
acoustic-dress-83560

01/04/2023, 11:31 AM
Hey all, happy new year! Does anyone know how to use the `config-map` option in the Pulumi GitHub action? I'm having trouble injecting secrets into it to create a new stack to access Azure with a `clientId` and `clientSecret` in the config. In my action I have a YAML string similar to the following (I've shortened it a lot here):
```yaml
config-map: "{azure-native:location: {value: westeurope, secret: false}, azure-native:clientSecret: {value: ${{ secrets.AZURE_DETAILS.clientSecret }}, secret: true}, azure-native:tenantId: {value: my-guid, secret: false}}"
env:
  PULUMI_ACCESS_TOKEN: ${{ secrets.PULUMI_ACCESS_TOKEN }}
  ARM_CLIENT_ID: ${{ secrets.AZURE_DETAILS.clientId }}
  ARM_CLIENT_SECRET: ${{ secrets.AZURE_DETAILS.clientSecret }}
  ARM_TENANT_ID: ${{ secrets.AZURE_DETAILS.tenantId }}
  ARM_SUBSCRIPTION_ID: ${{ secrets.AZURE_DETAILS.subscriptionId }}
```
But I receive an error when the Pulumi step runs, suggesting I've used the wrong `clientSecret`:
```text
azure-native:resources:ResourceGroup rg-myrg- creating (0s) error: azure.BearerAuthorizer#WithAuthorization: Failed to refresh the Token for request to <https://management.azure.com/subscriptions/my-subscription-id-guid/resourcegroups/rg-rg-myrg-a8fcf880?api-version=2019-05-01>: StatusCode=401 -- Original Error: adal: Refresh request failed. Status Code = '401'. Response body: ***"error":"invalid_client","error_description":"AADSTS7000215: Invalid client secret provided. Ensure the secret being sent in the request is the client secret value, not the client secret ID, for a secret added to app 'my-app-guid'.\r\nTrace ID: 8d13de75-afd6-492a-8c0a-aea6ed140801\r\nCorrelation ID: b8fd878d-cbc3-46cf-a1ac-24607590db62\r\nTimestamp: 2023-01-04 11:22:21Z","error_codes":[7000215],"timestamp":"2023-01-04 11:22:21Z","trace_id":"8d13de75-afd6-492a-8c0a-aea6ed140801","correlation_id":"b8fd878d-cbc3-46cf-a1ac-24607590db62","error_uri":"<https://login.microsoftonline.com/error?code=7000215>"*** Endpoint <https://login.microsoftonline.com/my-tenant-id-guid/oauth2/token?api-version=1.0>
```
If I run the action without `config-map` and just target an existing stack, I can update and destroy the stack just fine. The credentials I'm using are the same in the config and in the `env`; they come from the same GitHub secret. It seems that GitHub secrets are not injected properly into the `config-map` YAML string using the syntax I am. Though no syntax is shown in the description, and I can't find any examples.

echoing-dinner-19531

01/04/2023, 11:56 AM
That looks reasonable. Have you tested that the config works locally (I'm not sure of the exact names for azure-native configuration myself)? Might also be worth having a dummy step beforehand that sets an envvar with the same config-map string and checks that it prints the string correctly (assuming this is a locked-down repo that other people can't just look at the GHA logs for).

acoustic-dress-83560

01/04/2023, 12:09 PM
Hey Fraser. Thanks for your response! I can confirm it works locally; we have the secret set to the same credentials we use locally. As for printing it, GitHub Actions seems very good at catching my own stupidity, so I can't seem to display a secret! I've just tried storing the secret as an envvar in the Pulumi step, then referencing that in the `config-map` string, which "seems" to get me a little further. I'm going to play around a bit more with it after lunch and will update on here!

echoing-dinner-19531

01/04/2023, 12:26 PM
Might just need some quote chars added; dunno if GitHub would expand `${{ secrets.AZURE_DETAILS.clientSecret }}` to `"secret"` or just `secret`, and you'd need the former if it's in JSON style.

acoustic-dress-83560

01/04/2023, 1:13 PM
Good point, I will test that too.
Well, I think I've gotten rid of the error message about the wrong client secret. But now it's warning that I'm not logged in via the Azure CLI:
```text
Diagnostics:
    azure-native:resources:ResourceGroup (rg-myrg-):
      error: obtain subscription() from Azure CLI: parsing json result from the Azure CLI: waiting for the Azure CLI: exit status 1: ERROR: Please run 'az login' to setup account.
```

echoing-dinner-19531

01/04/2023, 3:36 PM
We're not doing anything odd GitHub Actions-wise with this; it's just using the GHA SDK to get the action input: https://github.com/pulumi/actions/blob/master/src/config.ts#LL71

acoustic-dress-83560

01/04/2023, 4:09 PM
Yeah, that makes sense. I've found the issue now. I had a structured secret which contained the credentials to access the Azure CLI. GitHub docs say not to do this... Anyway, after changing that, it's happy. I will make a final comment on this thread and the following link to explain what I did to get this working: https://github.com/pulumi/actions/issues/716 I also have another issue now 🤦 but it's unrelated to this, so I'll put that back in general. Thanks for your time Fraser!
If anyone else is wondering how you format larger configs including GitHub secrets, here's how I did it for Azure:
```yaml
- name: Deploy with pulumi
  uses: pulumi/actions@v3
  with:
    command: preview
    stack-name: dev
    work-dir: infra
    config-map: "{
      azure-native:clientId: {value: '${{ secrets.AZURE_DETAILS_CLIENT_ID }}', secret: false},
      azure-native:clientSecret: {value: '${{ secrets.AZURE_DETAILS_CLIENT_SECRET }}', secret: true},
      azure-native:location: {value: 'westeurope', secret: false},
      azure-native:subscriptionId: {value: '${{ secrets.AZURE_DETAILS_SUBSCRIPTION_ID }}', secret: false},
      azure-native:tenantId: {value: '${{ secrets.AZURE_DETAILS_TENANT_ID }}', secret: false},
      environment:size: {value: 'xs', secret: false},
      environment:type: {value: 'testing', secret: false}
      }"
```
You can use multi-line double-quoted strings to make it easier on the eyes. When expanding GitHub variables, wrap them in single quotes.