Open Navigatron opened 1 year ago
I did not consider this at first, but it runs the other way too - the two environments I ran locally now fail to run in CI/CD, as the refresh operation attempts to use az-cli local auth, instead of obeying the MSI environment variables.
Hi @Navigatron. I'm sorry you're having issues here. Refresh should not hang in any circumstance. Until I figure out otherwise, I'm assuming that the hang is an error in this provider.
pulumi refresh
is designed to update each resource you have in state to it's real value in the cloud. It runs these updates against the provider that the resource was created with. pulumi refresh
does not read your program. Since your stacks self-configure to use different auth depending on their environment, you will need to run up->refresh
. pulumi up
will bake your new configuration into the state file. Then pulumi refresh
will use the new state to run the refresh.
Any change to Pulumi's refresh semantics would need to happen in https://github.com/pulumi/pulumi.
@iwahbe , Thanks for the context! It sounds like there are two issues here:
refresh
operation has a hard dependency on the authentication method of the previous up
operation
up
. If it has been a while since the last deployment, we must refresh from wherever the last deployment was from. In a sense, deploying locally locks us out of ci/cd, and deploying in ci/cd locks us out of deploying locally.
What happened?
Our CI/CD pipeline was giving us issues ( diskControllerType and an out-of-bounds that I have yet to file a bug for), so I decided to try and
refresh->preview->up
from my local machine.Our environment variables tell our
Provider
constructor to use MSI in CI/CD, and to not use MSI locally. However, therefresh
operation appears to use the values from the previous deployment. Attempting to authenticate with MSI locally then causes refresh to hang.Relevant entries from
/tmp/.../eventlog.txt
show that the refresh is attempting to use MSI. Event 34 was the last event. The process hung for several minutes before I killed it with ctrl+c. This also requires manually deleting a lockfile from our backing storage.Expected Behavior
I expected Pulumi to use the azure cli to authenticate.
Steps to reproduce
ARM_USE_MSI
,ARM_CLIENT_ID
, andARM_TENANT_ID
environment variablesOutput of
pulumi about
We are using the pulumi automation API. pulumi about does not produce meaningful output.
Additional context
No response
Contributing
Vote on this issue by adding a 👍 reaction. To contribute a fix for this issue, leave a comment (and link to your pull request, if you've opened one already).