Next stumbling block in automating APIM creation… a bit of a deadlock. Our Pulumi program: 1. creates

ApiManagementService

and configures it to have a system-assigned managed identity 2. must specify the custom hostname at creation time in the

HostnameConfigurationArgs

property, which references a certificate in key vault 3. but APIM fails to create because to read the cert from key vault, it needs an access policy… 4. but the

KeyVaultAccessPolicy

to give the APIM managed identity access to read secrets from key vault can only be created after the APIM service has been created, which can’t happen… So, APIM resource creation depends on the key vault access policy, which depends on the APIM resource… deadlock. Any advice on what do do in this situation?

Sounds like a circular dependency. There's a few of these in Azure unfortunately. E.g. https://github.com/pulumi/pulumi-azure-native/issues/578 is a similar scenario. There's a couple of options available that could work?: • Use a user assigned managed identity for APIM. This allows assigning permissions to the identity before creating APIM • Use a separate declaration for the APIM host configuration - not familiar with the setup but it looks like it can be declared independent of the APIM instance https://www.pulumi.com/registry/packages/azure-native/api-docs/apimanagement/gatewayhostnameconfiguration/

@gray-ambulance-59402 thank you!!! 👍 I tried both of these, and they both work! I’m going with the user-assigned managed identity solution, it’s just the simplest option given how our code is structured. Awesome answer. 🙏