Good morning. My first time trying out Pulumi was yesterday and I really want to get over few errors that are stopping me from trying it out fully. I created a repo with my setup and description of the errors. https://github.com/sturlath/MyTest The problems I can´t get over • I get "could not find role" here • trying to give 2 services access to the db (here and here). I probably should create admin once and then assign it somehow to the principal.. I would also like some pointers on my setup if that is possible. Am I organizing things "correctly" (I know its probably a matter of an opinion) . And I know I´m probably using output wrong.

hey there @sticky-exabyte-94099 the error of "could not find role" is because you're passing a role definition name that doesn't exist, where did you get that name from?

I´m not sure... sorry.. still basically 1st day with Pulumi 😉 But this is the example I followed https://github.com/pulumi/examples/blob/master/classic-azure-cs-msi-keyvault-rbac/AppStack.cs And I can´t see that my code is any different...

// Work around a preview issue <https://github.com/pulumi/pulumi-azure/issues/192>
        var principalId = apiApp.Identity.Apply(id => id.PrincipalId ?? "11111111-1111-1111-1111-111111111111");

        // Grant App Service access to KV secrets
        var policy = new AccessPolicy("api-app-policy", new AccessPolicyArgs
        {
            KeyVaultId = KeyVault.Apply(t => t.Id),
            TenantId = TenantId,
            ObjectId = principalId,
            SecretPermissions = { "get" },
        });

        // Make the App Service the admin of the SQL Server (double check if you want a more fine-grained security model in your real app)
        var sqlAdmin = new ActiveDirectoryAdministrator("apiadmin", new ActiveDirectoryAdministratorArgs
        {
            ResourceGroupName = ResourceGroup.Apply(t => t.Name),
            TenantId = TenantId,
            ObjectId = principalId,
            Login = "adadmin",
            ServerName = SqlServerName,
        });

        // Grant access from App Service to the container in the storage
        var posterImagesBlobPermission = new Assignment("readposterblobpermission", new AssignmentArgs
        {
            PrincipalId = principalId,
            Scope = Output.Format($"{StorageAccountId}/blobServices/default/containers/{posterImagesStorageContainer.Name}"),
            RoleDefinitionName = "Poster Images Storage Blob Data Reader",
        });

it looks like those are built in Azure roles: https://docs.microsoft.com/en-us/azure/role-based-access-control/built-in-roles#storage-blob-data-reader can you verify they exist in your environment via the portal?

I´ll give it a go and let you know if I get this to work... give me 10

the final issue in your repo is the exact opposite, that role already exists and you're trying to recreate it with your code. you'll need to import it

Ok managed to test this and of course the first one is fixed. So thank you for that

Pulumi operates by storing the result of its operations in its "state". If something doesn't exist in the state Pulumi tries to create it for you. In this particular case, you've defined some code to create a resource, and it doesn't exist in your state, so Pulumi says "hey let's create it!" It goes to make the API call, and the Azure API says "you're trying to create something that already exists" because something out of band with Pulumi already created it - it might be you, or someone else. Either way, it's already there. So in order to fix this, you need to either: • Tell Pulumi it already exists. This is done by "importing" the resource into your state, telling Pulumi "this resource exists and you can now manage it because it's in the state file" • you can change your code to do a lookup on the existing resource, which means Pulumi becomes aware of it, but will NOT manage the resource lifecycle

ah.. ok I think I got it.. And the first approach is probably the better one since I could like to have my pulumi code all "Create"... So I just need to run this here and it should work?

pulumi import azure-native:sql:ServerAzureADAdministrator activeDirectory /subscriptions/00000000-1111-2222-3333-444444444444/resourceGroups/sqlcrudtest-4799/providers/Microsoft.Sql/servers/sqlcrudtest-6440/administrators/ActiveDirectory

(with my values) Found this here https://www.pulumi.com/registry/packages/azure-native/api-docs/sql/serverazureadadministrator/

yes, that works

Ok even though I pasted in this code the cli gave me?

if you leave it protected you won't be able to destroy the stack at all

Ok I need to think and read about that I think.. but I will be adding this to a CI/CD pipeline... next thing to figure out ;-) But now everything seams to be working good except that it demands I remove the first one of this because it exists but can run the other one This runs fine (apiadmin)

var sqlAdmin = new ActiveDirectoryAdministrator("apiadmin", new ActiveDirectoryAdministratorArgs
        {
            ResourceGroupName = ResourceGroup.Apply(t => t.Name),
            TenantId = TenantId,
            ObjectId = principalId,
            Login = "adadmin",
            ServerName = SqlServerName,
        });

but this (identiyadmin) doesn´t here I always get the already exists error

var sqlAdmin = new ActiveDirectoryAdministrator("identityadmin", new ActiveDirectoryAdministratorArgs
        {
            ResourceGroupName = ResourceGroup.Apply(t => t.Name),
            TenantId = TenantId,
            ObjectId = principalId,
            Login = "adadmin",
            ServerName = SqlServerName,
        });

So close... ;-)

@sticky-exabyte-94099 you're trying to create two logins with the same namd

adadmin

- you probably want to use autonaming

ah.. I understand.. got it "AD" in "adadmin" must have confused me and I was thinking it was something built in..

it's a little hard to followng what's going on I'm afraid

Ok np will try to destroy everything and hopefully when I run everything again it will just work.. 🤞

I'd recommend trying to read and understand some links about how Pulumi works: https://www.pulumi.com/docs/intro/concepts/

Hi @billowy-army-68599 I just got back to this and have been trying to destroy everything but I´m not able to. What could be the problem here and how can a force this delete?

@sticky-exabyte-94099

pulumi refresh

will get your state in the right place if you manually delete things

pulumi state unprotect

will unprotect resources

ok needed that command... thank you

@sticky-exabyte-94099 you need to give things unique names and make sure the resources don't already exist. are you familiar with how desired state configuration works?

I´m alone working on this so thats that. And if I go to the Pulumi portal and click on the only ActiveDirectoryAdministrator that is created and delete it and then even destroy the stack (done that 2-3x) and rerun pulumi up I can only get the first one in and then it complains. I´ll destroy it all again and retry but I have already done it.

the Pulumi portal? are you creating things manually in the Azure portal?

I'm creating this with CLI but I have tried to go here and then navigating to the Azure portal (from the Pulumi "portal") and delete it there. Then I have destroyed everything (with CLI) and made sure everything is gone in Azure and then (sometimes hours later) I run pulumi up again but only 1 gets greated...

if you go into the Azure Portal, do you see a resource with that name already there?

No I cant see it anywhere… 🤨