I have a feeling I may have missed something or misunderstoo Pulumi Community #automation-api

I have a feeling I may have missed something or mi...

better-shampoo-48884

03/21/2021, 9:50 PM

I have a feeling I may have missed something or misunderstood some part of the conf here.. Given this:

Copy code

let currentStack = "dev-devsecops"
    const stack = await pulumi.LocalWorkspace.createOrSelectStack({
        projectName: "k8s-baseline",
        program: pulumiProgram,
        stackName: currentStack
    },{ 
        projectSettings: {
            name: "k8s-baseline",
            author: "It's a me",
            runtime: "nodejs",
            backend: {
                url: "<azblob://pulumi-state>"
            },            
            description: "Baseline Kubernetes configuration for xxxxx"
        },
        secretsProvider: "<azurekeyvault://xxxxxvault.azure.net/keys/pulumi>"
    })

I'm getting:

Copy code

commandResult: CommandResult {
    stdout: '',
    stderr: 'error: getting secrets manager: passphrase must be set with PULUMI_CONFIG_PASSPHRASE or PULUMI_CONFIG_PASSPHRASE_FILE environment variables\n',
    code: 4294967295,
    err: undefined

There is no Pulumi.yaml or stack yml in the directory where I'm running this btw. Could there be something of the stack previously cached or something? I would have thought providing the secretsProvider explicitly removed the need for the passphrase?

bored-oyster-3147

03/21/2021, 10:38 PM

hmmm idk. The fact that it is a

CommandResult

indicates that the Automation API is just forwarding you an error that the CLI threw. When you provide a

projectSettings

object the

LocalWorkspace.CreateOrSelectStack

method should be serializing that into a project setting YAML. So, the first thing I would do is verify that the project settings YAML that is generated, in the temp directory that it creates, has the secrets provider as you expect it to. If it does, than I would try the same configuration using the CLI - not the Automation API - and see if you get the same error. If you don't, than it is an Automation API issue. If you do, than it is either a CLI issue or is an issue with your configuration

lemon-agent-27707

03/22/2021, 4:27 AM

When you use an inline program without specifying a working directory, it puts the pulumi.yaml and pulumi.stack.yaml in a temporary directory. You may need to save or populate those files on your own.

better-shampoo-48884

03/22/2021, 5:58 AM

I just set

workDir: ".",

now, and Pulumi.yaml showed up in the directory (no stack yaml though). Same error - so I'm guessing it needs a passphrase to establish a stack then it converts that to secrets-store afterwards..

better-shampoo-48884

03/22/2021, 6:40 AM

Think I figured it out.. it's a logging issue I think.. creating the stack manually with the --secrets-provider gave me a token issue for keyvault, which reminded me that I needed to set AZURE_KEYVAULT_AUTH_VIA_CLI, so when I update the code to:

Copy code

const stack = await pulumi.LocalWorkspace.createOrSelectStack({
        projectName: "k8s-baseline",
        program: pulumiProgram,
        stackName: currentStack
    },{
        envVars: {
            AZURE_KEYVAULT_AUTH_VIA_CLI: "true",
        }, 
        projectSettings: {
           ....
        },
        workDir: ".",
        secretsProvider: "<azurekeyvault://xxxxx.vault.azure.net/keys/pulumi>"
    })

it works without complaint

better-shampoo-48884

03/22/2021, 6:41 AM

so the issue is simply this: when auth for secretsprovider fails, pulumi automation silently ignores this and prompts for passphrase.

👍 1

better-shampoo-48884

03/22/2021, 6:42 AM

Automation issues.. do they go in pulumi/pulumi or is there somewhere else for automation?

lemon-agent-27707

03/22/2021, 4:12 PM

Yes https://github.com/pulumi/pulumi/issues/new?assignees=&labels=kind%2Fbug&template=0-bug-report.md

6 Views

Open in Slack

Previous Next