You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
We use Pulumi with Python to deploy our infrastructure in Azure. Unfortunately, there are cases where we have to temporarily create resources only for the purpose of making the deployment succeed. We'd like to clean those up afterwards automatically but we're wondering how exactly. Does Pulumi provide a primitive here to create resources only temporarily? In other words, they should be cleaned up automatically at the end of the deployment and not make it into the Pulumi state.
To give an example, we create a pulumi_azure_native.keyvault.Vault with enable_rbac_authorization=True and afterwards store certain secrets in it. However, in order for our Azure DevOps' deployment pipeline's service principal to be allowed to write to the key vault it just created, we first have to authorize it by creating an appropriate pulumi_azure_native.authorization.RoleAssignment. This has a number of unfortunate implications:
We either have to hard-code our pipeline's service principal ID or we could try to dynamically determine the security principal that's currently being used by Pulumi.
In the former case (hard-coding):
pulumi up will only succeed when actually run from within our pipeline. Running pulumi up locally will fail due to lack in permissions.
Running pulumi preview locally works as expected.
In the latter case (determining the security principal dynamically):
pulumi up can be run from both within our pipeline, and locally. However, the role assignment will be reflected in the state, i.e. the state will depend on who executed pulumi up last.
Running pulumi preview locally will indicate that the role assignment created by the pipeline would be deleted, and that a new one (for the local user) would be created. Clearly, this can lead to confusion, especially in cases where you have not made any changes to your code at all and therefore expect zero infrastructure changes.
Again, it would be great if Pulumi could provide a corresponding primitive here to not commit the role assignment to the state. Alternatively, pulumi_azure_native could of course create temporary role assignments under the hood when writing to a key vault, without committing them to the state; however I could imagine there are more cases like this, so a more general solution might be useful.
reacted with thumbs up emoji reacted with thumbs down emoji reacted with laugh emoji reacted with hooray emoji reacted with confused emoji reacted with heart emoji reacted with rocket emoji reacted with eyes emoji
Uh oh!
There was an error while loading. Please reload this page.
Uh oh!
There was an error while loading. Please reload this page.
-
We use Pulumi with Python to deploy our infrastructure in Azure. Unfortunately, there are cases where we have to temporarily create resources only for the purpose of making the deployment succeed. We'd like to clean those up afterwards automatically but we're wondering how exactly. Does Pulumi provide a primitive here to create resources only temporarily? In other words, they should be cleaned up automatically at the end of the deployment and not make it into the Pulumi state.
To give an example, we create a
pulumi_azure_native.keyvault.Vaultwithenable_rbac_authorization=Trueand afterwards store certain secrets in it. However, in order for our Azure DevOps' deployment pipeline's service principal to be allowed to write to the key vault it just created, we first have to authorize it by creating an appropriatepulumi_azure_native.authorization.RoleAssignment. This has a number of unfortunate implications:pulumi upwill only succeed when actually run from within our pipeline. Runningpulumi uplocally will fail due to lack in permissions.pulumi previewlocally works as expected.pulumi upcan be run from both within our pipeline, and locally. However, the role assignment will be reflected in the state, i.e. the state will depend on who executedpulumi uplast.pulumi previewlocally will indicate that the role assignment created by the pipeline would be deleted, and that a new one (for the local user) would be created. Clearly, this can lead to confusion, especially in cases where you have not made any changes to your code at all and therefore expect zero infrastructure changes.Again, it would be great if Pulumi could provide a corresponding primitive here to not commit the role assignment to the state. Alternatively,
pulumi_azure_nativecould of course create temporary role assignments under the hood when writing to a key vault, without committing them to the state; however I could imagine there are more cases like this, so a more general solution might be useful.Related tickets:
Beta Was this translation helpful? Give feedback.
All reactions