# azure
m
Hi everyone, wondering if anyone has gotten the Pulumi Azure task extension for Azure Pipelines to work without setting PULUMI_ACCESS_TOKEN?
I have Azure Storage and secrets backends set up instead of using Pulumi Cloud.
r
hi Reuben, in our pipeline templates we use an SSL cert, setting up a few env variables in an AzureCli@2 inline script task:

```
# Variables required by Pulumi's Azure providers.
$certLocalPath = "${{ variables.cert_local_path }}"
Write-Host "##vso[task.setvariable variable=ARM_SUBSCRIPTION_ID]$(PULUMISTORAGEACCOUNTSUBSCRIPTION)"
Write-Host "##vso[task.setvariable variable=ARM_CLIENT_ID]$env:servicePrincipalId"
Write-Host "##vso[task.setvariable variable=ARM_TENANT_ID]$env:tenantId"
Write-Host "##vso[task.setvariable variable=ARM_CLIENT_CERTIFICATE_PATH]$certLocalPath"
Write-Host "##vso[task.setvariable variable=AZURE_SUBSCRIPTION_ID]$(PULUMISTORAGEACCOUNTSUBSCRIPTION)"
Write-Host "##vso[task.setvariable variable=AZURE_CLIENT_ID]$env:servicePrincipalId"
Write-Host "##vso[task.setvariable variable=AZURE_TENANT_ID]$env:tenantId"
Write-Host "##vso[task.setvariable variable=AZURE_CERTIFICATE_PATH]$certLocalPath"
```

Then we download the service principal cert to $certLocalPath:

```
inlineScript: |
  $certData = try { [Convert]::FromBase64String('$(PRIMARYSERVICEPRINCIPALCERTIFICATE)') } catch {}
  if ($certData) {
    Write-Host '--- Decode & create service principal certificate ---'
    Set-Content ${{ variables.cert_local_path }} -Value $certData -AsByteStream
  } else {
    Write-Host '--- Certificate data is missing or invalid. Skipping certificate file creation. ---'
    Write-Host '--- This is fine if your pipeline does not create any Azure resources. ---'
  }
```

Of course RBAC perms for the principal are required. We bootstrap that via Pulumi as well on a different stack... Hope this helps!
m
@rhythmic-activity-46295, what does your pipeline yaml look like?
r
We use a common repo to contain the main templates, which are then referenced by our pipelines in general. The following two tasks are required to use Pulumi via service principal RBAC perms.
There is a lot more to it, but... I guess I can leave here the idea of using the actual service principal to access the Pulumi storage account via RBAC. Auth is done using the cert.
m
Ok, thanks. The SSL cert auth is a bit more complex than I'm ready for right now 🙂. Esp since I'm not an admin and would have to request access. I wound up plugging in my current API token and, as the issue stated, it still logs in via the Azure Storage backend. So now I just need to request the appropriate service connection access, since the pipeline is failing when it attempts to fetch from Azure Storage.
```yaml
# AZURE_STORAGE_CONTAINER is listed under variables

- job: Pulumi
  condition: in(variables['Build.Reason'], 'Manual')
  steps:
  - task: Pulumi@1
    inputs:
      azureSubscription: $(subscriptionConnectionName)
      command: up
      args: '--yes --logtostderr'
      cwd: $(cwd)
      stack: dev
    env:
      PULUMI_ACCESS_TOKEN: $(pulumiAccessToken)
      AZURE_STORAGE_ACCOUNT: $(storageAccount)
```