
ripe-eve-62815

04/07/2021, 4:35 PM
Hi, I'm looking to leverage the Pulumi ADO library to create a service endpoint with a custom VariableGroup. According to the documentation, a variable group should obtain its secrets from a Key Vault; however, I cannot seem to get this to work — Pulumi complains about conflicts. The documentation defines the `variables` block as required. I've tried (1) an empty array and (2) names not related to any Key Vault value:
//     new ado.VariableGroup(`sp-credentials-${resourceConfigs.env}`, {
//         projectId: adoProject.id,
//         description: "Elevated Service Principals Credentials for Migrations",
//         allowAccess: true,
//         variables: [{name: "foo", value: "bar", isSecret: false}],
//         keyVault: {name: keyVault.name, serviceEndpointId: serviceEndpoint.id},
//     },
//     {
//       dependsOn: [serviceEndpoint, servicePrincipal, keyVault]
//     });
Can somebody offer some help?

gentle-diamond-70147

04/07/2021, 4:36 PM
Can you share your code?
Can you share the conflicts error you're getting as well?

ripe-eve-62815

04/07/2021, 5:03 PM
10:59:42 Info | error: azuredevops:index/variableGroup:VariableGroup resource 'sp-credentials-dev' has a problem: "variable.0.value": conflicts with key_vault 10:59:42 Info | error: azuredevops:index/variableGroup:VariableGroup resource 'sp-credentials-dev' has a problem: "variable.0.secret_value": conflicts with key_vault 10:59:42 Info | error: azuredevops:index/variableGroup:VariableGroup resource 'sp-credentials-dev' has a problem: "variable.0.is_secret": conflicts with key_vault
here's an attempt with an empty variable array. error: azuredevops:index/variableGroup:VariableGroup resource 'sp-credentials-dev' has a problem: variable: attribute supports 1 item as a minimum, config has 0 declared
The variable `foo`/`bar` is not a secret in our Key Vault either.
Here's the full POC:
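/**
 * POC: create an Azure AD service principal for Octopus, register it as an
 * Azure DevOps (ADO) Azure RM service connection, and persist its credentials
 * in Key Vault.
 *
 * Assumes `vznaz`, `vznpulumi`, `resourceConfigs`, `resourceGroup`, `keyVault`
 * and `TAGS` are in scope from earlier in the file (not shown here).
 */
const servicePrincipal = new vznaz.aad.ServicePrincipal(
  'octopus-sp',
  {
    name: vznaz.Naming.ServicePrincipal(
      `${resourceConfigs.app}-octopus`,
      resourceConfigs.env,
      resourceConfigs.location,
      resourceConfigs.instance,
    ),
  },
  { dependsOn: [resourceGroup] },
);

/***************************************************************************************************** */
// TODO: This is for POC for devops service connection
// NOTE(review): ES module imports are hoisted, but declaring them mid-file hides
// the dependency; move these up with the file's other imports.
import * as ado from '@pulumi/azuredevops';
import * as azmeta from '@vizientinc/azure-metadata';

const serviceEndpointName = `EFMigrations-${resourceConfigs.env}`;
const adoProject = vznpulumi.pulumi.output(ado.getProject({ name: 'ProjectAccess' }));

// Grant the service principal Contributor on the resource group, but only when
// a resource group was actually created earlier in the file.
if (resourceGroup) {
  new vznaz.azure.authorization.Assignment('ado-sp-rg-contributor', {
    principalId: servicePrincipal.principal.objectId,
    scope: resourceGroup.id,
    roleDefinitionName: 'Contributor',
  });
}

const subInfo = azmeta.Subscription.getById(resourceConfigs.subscriptionId);

// ADO Azure RM service connection authenticating as the service principal above.
// The generated SP password is passed straight through as the connection secret.
const serviceEndpoint = new ado.ServiceEndpointAzureRM(
  `azure-rp-${resourceConfigs.env}`,
  {
    projectId: adoProject.id,
    serviceEndpointName,
    description: 'Managed by Pulumi',
    credentials: {
      // Uses the application (client) id; an earlier attempt with
      // `servicePrincipal.principal.objectId` was dropped.
      serviceprincipalid: servicePrincipal.principal.applicationId,
      serviceprincipalkey: servicePrincipal.password.result,
    },
    azurermSpnTenantid: vznaz.AADTenantId,
    azurermSubscriptionId: subInfo.id,
    azurermSubscriptionName: subInfo.displayName,
  },
  { dependsOn: servicePrincipal.principal },
);

// Key-Vault-backed variable group — currently disabled.
// The provider rejects `value` / `isSecret` on `variables` when `keyVault` is set
// ("conflicts with key_vault"), yet still requires at least one `variables` entry.
// Presumably each entry should then carry only `name`, matching a secret that
// already exists in the vault (e.g. the two secrets created below, which the
// group would also need to depend on) — confirm against the provider docs before
// re-enabling.
// NOTE(review): `allowAccess: true` presumably shares the group with every
// pipeline in the project; scope it down if only the migration pipeline needs it.
// new ado.VariableGroup(
//   `sp-credentials-${resourceConfigs.env}`,
//   {
//     projectId: adoProject.id,
//     description: 'Elevated Service Principals Credentials for Migrations',
//     allowAccess: true,
//     variables: [{ name: 'foo', value: 'bar', isSecret: false }],
//     keyVault: { name: keyVault.name, serviceEndpointId: serviceEndpoint.id },
//   },
//   { dependsOn: [serviceEndpoint, servicePrincipal, keyVault] },
// );
/***************************************************************************************************** */

// Persist the SP credentials in Key Vault. The `protect` resource option guards
// the secrets against deletion on a destroy/replace.
new vznaz.azure.keyvault.Secret(
  `octopus-clientId-${resourceConfigs.instance}`,
  {
    name: 'OctopusClientId',
    keyVaultId: keyVault.id,
    tags: TAGS,
    value: servicePrincipal.principal.applicationId,
  },
  {
    dependsOn: [resourceGroup, ...keyVault.requiredPolicies],
    protect: true,
  },
);

new vznaz.azure.keyvault.Secret(
  `octopus-clientSecret-${resourceConfigs.instance}`,
  {
    name: 'OctopusClientSecret',
    keyVaultId: keyVault.id,
    tags: TAGS,
    value: servicePrincipal.password.result,
  },
  {
    dependsOn: [resourceGroup, ...keyVault.requiredPolicies],
    protect: true,
  },
);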