I'm using Pulumi with GitHub actions. To authentic...
# general
w
I'm using Pulumi with GitHub actions. To authenticate with Azure I'm using a service principal. Locally it works great (I'm using my own user to log in to the CLI locally), however when it executes in the GitHub Action it throws a Terraform Error related to the `skip_provider_registration` flag. Any ideas why this behaviour occurs and what is a workaround in Pulumi? Note: This only occurs when I am using a method for Getting an existing registry by name and resource group. If I am creating resources, I am experiencing no issues.
```
Error: invocation of azure:containerservice/getRegistry:getRegistry returned an error: 1 error occurred:
      	* Error ensuring Resource Providers are registered.

      Terraform automatically attempts to register the Resource Providers it supports to
      ensure it's able to provision resources.

      If you don't have permission to register Resource Providers you may wish to use the
      "skip_provider_registration" flag in the Provider block to disable this functionality.

      Please note that if you opt out of Resource Provider Registration and Terraform tries
      to provision a resource from a Resource Provider which is unregistered, then the errors
      may appear misleading - for example:

      > API version 2019-XX-XX was not found for Microsoft.Foo
```
a
Maybe the service principal doesn't have correct permissions?
w
That was my first thought as well, but it seems like it has contributor access across the board.
a
Hmmm... I would double check that the SP has "register/action" rights on the sub. I mean yes, I believe the Contributor role should have that, but worth checking. I had some similar issue with Contributor & Storage Account Contributor roles a few weeks back as MSFT had made some changes.
w
Thanks for the input John, I actually found a solution - I'll detail it below for anybody who bumps into this issue in the future 🆘
👍 1
The solution is pretty simple: Instead of using the `@pulumi/azure` npm package, make sure you're using the `@pulumi/azure_native` package. So a simple change to the code.
```typescript
// Instead of something like this
import * as azure from '@pulumi/azure';

const registry = azure.containerservice.getRegistry({
  name: "myregistryname",
  resourceGroupName: "myresourcegroupname",
});

//====================================================

// Use something like THIS instead (Notice: different package)
import * as containerregistry from '@pulumi/azure-native/containerregistry';

const registry = containerregistry.getRegistry({
    registryName: "myregistryname",
    resourceGroupName: "myresourcegroupname"
});
```
🙌 1
Can't explain the underlying issue, but this is a solution that worked for me 👍
b
The other solution is to set the `SkipProviderRegistration` flag to true in the Azure config. This can be done by adding the following to the `config` section in the yaml: `azure:skip_provider_registration: "true"`
👍 1
For various reasons we've found some things that the azure_native package doesn't support as well as the azure package, and vice versa, so we're currently using a mixture of the two.
👍 1
It's Terraform's fault that you need to skip provider registration if you don't have the sufficient permissions. I think it tries to register the providers for anything you're trying to use, even if they're already registered. I had the same issue when using Terraform directly, and the `azure` provider uses Terraform under the covers.
w
My sense was that Terraform actually tries to register providers for everything that it supports, not just what you're trying to use. I've seen some errors for services completely unrelated to what I'm working with e.g. machine learning.
Either way thanks for the heads up, the config tip is very useful