Ignore username/password changes in registryAuth config (#1327)

This PR modifies how the Docker provider handles changes to registry
authentication credentials. Previously, any changes to the registryAuth
configuration would trigger resource updates. Now, changes to usernames
and passwords are ignored while changes to registry addresses still
trigger updates. This aligns the native `docker.Image` resource (which
already ignored username/password changes) with the rest of the bridged
resources.
To handle nested json-encoded configuration (related to
pulumi/pulumi#17667) the provider is
leveraging the `UnfoldProperties` method from the bridge. This way it
can transparently operate on the config without having to worry about
the json encoding.

Fixes #952

Author: flostadler

examples/examples_nodejs_test.go

@@ -29,6 +29,7 @@ import (
 	"testing"
 
 	"github.com/pulumi/pulumi/pkg/v3/testing/integration"
+	"github.com/pulumi/pulumi/sdk/v3/go/auto/optpreview"
 	"github.com/stretchr/testify/assert"
 	"github.com/stretchr/testify/require"
 	"golang.org/x/crypto/ssh"
@@ -200,12 +201,21 @@ func TestSecretsInExplicitProviderNode(t *testing.T) {
 					"Unexpected panic recorded in engine events")
 			}
 		})
+
+		t.Run("providerWithRandomPassword", func(t *testing.T) {
+			pw := stack.Outputs["randomPassword"].(string)
+			realPW, err := base64.StdEncoding.DecodeString(pw)
+			assert.NoError(t, err)
+			assert.NotContainsf(t, string(deploymentJSON), string(realPW),
+				"Secret properties like RegistryAuth.Password should not be stored in the plain")
+		})
 	}
 	test := getJsOptions(t).With(integration.ProgramTestOptions{
-		Dir:                    path.Join(getCwd(t), "test-secrets-in-explicit-provider", "ts"),
-		Quick:                  true,
-		SkipRefresh:            true,
-		ExtraRuntimeValidation: check,
+		Dir: path.Join(getCwd(t), "test-secrets-in-explicit-provider", "ts"),
+		// Changes to registry username or password should not trigger a diff
+		AllowEmptyPreviewChanges: false,
+		SkipEmptyPreviewUpdate:   false,
+		ExtraRuntimeValidation:   check,
 	})
 	integration.ProgramTest(t, &test)
 }
@@ -288,6 +298,64 @@ func TestLocalRepoDigestNode(t *testing.T) {
 	integration.ProgramTest(t, &test)
 }
 
+func TestRegistryImage(t *testing.T) {
+	region := os.Getenv("AWS_REGION")
+	if region == "" {
+		t.Skipf("Skipping test due to missing AWS_REGION environment variable")
+	}
+	test := getJsOptions(t).
+		With(integration.ProgramTestOptions{
+			Dir: path.Join(getCwd(t), "test-registry-image"),
+			Config: map[string]string{
+				"aws:region": region,
+			},
+			ExtraRuntimeValidation: assertHasRepoDigest,
+		})
+	integration.ProgramTest(t, &test)
+}
+
+// TestIgnoreAuthChangesTs tests that changes to username and password do not trigger a diff for runtimes
+// that receive json-encoded data for nested provider config. Nodejs is one such runtime.
+func TestIgnoreAuthChangesTs(t *testing.T) {
+	t.Parallel()
+
+	ptest := pulumiTest(t, path.Join(getCwd(t), "test-ignore-auth-changes", "ts"))
+	ptest.SetConfig(t, "address", "some-address")
+	ptest.SetConfig(t, "username", "some-user")
+	ptest.SetConfig(t, "password", "some-password")
+	ptest.Up(t)
+
+	// Changes to username and password should not trigger a diff.
+	ptest.SetConfig(t, "username", "some-other-user")
+	ptest.SetConfig(t, "password", "some-other-password")
+	ptest.Preview(t, optpreview.ExpectNoChanges())
+
+	// Changes to address should still trigger a diff.
+	ptest.SetConfig(t, "address", "some-other-address")
+	previewResult := ptest.Preview(t)
+	AssertHasChanges(t, previewResult)
+}
+
+// TestIgnoreAuthChangesYaml tests that changes to username and password do not trigger a diff for runtimes
+// that receive regular GRPC structs for nested provider config. YAML is one such runtime.
+func TestIgnoreAuthChangesYaml(t *testing.T) {
+	ptest := pulumiTest(t, path.Join(getCwd(t), "test-ignore-auth-changes", "yaml"))
+	ptest.SetConfig(t, "address", "some-address")
+	ptest.SetConfig(t, "username", "some-user")
+	ptest.SetConfig(t, "password", "some-password")
+	ptest.Up(t)
+
+	// Changes to username and password should not trigger a diff.
+	ptest.SetConfig(t, "username", "some-other-user")
+	ptest.SetConfig(t, "password", "some-other-password")
+	ptest.Preview(t, optpreview.ExpectNoChanges())
+
+	// Changes to address should trigger a diff.
+	ptest.SetConfig(t, "address", "some-other-address")
+	previewResult := ptest.Preview(t)
+	AssertHasChanges(t, previewResult)
+}
+
 func getJsOptions(t *testing.T) integration.ProgramTestOptions {
 	base := getBaseOptions()
 	baseJs := base.With(integration.ProgramTestOptions{

examples/examples_test.go

@@ -16,9 +16,15 @@ package examples
 
 import (
 	"os"
+	"path/filepath"
 	"testing"
 
+	"github.com/pulumi/providertest/pulumitest"
+	"github.com/pulumi/providertest/pulumitest/changesummary"
+	"github.com/pulumi/providertest/pulumitest/opttest"
 	"github.com/pulumi/pulumi/pkg/v3/testing/integration"
+	"github.com/pulumi/pulumi/sdk/v3/go/auto"
+	"github.com/pulumi/pulumi/sdk/v3/go/common/apitype"
 	"github.com/stretchr/testify/assert"
 )
 
@@ -42,3 +48,22 @@ func assertHasRepoDigest(t *testing.T, stack integration.RuntimeValidationStackI
 	assert.True(t, ok, "expected repoDigest output")
 	assert.NotEmpty(t, repoDigest)
 }
+
+func pulumiTest(t *testing.T, dir string, opts ...opttest.Option) *pulumitest.PulumiTest {
+	cwd, err := os.Getwd()
+	if err != nil {
+		t.Error(err)
+	}
+	opts = append(opts, opttest.LocalProviderPath("docker", filepath.Join(cwd, "..", "bin")))
+	ptest := pulumitest.NewPulumiTest(t, dir, opts...)
+	return ptest
+}
+
+func AssertHasChanges(t *testing.T, preview auto.PreviewResult) {
+	t.Helper()
+
+	convertedMap := changesummary.ChangeSummary(preview.ChangeSummary)
+	expectedOps := convertedMap.WhereOpEquals(apitype.OpDelete, apitype.OpDeleteReplaced, apitype.OpReplace, apitype.OpUpdate)
+
+	assert.NotEmpty(t, expectedOps, "expected changes, but preview returned no changes: %s", preview.StdOut)
+}

examples/go.mod

@@ -4,7 +4,9 @@ go 1.21
 
 require (
 	github.com/docker/docker v27.0.3+incompatible
+	github.com/pulumi/providertest v0.1.3
 	github.com/pulumi/pulumi/pkg/v3 v3.145.0
+	github.com/pulumi/pulumi/sdk/v3 v3.145.0
 	github.com/stretchr/testify v1.9.0
 	golang.org/x/crypto v0.31.0
 )
@@ -66,6 +68,7 @@ require (
 	github.com/edsrzf/mmap-go v1.1.0 // indirect
 	github.com/emirpasic/gods v1.18.1 // indirect
 	github.com/felixge/httpsnoop v1.0.4 // indirect
+	github.com/fsnotify/fsnotify v1.7.0 // indirect
 	github.com/go-git/gcfg v1.5.1-0.20230307220236-3a3c6141e376 // indirect
 	github.com/go-git/go-billy/v5 v5.5.0 // indirect
 	github.com/go-git/go-git/v5 v5.12.0 // indirect
@@ -98,6 +101,7 @@ require (
 	github.com/hashicorp/hcl/v2 v2.22.0 // indirect
 	github.com/hashicorp/vault/api v1.12.0 // indirect
 	github.com/inconshreveable/mousetrap v1.1.0 // indirect
+	github.com/iwdgo/sigintwindows v0.2.2 // indirect
 	github.com/jbenet/go-context v0.0.0-20150711004518-d14ea06fba99 // indirect
 	github.com/jmespath/go-jmespath v0.4.0 // indirect
 	github.com/json-iterator/go v1.1.12 // indirect
@@ -121,6 +125,7 @@ require (
 	github.com/muesli/reflow v0.3.0 // indirect
 	github.com/muesli/termenv v0.15.2 // indirect
 	github.com/natefinch/atomic v1.0.1 // indirect
+	github.com/nxadm/tail v1.4.11 // indirect
 	github.com/opencontainers/go-digest v1.0.0 // indirect
 	github.com/opencontainers/image-spec v1.0.2 // indirect
 	github.com/opentracing/basictracer-go v1.1.0 // indirect
@@ -134,7 +139,6 @@ require (
 	github.com/pmezard/go-difflib v1.0.0 // indirect
 	github.com/pulumi/appdash v0.0.0-20231130102222-75f619a67231 // indirect
 	github.com/pulumi/esc v0.10.0 // indirect
-	github.com/pulumi/pulumi/sdk/v3 v3.145.0 // indirect
 	github.com/rivo/uniseg v0.4.4 // indirect
 	github.com/rogpeppe/go-internal v1.12.0 // indirect
 	github.com/ryanuber/go-glob v1.0.0 // indirect
@@ -180,6 +184,7 @@ require (
 	google.golang.org/genproto/googleapis/rpc v0.0.0-20240814211410-ddb44dafa142 // indirect
 	google.golang.org/grpc v1.67.1 // indirect
 	google.golang.org/protobuf v1.35.1 // indirect
+	gopkg.in/tomb.v1 v1.0.0-20141024135613-dd632973f1e7 // indirect
 	gopkg.in/warnings.v0 v0.1.2 // indirect
 	gopkg.in/yaml.v3 v3.0.1 // indirect
 	gotest.tools/v3 v3.5.1 // indirect

examples/go.sum

@@ -147,6 +147,15 @@ github.com/fatih/color v1.16.0 h1:zmkK9Ngbjj+K0yRhTVONQh1p/HknKYSlNT+vZCzyokM=
 github.com/fatih/color v1.16.0/go.mod h1:fL2Sau1YI5c0pdGEVCbKQbLXB6edEj1ZgiY4NijnWvE=
 github.com/felixge/httpsnoop v1.0.4 h1:NFTV2Zj1bL4mc9sqWACXbQFVBBg2W3GPvqp8/ESS2Wg=
 github.com/felixge/httpsnoop v1.0.4/go.mod h1:m8KPJKqk1gH5J9DgRY2ASl2lWCfGKXixSwevea8zH2U=
+github.com/fsnotify/fsnotify v1.6.0/go.mod h1:sl3t1tCWJFWoRz9R8WJCbQihKKwmorjAbSClcnxKAGw=
+github.com/fsnotify/fsnotify v1.7.0 h1:8JEhPFa5W2WU7YfeZzPNqzMP6Lwt7L2715Ggo0nosvA=
+github.com/fsnotify/fsnotify v1.7.0/go.mod h1:40Bi/Hjc2AVfZrqy+aj+yEI+/bRxZnMJyTJwOpGvigM=
+github.com/gkampitakis/ciinfo v0.3.0 h1:gWZlOC2+RYYttL0hBqcoQhM7h1qNkVqvRCV1fOvpAv8=
+github.com/gkampitakis/ciinfo v0.3.0/go.mod h1:1NIwaOcFChN4fa/B0hEBdAb6npDlFL8Bwx4dfRLRqAo=
+github.com/gkampitakis/go-diff v1.3.2 h1:Qyn0J9XJSDTgnsgHRdz9Zp24RaJeKMUHg2+PDZZdC4M=
+github.com/gkampitakis/go-diff v1.3.2/go.mod h1:LLgOrpqleQe26cte8s36HTWcTmMEur6OPYerdAAS9tk=
+github.com/gkampitakis/go-snaps v0.4.9 h1:x6+GEQeYWC+cnLNsHK5uXXgEQADmlH/1EqMrjfXjzk8=
+github.com/gkampitakis/go-snaps v0.4.9/go.mod h1:8HW4KX3JKV8M0GSw69CvT+Jqhd1AlBPMPpBfjBI3bdY=
 github.com/gliderlabs/ssh v0.3.7 h1:iV3Bqi942d9huXnzEF2Mt+CY9gLu8DNM4Obd+8bODRE=
 github.com/gliderlabs/ssh v0.3.7/go.mod h1:zpHEXBstFnQYtGnB8k8kQLol82umzn/2/snG7alWVD8=
 github.com/go-git/gcfg v1.5.1-0.20230307220236-3a3c6141e376 h1:+zs/tPmkDkHx3U66DAb0lQFJrpS6731Oaa12ikc+DiI=
@@ -253,6 +262,8 @@ github.com/hashicorp/vault/api v1.12.0 h1:meCpJSesvzQyao8FCOgk2fGdoADAnbDu2WPJN1
 github.com/hashicorp/vault/api v1.12.0/go.mod h1:si+lJCYO7oGkIoNPAN8j3azBLTn9SjMGS+jFaHd1Cck=
 github.com/inconshreveable/mousetrap v1.1.0 h1:wN+x4NVGpMsO7ErUn/mUI3vEoE6Jt13X2s0bqwp9tc8=
 github.com/inconshreveable/mousetrap v1.1.0/go.mod h1:vpF70FUmC8bwa3OWnCshd2FqLfsEA9PFc4w1p2J65bw=
+github.com/iwdgo/sigintwindows v0.2.2 h1:P6oWzpvV7MrEAmhUgs+zmarrWkyL77ycZz4v7+1gYAE=
+github.com/iwdgo/sigintwindows v0.2.2/go.mod h1:70wPb8oz8OnxPvsj2QMUjgIVhb8hMu5TUgX8KfFl7QY=
 github.com/jbenet/go-context v0.0.0-20150711004518-d14ea06fba99 h1:BQSFePA1RWJOlocH6Fxy8MmwDt+yVQYULKfN0RoTN8A=
 github.com/jbenet/go-context v0.0.0-20150711004518-d14ea06fba99/go.mod h1:1lJo3i6rXxKeerYnT8Nvf0QmHCRC1n8sfWVwXF2Frvo=
 github.com/jmespath/go-jmespath v0.4.0 h1:BEgLn5cpjn8UN1mAw4NjwDrS35OdebyEtFe+9YPoQUg=
@@ -319,6 +330,8 @@ github.com/muesli/termenv v0.15.2 h1:GohcuySI0QmI3wN8Ok9PtKGkgkFIk7y6Vpb5PvrY+Wo
 github.com/muesli/termenv v0.15.2/go.mod h1:Epx+iuz8sNs7mNKhxzH4fWXGNpZwUaJKRS1noLXviQ8=
 github.com/natefinch/atomic v1.0.1 h1:ZPYKxkqQOx3KZ+RsbnP/YsgvxWQPGxjC0oBt2AhwV0A=
 github.com/natefinch/atomic v1.0.1/go.mod h1:N/D/ELrljoqDyT3rZrsUmtsuzvHkeB/wWjHV22AZRbM=
+github.com/nxadm/tail v1.4.11 h1:8feyoE3OzPrcshW5/MJ4sGESc5cqmGkGCWlco4l0bqY=
+github.com/nxadm/tail v1.4.11/go.mod h1:OTaG3NK980DZzxbRq6lEuzgU+mug70nY11sMd4JXXHc=
 github.com/onsi/gomega v1.27.10 h1:naR28SdDFlqrG6kScpT8VWpu1xWY5nJRCF3XaYyBjhI=
 github.com/onsi/gomega v1.27.10/go.mod h1:RsS8tutOdbdgzbPtzzATp12yT7kM5I5aElG3evPbQ0M=
 github.com/opencontainers/go-digest v1.0.0 h1:apOUWs51W5PlhuyGyz9FCeeBIOUDA/6nW8Oi/yOhh5U=
@@ -349,6 +362,8 @@ github.com/pulumi/appdash v0.0.0-20231130102222-75f619a67231 h1:vkHw5I/plNdTr435
 github.com/pulumi/appdash v0.0.0-20231130102222-75f619a67231/go.mod h1:murToZ2N9hNJzewjHBgfFdXhZKjY3z5cYC1VXk+lbFE=
 github.com/pulumi/esc v0.10.0 h1:jzBKzkLVW0mePeanDRfqSQoCJ5yrkux0jIwAkUxpRKE=
 github.com/pulumi/esc v0.10.0/go.mod h1:2Bfa+FWj/xl8CKqRTWbWgDX0SOD4opdQgvYSURTGK2c=
+github.com/pulumi/providertest v0.1.3 h1:GpNKRy/haNjRHiUA9bi4diU4Op2zf3axYXbga5AepHg=
+github.com/pulumi/providertest v0.1.3/go.mod h1:GcsqEGgSngwaNOD+kICJPIUQlnA911fGBU8HDlJvVL0=
 github.com/pulumi/pulumi/pkg/v3 v3.145.0 h1:hAhFLieunnCKuMd3GbLqE5uWQ1hpNLdl6+bCDFSF4YQ=
 github.com/pulumi/pulumi/pkg/v3 v3.145.0/go.mod h1:N19IsMJ3GyYO5N2JfpsCAVk0eH1NKkF05fZGn5dnhBE=
 github.com/pulumi/pulumi/sdk/v3 v3.145.0 h1:r5iOgz67RElFXJt4GVVY2SBGh5sR24mL9NOcKBiBi/k=
@@ -375,6 +390,8 @@ github.com/sergi/go-diff v1.3.2-0.20230802210424-5b0b94c5c0d3/go.mod h1:A0bzQcvG
 github.com/sirupsen/logrus v1.7.0/go.mod h1:yWOB1SBYBC5VeMP7gHvWumXLIWorT60ONWic61uBYv0=
 github.com/skeema/knownhosts v1.2.2 h1:Iug2P4fLmDw9f41PB6thxUkNUkJzB5i+1/exaj40L3A=
 github.com/skeema/knownhosts v1.2.2/go.mod h1:xYbVRSPxqBZFrdmDyMmsOs+uX1UZC3nTN3ThzgDxUwo=
+github.com/spf13/cast v1.4.1 h1:s0hze+J0196ZfEMTs80N7UlFt0BDuQ7Q+JDnHiMWKdA=
+github.com/spf13/cast v1.4.1/go.mod h1:Qx5cxh0v+4UWYiBimWS+eyWzqEqokIECu5etghLkUJE=
 github.com/spf13/cobra v1.8.0 h1:7aJaZx1B85qltLMc546zn58BxxfZdR/W22ej9CFoEf0=
 github.com/spf13/cobra v1.8.0/go.mod h1:WXLWApfZ71AjXPya3WOlMsY9yMs7YeiHhFVlvLyhcho=
 github.com/spf13/pflag v1.0.5 h1:iy+VFUOCP1a+8yFto/drg2CJ5u0yRoB7fZw3DKv/JXA=
@@ -397,6 +414,14 @@ github.com/stretchr/testify v1.9.0 h1:HtqpIVDClZ4nwg75+f6Lvsy/wHu+3BoSGCbBAcpTsT
 github.com/stretchr/testify v1.9.0/go.mod h1:r2ic/lqez/lEtzL7wO/rwa5dbSLXVDPFyf8C91i36aY=
 github.com/texttheater/golang-levenshtein v1.0.1 h1:+cRNoVrfiwufQPhoMzB6N0Yf/Mqajr6t1lOv8GyGE2U=
 github.com/texttheater/golang-levenshtein v1.0.1/go.mod h1:PYAKrbF5sAiq9wd+H82hs7gNaen0CplQ9uvm6+enD/8=
+github.com/tidwall/gjson v1.17.0 h1:/Jocvlh98kcTfpN2+JzGQWQcqrPQwDrVEMApx/M5ZwM=
+github.com/tidwall/gjson v1.17.0/go.mod h1:/wbyibRr2FHMks5tjHJ5F8dMZh3AcwJEMf5vlfC0lxk=
+github.com/tidwall/match v1.1.1 h1:+Ho715JplO36QYgwN9PGYNhgZvoUSc9X2c80KVTi+GA=
+github.com/tidwall/match v1.1.1/go.mod h1:eRSPERbgtNPcGhD8UCthc6PmLEQXEWd3PRB5JTxsfmM=
+github.com/tidwall/pretty v1.2.1 h1:qjsOFOWWQl+N3RsoF5/ssm1pHmJJwhjlSbZ51I6wMl4=
+github.com/tidwall/pretty v1.2.1/go.mod h1:ITEVvHYasfjBbM0u2Pg8T2nJnzm8xPwvNhhsoaGGjNU=
+github.com/tidwall/sjson v1.2.5 h1:kLy8mja+1c9jlljvWTlSazM7cKDRfJuR/bOJhcY5NcY=
+github.com/tidwall/sjson v1.2.5/go.mod h1:Fvgq9kS/6ociJEDnK0Fk1cpYF4FIW6ZF7LAe+6jwd28=
 github.com/uber/jaeger-client-go v2.30.0+incompatible h1:D6wyKGCecFaSRUpo8lCVbaOOb6ThwMmTEbhRwtKR97o=
 github.com/uber/jaeger-client-go v2.30.0+incompatible/go.mod h1:WVhlPFC8FDjOFMMWRy2pZqQJSXxYSwNYOkTr/Z6d3Kk=
 github.com/uber/jaeger-lib v2.4.1+incompatible h1:td4jdvLcExb4cBISKIpHuGoVXh+dVKhn2Um6rjCsSsg=
@@ -515,6 +540,7 @@ golang.org/x/sys v0.0.0-20211110154304-99a53858aa08/go.mod h1:oPkhp1MJrh7nUepCBc
 golang.org/x/sys v0.0.0-20220520151302-bc2c85ada10a/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
 golang.org/x/sys v0.0.0-20220715151400-c0bba94af5f8/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
 golang.org/x/sys v0.0.0-20220722155257-8c9f86f7a55f/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
+golang.org/x/sys v0.0.0-20220908164124-27713097b956/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
 golang.org/x/sys v0.1.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
 golang.org/x/sys v0.2.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
 golang.org/x/sys v0.3.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
@@ -608,6 +634,8 @@ gopkg.in/check.v1 v0.0.0-20161208181325-20d25e280405/go.mod h1:Co6ibVJAznAaIkqp8
 gopkg.in/check.v1 v1.0.0-20190902080502-41f04d3bba15/go.mod h1:Co6ibVJAznAaIkqp8huTwlJQCZ016jof/cbN4VW5Yz0=
 gopkg.in/check.v1 v1.0.0-20201130134442-10cb98267c6c h1:Hei/4ADfdWqJk1ZMxUNpqntNwaWcugrBjAiHlqqRiVk=
 gopkg.in/check.v1 v1.0.0-20201130134442-10cb98267c6c/go.mod h1:JHkPIbrfpd72SG/EVd6muEfDQjcINNoR0C8j2r3qZ4Q=
+gopkg.in/tomb.v1 v1.0.0-20141024135613-dd632973f1e7 h1:uRGJdciOHaEIrze2W8Q3AKkepLTh2hOroT7a+7czfdQ=
+gopkg.in/tomb.v1 v1.0.0-20141024135613-dd632973f1e7/go.mod h1:dt/ZhP58zS4L8KSrWDmTeBkI65Dw0HsyUHuEVlX15mw=
 gopkg.in/warnings.v0 v0.1.2 h1:wFXVbFY8DY5/xOe1ECiWdKCzZlxgshcYVNkBHstARME=
 gopkg.in/warnings.v0 v0.1.2/go.mod h1:jksf8JmL6Qr/oQM2OXTHunEvvTAsrWBLb6OOjuVWRNI=
 gopkg.in/yaml.v2 v2.2.2/go.mod h1:hI93XBmqTisBFMUTm0b8Fm+jr3Dg1NNxqwp+5A1VGuI=

examples/test-ignore-auth-changes/ts/Pulumi.yaml

@@ -0,0 +1,3 @@
+name: test-ignore-auth-changes
+runtime: nodejs
+description: A minimal TypeScript Pulumi program

examples/test-ignore-auth-changes/ts/index.ts

@@ -0,0 +1,15 @@
+import * as pulumi from "@pulumi/pulumi";
+import * as docker from "@pulumi/docker";
+
+const config = new pulumi.Config();
+
+// Changes to username and password should not trigger a diff, but changes to address should.
+const provider = new docker.Provider("docker", {
+  registryAuth: [
+    {
+      address: config.require("address"),
+      username: config.require("username"),
+      password: config.require("password"),
+    },
+  ],
+});

examples/test-ignore-auth-changes/ts/package.json

@@ -0,0 +1,10 @@
+{
+  "name": "test-ignore-auth-changes",
+  "devDependencies": {
+    "@types/node": "^14.0.0"
+  },
+  "dependencies": {
+    "@pulumi/docker": "^4.5.8",
+    "@pulumi/pulumi": "^3.144.1"
+  }
+}

examples/test-ignore-auth-changes/yaml/Pulumi.yaml

@@ -0,0 +1,17 @@
+name: docker-provider-config
+runtime: yaml
+config:
+  username:
+    type: string
+  password:
+    type: string
+  address:
+    type: string
+resources:
+  dockerProvider:
+    type: pulumi:providers:docker
+    properties:
+      registryAuth:
+        - address: ${address}
+          username: ${username}
+          password: ${password}

examples/test-registry-image/.gitignore

@@ -0,0 +1,2 @@
+/bin/
+/node_modules/

examples/test-registry-image/Pulumi.yaml

@@ -0,0 +1,3 @@
+name: test-registry-image
+runtime: nodejs
+description: A minimal AWS TypeScript Pulumi program

examples/test-registry-image/app/Dockerfile

@@ -0,0 +1,3 @@
+FROM nginx
+RUN echo "<h1>Hi from Pulumi!</h1>" > \
+    /usr/share/nginx/html/index.html

examples/test-registry-image/index.ts

@@ -0,0 +1,48 @@
+import * as aws from "@pulumi/aws";
+import * as docker from "@pulumi/docker";
+
+// Create a private ECR registry.
+const repo = new aws.ecr.Repository("my-repo",{
+    forceDelete: true,
+});
+
+// Get registry info (creds and endpoint) so we can build/publish to it.
+const registryInfo = repo.registryId.apply(async id => {
+    const credentials = await aws.ecr.getCredentials({ registryId: id });
+    const decodedCredentials = Buffer.from(credentials.authorizationToken, "base64").toString();
+    const [username, password] = decodedCredentials.split(":");
+    if (!password || !username) {
+        throw new Error("Invalid credentials");
+    }
+    return {
+        address: credentials.proxyEndpoint,
+        username: username,
+        password: password,
+    };
+});
+
+
+// Build and publish the image.
+const image = new docker.Image("my-image", {
+    build: {
+        context: "app",
+    },
+    imageName: repo.repositoryUrl,
+    skipPush: true
+});
+
+const ecrProvider = new docker.Provider("ecr-provider", {
+    registryAuth: [registryInfo],
+});
+
+// Publish the image to the registry
+const registryImage = new docker.RegistryImage("my-registry-image",
+    {
+        name: repo.repositoryUrl,
+    },
+    { provider: ecrProvider, dependsOn: [image] },
+);
+
+// Export the resulting image name
+export const imageName = registryImage.name;
+export const repoDigest = registryImage.sha256Digest;

examples/test-registry-image/package.json

@@ -0,0 +1,11 @@
+{
+    "name": "test-registry-image",
+    "devDependencies": {
+        "@types/node": "^14.0.0"
+    },
+    "dependencies": {
+        "@pulumi/aws": "^6.10.0",
+        "@pulumi/pulumi": "^3.0.0",
+        "@pulumi/docker": "^4.5.0"
+    }
+}