Aliasing allows two definitions of the same resource to be applied #11173
Assignees
Labels
area/engine
Pulumi engine
kind/bug
Some behavior is incorrect or out of spec
resolution/fixed
This issue was fixed
Milestone
Comments
sfc-gh-jsirak
added
kind/bug
Frassle
added
area/engine
Frassle
added a commit
that referenced
this issue
Nov 1, 2022
We need to check that for example that if a resource X is created that we don't allow another resource Y to be alias against X. Likewise if our old state has X and we then create Y aliased against X we should not then allow X to be created later in the deployment. Fixes #11173
3 tasks
Frassle
added a commit
that referenced
this issue
Nov 1, 2022
We need to check that for example that if a resource X is created that we don't allow another resource Y to be alias against X. Likewise if our old state has X and we then create Y aliased against X we should not then allow X to be created later in the deployment. Fixes #11173
bors bot
added a commit
that referenced
this issue
Nov 1, 2022
11212: Check for duplicate aliases and plain URNs r=Frassle a=Frassle <!--- Thanks so much for your contribution! If this is your first time contributing, please ensure that you have read the [CONTRIBUTING](https://github.com/pulumi/pulumi/blob/master/CONTRIBUTING.md) documentation. --> # Description <!--- Please include a summary of the change and which issue is fixed. Please also include relevant motivation and context. --> We need to check that for example that if a resource X is created that we don't allow another resource Y to be alias against X. Likewise if our old state has X and we then create Y aliased against X we should not then allow X to be created later in the deployment. Fixes #11173 ## Checklist <!--- Please provide details if the checkbox below is to be left unchecked. --> - [x] I have added tests that prove my fix is effective or that my feature works <!--- User-facing changes require a CHANGELOG entry. --> - [x] I have run `make changelog` and committed the `changelog/pending/<file>` documenting my change <!-- If the change(s) in this PR is a modification of an existing call to the Pulumi Service, then the service should honor older versions of the CLI where this change would not exist. You must then bump the API version in /pkg/backend/httpstate/client/api.go, as well as add it to the service. --> - [ ] Yes, there are changes in this PR that warrants bumping the Pulumi Service API version <!-- `@Pulumi` employees: If yes, you must submit corresponding changes in the service repo. --> Co-authored-by: Fraser Waters <fraser@pulumi.com>
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
What happened?
As part of a refactoring, we attempted to rename all our pulumi resources with a consistent pattern using the Alias feature. Our changes previewed and applied with out an issue, but when we attempted to apply new changes, pulumi failed with
error: post-step event returned an error: failed to verify snapshot: duplicate resource <urn>. As part of the renaming of our pulumi resources, we also have relocated them to a different place in the code, but apparently, we forgot to clean up some of the old resources with the old name. Typically, we would have gotten a duplicate resource error on pulumi preview. However, the use of aliasing seems to have prevented pulumi from erroring on the presence of duplicate resources.Steps to reproduce
The change can be reproduced using a dev vault server:
Pulumi Go code
package main import ( "os" "github.com/pulumi/pulumi-vault/sdk/v5/go/vault" "github.com/pulumi/pulumi/sdk/v3/go/pulumi" ) func main() { pulumi.Run(func(ctx *pulumi.Context) error { vaultAddr := os.Getenv("VAULT_ADDR") token := os.Getenv("VAULT_TOKEN") _, err := vault.NewProvider(ctx, "vault", &vault.ProviderArgs{ Address: pulumi.String(vaultAddr), Token: pulumi.ToSecret(pulumi.String(token)).(pulumi.StringOutput), }) if err != nil { return err } _, err = vault.NewPolicy(ctx, "aws_policy_test", &vault.PolicyArgs{ Name: pulumi.String("test"), Policy: pulumi.String("path \"secret/data/test/*\" {\n capabilities = [\"read\"]\n}\n"), }) if err != nil { return err } return nil }) }pulumi upand create the resourcesPulumi Go code
pulumi upand you will see that there are no changes, but apply it anyway.Pulumi up with no change
pulumi upagain and you will see that there are no changes, but apply it anyway. This will result in error:Pulumi up with no change
Expected Behavior
We expected that pulumi preview would error out because of the duplicate resource definition wether one of the resources is an alias of the other or not.
Actual Behavior
Pulumi instead allowed two definitions of the same resource to be applied, which resulted in breaking the state. Also, because both the preview and apply were successful, we only discovered when trying to make new changes. This broke all our stacks including productions and it required manually deleting the duplicate resources from state in all our pulumi stacks.
Output of
pulumi aboutAdditional context
I have only tested this on vault pulumi resources. It quite likely that this is a larger issue with Alias implementation and not specific to vault resource definitions.
Contributing
Vote on this issue by adding a 👍 reaction.
To contribute a fix for this issue, leave a comment (and link to your pull request, if you've opened one already).
The text was updated successfully, but these errors were encountered: