nice-application-79035
04/08/2024, 4:39 PM
azurekeyvault as a secret provider. From the observation of the below task, first it set the secret provider as an azurekeyvault but when pulumi up starts running, and during the run it changes the secret provider to passphrase. I am not able to understand why it is changing the secret provider from azurekeyvault to passphrase. Can someone please let me know the reason?
- task: AzureCLI@2
  displayName: 'Pulumi stack select and up'
  inputs:
    azureSubscription: '${{ parameters.azureSubscription }}'
    scriptType: 'bash'
    scriptLocation: 'inlineScript'
    addSpnToEnvironment: true
    inlineScript: |
      pulumi login --cloud-url azblob://$(PULUMI_STACKS_BLOB_CONTAINER)?storage_account=$(AMAP_DEV_STORAGE_ACCOUNT)
      cd $(Build.SourcesDirectory)/cicd/iac/
      pulumi stack select organization/ruc/$(stackName)
      pulumi stack change-secrets-provider $(AMAP_DEV_PULUMI_KEY_URL)
      pulumi up --yes --config-file=$(CONFIG_FILE_PATH)
  env:
    AZURE_STORAGE_ACCOUNT: $(AMAP_DEV_STORAGE_ACCOUNT)
    AZURE_STORAGE_KEY: $(AMAP_DEV_STORAGE_ACCOUNT_KEY)
    ARM_CLIENT_ID: $(ARM-CLIENT-ID)
    ARM_TENANT_ID: $(ARM-TENANT-ID)
    ARM_CLIENT_SECRET: $(ARM-CLIENT-SECRET)
    ARM_ENVIRONMENT: '${{ variables.cloudEnvironment }}'
    AZURE_KEYVAULT_AUTH_VIA_CLI: 'true'
    PULUMI_CONFIG_PASSPHRASE:
nice-application-79035
04/10/2024, 6:32 AM
ripe-park-70944
04/10/2024, 8:35 AM
change-secrets-provider command every run, I believe it's a command you only need to run once and that change is saved to the state file (and config file for some providers). Second, in your bash script the $(VARIABLE) syntax is being interpreted by bash directly and bash will try to execute the value of the variable. Azure Pipelines variables are passed as environment variables to scripts so you can refer to them using the $VARIABLE syntax.
For reference, I'm using a deploy script that looks much like this:
cd "$(System.DefaultWorkingDirectory)/${{ parameters.workingDir }}"
pulumi login $STATE_BACKEND_URI
pulumi up --non-interactive -s $STACK_NAME