Channels
pulumi-ai
package-authoring
pulumi-cdk
oracle-cloud-infrastructure
learn-pulumi-events
linen
registry
built-with-pulumi
pulumi-cloud
contribex
testingtesting321
hacktoberfest
cloudengineering
yaml
pulumi-crosscode
content-share
finops
multi-language-hackathon
office-hours
workshops
blog-posts
localstack
welcome
gitlab
pulumi-kubernetes-operator
jobs
aws
pulumi-deployments
dotnet
golang
announcements
java
pulumiverse
python
install
getting-started
cloudengineering-support
testingtesting123
hackathon-03-19-2020
typescript
google-cloud
contribute
azure
kubernetes
docs
automation-api
status
general
Title
f
future-analyst-18745
11/28/2022, 12:02 AM[Updates: see replies]
Is there a better guide than this https://www.pulumi.com/docs/guides/continuous-delivery/github-actions/
for Pulumi + GitHub Actions + Azure?
If not, does this still work?
I'm stuck
[Update: this does not work "error: Authenticating using the Azure CLI is only supported as a User (not a Service Principal)."]
One difference so far:
- name: Azure Login
uses: azure/login@v1
with:
creds: ${{ secrets.AZURE_CREDENTIALS }}[Update: encountered auth error]
This worked:
name: Pulumi
on:
push:
branches:
- main
jobs:
update:
name: Update
runs-on: ubuntu-latest
defaults:
run:
working-directory: <path/to/go.mod>
steps:
- uses: actions/checkout@v2
- uses: actions/setup-go@v2
with:
go-version: 1.19.x
- name: Azure Login
uses: azure/login@v1
with:
creds: ${{ secrets.AZURE_CREDENTIALS }}
- run: go mod download
- uses: pulumi/actions@v3
with:
work-dir: <path/to/go.mod>
command: up
stack-name: org-name/stack-name # When using an individual account, only use stack-name.
env:
PULUMI_ACCESS_TOKEN: ${{ secrets.PULUMI_ACCESS_TOKEN }}Side note:
https://github.com/Azure/login#configure-a-service-principal-with-a-secret
Note: The abovecommand will give you theaz ad sp create-for-rbacdeprecation warning. As we are working with CLI for this deprecation process, we strongly recommend users to use this--sdk-authflag as the result dictionary output changes and not accepted by login action if--sdk-authis not used.--sdk-auth
Trying to follow this old guide:
https://nvd.codes/post/deploying-to-azure-with-pulumi-from-github-actions/
Current problem:
Could not create application: graphrbac.ApplicationsClient#Create: Failure responding to request: StatusCode=403 -- Original Error: autorest/azure: Service returned an error. Status=403 Code="Unknown" Message="Unknown service error" Details=[{"odata.error":{"code":"Authorization_RequestDenied","date":"2022-11-28T16:57:29","message":{"lang":"en","value":"Insufficient privileges to complete the operation."},"requestId":"c25989a6-dfb0-4e49-ad1a-0ce14dac8758"}}]I found a solution...
tl;dr
az role assignment create --assignee "servicePrincipalIdPlaceholder" --role "Owner" --subscription "subscriptionIdPlaceholder"az rest --method post --uri <https://graph.microsoft.com/v1.0/servicePrincipals/60b3f8d5-92c6-4f51-93f0-8d0f0825cf9d/appRoleAssignedTo> --body '{ "principalId": "servicePrincipalIdPlaceholder", "resourceId": "subscriptionIdPlaceholder", "appRoleId": "1cda74f2-2616-4834-b122-5cb1b07f8a59" }'az rest --method post --uri <https://graph.microsoft.com/v1.0/servicePrincipals/60b3f8d5-92c6-4f51-93f0-8d0f0825cf9d/appRoleAssignedTo> --body '{ "principalId": "servicePrincipalIdPlaceholder", "resourceId": "subscriptionIdPlaceholder", "appRoleId": "78c8a3c8-a07e-4b9e-af1b-b5ccab50a175" }'This is somewhat relevant:
https://www.pulumi.com/docs/guides/crosswalk/kubernetes/identity/