Pulumi get deployment token for Static Web App

Question

I'm using pulumi with azure-native package to create azure infrastructure. I create Static Web App:

const staticApp = new azureNative.web.StaticSite(
  "test", 
  {
    resourceGroupName: "test-static-site",
    location: location,
    name: getResourceName(projectResources.staticSite)
  });

Later on I want to deploy files to this app using AzureStaticWebApp@0 pipeline task:

  - task: AzureStaticWebApp@0
    displayName: 'Deploy'
    inputs:
      app_location: '/.../build'
      api_location: '/.../api'
      output_location: ''
      skip_app_build: true
      azure_static_web_apps_api_token: '???'

I expect azure_static_web_apps_api_token be a part of pulumi azureNative.web.StaticSite, but it's not there. Is there a way to get this token value from pulumi output?

Why would you not use Pulumi to deploy the contents of this static app? — Piers Karsenbarg, Feb 22 '22 at 09:43
Will it make things easier? Currently we use pulumi for IaC only, all other deployment occurs in separate pipeline using `SqlAzureDacpacDeployment`, `AzureRmWebAppDeployment` and so on. And anyway it's not an option to change approach at this moment. — Mikel, Feb 22 '22 at 10:53

score 0 · Answer 1 · answered Jul 14 '22 at 00:27

If you are creating your azure static site with Pulumi and deploying with another pipeline tech then you need to get the azure deployment token explicitly during your deploy step with azure cli

az staticwebapp secrets list --name MyStaticSiteName -o json

You can find an example (not mine) here https://blog.johnnyreilly.com/2021/12/05/azure-static-web-app-deploy-previews-with-azure-devops#azure-pipelines-tweaks

score 0 · Answer 2 · answered May 17 '23 at 19:11

You can use azureNative.web.listStaticSiteSecretsOutput.
However, you should assert the ressource is created before calling the function.
You can do something like

const staticApp_secrets = staticApp.id.apply(() => // assert staticApp is created
  azureNative.web.listStaticSiteSecretsOutput({
    resourceGroupName: staticApp.ressourceGroupName,
    name: staticApp.name,
  })
);
const deploymentToken = staticApp_secrets.properties.apply((properties) => properties.apiKey);

score -1 · Answer 3 · answered Feb 22 '22 at 16:19

This value is provided by you. It's an input to the task, it needs to be provided to both the Azure DevOps Pipeline and the Azure Static Website resource.

You can see the input properties here

One option you can use is to generate a random secret using Pulumi, export it, and then input this option to your pipeline.

import * as random from "@pulumi/random";

const token = new random.RandomPassword("deploymentToken", {
    length: 10,
})

export const deploymentToken = token.result

const staticApp = new azureNative.web.StaticSite(
  "test", 
  {
    resourceGroupName: "test-static-site",
    location: location,
    name: getResourceName(projectResources.staticSite),
    repositoryToken: deploymentToken
  });

Now you'll need to export this value from the CLI like so:

pulumi stack output deploymentToken --show-secrets

Input this variable into your pipeline using these steps: https://learn.microsoft.com/en-us/azure/static-web-apps/publish-devops#create-the-pipeline-task-in-azure-devops

No, `repositoryToken` is "A user's **github repository** token. This is used to setup the Github Actions workflow file and API secrets." and `azure_static_web_apps_api_token` is deployment token that allow deployment to Static Site. It can be managed via azure portal "Manage deployment token" — Mikel, Feb 24 '22 at 07:12

Pulumi get deployment token for Static Web App

3 Answers3