
Fail fast to deploy when oidc configuration for azure is not properly configured #972

Open
TechWatching opened this issue Jun 27, 2023 · 2 comments
Labels
area/cicd kind/enhancement Improvements or new features

Comments


What happened?

The pulumi up command took 8 min to fail when running in a GitHub Actions workflow, with the following error:

```
azure-native:resources:ResourceGroup rg-breizhCamp creating (451s) error: autorest/Client#Do: Preparing request failed: StatusCode=0 -- Original Error: clientCredentialsToken: received HTTP status 401 with response: {"error":"unauthorized_client","error_description":"AADSTS70021: No matching federated identity record found for presented assertion. Assertion Issuer: 'https://token.actions.githubusercontent.com/'.
```

Expected Behavior

It should have failed fast by detecting that the OIDC configuration was incorrect.

Steps to reproduce

  • Create a new pulumi project using the azure-typescript template.
  • Run the pulumi up -y command in a GitHub Action:

```yaml
name: infra

on:
  workflow_dispatch:

permissions:
  id-token: write   # required for OIDC auth
  contents: read

jobs:
  provision-infra:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v3

      - name: Install pnpm
        uses: pnpm/action-setup@v2
        with:
          version: latest

      - name: Set node version to 18
        uses: actions/setup-node@v3
        with:
          node-version: 18
          cache: 'pnpm'

      - name: Install dependencies
        run: pnpm install

      - name: Provision infrastructure
        uses: pulumi/[email protected]
        id: pulumi
        with:
          command: up
          stack-name: dev
        env:
          ARM_USE_OIDC: true
          PULUMI_ACCESS_TOKEN: ${{ secrets.PULUMI_ACCESS_TOKEN }}
          ARM_CLIENT_ID: ${{ secrets.ARM_CLIENT_ID }}
          ARM_TENANT_ID: ${{ secrets.ARM_TENANT_ID }}
          ARM_SUBSCRIPTION_ID: ${{ secrets.ARM_SUBSCRIPTION_ID }}
```

Output of pulumi about

```
CLI
Version 3.73.0
Go Version go1.20.5
Go Compiler gc

Plugins
NAME VERSION
azure-native 2.0.0-beta.1
nodejs unknown

Host
OS Microsoft Windows 11 Pro
Version 10.0.22621 Build 22621
Arch x86_64

This project is written in nodejs: executable='C:\Users\alexa\AppData\Local\pnpm\node.exe' version='v18.16.0'

Current Stack: TechWatching/demo/dev

Found no resources associated with dev

Found no pending operations associated with dev
```

Additional context

It took 8 min when running from a GitHub Action.
When running locally it failed quickly.


@TechWatching TechWatching added kind/bug Some behavior is incorrect or out of spec needs-triage Needs attention from the triage team labels Jun 27, 2023
@dixler
Contributor

dixler commented Jun 27, 2023

Hey. First off, thanks for posting these because they really highlight some ways we could do better because this does seem frustrating.

Do you mind providing a repro program? I'm trying to determine if it could be enhanced via the pulumi engine or the azure provider. 🙏

@dixler dixler added kind/enhancement Improvements or new features area/cicd and removed needs-triage Needs attention from the triage team kind/bug Some behavior is incorrect or out of spec labels Jun 27, 2023
@TechWatching
Author

TechWatching commented Jun 28, 2023

Here is the code I used: https://github.com/TechWatching/azure-ready-repository-repro. You can see the logs of the failed attempts in the GitHub Actions section.
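One way to get the fail-fast behaviour the issue asks for today is a preflight step placed before the Pulumi step: exchange the job's GitHub OIDC token for an Azure token once, and stop the job on the AADSTS70021 rejection instead of letting the provider retry for minutes. This is an added example, not code from the issue or from Pulumi; it assumes the same ARM_CLIENT_ID / ARM_TENANT_ID variables the workflow above sets, the runner-provided ACTIONS_ID_TOKEN_REQUEST_URL / ACTIONS_ID_TOKEN_REQUEST_TOKEN (present when id-token: write is granted), and the login.microsoftonline.com v2.0 token endpoint.

```shell
# Preflight OIDC check (added example, not from the issue or Pulumi). Assumes the
# workflow's ARM_CLIENT_ID / ARM_TENANT_ID, the runner's ACTIONS_ID_TOKEN_REQUEST_URL
# and ACTIONS_ID_TOKEN_REQUEST_TOKEN, and the login.microsoftonline.com v2.0 endpoint.
set -eu

# Map an Azure AD token-endpoint response body to a verdict. Returns 0 when a
# token was issued, 1 on the AADSTS70021 "no matching federated identity"
# error from the issue, 2 on any other rejection. Prints one explanatory line.
classify_token_response() {
  body="$1"
  if printf '%s' "$body" | grep -q '"access_token"'; then
    echo "ok: federated credential accepted, safe to run pulumi up"
    return 0
  fi
  if printf '%s' "$body" | grep -q 'AADSTS70021'; then
    echo "fail-fast: app ${ARM_CLIENT_ID:-<client-id>} has no federated credential matching this workflow's issuer/subject"
    return 1
  fi
  echo "fail-fast: token exchange rejected: $body"
  return 2
}

# Ask the runner for the job's OIDC JWT; the audience must match the one set
# on the federated credential (api://AzureADTokenExchange is Azure's default).
github_oidc_jwt() {
  curl -sSf -H "Authorization: bearer $ACTIONS_ID_TOKEN_REQUEST_TOKEN" \
    "${ACTIONS_ID_TOKEN_REQUEST_URL}&audience=api://AzureADTokenExchange" \
    | sed -n 's/.*"value":"\([^"]*\)".*/\1/p'
}

# Exchange the JWT for an ARM token as the provider would; only the body is inspected.
azure_token_response() {
  curl -s -X POST "https://login.microsoftonline.com/${ARM_TENANT_ID}/oauth2/v2.0/token" \
    --data-urlencode "client_id=${ARM_CLIENT_ID}" \
    --data-urlencode "grant_type=client_credentials" \
    --data-urlencode "scope=https://management.azure.com/.default" \
    --data-urlencode "client_assertion_type=urn:ietf:params:oauth:client-assertion-type:jwt-bearer" \
    --data-urlencode "client_assertion=$1"
}

preflight_oidc() {
  classify_token_response "$(azure_token_response "$(github_oidc_jwt)")"
}

# Only perform the live exchange inside a GitHub Actions job; elsewhere only define.
if [ -n "${ACTIONS_ID_TOKEN_REQUEST_URL:-}" ]; then
  preflight_oidc
fi
```

Run it as a `run:` step just before the Pulumi step; with `set -e` a non-zero return from `classify_token_response` fails the job within seconds instead of after the provider's retries.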
