c

cold-motherboard-88215

12/06/2022, 10:04 AM
Hi guys, love Pulumi! Trying to set up an environment, but I don’t know how to add a directory (or multiple) to a BlobContainer of a StorageAccount where SFTP is enabled. I know this is possible from the Azure Portal … but I don’t know how to do this with Pulumi …
Just for the people who are interested why in hell I would like to have this: I’m setting up an SFTP environment for multiple tenants, and every time a new tenant is created it needs to automatically set up a certain directory structure, so each container is a tenant.
Just as extra information, I’ve enabled the Azure Data Lake Storage Gen2 hierarchical feature on the StorageAccount; this enabled the feature to be able to create directories. Azure Data Lake Storage Gen2 Hierarchical Namespace | Microsoft Learn
m

many-telephone-49025

12/06/2022, 11:23 AM
Hi Nick, thanks for the love! :heart_hands: I think it is not possible currently in Pulumi and neither in ARM. What people are using is a Deployment Script or AzureCliScript with our azure-native provider to execute CLI calls. In your case az storage fs -> https://learn.microsoft.com/en-us/azure/storage/blobs/data-lake-storage-directory-file-acl-cli
c

cold-motherboard-88215

12/06/2022, 11:24 AM
Hi Engin, this was exactly what I was looking at 🙂
Thanks for confirming!
m

many-telephone-49025

12/06/2022, 11:25 AM
Me too, as I have to call az acr task run 😄 and I did it before with Pulumi Command
c

cold-motherboard-88215

12/06/2022, 12:38 PM
Can you provide me a working example of AzureCliScript?
Because when I try to create AzureCliScript it’s complaining that it needs the “kind” parameter in TypeScript … but in the documentation it does not exist …
m

many-telephone-49025

12/06/2022, 1:02 PM
Ok
one moment
My one, in Golang, looks like this:
azureCliScript, err := resources.NewAzureCliScript(ctx, "create-registry-credentials", &resources.AzureCliScriptArgs{
	Location:          resourceGroup.Location,
	ResourceGroupName: resourceGroup.Name,
	// User-assigned managed identity, so the script does not need az login
	Identity: resources.ManagedServiceIdentityArgs{
		Type:                   pulumi.String(resources.ManagedServiceIdentityTypeUserAssigned),
		UserAssignedIdentities: scriptUserIdentityMapOutput,
	},
	RetentionInterval: pulumi.String("P1D"),
	AzCliVersion:      pulumi.String("2.41.0"),
	Kind:              pulumi.String("AzureCLI"),
	ScriptContent: pulumi.Sprintf(`az acr task create \
    --registry %s \
    --name goapp \
    --image go-app:latest \
    --context https://github.com/dirien/infrastructure-as-code-workshop.git#main:pulumi-azure-container-apps/app \
    --file Dockerfile --commit-trigger-enabled false && \
    az acr task run --registry %s --name goapp --only-show-errors`, registry.Name, registry.Name),
})
if err != nil {
	return err
}
Two things: Kind = AzureCLI
And I use a managed identity
c

cold-motherboard-88215

12/06/2022, 1:15 PM
Ok thx, I think I’ll manage with this, much appreciated
m

many-telephone-49025

12/06/2022, 1:15 PM
to not do az login
The managed identity has Role contributor on scope Resourcegroup
I am sure you can nerf it down
c

cold-motherboard-88215

12/06/2022, 1:15 PM
I hope so 🙂
Sorry to bug you again … but I get the following: “Cannot call ‘.get’ during update or preview”
Is there some sort of way I can add an if(preview !== true) { then perform this}?
m

many-telephone-49025

12/06/2022, 1:37 PM
you may need to share a GitHub gist with the code
I never saw this message, but maybe it's down to the Node.js way of getting values
c

cold-motherboard-88215

12/06/2022, 1:39 PM
const azureCliEnableSftp = new resources.AzureCliScript("enable-sftp-storage-account", {
    location: foodResourceGroup.location,
    resourceGroupName: foodResourceGroup.name,
    azCliVersion: "2020-10-01",
    kind: "AzureCLI",
    retentionInterval: "P1D",
    scriptContent: `az storage account update --resource-group="${foodResourceGroup.name.get()}" --name="${foodSftpStorageAccount.name.get()}" --enable-sftp=true`
});
m

many-telephone-49025

12/06/2022, 1:40 PM
CLI version must be like this: 2.41.0
c

cold-motherboard-88215

12/06/2022, 1:40 PM
In the scriptContent I’m calling resourceGroup.name.get()
Hmm, looks like it works fine if I remove the .get()
m

many-telephone-49025

12/06/2022, 1:41 PM
and script content should be pulumi.interpolate
to resolve the values
c

cold-motherboard-88215

12/06/2022, 1:43 PM
Of course, that makes sense
m

many-telephone-49025

12/06/2022, 1:43 PM
like
pulumi.interpolate`az storage account update --resource-group="${foodResourceGroup.name}" --name="${foodSftpStorageAccount.name}" --enable-sftp=true`
but without quotes
c

cold-motherboard-88215

12/06/2022, 1:43 PM
you are my hero 😉
m

many-telephone-49025

12/06/2022, 1:43 PM
let's hope it works 🙂
FYI: if you need to pass secrets, use the environment variables
c

cold-motherboard-88215

12/06/2022, 1:46 PM
You one of the devs? Really like Pulumi, much easier to understand than Terraform 🙂
m

many-telephone-49025

12/06/2022, 1:47 PM
I am in the Customer Engineering team and not in the core engineering team but I will let them know for sure your feedback!
c

cold-motherboard-88215

12/06/2022, 1:53 PM
Now I’m getting Message=“The provided script failed with the following error:\r\nERROR: Please run ‘az login’ to setup account.
Probably something to do with the missing identity
m

many-telephone-49025

12/06/2022, 1:54 PM
yessss
I would prefer this
c

cold-motherboard-88215

12/06/2022, 1:54 PM
identity: new resources.ManagedServiceIdentityArgs({
    
}),
For some reason this does not work … I feel so stupid at the moment 😞
m

many-telephone-49025

12/06/2022, 1:55 PM
NewUserAssignedIdentity
on the package managedidentity
c

cold-motherboard-88215

12/06/2022, 2:01 PM
Ok, ok, I already have an app registration used for pulumi should I use the same here ?
this is creating a new one
m

many-telephone-49025

12/06/2022, 2:03 PM
Depends on you
c

cold-motherboard-88215

12/06/2022, 2:03 PM
identity: new UserAssignedIdentity("pulumi-iac-test", {
    resourceGroupName: foodResourceGroup.name,
    resourceName: "pulumi-iac-test"
}),
Doing this creates a new one I guess and I get azure-native:resources:AzureCliScript resource ‘enable-sftp-storage-account’ has a problem: ‘identity’ should be of type ‘object’ but got a string
m

many-telephone-49025

12/06/2022, 2:04 PM
And then give it the role
Identity: resources.ManagedServiceIdentityArgs{
   Type:                   pulumi.String(resources.ManagedServiceIdentityTypeUserAssigned),
   UserAssignedIdentities: scriptUserIdentityMapOutput,
},
And I created a map output this way:
scriptUserIdentityMapOutput := script.ID().ToIDOutput().ToStringOutput().ApplyT(func(v string) map[string]interface{} {
	m := make(map[string]interface{})
	m[v] = pulumi.ToStringMap(map[string]string{})
	return m
}).(pulumi.MapOutput)
Not sure how to translate the last part into typescript
but in go, it needed to be a Map where the key is the id of the identity and the value is empty
c

cold-motherboard-88215

12/06/2022, 2:07 PM
Is there someone in your team who can help me with this in TypeScript? I’m not a Go dude and it’s quite hard for me to read
m

many-telephone-49025

12/06/2022, 2:13 PM
Have to see if someone else in the community slack joins this thread. This is fully community driven
c

cold-motherboard-88215

12/06/2022, 2:13 PM
Yeah I understand I really appreciate your help!