This repository has been archived by the owner on Mar 11, 2021. It is now read-only.

Accessing Identity output #115

Closed
jkonecki-techfabric opened this issue Nov 6, 2020 · 15 comments · Fixed by pulumi/pulumi-azure-native#408 or pulumi/pulumi-azure-native#478
Labels
1.0 Track for 1.0 release bug Something isn't working impact/usability

Comments

@jkonecki-techfabric

I'm trying to create a new VM ScaleSet with a system-assigned identity and then create a KeyVault access policy for this identity:

var scaleSet = new VirtualMachineScaleSet($"{tenant}-orleans-scaleset-{environment}", new VirtualMachineScaleSetArgs
{
	Identity = new VirtualMachineScaleSetIdentityArgs
	{
		Type = "SystemAssigned"
	}                
});

new AccessPolicy($"{tenant}-orleans-scaleset-{environment}", new AccessPolicyArgs
{
	KeyVaultId = keyVault.VaultId,
	ObjectId = scaleSet.Identity.Apply(x => x.PrincipalId),
	TenantId = scaleSet.Identity.Apply(x => x.TenantId),
	KeyPermissions = new[] { "get", "list" },
	SecretPermissions = new[] { "get", "list" }
});

When running pulumi up I'm getting the following error:

  azure:keyvault:AccessPolicy (vrm-orleans-scaleset-dev):
    error: azure:keyvault/accessPolicy:AccessPolicy resource 'vrm-orleans-scaleset-dev' has a problem: Missing required property 'tenantId'
    error: azure:keyvault/accessPolicy:AccessPolicy resource 'vrm-orleans-scaleset-dev' has a problem: Missing required property 'objectId'

Am I using Output.Apply correctly?

@mikhailshilkov
Member

Your Apply usage looks good.

  1. Do I understand correctly that AccessPolicy is from Pulumi.Azure? (if so, I'll probably move the issue to that repo)
  2. This sounds like this issue which was recently fixed. Which provider version are you using?

@jkonecki-techfabric
Author

jkonecki-techfabric commented Nov 6, 2020 via email

@mikhailshilkov
Member

mikhailshilkov commented Nov 6, 2020

Yes, it might be related. The issue I mentioned above was fixed for output flow for the Azure provider. I guess something is still missing for Azure NextGen. You can work around the issue with this:

    ObjectId = scaleSet.Identity.Apply(x => x.PrincipalId ?? Guid.Empty.ToString()),
    TenantId = scaleSet.Identity.Apply(x => x.TenantId ?? Guid.Empty.ToString()),

@mikhailshilkov mikhailshilkov added bug Something isn't working impact/usability 1.0 Track for 1.0 release labels Nov 6, 2020
@jkonecki-techfabric
Author

jkonecki-techfabric commented Nov 6, 2020 via email

@mikhailshilkov
Member

@jkonecki-techfabric Which Pulumi.Azure version are you using?

@scp-mb

scp-mb commented Nov 10, 2020

It doesn't seem pulumi/pulumi-azure#192 has fixed the issue completely; I'm seeing a very similar issue when trying to create a new AppService using a managed identity and applying PrincipalId to an instance of Pulumi.Azure.Authorization.Assignment.

new Pulumi.Azure.Authorization.Assignment("<redacted>",
    new Pulumi.Azure.Authorization.AssignmentArgs
    {
        PrincipalId = appService.Identity.Apply(x => x.PrincipalId),
        Scope = ResourceGroup.Id,
        RoleDefinitionName = "Contributor"
    });

error: azure:authorization/assignment:Assignment resource 'redacted' has a problem: Missing required property 'principalId'

This is with Pulumi 2.13.2 and Pulumi.Azure v3.30.0

Edit: I've just realised this is the nextgen provider repo, whereas I'm using the regular provider. The issue seems to be the same however.

@jkonecki-techfabric
Author

@mikhailshilkov 3.28.0

@mikhailshilkov
Member

@scp-mb Could you add a repro to pulumi/pulumi-azure#192? Maybe we should reopen it.

@mikhailshilkov
Member

I reopened pulumi/pulumi-azure#192; let's track it there.

@andrewdmoreno

Encountered this issue also with AccessPolicy from Pulumi.AzureNextGen while attempting to get identity from WebApp and WebAppSlot, also from Pulumi.AzureNextGen.

The following workaround recommended above worked.

app.Identity.Apply(i => i?.PrincipalId ?? Guid.Empty.ToString())
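A post-deployment check for the `?? Guid.Empty.ToString()` workaround used in this thread, as an added example that is not part of the thread or of Pulumi's code: it parses the `properties.accessPolicies` array of an `az keyvault show` result (the sample JSON and principal IDs below are constructed) and flags entries whose objectId is still the all-zero placeholder, is not an expected principal, or grants more than get/list on secrets.

```python
import json
import uuid

# Constructed sample of a Key Vault as returned by `az keyvault show`
# (only the fields the check reads; the GUIDs are made up).
SAMPLE_VAULT_JSON = json.dumps({
    "name": "vault",
    "properties": {
        "tenantId": "11111111-1111-1111-1111-111111111111",
        "accessPolicies": [
            {"objectId": "aaaaaaaa-0000-0000-0000-000000000001",
             "tenantId": "11111111-1111-1111-1111-111111111111",
             "permissions": {"secrets": ["get", "list"]}},
            {"objectId": "00000000-0000-0000-0000-000000000000",
             "tenantId": "11111111-1111-1111-1111-111111111111",
             "permissions": {"secrets": ["get", "list"]}},
            {"objectId": "bbbbbbbb-0000-0000-0000-000000000002",
             "tenantId": "11111111-1111-1111-1111-111111111111",
             "permissions": {"secrets": ["get", "list", "set"]}},
        ],
    },
})

# The value that Guid.Empty.ToString() produces in the C# workaround.
EMPTY_GUID = str(uuid.UUID(int=0))


def audit_access_policies(vault_json, expected_object_ids):
    """Return (index, objectId, reason) findings for access policies that
    reference the placeholder GUID, an unexpected principal, or grant
    secret permissions beyond read-only get/list."""
    vault = json.loads(vault_json)
    findings = []
    for idx, entry in enumerate(vault["properties"]["accessPolicies"]):
        object_id = entry.get("objectId")
        if object_id is None or object_id == EMPTY_GUID:
            findings.append((idx, object_id, "placeholder or missing objectId"))
            continue
        if object_id not in expected_object_ids:
            findings.append((idx, object_id, "objectId not among expected principals"))
        extra = set(entry.get("permissions", {}).get("secrets", [])) - {"get", "list"}
        if extra:
            findings.append((idx, object_id, "extra secret permissions: " + ",".join(sorted(extra))))
    return findings


if __name__ == "__main__":
    known = {"aaaaaaaa-0000-0000-0000-000000000001", "bbbbbbbb-0000-0000-0000-000000000002"}
    for finding in audit_access_policies(SAMPLE_VAULT_JSON, known):
        print(finding)
```

The same function can be fed the real output of `az keyvault show --name <vault> --query properties` piped to a file, with the expected set taken from the identities' principal IDs in the Pulumi stack outputs.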

@mikhailshilkov
Member

@andrewdmoreno I closed this 10 seconds before your comment :)

Could you add your code snippet here?

@andrewdmoreno

@mikhailshilkov Just want to confirm I'm understanding you correctly: Are you asking me to post the above comment in pulumi/pulumi-azure#192? Or were you wanting me to provide more info here re: Pulumi.AzureNextGen?

@andrewdmoreno

I'm gonna assume in the meantime that you wanted an additional code snippet for Pulumi.AzureNextGen here. (Some code omitted for brevity.)

            var app = new WebApp("api", new WebAppArgs
            {
                Name = ResourceName("api"),
                Location = _location,
                ResourceGroupName = _resourceGroup,
                ServerFarmId = plan.Id,
                ClientAffinityEnabled = false,
                Identity = ManagedIdentity(),
                SiteConfig = siteConfigArgs,
                Tags = Tags
            });

            var accessPolicies = new InputList<AccessPolicyEntryArgs>
            {
                DefaultSecretsAccessPolicy(servicePrincipalId),
                DefaultSecretsAccessPolicy(app.Identity.Apply(i => i?.PrincipalId ?? Guid.Empty.ToString())),
                DefaultSecretsAccessPolicy(slot.Identity.Apply(i => i?.PrincipalId ?? Guid.Empty.ToString()))
            };

            var vault = CreateKeyVault(accessPolicies);

        ...

        private Vault CreateKeyVault(InputList<AccessPolicyEntryArgs> accessPolicies)
        {
            return new Vault("vault", new VaultArgs
            {
                ResourceGroupName = _resourceGroup,
                Location = _location,
                Properties = new VaultPropertiesArgs
                {
                    Sku = new SkuArgs
                    {
                        Family = "A",
                        Name = "standard",
                    },
                    TenantId = _azureAdTenantId,
                    AccessPolicies = accessPolicies
                },
                VaultName = _keyVaultName
            });
        }

        private AccessPolicyEntryArgs DefaultSecretsAccessPolicy(Input<string> objectId) => new AccessPolicyEntryArgs
        {
            ObjectId = objectId,
            Permissions = new PermissionsArgs
            {
                Secrets = _secretPermissions,
            },
            TenantId = _azureAdTenantId,
        };

I don't have the exact error message this moment, but it was complaining about the access policies with index [1] and [2] in the accessPolicies list.

@mikhailshilkov
Member

The fix will be released in version 0.3.2

@mikhailshilkov
Member

While this error doesn't happen during the initial preview, it does happen during an update. For instance, if WebApp in the example above changes, I get an error azure-nextgen:keyvault/latest:Vault resource 'vault' has a problem: missing required property 'properties.accessPolicies[0].objectId'
