No matter how you like to participate in developer communities, Pulumi wants to meet you there. If you want to meet other Pulumi users to share use-cases and best practices, contribute code or documentation, see us at an event, or just tell a story about something cool you did with Pulumi, you are part of our community.

Pulumi Community

The `SQLServer` has an admin user, but I’m missing the way of creating specific users for the databases I create inside the server to hand those restricted users to some service / container instance that should use the database. Technically it works with the SQL admin user but I want each service to have a dedicated user to its database.

Doing this outside of the pulumi context (or even manually) destroys all mechanisms of passing the credentials to the service.

I found this blog post (<https://mikhail.io/2018/06/programmable-cloud-provisioning-azure-app-service-with-pulumi/>) by <@UB39JFCKC> which also has an example application here: <https://github.com/pulumi/examples/blob/21e672e577c82a0df4b7e6e5d0184e78fdefe0c6/azure-ts-appservice/index.ts#L97> but it also uses the admin credentials inside the `AppService`.

Thanks for that blog post. No blaming intended!

You should totally create non-admin users. I guess you should probably have a SQL script for this and run it out of pulumi program?

I’d like to automate that inside the pulumi program but looking for a good way to do it. For terraform, there is this `nullresource` “hack” that executes code. <https://stackoverflow.com/questions/54326033/add-azure-sql-user-with-terraform>

If you need a hack, you could make a dynamic provider for this.

As we have a real programming language and access to all server names and credentials, we should be able to execute this logic from within the pulumi program (and even create some random passwords for those users).

My question is more if I need to do such a hack or if there are easier ways of executing code. I’m wondering what I need to take care of to work nicely within the preview phase. I assume this could cause some issues as the code can only be executed when in the real execution.

I read about `isDryRun` but not sure if that’s a good practice for that.

A dynamic provider would take care of this. It's not really a hack, just that it's manual work.

Yes, sure. This is not a failure of pulumi, but more of a missing feature on the azure api I guess.

Then I’ll have a look at the DynamicProvider documentation. Thanks for this direction! :thumbsup:

In terms of Azure, this is clearly a data plane thing, ARM doesn't know about SQL users.

Like you can't create a Blob with ARM. But you can with Pulumi :slightly_smiling_face:

There is <https://github.com/pulumi/pulumi-mysql> so I guess there could be a provider for SQL Server/Database

Some examples of dynamic providers: <https://github.com/pulumi/examples/blob/master/azure-ts-static-website/staticWebsite.ts> and <https://github.com/pulumi/examples/blob/master/azure-ts-dynamicresource/cdnCustomDomain.ts>

i started on a dynamic provider for sql server but never finished it

hit variuos issues with trying to create MSI users 'from external provider' but i've since found a workaround