https://pulumi.com logo
s

sticky-exabyte-94099

01/03/2022, 8:37 AM
Good morning. My first time trying out Pulumi was yesterday and I really want to get over few errors that are stopping me from trying it out fully. I created a repo with my setup and description of the errors. https://github.com/sturlath/MyTest The problems I can´t get over • I get "could not find role" here • trying to give 2 services access to the db (here and here). I probably should create admin once and then assign it somehow to the principal.. I would also like some pointers on my setup if that is possible. Am I organizing things "correctly" (I know its probably a matter of an opinion) . And I know I´m probably using output wrong.
b

billowy-army-68599

01/03/2022, 3:25 PM
hey there @sticky-exabyte-94099 the error of "could not find role" is because you're passing a role definition name that doesn't exist, where did you get that name from?
s

sticky-exabyte-94099

01/03/2022, 3:40 PM
I´m not sure... sorry.. still basically 1st day with Pulumi 😉 But this is the example I followed https://github.com/pulumi/examples/blob/master/classic-azure-cs-msi-keyvault-rbac/AppStack.cs And I can´t see that my code is any different...
Copy code
// Work around a preview issue <https://github.com/pulumi/pulumi-azure/issues/192>
        var principalId = apiApp.Identity.Apply(id => id.PrincipalId ?? "11111111-1111-1111-1111-111111111111");

        // Grant App Service access to KV secrets
        var policy = new AccessPolicy("api-app-policy", new AccessPolicyArgs
        {
            KeyVaultId = KeyVault.Apply(t => t.Id),
            TenantId = TenantId,
            ObjectId = principalId,
            SecretPermissions = { "get" },
        });

        // Make the App Service the admin of the SQL Server (double check if you want a more fine-grained security model in your real app)
        var sqlAdmin = new ActiveDirectoryAdministrator("apiadmin", new ActiveDirectoryAdministratorArgs
        {
            ResourceGroupName = ResourceGroup.Apply(t => t.Name),
            TenantId = TenantId,
            ObjectId = principalId,
            Login = "adadmin",
            ServerName = SqlServerName,
        });

        // Grant access from App Service to the container in the storage
        var posterImagesBlobPermission = new Assignment("readposterblobpermission", new AssignmentArgs
        {
            PrincipalId = principalId,
            Scope = Output.Format($"{StorageAccountId}/blobServices/default/containers/{posterImagesStorageContainer.Name}"),
            RoleDefinitionName = "Poster Images Storage Blob Data Reader",
        });
Ok ok so the RoleDefinitionName should be "*Storage Blob Data Reader".....*
b

billowy-army-68599

01/03/2022, 3:44 PM
it looks like those are built in Azure roles: https://docs.microsoft.com/en-us/azure/role-based-access-control/built-in-roles#storage-blob-data-reader can you verify they exist in your environment via the portal?
it looks like your azure account miught have some missing roles?
s

sticky-exabyte-94099

01/03/2022, 3:45 PM
I´ll give it a go and let you know if I get this to work... give me 10
b

billowy-army-68599

01/03/2022, 3:46 PM
the final issue in your repo is the exact opposite, that role already exists and you're trying to recreate it with your code. you'll need to import it
s

sticky-exabyte-94099

01/03/2022, 5:46 PM
Ok managed to test this and of course the first one is fixed. So thank you for that
But I'm not sure what to do with the other issue.. don´t I need to create the sqlAdmin and then sign the serivce pricipalid to ObjectId ? Sorry I don't know what you mean by importing...
So lets say I create the sqlAdmin without connecting it somewhere above and then I "import" it (get?) and do something in the line of "sqlAdmin.ObjectId=principalId"?
b

billowy-army-68599

01/03/2022, 6:01 PM
Pulumi operates by storing the result of its operations in its "state". If something doesn't exist in the state Pulumi tries to create it for you. In this particular case, you've defined some code to create a resource, and it doesn't exist in your state, so Pulumi says "hey let's create it!" It goes to make the API call, and the Azure API says "you're trying to create something that already exists" because something out of band with Pulumi already created it - it might be you, or someone else. Either way, it's already there. So in order to fix this, you need to either: • Tell Pulumi it already exists. This is done by "importing" the resource into your state, telling Pulumi "this resource exists and you can now manage it because it's in the state file" • you can change your code to do a lookup on the existing resource, which means Pulumi becomes aware of it, but will NOT manage the resource lifecycle
s

sticky-exabyte-94099

01/03/2022, 6:10 PM
ah.. ok I think I got it.. And the first approach is probably the better one since I could like to have my pulumi code all "Create"... So I just need to run this here and it should work?
pulumi import azure-native:sql:ServerAzureADAdministrator activeDirectory /subscriptions/00000000-1111-2222-3333-444444444444/resourceGroups/sqlcrudtest-4799/providers/Microsoft.Sql/servers/sqlcrudtest-6440/administrators/ActiveDirectory
(with my values) Found this here https://www.pulumi.com/registry/packages/azure-native/api-docs/sql/serverazureadadministrator/
b

billowy-army-68599

01/03/2022, 6:45 PM
yes, that works
however, remember if you import into pulumi's state, if you do a
pulumi destroy
it'll remove the resource
so if you're working in an environment where other people might use the role with another tool, that might not be the best idea
s

sticky-exabyte-94099

01/03/2022, 6:48 PM
Ok even though I pasted in this code the cli gave me?
b

billowy-army-68599

01/03/2022, 6:50 PM
if you leave it protected you won't be able to destroy the stack at all
until you either unprotect, or remove it from state
s

sticky-exabyte-94099

01/03/2022, 6:56 PM
Ok I need to think and read about that I think.. but I will be adding this to a CI/CD pipeline... next thing to figure out ;-) But now everything seams to be working good except that it demands I remove the first one of this because it exists but can run the other one This runs fine (apiadmin)
Copy code
var sqlAdmin = new ActiveDirectoryAdministrator("apiadmin", new ActiveDirectoryAdministratorArgs
        {
            ResourceGroupName = ResourceGroup.Apply(t => t.Name),
            TenantId = TenantId,
            ObjectId = principalId,
            Login = "adadmin",
            ServerName = SqlServerName,
        });
but this (identiyadmin) doesn´t here I always get the already exists error
Copy code
var sqlAdmin = new ActiveDirectoryAdministrator("identityadmin", new ActiveDirectoryAdministratorArgs
        {
            ResourceGroupName = ResourceGroup.Apply(t => t.Name),
            TenantId = TenantId,
            ObjectId = principalId,
            Login = "adadmin",
            ServerName = SqlServerName,
        });
So close... ;-)
sorry found an error!
no sorry... got confused by the "Identity" in var principalId = apiApp.Identity.Apply(id => id.PrincipalId ?? "11111111-1111-1111-1111-111111111111"); Still get this error..
b

billowy-army-68599

01/03/2022, 7:19 PM
@sticky-exabyte-94099 you're trying to create two logins with the same namd
adadmin
- you probably want to use autonaming
or update the
Login
field
s

sticky-exabyte-94099

01/03/2022, 7:51 PM
ah.. I understand.. got it "AD" in "adadmin" must have confused me and I was thinking it was something built in..
ok I changed Login="identityadmin" and still get the error... Am I now maybe in some strange state? I'm guessing I could create a "identityadmin2" and then everything works. But I would like to understand about "identityadmin"..
b

billowy-army-68599

01/03/2022, 9:03 PM
it's a little hard to followng what's going on I'm afraid
if you get the same error for
identityadmin
it means that already exists
s

sticky-exabyte-94099

01/03/2022, 9:05 PM
Ok np will try to destroy everything and hopefully when I run everything again it will just work.. 🤞
b

billowy-army-68599

01/03/2022, 9:12 PM
I'd recommend trying to read and understand some links about how Pulumi works: https://www.pulumi.com/docs/intro/concepts/
👍 1
s

sticky-exabyte-94099

01/06/2022, 12:00 PM
Hi @billowy-army-68599 I just got back to this and have been trying to destroy everything but I´m not able to. What could be the problem here and how can a force this delete?
Its just locked.. Should I just go into the Azure portal and delete it from there and then run destroy? But why can´t I delete it from the cli?
There doesn´t seem to be away other than just delete the stack and start new
Ok managed to do this with pulumi up... I thought I had done that.
Because I decided to just delete the resource in the Azure portal I get the following error when deleting it with pulumi
So now I guess my only course of action is to delete the stack...
b

billowy-army-68599

01/06/2022, 2:24 PM
@sticky-exabyte-94099
pulumi refresh
will get your state in the right place if you manually delete things
pulumi state unprotect
will unprotect resources
1
s

sticky-exabyte-94099

01/06/2022, 2:27 PM
ok needed that command... thank you
Ok sorry @billowy-army-68599 but I´m just not getting this... How can I give two Appservices admin access to the SQL server? I have this code
Copy code
... create a SQLServer

// use that sql server and create AD
var activeDirectory = new AzureNative.Sql.ServerAzureADAdministrator("activeDirectory", new AzureNative.Sql.ServerAzureADAdministratorArgs
{
    AdministratorName = "ActiveDirectory",
    AdministratorType = "ActiveDirectory",
    Login = "adadmin",
    ResourceGroupName = ResourceGroup.Apply(t => t.Name),
    ServerName = SqlServer.Apply(t => t.Name),
    Sid = "d4aee8f4-2aa3-42cf-b6b0-1260b11516d7",
    TenantId = CurrentPricipal,
}

// Create one service
var identityApp = new AppService("IdentityService", new AppServiceArgs
{
  ... code to create service
}
var principalId1 = identityApp.Identity.Apply(id => id.PrincipalId ?? "11111111-1111-1111-1111-111111111111");

// Make the App Service the admin of the SQL Server (double check if you want a more fine-grained security model in your real app)
var sqlAdmin = new ActiveDirectoryAdministrator("identityadmin", new ActiveDirectoryAdministratorArgs
{
    ResourceGroupName = ResourceGroup.Apply(t => t.Name),
    TenantId = TenantId,
    ObjectId = principalId1, //<-- basically this... how do I tie a sql admin and appservice...
    Login = "adadmin",
    ServerName = SqlServer.Apply(t => t.Name)
});
And this just works fine... But then I have another service that I want the service also to be the admin of the SQL server....
Copy code
// If I try this I get an error telling me a reasource ActiveDirectory already exists..
var sqlAdmin = new ActiveDirectoryAdministrator("apiadmin", new ActiveDirectoryAdministratorArgs
{
    ResourceGroupName = ResourceGroup.Apply(t => t.Name),
    TenantId = TenantId,
    ObjectId = principalId2, //<-- from service nr 2
    Login = "adadmin",
    ServerName = SqlServer.Apply(t => t.Name),
});
I get this
A resource with the ID "/subscriptions/.../resourceGroups/beinni-rg52d042de/providers/Microsoft.SQL/servers/sqlserverbeinni5c30eaa/administrators/ActiveDirectory" already exists - to be managed via Terraform this resource needs to be imported into the State. Please see the resource documentation for "azurerm_sql_active_directory_administrator" for more information.
and I have no idea how I can then use that AD to connect things together... What I´m finding is that the examples and explanations are just to shallow (just one service and simple setup) or hard to figure out... this is e.g. the only example of ActiveDirectoryAdministrator usage I can find .. https://github.com/pulumi/examples/blob/258d3bad0a00020704743e37911c51be63c06bb4/classic-azure-cs-msi-keyvault-rbac/AppStack.cs I would benefit from a larger more complex examples and setup... Hope you can assist me soon. thank you and sorry for being so daft!
I thought I could maybe do something like the following instead of creating two ad admins I would use the first and connect them together with this code
Copy code
var sqlAdmin = ActiveDirectoryAdministrator.Get("identityadmin");
sqlAdmin.ObjectId = principalId;
but ObjectId is read only...
b

billowy-army-68599

01/07/2022, 2:06 PM
@sticky-exabyte-94099 you need to give things unique names and make sure the resources don't already exist. are you familiar with how desired state configuration works?
it seems like you, or someone else is adding things manually, then trying to add them into Pulumi
s

sticky-exabyte-94099

01/07/2022, 2:17 PM
I´m alone working on this so thats that. And if I go to the Pulumi portal and click on the only ActiveDirectoryAdministrator that is created and delete it and then even destroy the stack (done that 2-3x) and rerun pulumi up I can only get the first one in and then it complains. I´ll destroy it all again and retry but I have already done it.
and between creating/deleting I have been also trying pulumi refresh to make sure all is in sync...
b

billowy-army-68599

01/07/2022, 2:22 PM
the Pulumi portal? are you creating things manually in the Azure portal?
s

sticky-exabyte-94099

01/07/2022, 2:35 PM
I'm creating this with CLI but I have tried to go here and then navigating to the Azure portal (from the Pulumi "portal") and delete it there. Then I have destroyed everything (with CLI) and made sure everything is gone in Azure and then (sometimes hours later) I run pulumi up again but only 1 gets greated...
Sorry @billowy-army-68599 I destroyed everything and recreated it with the fixes from the other issue. I pushed all my code to https://github.com/sturlath/MyTest/blob/master/AppStack.cs (just the way I´m using it.. Any change to have somebody with C# knowledge look at what I might be doing wrong? I just can´t get past creating these ActiveDirectoryAdministrator....
b

billowy-army-68599

01/07/2022, 5:42 PM
if you go into the Azure Portal, do you see a resource with that name already there?
s

sticky-exabyte-94099

01/07/2022, 6:03 PM
No I cant see it anywhere… 🤨
This is what gets greated… cant find any identyadmin anywhere
And I have browsed into all access AD etc I can find.. so if its somewhere its somewhere new I have never been to..😫
And if I follow that resource mention in the error it shows me ActiveDirectory and no user/permission/etc is identityadmin This is getting super frustrating... I will probably try to test this on another subscription this weekend and if that doesn´t work I´ll have to set this test aside for the time being..
After using these azure command here to below I´m getting back on my original thought that the syntax or code setup is just wrong. Don´t you need to create 1
ActiveDirectoryAdministrator
and then assign the services principal to that admin and do it once for each service? I sure hope you can point me in the right direction here or give me any idea at all what to do...
heads up @billowy-army-68599 I created a github ticket for this https://github.com/pulumi/pulumi-azure-native/issues/1416 in hope to get more assistance with this..