Closed dcox-at-bgrove closed 9 months ago
Hi @dcox-at-bgrove. I'm sorry to hear that. I tried to reproduce with gcp 7.2.1
against this program:
name: secret-random-yaml
runtime: yaml
variables:
gcp_project: pulumi-development
resources:
redacted-bucket:
type: gcp:storage:Bucket
properties:
labels:
foo: bar
lifecycleRules:
- action:
type: Delete
condition:
age: 3
withState: ANY
forceDestroy: true
location: us-west1
name: redacted-140879
project: ${gcp_project}
publicAccessPrevention: enforced
uniformBucketLevelAccess: true
options:
protect: true
I was unable to trigger the panic. From the stack trace, it looks like this has something to do with labels. Can you provide a less redacted view of the labels you were using?[^1] Are you using default labels at the provider level?
[^1]: I don't think I need the values you are using, just the shape.
redacted-bucket:
type: gcp:storage:Bucket
properties:
labels:
vanta-contains-user-data: false
vanta-description: redacted
vanta-non-prod: ${redacted}
vanta-owner: redacted
purpose: redacted
Thanks @dcox-at-bgrove. I have a repro.
To repro, run pulumi up
with this program. Then switch out the version used (6.55.1
to 7.2.1
) and run pulumi preview
. This will panic.
name: dev-yaml
runtime: yaml
resources:
gcp:
type: pulumi:providers:gcp
properties:
project: pulumi-development
options:
version: 6.55.1
# version: 7.2.1
defaultProvider: true
bucket:
type: gcp:storage:Bucket
properties:
location: US
labels:
bad-bool: true
@dcox-at-bgrove You are passing vanta-contains-user-data: false
to labels
. pulumi-gcp
should convert that false
(of type bool
) into "false"
(of type string
). For some reason, it's missing the conversion and that is causing the panic.
As a work-around, you can replace the bool value with a string value:
- vanta-contains-user-data: false
+ vanta-contains-user-data: "false"
This fixes the panic.
It seems the bug was introduced in https://github.com/pulumi/pulumi-gcp/releases/tag/v7.0.0 - I successfully reproduced the issue there but not in https://github.com/pulumi/pulumi-gcp/releases/tag/v6.67.1
Also as far as I could see, we are passing approximately the same parameters into upstream's SimpleDiff
, both attached here.
new_params.txt
old_params.txt
Looks like something changed on the TF side - as far as I can see we use the same parameters for SimpleDiff
but it now throws an error.
I tried replicating this in a TF program but they don't have the same issue - it seems that bool(true)
was converted to "true"
on TF GCP provider versions as well. They likely have a separate conversion step before passing to the provider.
We have existing code for implicit type conversion of boolean values in the bridge but it looks like it doesn't apply for elements of a map - https://github.com/pulumi/pulumi-terraform-bridge/pull/1557 should fix this.
The downside is that it converts bool(true)
into "true"
while it was previously converted to "1"
, which causes an unnecessary diff when upgrading.
It appears that we have a choice here around how to coalesce boolean values to the expected string type. The canonical mapping (how it usually happens in bridged providers) translates true => "true"
; false => "false"
. We found a bug in the bridge that fails to do it for the code in question. We definitely will fix that. However that introduces another wrinkle. For users of 6.x provider that manifested the true => "1" and false => "0"
translation, this will introduce an observable change that the "1" label will be relabelled as "true".
Wondering here if it is worth it to put some additional logic in the GCP provider, perhaps in PreCheckCallback across all resources that would help with preserving this 6.x behavior for labels specifically, making it the new canonical behavior? Or will be be OK with the slightly breaking change that switches "1" to "true"?
What happened?
We use CircleCI's Pulumi Orb to execute Pulumi in a CI/CD context. The Linux containers used to execute Pulumi start off without Pulumi or its plugins installed. We direct the orb to install Pulumi, then upon
pulumi update
, pulumi itself installs needed resource plugins such asgcp
.For several months, we've been using our Pulumi program to build/update, among other things, instances of
gcp:storage:Bucket
. But with the advent ofgcp
plugin version7.0
around 2023-11-14, our jobs have begun failing in thepulumi update
step:pulumi update --yes --stack redacted --cwd redacted
This still occurs today with
gcp
plugin version 7.2.1.If I install the latest 6.x release of the
gcp
plugin (executepulumi plugin rm resource gcp
thenpulumi plugin install resource gcp 6.67.1
), thenpulumi update
works as before.Example
Ours is a yaml-based Pulumi program. The error appears to be in processing this resource:
Output of
pulumi about
(On my Windows developer machine, on which essentially the same error occurs)
Additional context
No response
Contributing
Vote on this issue by adding a 👍 reaction. To contribute a fix for this issue, leave a comment (and link to your pull request, if you've opened one already).