# general
s
This message was deleted.
e
That looks reasonable. Have you tested that config works locally (I'm not sure of the exact names for azure-native configuration myself)? Might also be worth having a dummy step beforehand that sets an envvar with the same config-map string and checking that it prints the string correctly (assuming this is a locked down repo that other people can't just look at the gha logs for).
a
Hey Fraser. Thanks for your response! I can confirm it works locally, we have the secret set as the same credentials we use locally. As for printing it, GitHub actions seem very good at catching my own stupidity, so I can't seem to be able to display a secret! I've just tried storing the secret as an envvar in the Pulumi step, then referencing that in the `config-map` string, which "seems" to get me a little further. I'm going to play around a bit more with it after lunch and will update on here!
e
Might just be needs some quote chars added, dunno if github would expand `${{ secrets.AZURE_DETAILS.clientSecret }}` to `"secret"` or just `secret`, and you'd need the former if it's in JSON style.
a
Good point, I will test that too.
Well, I think I've gotten rid of the error message about the wrong client secret. But now it's warning that I'm not logged in via azure cli:
Diagnostics:
    azure-native:resources:ResourceGroup (rg-myrg-):
      error: obtain subscription() from Azure CLI: parsing json result from the Azure CLI: waiting for the Azure CLI: exit status 1: ERROR: Please run 'az login' to setup account.
I would take this over to the azure channel, but when I comment out `config-map`, Pulumi updates work on existing stacks. I've also noticed that the inputs seem to be empty where GitHub secrets are defined:
Run pulumi/actions@v3
  with:
    command: update
    stack-name: company/mystack
    work-dir: iac/pulumi
    upsert: true
    config-map: ***azure-native:clientId: ***value: '$ARM_CLIENT_ID', secret: false***, azure-native:clientSecret: ***value: '', secret: true***, azure-native:location: ***value: 'westeurope', secret: false***, ...
I don't think this is normal behaviour in GitHub from what I can see online.
e
We're not doing anything odd GitHub Actions-wise with this, it's just using the gha sdk to get the action input: https://github.com/pulumi/actions/blob/master/src/config.ts#LL71
a
Yeah, that makes sense. I've found the issue now. I had a structured secret which contained the credentials to access the azure cli. GitHub docs say not to do this... Anyways, after changing that, it's happy. I will make a final comment on this thread and the following link to explain what I did to get this working: https://github.com/pulumi/actions/issues/716 I also have another issue now 🤦 but it's unrelated to this, so will put that back in general. Thanks for your time Fraser!
If anyone else is wondering how you format larger configs including GitHub secrets, here's how I did it for Azure:
- name: Deploy with pulumi
  uses: pulumi/actions@v3
  with:
    command: preview
    stack-name: dev
    work-dir: infra
    config-map: "{
      azure-native:clientId: {value: '${{ secrets.AZURE_DETAILS_CLIENT_ID }}', secret: false},
      azure-native:clientSecret: {value: '${{ secrets.AZURE_DETAILS_CLIENT_SECRET }}', secret: true},
      azure-native:location: {value: 'westeurope', secret: false},
      azure-native:subscriptionId: {value: '${{ secrets.AZURE_DETAILS_SUBSCRIPTION_ID }}', secret: false},
      azure-native:tenantId: {value: '${{ secrets.AZURE_DETAILS_TENANT_ID }}', secret: false},
      environment:size: {value: 'xs', secret: false},
      environment:type: {value: 'testing', secret: false}
      }"
You can use multi-line double-quoted strings to help make it easier on the eyes. When expanding GitHub variables, wrap them in single-quotes.