https://pulumi.com logo
Join Slack
Powered by
This message was deleted.
# azure
s
This message was deleted.
b
can you elaborate? it should just be as simple as modifying the code?
a
as in one project has created a shared keyvault, then another project has inserted a secret, now a resource it creates needs to use a keyvault reference, the only way it can is if it has the access policy updated on the shared keyvault
b
you’ll need to update the original project
a
in pulumi
b
yes, there is a way, but that’s an imperative operation. pulumi is declarative If you modify the project with the keyvault in, it’ll basically perform the same API call as 
az keyvault set policy
a
Right, but if I continually re-deploy project 2 generating new system assigned ids - then I'll constantly have to update project 1... but that's no good. It sounds like pulumi doesn't expose an API like 
AccessPolicy
, where you can supply a key vault name, an object id and some policies, and it will just run the single command...
I think it's quite a common scenario, once you created resources in other projects, that they might need access back to that shared keyvault, so being able to add a 
AccessPolicy
pulumi resource to each of the projects that can update the keyvault seems like a good approach
b
generating new system assigned ids
Why would updating the policy generate new system assigned ids?
It sounds like pulumi doesn’t expose an API like AccessPolicy
Pulumi maps every ARM API to a resource, so it definitely does. I’m sure this is a misunderstanding. Can you share any code?
I think what you’re trying to do is have https://www.pulumi.com/registry/packages/azure-native/api-docs/keyvault/vault/#accesspolicyentry this be its own resource?
a
Why would updating the policy generate new system assigned ids?
other projects will create resources that will have their own system identities, these will be created if the resource is every re-created
It sounds like you can only create access policies when you create a vault - not after the fact - which is when you're likely to create other resources that need access to said vault
b
if you define a keyvault with an access policy
Copy code
vault = keyvault.KeyVault(
    "vault",
    resource_group_name=resource_group.name,
    sku_name="standard",
    tenant_id=tenant_id,
    access_policies=[keyvault.KeyVaultAccessPolicyArgs(
        tenant_id=tenant_id,
        object_id=current_principal,
        secret_permissions=["delete", "get", "list", "set"]
    )]
)
Then you want to add a new policy:
Copy code
vault = keyvault.KeyVault(
    "vault",
    resource_group_name=resource_group.name,
    sku_name="standard",
    tenant_id=tenant_id,
    access_policies=[
      keyvault.KeyVaultAccessPolicyArgs(
        tenant_id=tenant_id,
        object_id=current_principal,
        secret_permissions=["delete", "get", "list", "set"]
       ),
       keyvault.KeyVaultAccessPolicyArgs(
        tenant_id=new_tenant_id,
        object_id=new_current_principal,
        secret_permissions=["delete", "get", "list", "set"])
     
    ]
)
It’ll just update the policy.
it won’t create anything new, it just appends the new policy to the keyvault
i’m happy to jump on a call to explain this if it’ll help
a
that's a bit much for updating a single policy...
I might look at alternative patterns
4 Views
Open in Slack
PreviousNext
Powered by