Expose provider config #164
Conversation
|
Hah. Deadlock may be of my doing, I'll dig with you on Monday. I can at least add timeouts to all the places. |
| @@ -152,6 +155,10 @@ func CreateTFFile( | |||
| } | |||
| inputsMap := inputs.MapRepl(nil, locals.decode) | |||
|
|
|||
| for providerName, config := range providerConfig { | |||
| providers[providerName] = config.MapRepl(nil, locals.decode) | |||
There was a problem hiding this comment.
locals.decode here is interesting. It makes one think what happens when first-class secrets are passed in here. I wonder if we already handle all there is to handle or there's some residual issues.
Same for unknowns. Wonder what happens when provider configs are not known.
There was a problem hiding this comment.
When getting the values via CheckConfig, I actually made it such that we don't keep secrets nor unknowns:
config, err := plugin.UnmarshalProperties(req.GetNews(), plugin.MarshalOptions{
KeepUnknowns: false,
KeepSecrets: false,
KeepResources: false,
KeepOutputValues: false,
})There was a problem hiding this comment.
Actually changed this to:
config, err := plugin.UnmarshalProperties(req.GetNews(), plugin.MarshalOptions{
KeepUnknowns: true,
RejectAssets: true,
KeepSecrets: true,
KeepOutputValues: false,
})since tf seems to be able to handle secrets and unknowns but that needs more testing
There was a problem hiding this comment.
Ok so sounds like I need to write test tickets for that.
There was a problem hiding this comment.
#187 not hugely important but listing for completeness.
| } | ||
|
|
||
| if module.ProviderRequirements != nil { | ||
| for providerName := range module.ProviderRequirements.RequiredProviders { |
|
Do you know why we have RegisterComponentResource call in the code under NewModuleComponentResource? I thought we should not have it as the SDK is going to be calling that. |
|
Ah that's a red herring. Looks like the RegisterComponentResource call gets back a URN for us. |
|
Still it looks like deadlock is due to breaking assumptions about the process model. We have: There are two instances of the provider. We expect there to be one. One sec. |
|
#171 perhaps? Gets me past the hang on preview. |
| // | ||
| // { | ||
| // propertyKey("version"): stringProperty("0.1.0"), | ||
| // propertyKey("aws"): stringProperty("{\"region\": \"us-west-2\"}") |
There was a problem hiding this comment.
Can you explain step by step, what's going on here? Are we affected by the JSON encoding again :/
There was a problem hiding this comment.
Are we affected by the JSON encoding again :/
Yes. Config values arrive to the provider JSON-stringified so here we change them back to an object format, if necessary. When they are already an object, we use that shape.
If the value is a string, then it must be a stringified JSON object since the schema for each field specifies a free-form object so it is same to assume.
…tion Amendments to exposing provider configurations PR
| @@ -84,15 +86,28 @@ func NewModuleComponentResource( | |||
| planStore.Forget(urn) | |||
| }() | |||
|
|
|||
| var providerSelfRef pulumi.ProviderResource | |||
| if providerSelfURN != "" { | |||
There was a problem hiding this comment.
Remind me why it's ever empty. Is it only empty in tests? If so can we add a comment to that purpose?
There was a problem hiding this comment.
It is empty if only CheckConfig is called until we can access the URN from Configure. Right now, URN from Configure is not strictly needed and the check here is a workaround for TestSavingModuleState
There was a problem hiding this comment.
OK yeah TestSavingModuleState we might want to remove that, together with an incomplete engine, in favor of just trusting full blown integration tests.
| @@ -242,3 +278,16 @@ func NewModuleComponentResource( | |||
|
|
|||
| return &urn, marshalledOutputs, nil | |||
| } | |||
|
|
|||
| func newProviderSelfReference(ctx *pulumi.Context, urn1 pulumi.URN) pulumi.ProviderResource { | |||
There was a problem hiding this comment.
@Frassle if I could have your 5 min to eyeball this.
We feed the result of this function to pulumi.Provider(newProviderSelfReference(..)). This is a workaround. I tried and tired to find a way to pass URN directly to pulumi.Provider() but could not :/
We could drop to gRPC level of calling RegisterResource to workaround this but that negates benefits of using the SDK.
While this workaround seems to work, you were mentioning that self-identifying a provider instance requires both a self-URN and self-ID, and self-URN by itself is not specific enough.
Ideally something like this maybe would be public?
https://github.com/pulumi/pulumi/blob/68295c45f3f3c8f6aadbd76d141a4dcf4f0a55d2/sdk/go/pulumi/resource.go#L181
I found no way to call it though due to internal constraints.
There was a problem hiding this comment.
It tried extending the struct and overriding ID() and URN() outputs. That worked EXCEPT I cannot seem to ever be able to set this highly private pkg field, not through reflection, not through subtyping, nor can I override getPackage so I am stuck not being able to make it work with the Provider option.
There was a problem hiding this comment.
I guess we could use what we use here, the code as is, and then wrap{prov} with
type wrap struct {
pulumi.ProviderResourceState
id pulumi.ID
}
func (*wrap) ID() pulumi.IDOutput{
return toOutput(pulumi.ID)
}
| @@ -41,6 +41,9 @@ func pulumiSchemaForModule(pargs *ParameterizeArgs, inferredModule *InferredModu | |||
| Name: string(packageName), | |||
| Version: string(pkgVer), | |||
| Types: inferredModule.SupportingTypes, | |||
| Provider: schema.ResourceSpec{ | |||
| InputProperties: inferredModule.ProvidersConfig.Variables, | |||
| KeepUnknowns: true, | ||
| RejectAssets: true, | ||
| KeepSecrets: true, | ||
| KeepOutputValues: false, |
There was a problem hiding this comment.
What this does is rewires first-class outputs to Secret or Computed cases, but it also drops dependencies inherent in first-class outputs. Whether that messes things up for Pulumi or not, I am not sure. We could test this out later on. I'll add a ticket.
| []tfsandbox.TFOutputSpec{}, /*outputs*/ | ||
| inputs, /*inputs*/ | ||
| []tfsandbox.TFOutputSpec{}, /*outputs*/ | ||
| map[string]resource.PropertyMap{}, /*providersConfig*/ |
There was a problem hiding this comment.
This should be a TODO here right? When read executes tofu refresh, it does need to have the provider config?
| // An environment variable that can be set to a path of a directory | ||
| // to which we write the generated Terraform JSON file. | ||
| // mainly used for debugging purposes and being able to see the generated code. | ||
| writeDir := os.Getenv("PULUMI_TERRAFORM_MODULE_WRITE_TF_FILE") |
There was a problem hiding this comment.
This is cool, we can do better though exposing the entire workdir with downloaded tofu modules and all, for debugging purposes I think.
There was a problem hiding this comment.
Ah I see it is handy for testing to just write the TF file nothing else.
There was a problem hiding this comment.
Yeah just for tests 😄
tests/acc_test.go
Outdated
| @@ -338,7 +338,7 @@ func TestTerraformAwsModulesVpcIntoTypeScript(t *testing.T) { | |||
|
|
|||
| func TestS3BucketModSecret(t *testing.T) { | |||
| localProviderBinPath := ensureCompiledProvider(t) | |||
| skipLocalRunsWithoutCreds(t) | |||
| //skipLocalRunsWithoutCreds(t) | |||
There was a problem hiding this comment.
Restore this I think? Did you have trouble with it?
There was a problem hiding this comment.
No trouble, just wanted to run it locally so I removed the line 😄 lemme bring it back
There was a problem hiding this comment.
It would run locally if you have AWS_PROFILE env var set or some such. AWS_REGION.
| }) | ||
| }) | ||
|
|
||
| t.Run("pulumi up", func(t *testing.T) { |
There was a problem hiding this comment.
#186 can backfill in separate change.
| "version": "4.5.0" | ||
| } | ||
| }, | ||
| "provider": { |
There was a problem hiding this comment.
Does this support detecting and emitting alias configuration?
Or do we need a ticket to take care of it later?
There was a problem hiding this comment.
I think we don't need aliases because in my understanding, they are used to define different configurations for the same provider. In Pulumi, you would define another explicit provider with different config if you wanted the same provider with different config
There was a problem hiding this comment.
I don't think that quite squares with what I understand they accomplish. A single module instance m may request several copies of the aws provider, like aws-east and aws-west, etc. If we defined several Pulumi explicit providers we'd have a tough time sending 2+ of them to the same module instance.
|
|
||
| if len(deserialized) > 0 { | ||
| providersConfig[string(propertyKey)] = resource.NewPropertyMapFromMap(deserialized) | ||
| } |
There was a problem hiding this comment.
Missing continue here? I don't think it should fall through to the next case.
There was a problem hiding this comment.
Added the continue so that the final fall through is a hard failure in case we get something we don't understand ✅
| // we might later get a new behaviour where programs no longer send serialized JSON | ||
| // but send the actual object instead | ||
| providersConfig[string(propertyKey)] = serializedConfig.ObjectValue() | ||
| } |
There was a problem hiding this comment.
Let's assert here if we fall through and we failed to parse it, we fail loud that we don't understand the encoding. This would be helpful weeding out some edge cases. I think secrets are encoded funny in JSON config encoding and we will need to tweak this a bit to fix that.
pkg/modprovider/server.go
Outdated
| } | ||
|
|
||
| if serializedConfig.IsObject() { | ||
| // we might later get a new behaviour where programs no longer send serialized JSON |
There was a problem hiding this comment.
We already have this behavior in YAML and Go. This entire section should reference https://github.com/pulumi/home/issues/3705 or some such.
There was a problem hiding this comment.
Added the issue for reference in the code ✅
| value := serializedConfig.StringValue() | ||
| deserialized := map[string]interface{}{} | ||
| if err := json.Unmarshal([]byte(value), &deserialized); err != nil { | ||
| contract.Failf("failed to deserialize provider config into a map: %v", err) |
There was a problem hiding this comment.
So this thinks if it's a string it's always JSON-encoded string. That's probably OK since the type of these values is map<any>.
pkg/modprovider/server.go
Outdated
| func cleanProvidersConfig(config resource.PropertyMap) map[string]resource.PropertyMap { | ||
| providersConfig := make(map[string]resource.PropertyMap) | ||
| for propertyKey, serializedConfig := range config { | ||
| if string(propertyKey) == "version" { |
There was a problem hiding this comment.
I think another one is "pluginDownloadURL" https://github.com/pulumi/pulumi-terraform-bridge/blob/4ee0d00c1d1a3cd3dd1b50b0a5227c816cbac4dd/pkg/tfbridge/provider.go#L712
|
Let's address the small comments like missing continue etc and I've stood up 5 follow up small tickets on various aspects discussed here. #186 is most important of these. |
|
|
|
This PR has been shipped in release v0.0.5. |
Initial idea to expose provider config is first by exposing which providers can be configured: when inferring the schema, we can access
ProviderRequirements.RequiredProvidersand can see which provider is used in the module (e.g.aws).Using this information, we extend the schema of the provider resource to accept a free-form object for every required provider e.g.
aws : mapType(anyType). In TypeScript it looks like this:We keep track of provider configuration in memory via
CheckConfigandConfigurebecauseCheckConfigis not always called duringDelete. Then we match the used explicit provider duringConstruct(...)During construct, we figure out which provider config to use, if any and pass it down to the TF sandbox in the form of
map[string]resource.PropertyMapwhere each entry is a provider config block that has inputs and the module inputs gets a newprovidersfield to reference these config blocks i.e.providers = { "aws" = aws }See generated TF files per operation on the test
TestS3BucketWithExplicitProvider