# general
n
Hi everyone, I am using Azure Storage Blob for saving Pulumi stack state as a backend. I use a Pulumi task in the Azure DevOps pipeline to perform any of the Pulumi commands to update the state in any of our environments. Below is the task where I am running Pulumi commands as part of the bash script. I am trying to use `azurekeyvault` as a secret provider. From observing the task below, it first sets the secret provider to `azurekeyvault`, but when `pulumi up` starts running, during the run it changes the secret provider to `passphrase`. I am not able to understand why it is changing the secret provider from `azurekeyvault` to `passphrase`. Can someone please let me know the reason?
```yaml
- task: AzureCLI@2
  displayName: 'Pulumi stack select and up'
  inputs:
    azureSubscription: '${{ parameters.azureSubscription }}'
    scriptType: 'bash'
    scriptLocation: 'inlineScript'
    addSpnToEnvironment: true
    inlineScript: |
      pulumi login --cloud-url azblob://$(PULUMI_STACKS_BLOB_CONTAINER)?storage_account=$(AMAP_DEV_STORAGE_ACCOUNT)
      cd $(Build.SourcesDirectory)/cicd/iac/
      pulumi stack select organization/ruc/$(stackName)
      pulumi stack change-secrets-provider $(AMAP_DEV_PULUMI_KEY_URL)
      pulumi up --yes --config-file=$(CONFIG_FILE_PATH)
  env:
    AZURE_STORAGE_ACCOUNT: $(AMAP_DEV_STORAGE_ACCOUNT)
    AZURE_STORAGE_KEY: $(AMAP_DEV_STORAGE_ACCOUNT_KEY)
    ARM_CLIENT_ID: $(ARM-CLIENT-ID)
    ARM_TENANT_ID: $(ARM-TENANT-ID)
    ARM_CLIENT_SECRET: $(ARM-CLIENT-SECRET)
    ARM_ENVIRONMENT: '${{ variables.cloudEnvironment }}'
    AZURE_KEYVAULT_AUTH_VIA_CLI: 'true'
    PULUMI_CONFIG_PASSPHRASE:
```
Can someone please look into this? I might be missing something trivial. Thank you for the help in advance!
r
Hi Leena, a couple of things stick out to me here. First, you shouldn't need to run the `change-secrets-provider` command every run; I believe it's a command you only need to run once, and that change is saved to the state file (and the config file for some providers). Second, in your bash script the `$(VARIABLE)` syntax is being interpreted by bash directly, and bash will try to execute the value of the variable. Azure Pipelines variables are passed as environment variables to scripts, so you can refer to them using the `$VARIABLE` syntax. For reference, I'm using a deploy script that looks much like this:
```bash
cd "$(System.DefaultWorkingDirectory)/${{ parameters.workingDir }}"
pulumi login $STATE_BACKEND_URI
pulumi up --non-interactive -s $STACK_NAME
```