👋 Hello everybody,
I wish to automate database, user, and grant resource provisioning on a PSQL Flex Server with VirtualNetwork integration. The DB instance is thus deployed on a delegated subnet, which means that automation with pulumi would require one of the following:
1. To create Network Security Groups and Firewalls to allow access from outside the VNET.
2. To run pulumi inside the VNET.
3. To run a job inside a k8s cluster deployed in the same vnet (which is supposed to use PSQL Flex Server for persistence).
4. Some other solution I’m not aware of?
Your ideas will be appreciated.
Many thanks 🙂
09/27/2023, 7:15 AM
I've had to do exactly that.
In my situation, I want to run database provisioning (setting up user accounts for example), but also do database schema migrations.
I've 'solved' it by having a separate container app job. This container app runs once before the rest of the deployment.
Challenge is, now I have to do much more orchestration of my deployment (first deploy / run the container with the new initialization scripts, then deploy the actual app once it's completed successfully). I've been told you could do something similar with container initialization jobs, but haven't had a chance to look into that too much.
I know @fresh-summer-65887 took a different route, where he containerized the pulumi application deployment and runs it inside the vnet.
10/02/2023, 3:06 PM
Solutions I've done in the past revolved around having CD "deployment" agents running connected to the VNET, e.g. a self-hosted GitHub Actions agent. These deployment agents would be authorized to do deployment-only activities (which would include database/data migration tasks), never CI build jobs. They'd be locked down with very limited internet access (perhaps just back to GitHub Actions), not directly addressable over the internet, etc.
I also typically design my VNETs / VPCs such that there is an "ops VNET" upon which such hosts live and have peering to the various environment VNETs/VPCs.