# automation-api

better-shampoo-48884

03/21/2021, 9:50 PM
I have a feeling I may have missed something or misunderstood some part of the conf here.. Given this:
```typescript
let currentStack = "dev-devsecops"
const stack = await pulumi.LocalWorkspace.createOrSelectStack({
    projectName: "k8s-baseline",
    program: pulumiProgram,
    stackName: currentStack
}, {
    projectSettings: {
        name: "k8s-baseline",
        author: "It's a me",
        runtime: "nodejs",
        backend: {
            url: "azblob://pulumi-state"
        },
        description: "Baseline Kubernetes configuration for xxxxx"
    },
    secretsProvider: "azurekeyvault://xxxxxvault.azure.net/keys/pulumi"
})
```
I'm getting:
```
commandResult: CommandResult {
    stdout: '',
    stderr: 'error: getting secrets manager: passphrase must be set with PULUMI_CONFIG_PASSPHRASE or PULUMI_CONFIG_PASSPHRASE_FILE environment variables\n',
    code: 4294967295,
    err: undefined
```
There is no Pulumi.yaml or stack yml in the directory where I'm running this btw. Could there be something of the stack previously cached or something? I would have thought providing the secretsProvider explicitly removed the need for the passphrase?

bored-oyster-3147

03/21/2021, 10:38 PM
hmmm idk. The fact that it is a `CommandResult` indicates that the Automation API is just forwarding you an error that the CLI threw. When you provide a `projectSettings` object the `LocalWorkspace.CreateOrSelectStack` method should be serializing that into a project setting YAML. So, the first thing I would do is verify that the project settings YAML that is generated, in the temp directory that it creates, has the secrets provider as you expect it to. If it does, then I would try the same configuration using the CLI - not the Automation API - and see if you get the same error. If you don't, then it is an Automation API issue. If you do, then it is either a CLI issue or is an issue with your configuration.

lemon-agent-27707

03/22/2021, 4:27 AM
When you use an inline program without specifying a working directory, it puts the pulumi.yaml and pulumi.stack.yaml in a temporary directory. You may need to save or populate those files on your own.

better-shampoo-48884

03/22/2021, 5:58 AM
I just set `workDir: ".",` now, and Pulumi.yaml showed up in the directory (no stack yaml though). Same error - so I'm guessing it needs a passphrase to establish a stack then it converts that to secrets-store afterwards..
Think I figured it out.. it's a logging issue I think.. creating the stack manually with the --secrets-provider gave me a token issue for keyvault, which reminded me that I needed to set AZURE_KEYVAULT_AUTH_VIA_CLI, so when I update the code to:
```typescript
const stack = await pulumi.LocalWorkspace.createOrSelectStack({
    projectName: "k8s-baseline",
    program: pulumiProgram,
    stackName: currentStack
}, {
    envVars: {
        AZURE_KEYVAULT_AUTH_VIA_CLI: "true",
    },
    projectSettings: {
        ....
    },
    workDir: ".",
    secretsProvider: "azurekeyvault://xxxxx.vault.azure.net/keys/pulumi"
})
```
it works without complaint
so the issue is simply this: when auth for secretsprovider fails, pulumi automation silently ignores this and prompts for passphrase.
Automation issues.. do they go in pulumi/pulumi or is there somewhere else for automation?