pulumi / pulumi-nomad

Apache License 2.0
11 stars 2 forks

Imported AclPolicy needs replacement #227

Open cynicaljoy opened 9 months ago

cynicaljoy commented 9 months ago

What happened?

After importing my Nomad AclPolicy into my stack and running a pulumi pre --diff, I noticed it was ending up in a state where it was going to be replaced. I sandboxed this out in a local environment and ran the pulumi up, and it didn't just replace the ACL, it actually destroyed it. Luckily, running a pulumi refresh and pulumi up recreates it and the associated tokens are still intact. But it shouldn't be necessary to jump through those hoops. I'd expect an imported AclPolicy to have no diffs.

  pulumi:pulumi:Stack: (same)
    [urn=urn:pulumi:local::nomad-acls-sandbox::pulumi:pulumi:Stack::nomad-acls-sandbox-local]
    + pulumi:providers:nomad: (create)
        [urn=urn:pulumi:local::nomad-acls-sandbox::pulumi:providers:nomad::nomad-provider]
        address: "http://127.0.0.1:4646"
        version: "2.1.0"
    +-nomad:index/aclPolicy:AclPolicy: (replace) 🔓
        [id=full-access]
        [urn=urn:pulumi:local::nomad-acls-sandbox::nomad:index/aclPolicy:AclPolicy::full-access-policy]
        [provider: urn:pulumi:local::nomad-acls-sandbox::pulumi:providers:nomad::default_2_1_0::7a9b130a-244a-4c30-9c71-c9e41101a25a => urn:pulumi:local::nomad-acls-sandbox::pulumi:providers:nomad::nomad-provider::output<string>]
        description: "Full Access Policy"
      - id         : "full-access"
        name       : "full-access"
        rulesHcl   : "namespace \"*\" {\n  policy       = \"write\"\n  capabilities = [\"alloc-node-exec\"]\n}\n\nagent {\n  policy = \"write\"\n}\n\noperator {\n  policy = \"write\"\n}\n\nquota {\n  policy = \"write\"\n}\n\nnode {\n  policy = \"write\"\n}\n\nhost_volume \"*\" {\n  policy = \"write\"\n}\n\n"
Resources:
    + 1 to create
    +-1 to replace
    2 changes. 1 unchanged

I tried to add ignore_changes=["id"] to the resource options, that didn't help.

Example

full-access.hcl
```hcl
namespace "*" {
  policy       = "write"
  capabilities = ["alloc-node-exec"]
}

agent {
  policy = "write"
}

operator {
  policy = "write"
}

quota {
  policy = "write"
}

node {
  policy = "write"
}

host_volume "*" {
  policy = "write"
}
```
```shell
nomad agent -dev -acl-enabled
export NOMAD_TOKEN=$( nomad acl bootstrap -json | jq -r '.SecretID')
export NOMAD_ADDRESS="http://127.0.0.1:4646/"
export NOMAD_REGION=""

nomad acl policy apply -description "Full Access Policy" full-access full-access.hcl
nomad acl token create -name="Pulumi Testing" -policy="full-access" -type=client -ttl=8h

pulumi stack init sandbox
pulumi import nomad:index/aclPolicy:AclPolicy full-access-policy full-access -y

pulumi pre --diff --expect-no-changes
```

Output of pulumi about

```
CLI
Version      3.103.1
Go Version   go1.21.6
Go Compiler  gc

Plugins
NAME    VERSION
aws     6.19.0
nomad   2.1.0
python  unknown

Host
OS       darwin
Version  14.2.1
Arch     x86_64

This project is written in python: executable='/usr/local/share/mise/installs/python/3.9/bin/python3' version='3.9.18'

Current Stack: nomad-acls-sandbox/local

TYPE                             URN
pulumi:pulumi:Stack              urn:pulumi:local::nomad-acls-sandbox::pulumi:pulumi:Stack::nomad-acls-sandbox-local
pulumi:providers:nomad           urn:pulumi:local::nomad-acls-sandbox::pulumi:providers:nomad::default_2_1_0
nomad:index/aclPolicy:AclPolicy  urn:pulumi:local::nomad-acls-sandbox::nomad:index/aclPolicy:AclPolicy::full-access-policy

Found no pending operations associated with local

Backend

Dependencies:
NAME          VERSION
pip           23.3.2
pulumi_aws    6.19.0
pulumi_nomad  2.1.0
setuptools    69.0.3
wheel         0.42.0
```

Additional context

No response


iwahbe commented 9 months ago

Hi @cynicaljoy. I am unable to reproduce the bug. Your script was very helpful getting everything setup. I was able to import and then run pulumi pre --diff and see no changes. Which version of nomad are you running against? I am on v1.6.2.

P.S. The run script has a typo:

```diff
-export NOAD_ADDRESS="http://127.0.0.1:4646/"
+export NOMAD_ADDRESS="http://127.0.0.1:4646/"
```
cynicaljoy commented 9 months ago

> Hi @cynicaljoy. I am unable to reproduce the bug. Your script was very helpful getting everything setup. I was able to import and then run pulumi pre --diff and see no changes. Which version of nomad are you running against? I am on v1.6.2.
>
> P.S. The run script has a typo:
>
> ```diff
> -export NOAD_ADDRESS="http://127.0.0.1:4646/"
> +export NOMAD_ADDRESS="http://127.0.0.1:4646/"
> ```

Ah, sorry about that! I'm using Nomad 1.5.3

cynicaljoy commented 9 months ago

I just went through the same steps with Nomad 1.6.2 and repro'd 😕

cynicaljoy commented 9 months ago

I recreated it with Docker too:

docker-compose.yml
```yaml
version: "3.6"

networks:
  sandbox:
    driver: bridge

services:
  nomad:
    image: hashicorp/nomad:1.6.2
    ports: [4646]
    networks: [sandbox]
    entrypoint: nomad agent -dev -acl-enabled -bind=0.0.0.0
  sandbox:
    build: .
    stdin_open: true
    tty: true
    entrypoint: /bin/sh
    networks: [sandbox]
```

Dockerfile
```dockerfile
FROM pulumi/pulumi-python:3.104.2
WORKDIR /app
COPY . .
RUN pip install -r requirements.txt
```

requirements.txt
```
pulumi>=3.0.0,<4.0.0
pulumi-aws>=6.0.2,<7.0.0
pulumi-nomad==2.1.0
```

__main__.py
```python
import pulumi
import pulumi_nomad as nomad

# read full-access.hcl file into string
with open("full-access.hcl", "r") as file:
    full_access_hcl = file.read()

nomad.AclPolicy(
    "full-access-policy",
    name="full-access",
    description="Full Access Policy",
    rules_hcl=full_access_hcl,
    opts=pulumi.ResourceOptions(
        provider=nomad.Provider(
            "nomad-provider",
            address="http://nomad:4646",
        ),
    ),
)
```

Pretty much the same steps, but a few extra since I didn't take the time to automate everything out and the nomad image doesn't have jq in it.

Repro steps
```shell
docker cp full-access.hcl pulumi-nomad-acls-sandbox-nomad-1:full-access.hcl
docker exec -it pulumi-nomad-acls-sandbox-nomad-1 /bin/sh
nomad acl bootstrap
# manually copy Secret ID
export NOMAD_TOKEN=""
export NOMAD_ADDRESS="http://127.0.0.1:4646/"
export NOMAD_REGION=""
nomad acl policy apply -description "Full Access Policy" full-access full-access.hcl
nomad acl token create -name="Pulumi Testing" -policy="full-access" -type=client -ttl=8h
exit

docker exec -it pulumi-nomad-acls-sandbox-sandbox-1 /bin/bash
export NOMAD_TOKEN=""
export NOMAD_ADDRESS="http://nomad:4646/"
export NOMAD_REGION=""
pulumi login --local
# I had to re-init my Python venv, but that could have just been from me mucking about 🙈 -- if pulumi yells, delete it and recreate it
pulumi stack init sandbox
pulumi import nomad:index/aclPolicy:AclPolicy full-access-policy full-access -y
pulumi pre --diff --expect-no-changes
```

Same result as before:

pulumi pre --diff
```
Previewing update (standbox):
  pulumi:pulumi:Stack: (same)
    [urn=urn:pulumi:standbox::nomad-acls-sandbox::pulumi:pulumi:Stack::nomad-acls-sandbox-standbox]
    + pulumi:providers:nomad: (create)
        [urn=urn:pulumi:standbox::nomad-acls-sandbox::pulumi:providers:nomad::nomad-provider]
        address: "http://nomad:4646/"
        version: "2.1.0"
    +-nomad:index/aclPolicy:AclPolicy: (replace) 🔓
        [id=full-access]
        [urn=urn:pulumi:standbox::nomad-acls-sandbox::nomad:index/aclPolicy:AclPolicy::full-access-policy]
        [provider: urn:pulumi:standbox::nomad-acls-sandbox::pulumi:providers:nomad::default_2_1_0::b754019b-cd3a-4db2-b978-0788f8716267 => urn:pulumi:standbox::nomad-acls-sandbox::pulumi:providers:nomad::nomad-provider::output]
        description: "Full Access Policy"
      - id         : "full-access"
        name       : "full-access"
        rulesHcl   : "namespace \"*\" {\n policy = \"write\"\n capabilities = [\"alloc-node-exec\"]\n}\n\nagent {\n policy = \"write\"\n}\n\noperator {\n policy = \"write\"\n}\n\nquota {\n policy = \"write\"\n}\n\nnode {\n policy = \"write\"\n}\n\nhost_volume \"*\" {\n policy = \"write\"\n}\n\n"
Resources:
    + 1 to create
    +-1 to replace
    2 changes. 1 unchanged
```
t0yv0 commented 9 months ago

Thanks again @cynicaljoy, docker-compose is handy; we probably should set this up for running examples locally. Looks like something nefarious is going on with "id", which is a special property, not a regular property. My team will get back to you debugging this as time permits.

PULUMI_DEBUG_GRPC="$PWD/here.json" logs could be useful from the import, as well as checking up on pulumi state export to check how this resource writes itself into the statefile.
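The state-file check suggested above can be scripted. The following is an added example, not code from this thread or from the pulumi-nomad project. It assumes the stack-export layout (`deployment.resources`, each record carrying `type`, `custom`, `inputs` and `outputs`) and scans a constructed sample document for AclPolicy records whose recorded inputs contain keys the __main__.py in this issue never sets (the `id` that shows up in the replace diff above), plus any key whose recorded input value disagrees with its recorded output value.

```python
"""Check a `pulumi stack export` document for resources whose recorded
inputs carry keys the program never sets (e.g. "id"), or whose recorded
inputs disagree with recorded outputs. Either condition can make the next
preview of an imported resource show a diff instead of being a no-op."""
import json
import sys
from typing import Dict, List, Set

# Constructed sample export: the URNs mirror this issue, but the document
# itself is made up for the example and is not a real state file.
SAMPLE_EXPORT = json.dumps({
    "version": 3,
    "deployment": {
        "manifest": {"time": "2024-01-01T00:00:00Z", "magic": "", "version": "v3.103.1"},
        "resources": [
            {
                "urn": "urn:pulumi:local::nomad-acls-sandbox::pulumi:pulumi:Stack::nomad-acls-sandbox-local",
                "custom": False,
                "type": "pulumi:pulumi:Stack",
            },
            {
                "urn": "urn:pulumi:local::nomad-acls-sandbox::nomad:index/aclPolicy:AclPolicy::full-access-policy",
                "custom": True,
                "type": "nomad:index/aclPolicy:AclPolicy",
                "id": "full-access",
                # The replace diff in this issue lists "id" under the old
                # inputs, so the sample records it the same way.
                "inputs": {
                    "id": "full-access",
                    "name": "full-access",
                    "description": "Full Access Policy",
                    "rulesHcl": "agent {\n  policy = \"write\"\n}\n",
                },
                "outputs": {
                    "id": "full-access",
                    "name": "full-access",
                    "description": "Full Access Policy",
                    "rulesHcl": "agent {\n  policy = \"write\"\n}\n",
                },
            },
        ],
    },
})

POLICY_TYPE = "nomad:index/aclPolicy:AclPolicy"
# Inputs that the __main__.py in this issue sets on the AclPolicy resource.
PROGRAM_INPUTS: Set[str] = {"name", "description", "rulesHcl"}


def load_resources(export_json: str) -> List[dict]:
    """Return the resource records of a stack export document."""
    return json.loads(export_json).get("deployment", {}).get("resources", [])


def stray_input_keys(export_json: str, resource_type: str,
                     program_inputs: Set[str]) -> Dict[str, List[str]]:
    """Map each custom resource URN of `resource_type` to the input keys
    recorded in state that the program does not set. An empty result means
    the recorded inputs already match what the program would send."""
    found: Dict[str, List[str]] = {}
    for res in load_resources(export_json):
        if res.get("type") != resource_type or not res.get("custom"):
            continue
        extra = sorted(set(res.get("inputs", {})) - program_inputs)
        if extra:
            found[res["urn"]] = extra
    return found


def input_output_mismatches(export_json: str,
                            resource_type: str) -> Dict[str, List[str]]:
    """Map each custom resource URN of `resource_type` to the keys present
    in both inputs and outputs whose recorded values differ."""
    found: Dict[str, List[str]] = {}
    for res in load_resources(export_json):
        if res.get("type") != resource_type or not res.get("custom"):
            continue
        inputs, outputs = res.get("inputs", {}), res.get("outputs", {})
        differing = sorted(k for k in inputs if k in outputs and inputs[k] != outputs[k])
        if differing:
            found[res["urn"]] = differing
    return found


def main() -> None:
    # Usage: python check_state.py [export.json]; with no argument the
    # constructed sample above is scanned.
    export_json = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_EXPORT
    for urn, keys in stray_input_keys(export_json, POLICY_TYPE, PROGRAM_INPUTS).items():
        print(f"{urn}\n  inputs not set by the program: {', '.join(keys)}")
    for urn, keys in input_output_mismatches(export_json, POLICY_TYPE).items():
        print(f"{urn}\n  inputs differing from outputs: {', '.join(keys)}")


if __name__ == "__main__":
    main()
```

Run it against a real `pulumi stack export > export.json` by passing the file path; on the sample it reports only the stray `id` input on the imported policy, which is the property the diff above marks for replacement.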

mjeffryes commented 1 month ago

Unfortunately, it looks like this issue hasn't seen any updates in a while. If you're still encountering this problem, could you leave a quick comment to let us know so we can prioritize it? (Commenting will bump it back into our triage queue.)

cynicaljoy commented 1 month ago

@mjeffryes we're still waiting on a fix/workaround for the issue.

guineveresaenger commented 1 month ago

Thank you for verifying. We will take a look as soon as we can.