Tags: azure-devops, azure-pipelines, pulumi

Azure DevOps pipeline for Pulumi when using Azure blob storage as backend


Instead of using the Pulumi service (managed) backend, I am using an Azure blob container as the stack state backend. According to the documentation, the Pulumi CLI expects the AZURE_STORAGE_KEY (or AZURE_STORAGE_SAS_TOKEN) environment variable in the pipeline agent.

When the account key is provided as a pipeline variable, it works. But when the account key is stored in KeyVault as a secret, it does not.

What I did:

Account key in KeyVault as secret
→ (pipeline variable group) Link secrets from an Azure key vault as variables
→ → (Pipeline variables) Link variable group
→ → → Make account key available to Pulumi CLI (in pipeline agent) as environment variable

The problem:

  • A KeyVault secret name cannot contain '_'
  • The secret name for the account key is AZURE-STORAGE-KEY (not AZURE_STORAGE_KEY, since a secret name cannot contain '_')
  • Environment variable in pipeline agent becomes AZURE-STORAGE-KEY

So, the problem is obvious: environment variable name mismatch → Pulumi CLI is not getting what it expects (AZURE_STORAGE_KEY).

FYI,

  • I am using "classic editor" and "Pulumi Azure Pipelines Task"
  • I tried creating a pipeline variable with "Name: azure.storage.key, Value: $(AZURE-STORAGE-KEY)", hoping that this variable's value would be set from the KeyVault secret since the secrets are linked to the variable group → did not work
  • Tried to set the environment variable in a PowerShell task ($env:AZURE_STORAGE_KEY = "$(AZURE-STORAGE-KEY)"); note that this PowerShell task runs before the "Pulumi Azure Pipelines Task" → did not work
  • The Pulumi documentation (Pulumi Task Extension for Azure Pipelines) and another StackOverflow question (Pulumi Azure Pipeline task) did not help

How can this problem be solved?
Is there any better approach (providing the account key to the Pulumi CLI in the pipeline agent securely)?
Is there any way to achieve this if YAML (azure-pipelines.yml) is used? How? (Any workaround or hint would also help.)


Solution

  • I was able to solve the problem:

    • As mentioned in my question, the KeyVault secrets are linked to a variable group
    • The variable group is linked to the pipeline variables (so the KeyVault secrets are now available as pipeline variables)
    • According to the Microsoft documentation, secret-type variables are not injected into the task automatically
    • Used the task's env mapping to inject the environment variables that the Pulumi CLI expects, by interpolating the pipeline variables

    azure-pipelines.yml

    pool:
      vmImage: 'ubuntu-latest'

    variables:
    - group: "pulumi-demo-vg"

    jobs:
    - job: PulumiUpJob
      displayName: Pulumi Up Stack Deployment Job
      steps:
      - task: Pulumi@1
        inputs:
          azureSubscription: 'pulumi-demo-sc' # sc -> Service Connection
          command: 'up'
          loginArgs: 'azblob://pulumi-backend-container'
          args: '--yes'
          stack: 'dev'
        env:
          # Left-hand side: the names the Pulumi CLI reads.
          # Right-hand side: the Key Vault-backed pipeline variables (hyphenated names).
          AZURE_STORAGE_ACCOUNT: "xxxsa"
          AZURE_STORAGE_KEY: $(AZURE-STORAGE-KEY)
          AZURE_CLIENT_ID: $(AZURE-CLIENT-ID)
          AZURE_CLIENT_SECRET: $(AZURE-CLIENT-SECRET)
          AZURE_TENANT_ID: $(AZURE-TENANT-ID)
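As an added example (not part of the question or the answer above): a small POSIX shell pre-flight check, meant for a script step placed just before the Pulumi task, that fails early, without printing any secret value, when the variables the Pulumi CLI reads are missing or still contain an unexpanded $(...) macro, which is what Azure DevOps leaves behind when a variable is not available to the task. The function names and the PULUMI_ENV_CHECK argument are my own.

```shell
# Returns 0 when VALUE looks like a real, expanded setting; 1 otherwise.
# NAME appears only in the diagnostic; VALUE itself is never printed.
check_expanded() {
  name=$1
  value=$2
  case "$value" in
    '')
      echo "$name: empty or not set" >&2
      return 1 ;;
    '$('*')')
      # Azure DevOps leaves $(NAME) literally in place when NAME is not
      # available to the task, e.g. a Key Vault secret that was not mapped.
      echo "$name: contains an unexpanded \$(...) macro" >&2
      return 1 ;;
  esac
  return 0
}

# Pre-flight check for the azblob:// backend. Succeeds only if the storage
# account name is set and either a key or a SAS token was actually expanded.
pulumi_azblob_env_check() {
  failed=0
  check_expanded AZURE_STORAGE_ACCOUNT "${AZURE_STORAGE_ACCOUNT:-}" || failed=1
  if ! check_expanded AZURE_STORAGE_KEY "${AZURE_STORAGE_KEY:-}" 2>/dev/null \
     && ! check_expanded AZURE_STORAGE_SAS_TOKEN "${AZURE_STORAGE_SAS_TOKEN:-}" 2>/dev/null
  then
    echo "need AZURE_STORAGE_KEY or AZURE_STORAGE_SAS_TOKEN" >&2
    failed=1
  fi
  return "$failed"
}

# Invoked as "sh check.sh run" from the pipeline step: fail the step on a bad
# environment so the Pulumi task never starts with a broken backend login.
if [ "${1:-}" = "run" ]; then
  pulumi_azblob_env_check || exit 1
fi
```

The same env mapping used on the Pulumi@1 task must be applied to this script step, otherwise the check sees the un-mapped environment and fails by design.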