pulumi / pulumi-command

Apache License 2.0

Command gets re-created because of connection spurious diff #447

Open t0yv0 opened 1 month ago

t0yv0 commented 1 month ago

What happened?

I am trying to stage a software installation in one Command and then test the software in another Command; however, the installation command keeps getting re-run because of a spurious diff where connection is getting un-secreted?

anton@anton-mbp-m3> pulumi preview --diff    (cwd: ~/code/pulumi-aws/provider/test-programs/imds-auth/imds-v2)
Previewing update (dev):
  pulumi:pulumi:Stack: (same)
    [urn=urn:pulumi:dev::imds-v2::pulumi:pulumi:Stack::imds-v2-dev]
    +-command:remote:CopyFile: (replace)
        [id=173165c0]
        [urn=urn:pulumi:dev::imds-v2::command:remote:CopyFile::file-copy]
      - connection: [secret]
      + connection: {
          + dialErrorLimit: 10
          + host          : "54.209.228.103"
          + perDialTimeout: 15
          + port          : 22
          + privateKey    : [secret]
          + user          : "ec2-user"
        }
    ~ command:remote:Command: (update)
        [id=install-cmd1a13738b]
        [urn=urn:pulumi:dev::imds-v2::command:remote:Command::install-cmd]
      - connection: [secret]
      + connection: {
          + dialErrorLimit: 10
          + host          : "54.209.228.103"
          + perDialTimeout: 15
          + port          : 22
          + privateKey    : [secret]
          + user          : "ec2-user"
        }
    + command:remote:Command: (create)
        [urn=urn:pulumi:dev::imds-v2::command:remote:Command::init-cmd]
        connection: {
            dialErrorLimit: 10
            host          : "54.209.228.103"
            perDialTimeout: 15
            port          : 22
            privateKey    : [secret]
            user          : "ec2-user"
        }
        create    : "echo \"+++++\"\naws --version\naws s3 ls\necho \"+++++\"\ncd /tmp\nmkdir ./pulumi-state\nexport PULUMI_CONFIG_PASSPHRASE=123456\npulumi stack init dev\npulumi stack select dev\npulumi config set aws:skipMetadataApiCheck false\npulumi config\npulumi preview\n"
    --outputs:--
  + commandOut: output<string>
  + installOut: output<string>
  + instanceId: "i-08fb51d6485d8ec7d"
  + publicIp  : "54.209.228.103"
Resources:
    + 1 to create
    ~ 1 to update
    +-1 to replace
    3 changes. 5 unchanged

Try to run pulumi up twice. Expect no changes on the second run.

Example


name: imds-v2
runtime: yaml
description: Test the ability of pulumi-aws to authenticate on an EC2 instance with IMDSv2 enabled

backend:
  url: file://./pulumi-state

config:
  pulumi:tags:
    value:
      pulumi:template: aws-yaml

variables:
  ec2ami:
    fn::invoke:
      function: aws:ec2:getAmi
      arguments:
        filters:
          - name: name
            values: ["amzn2-ami-hvm-*-x86_64-*"]
        owners:
          - amazon
        mostRecent: true
      return: id

resources:

  segroup:
    type: aws:ec2:SecurityGroup
    properties:
      ingress:
        - protocol: tcp
          fromPort: 80
          toPort: 80
          cidrBlocks: ["0.0.0.0/0"]
        - protocol: tcp
          fromPort: 22
          toPort: 22
          cidrBlocks: ["0.0.0.0/0"] # SSH open to the whole internet: acceptable only for a throwaway test instance
      egress:
        - fromPort: 0
          toPort: 0
          protocol: '-1'
          cidrBlocks:
            - 0.0.0.0/0
          ipv6CidrBlocks:
            - ::/0
  priv-key:
    type: tls:PrivateKey
    properties:
      algorithm: RSA
      rsaBits: 2048

  key-pair:
    type: aws:ec2/keyPair:KeyPair
    properties:
      publicKey: ${priv-key.publicKeyOpenssh}

  inst:
    type: aws:ec2/instance:Instance
    properties:
      ami: ${ec2ami}
      instanceType: t2.medium
      keyName: ${key-pair.keyName}
      metadataOptions:
        httpTokens: required
        httpEndpoint: enabled
        httpPutResponseHopLimit: 1
      vpcSecurityGroupIds:
        - ${segroup}
      userData: |
        #!/bin/bash

        # Reconfigure SSHD so the provider can pass its PULUMI_COMMAND_* env vars.
        # Copy the daemon config (sshd_config), not the client config (ssh_config).
        cat /etc/ssh/sshd_config >/tmp/sshd_config
        echo "AcceptEnv PULUMI_COMMAND_STDOUT" >> /tmp/sshd_config
        echo "AcceptEnv PULUMI_COMMAND_STDERR" >> /tmp/sshd_config
        sudo cp /tmp/sshd_config /etc/ssh/sshd_config || echo "FAILED to set sshd_config"
        rm /tmp/sshd_config

        # sudo systemctl restart sshd.service

  file-copy:
    type: command:remote:CopyFile
    properties:
      connection:
        host: ${inst.publicIp}
        user: ec2-user # The default user for Amazon Linux AMI
        privateKey: ${priv-key.privateKeyOpenssh}
      localPath: ./Pulumi.yaml
      remotePath: "/tmp/Pulumi.yaml"

  install-cmd:
    type: command:remote:Command
    properties:
      create: |

        echo "===="

        # Upgrade from AWS CLI v1 to AWS CLI v2
        # -y / -o / --update: this runs over a non-interactive SSH session, so
        # nothing may prompt, and a re-run must not fail on existing files
        sudo yum remove -y awscli
        curl -fsSL "https://awscli.amazonaws.com/awscli-exe-linux-x86_64.zip" -o "awscliv2.zip"
        unzip -o awscliv2.zip
        sudo ./aws/install --update

        echo "====="

        # Install Pulumi
        curl -fsSL https://get.pulumi.com | sh
        export PATH="/home/ec2-user/.pulumi/bin:$PATH"

        echo "======"
        pulumi version
        echo "======"
        aws --version
        echo "======"
      connection:
        host: ${inst.publicIp}
        user: ec2-user # The default user for Amazon Linux AMI
        privateKey: ${priv-key.privateKeyOpenssh}
    options:
      dependsOn:
        - ${file-copy}

  init-cmd:
    type: command:remote:Command
    properties:
      create: |
        # Fresh SSH session: the PATH export from install-cmd does not carry over
        export PATH="/home/ec2-user/.pulumi/bin:$PATH"
        echo "+++++"
        aws --version
        aws s3 ls
        echo "+++++"
        cd /tmp
        mkdir -p ./pulumi-state
        # Test-only passphrase for the local file backend
        export PULUMI_CONFIG_PASSPHRASE=123456
        pulumi stack init dev
        pulumi stack select dev
        pulumi config set aws:skipMetadataApiCheck false
        pulumi config
        pulumi preview
      # SSH connection details to the remote machine
      connection:
        host: ${inst.publicIp}
        user: ec2-user # The default user for Amazon Linux AMI
        privateKey: ${priv-key.privateKeyOpenssh}
    options:
      dependsOn:
        - ${install-cmd}

outputs:
  instanceId: ${inst.id}
  publicIp: ${inst.publicIp}
  installOut: ${install-cmd.stdout}
  commandOut: ${init-cmd.stdout}

Output of pulumi about

CLI          
Version      3.111.1
Go Version   go1.22.1
Go Compiler  gc

Plugins
NAME     VERSION
aws      unknown
command  unknown
tls      unknown
yaml     unknown

Host     
OS       darwin
Version  14.4.1
Arch     arm64

This project is written in yaml

Current Stack: organization/imds-v2/dev

TYPE                                 URN
pulumi:pulumi:Stack                  urn:pulumi:dev::imds-v2::pulumi:pulumi:Stack::imds-v2-dev
pulumi:providers:aws                 urn:pulumi:dev::imds-v2::pulumi:providers:aws::default
pulumi:providers:tls                 urn:pulumi:dev::imds-v2::pulumi:providers:tls::default
tls:index/privateKey:PrivateKey      urn:pulumi:dev::imds-v2::tls:index/privateKey:PrivateKey::priv-key
aws:ec2/keyPair:KeyPair              urn:pulumi:dev::imds-v2::aws:ec2/keyPair:KeyPair::key-pair
aws:ec2/securityGroup:SecurityGroup  urn:pulumi:dev::imds-v2::aws:ec2/securityGroup:SecurityGroup::segroup
aws:ec2/instance:Instance            urn:pulumi:dev::imds-v2::aws:ec2/instance:Instance::inst
pulumi:providers:command             urn:pulumi:dev::imds-v2::pulumi:providers:command::default
command:remote:CopyFile              urn:pulumi:dev::imds-v2::command:remote:CopyFile::file-copy
command:remote:Command               urn:pulumi:dev::imds-v2::command:remote:Command::install-cmd

Found no pending operations associated with dev

Backend        
Name           anton-mbp-m3.local
URL            file://./pulumi-state
User           anton
Organizations  
Token type     personal

No dependencies found

Pulumi locates its logs in /var/folders/gd/3ncjb1lj5ljgk8xl5ssn_gvc0000gn/T/com.apple.shortcuts.mac-helper// by default

Additional context

N/A

Contributing

Vote on this issue by adding a 👍 reaction. To contribute a fix for this issue, leave a comment (and link to your pull request, if you've opened one already).

t0yv0 commented 1 month ago

I can get the behavior I want with ignoreChanges: connection.
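The workaround from the comment above, applied to the program from the issue, as an added example (it is not code from the issue author or from the pulumi-command project). Only the resource options are new; the other resources (priv-key, inst) and the create scripts are assumed to be the ones already shown in the issue.

```yaml
# Added example: suppress the secret/plaintext flip-flop on the `connection`
# input with the `ignoreChanges` resource option. Everything referenced here
# (${inst}, ${priv-key}) is assumed to come from the program in the issue.
resources:

  file-copy:
    type: command:remote:CopyFile
    properties:
      connection:
        host: ${inst.publicIp}
        user: ec2-user
        privateKey: ${priv-key.privateKeyOpenssh}
      localPath: ./Pulumi.yaml
      remotePath: "/tmp/Pulumi.yaml"
    options:
      # Without this, every preview plans a replace of the copy because the
      # stored connection is [secret] and the freshly computed one is not.
      ignoreChanges:
        - connection

  install-cmd:
    type: command:remote:Command
    properties:
      create: |
        # install script from the issue goes here unchanged
        echo "===="
      connection:
        host: ${inst.publicIp}
        user: ec2-user
        privateKey: ${priv-key.privateKeyOpenssh}
    options:
      dependsOn:
        - ${file-copy}
      # Same spurious diff shows up as an update on the Command; ignore it too.
      ignoreChanges:
        - connection

  init-cmd:
    type: command:remote:Command
    properties:
      create: |
        # test script from the issue goes here unchanged
        echo "+++++"
      connection:
        host: ${inst.publicIp}
        user: ec2-user
        privateKey: ${priv-key.privateKeyOpenssh}
    options:
      dependsOn:
        - ${install-cmd}
      ignoreChanges:
        - connection
```

Two practical caveats. First, `ignoreChanges` is a blunt instrument here: the engine keeps the previously recorded value for the ignored property, so a genuine change to `host`, `user` or `privateKey` (for example after the instance or the TLS key is replaced) is also suppressed until the option is removed again; treat it as a stopgap for a stable test host, not a permanent setting. Second, the idempotency expectation stated in the issue ("no changes on the second run") can be turned into a check rather than eyeballed: `pulumi up --yes` followed by `pulumi preview --expect-no-changes`, which exits non-zero if the second preview plans any change.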