[WIP] azure: add timeout flag to schedule automatic destroy #507
Conversation
anjannath
changed the title
|
|
||
| // get analytics workspace shared key | ||
| shk, err := operationalinsights.GetWorkspaceSharedKeys(ctx, &operationalinsights.GetWorkspaceSharedKeysArgs{ | ||
| ResourceGroupName: rgName, |
There was a problem hiding this comment.
Is this working...I thought I tried something similar in the past... but due to the dependency graph on the pulumi runtime I am not sure that will have a value
this adds the '--timeout' flag to the 'azure <svc> create' commands that schedules a serverless containerapp job on azure that'll destroy the created resources after a delay
when using the '--timeout' flag the backed url needs to be a remote backed store, this moves the pre-existing check used aws to the manager package so its reusable in case of azure
| // add 'Contributor' role to userassigned id to provide permissions to access the resource group | ||
| // _, err = authorization.NewRoleAssignment(ctx, resourcesUtil.GetResourceName(a.prefix, a.componentID, "role-assignment"), | ||
| // &authorization.RoleAssignmentArgs{ | ||
| // PrincipalId: principalID, | ||
| // PrincipalType: pulumi.String(authorization.PrincipalTypeServicePrincipal), | ||
| // RoleDefinitionId: pulumi.String("/providers/Microsoft.Authorization/roleDefinitions/b24988ac-6180-42a0-ab88-20f7382dd24c"), | ||
| // Scope: a.resourceGroup.ID(), | ||
| // }) | ||
| // if err != nil { | ||
| // return err | ||
| // } |
There was a problem hiding this comment.
@adrianriobo to be able to add the Contributor role to the identity, so that the serverless job is able to destroy the resources, the identity used to create the job needs to be able to have the role to edit Authorization roles, which my accound id currently do not have, so this part is not tested yet
There was a problem hiding this comment.
we may need to shift a bit the approach....as I am afraid if any user is not able to create it due to the same issue you are hitting....
What I am thinking of, I think we discussed in the past create the serverless task spec (this can be done on an initial "installation" process which will be managed by an user with admin privileges) and then the timeout will create a trigger for the execution overriding the command args
this adds the '--timeout' flag to the 'azure create' commands that schedules a serverless containerapp job on azure that'll destroy the created resources after a delay