
powerful-football-81694

10/31/2021, 6:25 PM
Next stumbling block in automating APIM creation… a bit of a deadlock. Our Pulumi program:
1. creates ApiManagementService and configures it to have a system-assigned managed identity
2. must specify the custom hostname at creation time in the HostnameConfigurationArgs property, which references a certificate in key vault
3. but APIM fails to create because to read the cert from key vault, it needs an access policy…
4. but the KeyVaultAccessPolicy to give the APIM managed identity access to read secrets from key vault can only be created after the APIM service has been created, which can’t happen…
So, APIM resource creation depends on the key vault access policy, which depends on the APIM resource… deadlock. Any advice on what to do in this situation?
Any advice on this from you Pulumi folks?

gray-ambulance-59402

11/09/2021, 10:06 PM
Sounds like a circular dependency. There's a few of these in Azure unfortunately. E.g. https://github.com/pulumi/pulumi-azure-native/issues/578 is a similar scenario. There's a couple of options available that could work?:
• Use a user assigned managed identity for APIM. This allows assigning permissions to the identity before creating APIM
• Use a separate declaration for the APIM host configuration - not familiar with the setup but it looks like it can be declared independent of the APIM instance https://www.pulumi.com/registry/packages/azure-native/api-docs/apimanagement/gatewayhostnameconfiguration/

powerful-football-81694

11/10/2021, 11:10 AM
@gray-ambulance-59402 thank you!!! 👍 I tried both of these, and they both work! I’m going with the user-assigned managed identity solution, it’s just the simplest option given how our code is structured. Awesome answer. 🙏