https://pulumi.com logo
Join Slack
Powered by
This message was deleted.
# getting-started
s
This message was deleted.
f
Or do I need to use the Azure Classic over Azure Native?
r
What language are you using? The access policies are set on the key vault itself according to the docs you linked. I have only used it on new key vaults, but it should work if you have an existing key vault as well. Run the import first and after that you should be able to add the access policies you want
f
typescript
well there is a chick egg problem here, so I need to modify the access policies after they have been created
I have been able to do so with the Azure Classic npm package based of terraform, but not the recommended npm package azure-native
m
Since the azure native provider is built on the OpenAPI spec Microsoft publishes, supporting access policies would require custom work. We have an open issue: https://github.com/pulumi/pulumi-azure-native/issues/594 For the time being, the best recommendation is to use the bridged (TF-based) provider for the policies, and you can use the native provider for everything else.
🙌 1
f
Thank you for the response @melodic-tomato-39005
@melodic-tomato-39005 there is a note in the documentation for 
azure.keyvault.AccessPolicy
NOTE: It’s possible to define Key Vault Access Policies both within the 
azure.keyvault.KeyVault
resource via the 
access_policy
block and by using the 
azure.keyvault.AccessPolicy
resource. However it’s not possible to use both methods to manage Access Policies within a KeyVault, since there’ll be conflicts.
Seemed to me like this led to issues with my policies defined when creating the key vault, so I changed to adding access policies with azure classic approach but then I get the error that no access policy is defined when trying to create the key vault 🤦‍♂️
I changed to creating the keyvault, secrets, policies etc with the azure classic package but I keep getting the errors
Copy code
azure:keyvault:Secret (storage-fa-dev.DataLakeConnectionString):
    error: 1 error occurred:
        * A resource with the ID "<https://kv-dev.vault.azure.net/secrets/storage-fa-dev-DataLakeConnectionString/11135227962c>" already exists - to be managed via Terraform this resource needs to be imported into the State. Please see the resource documentation for "azurerm_key_vault_secret" for more information.
However doing a 
pulumi refresh
does not help, and I have also resorted to deleting the whole keyvault, access policies, secrets etc, and then do a 
pulumi refresh
before 
pulumi up
and I keep getting this error 🤷‍♂️ I guess TF keeps some kind of state also but how do I refresh that state if pulumi doesn't do it for me?
b
@fancy-artist-45287 what is not working if you add access policies using the accessPolicies property, from azure_native provider: https://www.pulumi.com/registry/packages/azure-native/api-docs/keyvault/vault/#accesspolicyentry ? I mean on my side this is how i add new policies for a keyvault, and didn't see an issue so far.
f
when running 
pulumi up
multiple times it sometimes removes and adds policies even tho nothing has changed in the code as it seems to get confused after a 
pulumi refresh
However it’s not possible to use both methods to manage Access Policies within a KeyVault, since there’ll be conflicts.
Guess it's related to this note in the azure classic docs
To get rid of the Terraform error I had to completely delete my resource group in azure and my pulumi stack
b
Ok but if you maintain kevault only using azure-native?
f
then I cant add accesspolicies after the keyvault has been created, can only supply access policies when it is created as mentioned here by Thomas Kappler
b
ok, i will give it a try to import an existing kv and then try to add policies and see how this will work out
👍 1
f
Given this sudo code you can see my problem
Copy code
const kv = new keyvault();

const account = new storageaccont();
const secret = new secret(kv.id, account.connectionstring);

const app = new appservice();
const setting = new appsetting(app.id, secret.id);

const policy = new accesspolicy(kv.id, app.id, ['Get']);
so either I add the app settings post create of kv, app and accesspolicy or i create the policy post...
b
so your target is to map probably a file share to an web app service using the access key which will be stored in kv and from which the web app service will take it?
f
yeah among many other things
b
I didn't see any issue with having the access policies being managed under kv with azure native:
Copy code
const userAssignedIdentity = new azure_native.managedidentity.UserAssignedIdentity("userAssignedIdentity", {
    location: "westeurope",
    resourceGroupName: "1111111111111111111111111111111111",
    resourceName: "1111111111111111111111111111111111",
});

const kv1 = new azure_native.keyvault.Vault("kv1", {
    location: "westeurope",
    properties: {
        accessPolicies: [
        {
            tenantId: "1111111111111111111111111111111111",
            objectId: "1111111111111111111111111111111111",
            "permissions": {
              "certificates": [
                "Get",
              ],
              "keys": [
                "Get",
              ],
              "secrets": [
                "Get",
              ]
            }
          },{
            tenantId: "1111111111111111111111111111111111",
            objectId: userAssignedIdentity.clientId,
            "permissions": {
              "certificates": [
                "Get",
                "List",
              ],
              "keys": [
                "Get",
                "List",
              ],
              "secrets": [
                "Get",
                "List",
              ]
            }
          },],
        enablePurgeProtection: true,
        enableRbacAuthorization: false,
        enableSoftDelete: true,
        enabledForDeployment: false,
        enabledForDiskEncryption: false,
        enabledForTemplateDeployment: false,
Whatever pulumi refresh/up i did i was not able to see any issues with policies got deleted or recreated
f
and you added policies with azure classic afterwards?🤔
b
no, but what is the point to use it with azure classic? since i can maintain it with azure native...i suppose this part is missing to me
f
well since i dont know all access policies i need up front when creating the keyvault I need to add them afterwards? and azure native does not have that capability?
b
ok, but in my example i have created from the portal a keyvault, without any policy, and i've imported it into a pulumi project, and from the polumi project i started to add new policies, using the accessPolicies property
f
yeah that should probably work
b
So under the accessPolicies properties, you add additional ones:
f
So lets go through this step by step 1. Create Database 2. Create WebApp 3. Create KeyVault a. With secret Database connection string b. With access policy for WebApp 4. Add secret key vault reference from KeyVault to WebApp Step 4 can't be done before both the KeyVault and WebApp has been created, and I dont know of a way to add WebApp settings after it has been created. The other approach is 1. Create KeyVault 2. Create Database 3. Create Secret in KeyVault with Database Connectionstring 4. Create WebApp a. With secret we just created as app setting 5. Create AccessPolicy for WebApp to KeyVault Step 5 can't be done in Azure Native but can be done in Azure Classic
b
As long as you have resource references between them, i don't see why you will not be able to have option 1. Because pulumi is smart enough to know which resource needs to be created first, based on the references you do between resources. For accessing the keyvault from appservice i would recommend to use user assigned identity instead of system-assigned-identity
Also most of the time for these references you will need to make use of pulumi.interpolate which gives you flexibility for properties you want to use but are not available yet
14 Views
Open in Slack
PreviousNext
Powered by