0

Instead of using Pulumi service (managed) backend, I am using Azure blob container as stack state backend. According to the documentation, Pulumi CLI would expect AZURE_STORAGE_KEY (or AZURE_STORAGE_SAS_TOKEN) environment variable in the Pipeline Agent.

When account key is provided as pipeline variable, it's working. But when account key is stored in KeyVault as secret, it's not working.

What I did:

Account key in KayVault as secret
→ (pipeline variable group) Link secrets from an Azure key vault as variables
→ → (Pipeline variables) Link variable group
→ → → Make account key available to Pulumi CLI (in pipeline agent) as environment variable

The problem:

  • KeyVault secret name can not contain '_'
  • Secret name for account key is AZURE-STORAGE-KEY (not AZURE_STORAGE_KEY since secret name can not contain '_')
  • Environment variable in pipeline agent becomes AZURE-STORAGE-KEY

So, the problem is obvious: environment variable name mismatch → Pulumi CLI is not getting what it expects (AZURE_STORAGE_KEY).

FYI,

  • I am using "classic editor" and "Pulumi Azure Pipelines Task"
  • I tried creating a pipeline variable with "Name: azure.storage.key, Value: $(AZURE-STORAGE-KEY)", hoping that this variable value will be set from KeyVault secret since secrets are linked to variable group → did not working
  • Tried to set environment variable in a PowerShell task ($env:AZURE_STORAGE_KEY = "$(AZURE-STORAGE-KEY)") mentioned that this PowerShell task is in front of "Pulumi Azure Pipelines Task" → did not work
  • Pulumi documentation Pulumi Task Extension for Azure Pipelines and Other StackOverflow question Pulumi Azure Pipeline task did not help

How to solve this problem?
Is there any better approach? (providing account key to Pulumi CLI in pipeline agent securely).
Is there any way to achieve this if YAML (azure-pipelines.yml) is used? how? (Any work around or hint would also help)

MD TAREQ HASSAN
  • 1,188
  • 20
  • 46

2 Answers2

0

You need to set the variable using a different powershell task:

echo ##vso[task.setvariable variable=AZURE_STORAGE_KEY;]$(AZURE-STORAGE-KEY)
jaxxstorm
  • 12,422
  • 5
  • 57
  • 67
  • Did not work -> `##[error]Pulumi CLI login command failed. error: problem logging in: unable to open bucket azblob://pulumi-backend-container: open bucket azblob://pulumi-backend-container: invalid credentials` – MD TAREQ HASSAN Oct 21 '21 at 17:00
  • If you print the variable, does it record it correctly with the correct key? – jaxxstorm Oct 21 '21 at 17:06
  • Created 2 PowerShell Script Tasks : Task 1 doing what you mentioned in your answer, Task 2 `Write-Host "$(AZURE_STORAGE_KEY)"`. Getting error from Task 1 -> `Cannot process command because of one or more missing | mandatory parameters: InputObject. ` – MD TAREQ HASSAN Oct 21 '21 at 17:14
  • Forgot to mention, using "Target script type: Inline" for both PowerShell tasks, don't know if "Target script type: File Path" would make any difference – MD TAREQ HASSAN Oct 21 '21 at 17:18
0

I was able to solve the problem :

  • As mentioned in my question, KeyVault secrets are linked to variable group
  • Variable group is linked to pipeline variables (so now KeyVault secrets are available as pipeline variables)
  • According to Microsoft documentation, secret type variables are not injected into the task automatically
  • Used env for task to inject environment variables (that are expected by Pulumi CLI) by interpolating pipeline variables

azure-pipelines.yml

pool:
  vmImage: 'ubuntu-latest'

variables:
- group: "pulumi-demo-vg"

job: PulumiUpJob
displayName: Pulumi Up Stack Deployment Job
steps:
- task: Pulumi@1
  inputs:
    azureSubscription: 'pulumi-demo-sc' # sc -> Service Connection
    command: 'up'
    loginArgs: 'azblob://pulumi-backend-container'
    args: '--yes'
    stack: 'dev'
  env:
    AZURE_STORAGE_ACCOUNT: "xxxsa"
    AZURE_STORAGE_KEY: $(AZURE-STORAGE-KEY)
    AZURE_CLIENT_ID: $(AZURE-CLIENT-ID)
    AZURE_CLIENT_SECRET: $(AZURE-CLIENT-SECRET)
    AZURE_TENANT_ID: $(AZURE-TENANT-ID)
MD TAREQ HASSAN
  • 1,188
  • 20
  • 46