New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Structural resources #918
Comments
We have seen (surprisingly?) relatively few issues related to this in the wild so far - so we'll hold off on making a change here for now. |
I believe I'm hitting this.
target_group = ...
def add_instance(instance):
attachment_id = instance.id.apply(lambda x: x + '_elb_attach')
attachment = lb.TargetGroupAttachment(attachment_id,
port=9200,
target_group_arn=target_group.arn,
target_id=instance.id)
import elb
instance = ec2.Instance(...)
elb.add_instance(instance) Upon doing a preview, I get an error:
Am I doing something wrong or do I need a workaround for this issue? |
I am having the same issue.
I did manage to work around this using:
but I would prefer giving my resources more recognizable names, is there a solution for this? |
While I don't think this is an incredibly uncommon use case, I can understand why the issue isn't encountered as frequently as one would expect. In reality these attachments tend to exist to prevent the the need to recreate the "root" object, like an IAM Role or Security Group. I'm currently in the process of converting a large terraform project to Pulumi, so I've been mostly deleting and recreating my stack from scratch throughout testing the different components. We are very partial to using our resource name pattern, and understand that in many cases we lose the ability to update certain resources without downtime via deleteBeforeCreate, but we are fine with that. I only noticed this issue when I realized a typo in the args passed to my IAM role (deploymentName), which would trigger a name change to the Role, and I tried to run the update on existing infrastructure. Sample Code:
Pulumi Preview Output:
Pulumi Up Output:
So even though I have strongly expressed that the attachment is dependent on the role, and the pulumi engine sees that the resource needs to be updated based on the new role, it consistently attempts to replace the role before deleting the attachments. Throughout my testing I also used Preview Output w/ RolePolicyAttachment
Seeing this I decided to test the behavior of the aws.ec2.SecurityGroup and aws.ec2.SecurityGroupRule resources under the same conditions (all of my security groups are declared ruleless within components, rules are created in index.ts to "glue" everything together) and found the same outcome. If I trigger some change requiring replacement on the security group, it does not know to first delete the security group rules, and an error is thrown by the AWS API. With all that - its not incredibly common to see things like the actual role or security group require replacement when the rules/policies are not declared in line, that's kind of why they're structured that way in the first place. That said - I've worked on projects where existing resource names needed to be updated across the board (typically for some regulatory/governance reason), and as much as it pains me to say it - not every problem can be solved by deleting and recreating a stack. I would expect that pulumi handles all resource dependencies the same, even though attachments have no "hard" resource to link them to, they are still resources in the world of pulumi, no different than an EC2 or RDS instance. |
I found a workaround! I still can't 100% explain how/why it works, but it does. I started breaking down the individual roles and policies, and decided that it would be best to loop through the policy attachments, which required a
pulumi up Output:
|
Fixes #98 The ACL resource is what Pulumi would consider a "structural resource", see: - pulumi/pulumi#918 This kind of resource is not quite correctly handled in the object model, and this interacts poorly with the upstream provider requiring the ACL to exactly match the default for "create" to succeed. It's a reasonable safety precaution of the upstream provider, so it's better to work around that by using a regular resource in the test.
It seems like most resources of this nature are joining two (or more) resources together, which forms a natural primary key so they don't have an additional key. Would it be possible to make the urn for such resources contain all relevant IDs instead? |
Just went down a huge rabbit hole with the related issues to this one today because we realized that some role policy attachments had disappeared from AWS even though they were still in Pulumi. This caused some cascading failures in our Staging environment because a bunch of Fargate tasks could no longer start up since they were missing required permissions |
Would allowing the provider to control URN allocation for the resource fix the issue cleanly (though that could perhaps be difficult to carry out)? Coming here from |
We'd need to have a way of sending the provider just the type and current inputs and for it to tell us the URN, because this would have to be before any state lookup. |
pulumi/pulumi-aws#3166 adds some interesting implications to refresh. Adding BucketVersioningV2 has the side-effect that Bucket is no longer clean with respect to refresh, as its pulumi-tracked state differs from cloud-tracked state once the sidecar resource has been added. This is a bit of a moonshot possibility, but Pulumi providers could map these resources to properties of the main resource (Bucket)? This would make it explicit that not only identity but also lifecycle of these is tied to the owning resource. |
I did have the same thought. Just get rid of all structural resources are map them to properties on other resources. |
pulumi/pulumi-terraform-bridge#1631 Related issue where resources with |
Today, all Pulumi resources are identified by URN. Two resources are different iff they have different URNs, and create/update/deletes are determined based on that.
There are some resources though which do not have any fixed nominal identity in the source provider.
In particular, the AWS provider has several "Attachment" resources, such as
aws.iam.RolePolicyAttachment
. This resource isn't really a resource in AWS, it's just a request to add (during Create) or remove (during Delete) an association between aRole
and aPolicy
.That means that these
RolePolicyAttachment
resources are really "structural" resources. If I already have an association between aRole
and aPolicy
it makes no sense to create a new one - it is only ever associated or not.Worse though, when we allow these resources to have names, it means the name can change, resulting in a create of a new association followed by a delete of the same association. Because both of these operations affect the same association - this results in going from
{A}
to{A}
to{}
(even though the intended result was{A}
). Additional details in pulumi/pulumi-cloud#278.We have tracked this as one of the motivating scenarios for delete-before-create in #450. However, that would lead to downtime with no policy attached, in cases where we really do not intend to make any change.
What feels like the more correct approach is to have a notion of "structural" resources.
A possible sketch of what this would mean:
Critically, the requirement is that the user is not able to name this resource at all for purposes of identity. We can continue to allow them to provide a name which is used purely for display purposes.
The text was updated successfully, but these errors were encountered: