
rhythmic-finland-36256

09/19/2019, 12:36 PM
Question: How to create database specific users when using `azure.sql.SQLServer` and inside of it some `azure.sql.Database`s with pulumi?
The `SQLServer` has an admin user, but I’m missing the way of creating specific users for the databases I create inside the server to hand those restricted users to some service / container instance that should use the database. Technically it works with the SQL admin user but I want each service to have a dedicated user to its database.
Doing this outside of the pulumi context (or even manually) destroys all mechanisms of passing the credentials to the service.
I found this blog post (https://mikhail.io/2018/06/programmable-cloud-provisioning-azure-app-service-with-pulumi/) by @tall-librarian-49374 which also has an example application here: https://github.com/pulumi/examples/blob/21e672e577c82a0df4b7e6e5d0184e78fdefe0c6/azure-ts-appservice/index.ts#L97 but it also uses the admin credentials inside the `AppService`.

tall-librarian-49374

09/19/2019, 12:43 PM
Yes, guilty!

rhythmic-finland-36256

09/19/2019, 12:43 PM
Thanks for that blog post. No blaming intended!

tall-librarian-49374

09/19/2019, 12:44 PM
You should totally create non-admin users. I guess you should probably have a SQL script for this and run it out of pulumi program?

rhythmic-finland-36256

09/19/2019, 12:44 PM
I’d like to automate that inside the pulumi program but looking for a good way to do it. For terraform, there is this `nullresource` “hack” that executes code. https://stackoverflow.com/questions/54326033/add-azure-sql-user-with-terraform

tall-librarian-49374

09/19/2019, 12:46 PM
If you need a hack, you could make a dynamic provider for this.

rhythmic-finland-36256

09/19/2019, 12:46 PM
As we have a real programming language and access to all server names and credentials, we should be able to execute this logic from within the pulumi program (and even create some random passwords for those users).
My question is more if I need to do such a hack or if there are easier ways of executing code. I’m wondering what I need to take care of to work nicely within the preview phase. I assume this could cause some issues as the code can only be executed when in the real execution.
I read about `isDryRun` but not sure if that’s a good practice for that.

tall-librarian-49374

09/19/2019, 12:48 PM
A dynamic provider would take care of this. It's not really a hack, just that it's manual work.

rhythmic-finland-36256

09/19/2019, 12:49 PM
Yes, sure. This is not a failure of pulumi, but more of a missing feature on the azure api I guess.
I’m fine with implementing this part.
Then I’ll have a look at the DynamicProvider documentation. Thanks for this direction! 👍

tall-librarian-49374

09/19/2019, 12:51 PM
In terms of Azure, this is clearly a data plane thing, ARM doesn't know about SQL users.
Like you can't create a Blob with ARM. But you can with Pulumi 🙂
There is https://github.com/pulumi/pulumi-mysql so I guess there could be a provider for SQL Server/Database

rhythmic-finland-36256

09/19/2019, 1:08 PM
Thanks. I’ll have a look at those.

better-rainbow-14549

09/19/2019, 2:34 PM
i started on a dynamic provider for sql server but never finished it
hit various issues with trying to create MSI users 'from external provider' but i've since found a workaround