def get_role_id_by_name(name, scope=""):
config = authorization.get_client_config()
client_token = authorization.get_client_token()
client = AuthorizationManagementClient(TokenCred(client_token.token),
config.subscription_id)
def_pages = client.role_definitions.list(scope,
filter=f'roleName eq {name}')
role = None
for x in def_pages:
role = x.id
break
if role is None:
raise Exception(f'role \'{name}\' not found at scope \'{scope}\'')
return role
import base64
import pulumi
from pulumi import ResourceOptions
from pulumi_azure_native import resources, containerservice, network, authorization
import pulumi_azuread as azuread
from pulumi_kubernetes import Provider
config = pulumi.Config("aks-hello-world")
prefix = config.require("prefix")
password = config.require("password")
ssh_public_key = config.require("sshkey")
location = config.get("location") or "east us"
subscription_id = authorization.get_client_config().subscription_id
# Create Azure AD Application for AKS
app = azuread.Application(f"{prefix}-aks-app",
display_name=f"{prefix}-aks-app")
# Create service principal for the application so AKS can act on behalf of the application
sp = azuread.ServicePrincipal("aks-sp", application_id=app.application_id)
# Create the service principal password
sppwd = azuread.ServicePrincipalPassword("aks-sp-pwd",
service_principal_id=sp.id,
end_date="2099-01-01T00:00:00Z")
rg = resources.ResourceGroup(f"{prefix}-rg", location=location)
vnet = network.VirtualNetwork(f"{prefix}-vnet",
location=rg.location,
resource_group_name=rg.name,
for x in def_pages:
role = x.id
break
if role is None:
raise Exception(f'role \'{name}\' not found at scope \'{scope}\'')
return role
# Create an Azure Resource Group
resource_group = resources.ResourceGroup('resource_group')
# Create a container registry
container_registry = containerregistry.Registry(
'registry',
resource_group_name=resource_group.name,
sku=containerregistry.SkuArgs(name='Basic'),
admin_user_enabled=True)
client_config = authorization.get_client_config()
current_principal = client_config.object_id
roledef = get_role_id_by_name('AcrPull')
authorization.RoleAssignment(
"access-from-cluster",
principal_id=current_principal,
# adjust this if running as user
principal_type=authorization.PrincipalType.SERVICE_PRINCIPAL,
role_definition_id=roledef,
scope=container_registry.id)
"container",
resource_group_name=resource_group.name,
account_name=cosmosdb_account.name,
database_name=db.name,
resource=documentdb.SqlContainerResourceArgs(
id="container",
partition_key=documentdb.ContainerPartitionKeyArgs(
paths=["/myPartitionKey"],
kind="Hash",
)))
account_keys = documentdb.list_database_account_keys_output(
account_name=cosmosdb_account.name,
resource_group_name=resource_group.name)
client_config = pulumi.Output.from_input(authorization.get_client_config())
api_id = pulumi.Output.concat("/subscriptions/", client_config.subscription_id,
"/providers/Microsoft.Web/locations/",
resource_group.location,
"/managedApis/documentdb")
# API Connection to be used in a Logic App
connection = web.Connection(
"connection",
resource_group_name=resource_group.name,
properties=web.ApiConnectionDefinitionPropertiesArgs(
display_name="cosmosdb_connection",
api=web.ApiReferenceArgs(id=api_id, ),
parameter_values={
"databaseAccount": cosmosdb_account.name,