/2020, 6:12 AM
    I wonder, is there a way to tell pulumi "it's okay to create these resources here in parallel" or rather "please create these resources here in parallel"? Example: Creating a VPN Gateway and an ExpressRoute Gateway. Pulumi just decided to create them one after the other (no dependencies between them) which means the deployment will now take around an hour. Same goes for "delete" operation.
  • c

    colossal-room-15708

    03/31/2020, 6:48 AM
    One more: I'm adding a new tag to a vnet and I'm receiving this error here:
    ~   └─ azure:network:VirtualNetwork  ssvc-vnet               **updating failed**     [diff: ~tags]; 1 error
     
    Diagnostics:
      azure:network:VirtualNetwork (ssvc-vnet):
        error: 1 error occurred:
            * updating urn:pulumi:prod::azure-foundations::azure:network/virtualNetwork:VirtualNetwork::ssvc-vnet: Error Creating/Updating Virtual Network "ssvc-vnet-prod" (Resource Group "sharedservices-prod"): network.VirtualNetworksClient#CreateOrUpdate: Failure sending request: StatusCode=400 -- Original Error: Code="InUseSubnetCannotBeDeleted" Message="Subnet GatewaySubnet is in use by /subscriptions/<subId>/resourceGroups/sharedservices-prod/providers/Microsoft.Network/virtualNetworkGateways/vpn-gw/ipConfigurations/vpn-gw-ipconf and cannot be deleted. In order to delete the subnet, delete all the resources within the subnet. See aka.ms/deletesubnet." Details=[]
    Anybody gotten that before?
  • c

    colossal-room-15708

    03/31/2020, 6:49 AM
    Indeed works for a vnet where that subnet is not in use, but not where the subnet is in use.
  • m

    mammoth-train-70005

    03/31/2020, 12:53 PM
    The Pulumi State Case: Sadly pulumi stores properties from Azure Resources with secrets as clear text. Because of “trust no one” we tried to put the state in a restricted Azure Blob Storage (if that leaks it is our fail, we can’t prevent any leak from Pulumi). The problem is that it seems it cannot be used with the identity of the user logged in with the az-cli. This is kind of weird, because pulumi otherwise works great with that identity. I have to set the AZURE_STORAGE_KEY to make it work, which is not the ideal solution. Any hints or ideas?
  • b

    better-rainbow-14549

    03/31/2020, 1:17 PM
    have you tried setting the ARM_ env vars and seeing if those work
  • b

    better-rainbow-14549

    03/31/2020, 1:18 PM
    and give that service principal the perms on the storage obviously
  • b

    better-rainbow-14549

    03/31/2020, 1:18 PM
    $Env:ARM_SUBSCRIPTION_ID = $subscriptionId;
    $Env:ARM_TENANT_ID = $tenantId;
    $Env:ARM_CLIENT_ID = $pulumiClientId;
    $Env:ARM_CLIENT_SECRET = $pulumiPassword;
    $Env:PULUMI_CONFIG_PASSPHRASE = $pulumiConfigPassword;
  • a

    astonishing-afternoon-15745

    04/01/2020, 1:04 PM
    Has anyone been able to use Spot instances with AKS and an example to share?
  • p

    plain-tiger-79744

    04/01/2020, 4:42 PM
    How do I set the .NET Core Framework version for Azure AppServices? I would expect to find it under SiteConfig but there I can only set up DotnetFrameworkVersion (Fullframework). I would like to deploy a .NET Core App. When I serve the page I get an error HTTP Error 500.32 - ANCM Failed to Load dll
  • e

    enough-kite-69616

    04/01/2020, 5:33 PM
    Trying to set up AKS in Azure, and running into this problem
    Diagnostics:
      azure:core:ResourceGroup (RD-FoundationalServices-rg):
        error: Error ensuring Resource Providers are registered.
    
        Terraform automatically attempts to register the Resource Providers it supports to
        ensure it's able to provision resources.
    
        If you don't have permission to register Resource Providers you may wish to use the
        "skip_provider_registration" flag in the Provider block to disable this functionality.
    
        Please note that if you opt out of Resource Provider Registration and Terraform tries
        to provision a resource from a Resource Provider which is unregistered, then the errors
        may appear misleading - for example:
    
        > API version 2019-XX-XX was not found for Microsoft.Foo
    
        Could indicate either that the Resource Provider "Microsoft.Foo" requires registration,
        but this could also indicate that this Azure Region doesn't support this API version.
    
        More information on the "skip_provider_registration" flag can be found here:
        <https://www.terraform.io/docs/providers/azurerm/index.html#skip_provider_registration>
    
        Original Error: Cannot register provider Microsoft.DocumentDB with Azure Resource Manager: resources.ProvidersClient#Register: Failure responding to request: StatusCode=403 -- Original Error: autorest/azure: Service returned an error. Status=403 Code="AuthorizationFailed" Message="The client 'jcarreira@mtb.com' with object id 'a25caa95-0e42-47b3-99a0-47bc2ba17ceb' does not have authorization to perform action 'Microsoft.DocumentDB/register/action' over scope '/subscriptions/7e01b735-d940-4f45-953c-08f86d80d43f' or the scope is invalid. If access was recently granted, please refresh your credentials.".
  • e

    enough-kite-69616

    04/01/2020, 5:33 PM
    The resource group already exists, which is maybe the problem?
  • e

    enough-kite-69616

    04/01/2020, 6:18 PM
    So how do I make it make Terraform import my RG?
    error: A resource with the ID "/subscriptions/7e01b735-d940-4f45-953c-08f86d80d43f/resourceGroups/RD-FoundationalServices-rg" already exists - to be managed via Terraform this resource needs to be imported into the State. Please see the resource documentation for "azurerm_resource_group" for more information.
  • a

    ancient-megabyte-79588

    04/01/2020, 6:26 PM
    export const resourceGroupName = "<your_resource_group_name>";
    // get the Azure Resource Group
    const resourceGroup = azure.core.ResourceGroup.get(resourceGroupName, `/subscriptions/<subscriptionId>/resourceGroups/${resourceGroupName}`);
    @enough-kite-69616 ^^^
  • a

    ancient-megabyte-79588

    04/01/2020, 6:31 PM
    Has anyone been able to use a publicIpAddress from an azure resource when provisioning an Nginx Ingress Controller? I can't seem to get the nginx-ingress-controller to accept the one I provide in pulumi with this code.
    // Deploy ingress-controller using helm to AKS Cluster
    const nginxIngress = new k8s.helm.v3.Chart("nginx2", {
        chart: "nginx-ingress-controller",
        repo: "bitnami",
        values: {
            "controller.service.loadBalancerIP": infra.getOutput("publicIpAddress"),
            serviceType: "LoadBalancer",
            nodeCount: 2,
        }
    }, {provider: k8sProvider});
  • a

    ancient-megabyte-79588

    04/01/2020, 6:32 PM
    I've also tried but that doesn't seem to work either
    // Deploy ingress-controller using helm to AKS Cluster
    const nginxIngress = new k8s.helm.v3.Chart("nginx2", {
        chart: "nginx-ingress-controller",
        repo: "bitnami",
        values: {
            controller: { service: { loadBalancerIP: infra.getOutput("publicIpAddress") } },
            serviceType: "LoadBalancer",
            nodeCount: 2,
        }
    }, {provider: k8sProvider});
  • a

    ancient-megabyte-79588

    04/01/2020, 6:33 PM
    My load balancers always provision a new IP address from Azure, which doesn't help with setting up the public DNS entries
  • a

    ancient-megabyte-79588

    04/01/2020, 6:59 PM
    @gorgeous-egg-16927 ^^^
  • e

    enough-kite-69616

    04/01/2020, 8:02 PM
    Okay, running into a new issue. How do I tell which thing it's saying I don't have rights to create?
    Updating (dev):
         Type                                             Name             Status                  Info
         pulumi:pulumi:Stack                              dapr-poc-dev     **failed**              1 error; 2 warnings
     +   ├─ azuread:index:Application                     aks              **creating failed**     1 error
     +   └─ azure:operationalinsights:AnalyticsWorkspace  aksloganalytics  created
    
    Diagnostics:
      pulumi:pulumi:Stack (dapr-poc-dev):
        warning: resource plugin azure is expected to have version >=2.3.1, but has ; the wrong version may be on your path, or this may be a bug in the plugin
        warning: resource plugin azuread is expected to have version >=1.8.0, but has ; the wrong version may be on your path, or this may be a bug in the plugin
        error: update failed
    
      azuread:index:Application (aks):
        error: graphrbac.ApplicationsClient#Create: Failure responding to request: StatusCode=403 -- Original Error: autorest/azure: Service returned an error. Status=403 Code="Unknown" Message="Unknown service error" Details=[{"odata.error":{"code":"Authorization_RequestDenied","date":"2020-04-01T19:53:21","message":{"lang":"en","value":"Insufficient privileges to complete the operation."},"requestId":"d1c7500a-eb0c-4bd7-b182-86b214c1eb15"}}]
  • e

    enough-kite-69616

    04/01/2020, 8:12 PM
    Looks like it's Azure AD
  • a

    astonishing-afternoon-15745

    04/01/2020, 8:26 PM
    @enough-kite-69616 you are right. How are you running this command? With a user or with an SP (with a CI)?
  • e

    enough-kite-69616

    04/01/2020, 8:27 PM
    @astonishing-afternoon-15745 You lost me... I'm just getting started with Azure and Pulumi
  • a

    astonishing-afternoon-15745

    04/01/2020, 8:27 PM
    Alright. Are you running this command in your terminal or with a build server like Azure DevOps?
  • e

    enough-kite-69616

    04/01/2020, 8:27 PM
    Terminal
  • a

    astonishing-afternoon-15745

    04/01/2020, 8:28 PM
    Alright. Then you have authenticated with the AZ CLI tool.
  • e

    enough-kite-69616

    04/01/2020, 8:28 PM
    Yes, it will let me create the analytics
  • a

    astonishing-afternoon-15745

    04/01/2020, 8:29 PM
    Indeed, but your account needs the right to talk with the Azure Active Directory Graph api and it currently is not allowed to do so.