# azure
s
This message was deleted.
g
Can you share your code?
Can you share the conflicts error you're getting as well?
r
```
105942 Info | error: azuredevopsindex/variableGroupVariableGroup resource 'sp-credentials-dev' has a problem: "variable.0.value": conflicts with key_vault
105942 Info | error: azuredevopsindex/variableGroupVariableGroup resource 'sp-credentials-dev' has a problem: "variable.0.secret_value": conflicts with key_vault
105942 Info | error: azuredevopsindex/variableGroupVariableGroup resource 'sp-credentials-dev' has a problem: "variable.0.is_secret": conflicts with key_vault
```
here's an attempt with an empty variable array.

```
error: azuredevopsindex/variableGroupVariableGroup resource 'sp-credentials-dev' has a problem: variable: attribute supports 1 item as a minimum, config has 0 declared
```
variables foo bar is not a secret in our keyvault either
here's the full POC.
```typescript
const servicePrincipal = new vznaz.aad.ServicePrincipal('octopus-sp', {
  name: vznaz.Naming.ServicePrincipal(
    `${resourceConfigs.app}-octopus`,
    resourceConfigs.env,
    resourceConfigs.location,
    resourceConfigs.instance
  ),
}, {
  dependsOn: [resourceGroup]
});

/***************************************************************************************************** */
// TODO: This is for POC for devops service connection
import * as ado from "@pulumi/azuredevops";
import * as azmeta from '@vizientinc/azure-metadata';

    var serviceEndpointName = `EFMigrations-${resourceConfigs.env}`
    const adoProject = vznpulumi.pulumi.output(ado.getProject({
      name: 'ProjectAccess'
    }));
    if(resourceGroup){
        new vznaz.azure.authorization.Assignment('ado-sp-rg-contributor',{
            principalId: servicePrincipal.principal.objectId,
            scope:  resourceGroup.id,
            roleDefinitionName: 'Contributor',
        });
    }
    const subInfo = azmeta.Subscription.getById(resourceConfigs.subscriptionId)
    const serviceEndpoint = new ado.ServiceEndpointAzureRM(`azure-rp-${resourceConfigs.env}`, {
        projectId: adoProject.id,
        serviceEndpointName: serviceEndpointName,
        description: "Managed by Pulumi",
        credentials: {
            //serviceprincipalid: servicePrincipal.principal.objectId,
            serviceprincipalid: servicePrincipal.principal.applicationId,
            serviceprincipalkey: servicePrincipal.password.result,
        },
        azurermSpnTenantid: vznaz.AADTenantId,
        azurermSubscriptionId: subInfo.id,
        azurermSubscriptionName: subInfo.displayName,
    },
    {
        dependsOn: servicePrincipal.principal
    });
//     new ado.VariableGroup(`sp-credentials-${resourceConfigs.env}`, {
//         projectId: adoProject.id,
//         description: "Elevated Service Principals Credentials for Migrations",
//         allowAccess: true,
//         variables: [{name: "foo", value: "bar", isSecret: false}],
//         keyVault: {name: keyVault.name, serviceEndpointId: serviceEndpoint.id},
//     },
//     {
//       dependsOn: [serviceEndpoint, servicePrincipal, keyVault]
//     });
/***************************************************************************************************** */

new vznaz.azure.keyvault.Secret(
  `octopus-clientId-${resourceConfigs.instance}`,
  {
    name: `OctopusClientId`,
    keyVaultId: keyVault.id,
    tags: TAGS,
    value: servicePrincipal.principal.applicationId,
  },
  {
    dependsOn: [resourceGroup, ...keyVault.requiredPolicies],
    protect: true,
  }
);
new vznaz.azure.keyvault.Secret(
  `octopus-clientSecret-${resourceConfigs.instance}`,
  {
    name: `OctopusClientSecret`,
    keyVaultId: keyVault.id,
    tags: TAGS,
    value: servicePrincipal.password.result,
  },
  {
    dependsOn: [resourceGroup, ...keyVault.requiredPolicies],
    protect: true,
  }
);
```