Importing a BucketIAMBinding results in an unexpected diff on the bucket input #1900
Comments
Reproed this with the following slightly modified example:
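```bash
#!/bin/bash
set -euxo pipefail

# Create the stack if it does not exist yet, then deploy the bucket and binding.
pulumi stack init test1 || true
pulumi up --stack test1 --yes

# Load the stack outputs (bucketId, bindingUrn) as shell variables.
eval "$(pulumi stack output --shell)"

# Drop the binding from state only, then re-import it from the template.
pulumi state delete "$bindingUrn" --yes --stack test1
cp import_template.json import.json
sed -i '' -e 's,<BUCKETID>,'"$bucketId"',g' import.json  # BSD/macOS sed syntax
pulumi import --file import.json --yes

# Fails if the import left a diff behind.
pulumi preview --expect-no-changes
```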
```json
{
  "resources": [
    {
      "type": "gcp:storage/bucketIAMBinding:BucketIAMBinding",
      "name": "objectAdminBinding",
      "id": "<BUCKETID> roles/storage.objectAdmin",
      "version": "7.18.0"
    }
  ]
}
```
```typescript
import * as pulumi from "@pulumi/pulumi";
import * as gcp from "@pulumi/gcp";

// Create a GCP resource (Storage Bucket)
const bucket = new gcp.storage.Bucket("my-bucket", { location: "US" });

const binding = new gcp.storage.BucketIAMBinding("objectAdminBinding", {
  bucket: bucket.name,
  role: "roles/storage.objectAdmin",
  members: ["allAuthenticatedUsers"],
});

export const bucketId = bucket.id;
export const bindingUrn = binding.urn;
```

Oddly, when I run
looks like we return

```json
{
  "method": "/pulumirpc.ResourceProvider/Diff",
  "request": {
    "id": "b/my-bucket-a9682fd/roles/storage.objectAdmin",
    "urn": "urn:pulumi:test1::gcp_bucket_import::gcp:storage/bucketIAMBinding:BucketIAMBinding::objectAdminBinding",
    "olds": {
      "bucket": "b/my-bucket-a9682fd",
      "condition": null,
      "etag": "CAI=",
      "id": "b/my-bucket-a9682fd/roles/storage.objectAdmin",
      "members": [
        "allAuthenticatedUsers"
      ],
      "role": "roles/storage.objectAdmin"
    },
    "news": {
      "__defaults": [],
      "bucket": "my-bucket-a9682fd",
      "members": [
        "allAuthenticatedUsers"
      ],
      "role": "roles/storage.objectAdmin"
    },
    "oldInputs": {
      "__defaults": [],
      "bucket": "b/my-bucket-a9682fd",
      "members": [
        "allAuthenticatedUsers"
      ],
      "role": "roles/storage.objectAdmin"
    }
  },
  "response": {
    "stables": [
      "bucket",
      "condition",
      "role"
    ],
    "changes": "DIFF_NONE",
    "hasDetailedDiff": true
  },
  "metadata": {
    "kind": "resource",
    "mode": "client",
    "name": "gcp"
  }
}
```

Checked this in TF, it does not reproduce:

```hcl
provider "google" {
  region = "us-central1"
}

terraform {
  required_providers {
    google = {
      source  = "hashicorp/google"
      version = "4.84.0"
    }
  }
}

resource "google_storage_bucket_iam_binding" "binding" {
  bucket = "b/my-bucket-a9682fd"
  role   = "roles/storage.objectAdmin"
  members = [
    "allAuthenticatedUsers",
  ]
}
```

Tried to repro by just editing the

```typescript
import * as pulumi from "@pulumi/pulumi";
import * as gcp from "@pulumi/gcp";

// Create a GCP resource (Storage Bucket)
const bucket = new gcp.storage.Bucket("my-bucket", { location: "US" });

const useB = new pulumi.Config().getBoolean("useB");
export const name = useB
  ? bucket.name.apply((name) => "b/" + name)
  : bucket.name;

new gcp.storage.BucketIAMBinding("objectAdminBinding", {
  bucket: name,
  role: "roles/storage.objectAdmin",
  members: ["allAuthenticatedUsers"],
});
```

After discussing this with @Frassle, he confirmed this is an issue with the display logic in the engine. This is likely to be difficult to fix there, so I'll raise an issue there and work on hacking something in the provider to work around the issue.
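As an added example (not code from the thread or from the Pulumi project), the following TypeScript checks a captured Diff log entry of the shape shown above and separates a `bucket` difference that is only the `b/` prefix from a real change to the role, members or condition of the binding. The function names and the second sample entry are constructed for illustration, and treating `b/<name>` and `<name>` as the same bucket is an assumption taken from the log.

```typescript
// Added example: audit a captured /pulumirpc.ResourceProvider/Diff entry.
type Props = Record<string, unknown>;
interface DiffEntry {
  request: { olds: Props; news: Props };
  response: { changes: string };
}

// Inputs that decide who gets which role on which bucket.
const ACCESS_KEYS = ["bucket", "role", "members", "condition"];

// Assumption: "b/<name>" and "<name>" refer to the same bucket, as in the log.
function stripBucketPrefix(v: unknown): unknown {
  return typeof v === "string" && v.slice(0, 2) === "b/" ? v.slice(2) : v;
}

// Members are a set, so compare them order-insensitively; missing equals null.
function canon(v: unknown): string {
  return JSON.stringify(Array.isArray(v) ? [...v].sort() : v ?? null);
}

function auditImportDiff(entry: DiffEntry) {
  const cosmetic: string[] = [];
  const real: string[] = [];
  for (const key of ACCESS_KEYS) {
    const before = entry.request.olds[key];
    const after = entry.request.news[key];
    if (canon(before) === canon(after)) continue;
    const prefixOnly = key === "bucket" &&
      stripBucketPrefix(before) === stripBucketPrefix(after);
    (prefixOnly ? cosmetic : real).push(key);
  }
  return { cosmetic, real, providerNoChange: entry.response.changes === "DIFF_NONE" };
}

// Values copied from the Diff log in the thread (trimmed to the relevant keys).
const olds: Props = { bucket: "b/my-bucket-a9682fd", condition: null,
  members: ["allAuthenticatedUsers"], role: "roles/storage.objectAdmin" };
const fromThread: DiffEntry = {
  request: { olds, news: { bucket: "my-bucket-a9682fd",
    members: ["allAuthenticatedUsers"], role: "roles/storage.objectAdmin" } },
  response: { changes: "DIFF_NONE" },
};
// Constructed counter-case: the program also widens the member list.
const widened: DiffEntry = {
  request: { olds, news: { bucket: "my-bucket-a9682fd",
    members: ["allAuthenticatedUsers", "allUsers"], role: "roles/storage.objectAdmin" } },
  response: { changes: "DIFF_SOME" },
};
console.log(auditImportDiff(fromThread), auditImportDiff(widened));
```

An empty `real` list means the only difference between the imported state and the program is the form of the bucket identifier; any key listed under `real` is a change to the binding itself and should be reviewed before running `pulumi up`.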
Found a workaround here - prepending
I've also got a patch which fixes the behaviour in #1922 but it affects other things too so I am hesitant to commit that. Platform has mentioned they will prioritize pulumi/pulumi#15944 which is the real cause of the issue.

Workaround example:

```typescript
import * as pulumi from "@pulumi/pulumi";
import * as gcp from "@pulumi/gcp";

// Create a GCP resource (Storage Bucket)
const bucket = new gcp.storage.Bucket("my-bucket", { location: "US" });

const binding = new gcp.storage.BucketIAMBinding("objectAdminBinding", {
  bucket: bucket.name.apply((name) => 'b/' + name), // notice the b/ prefix
  role: "roles/storage.objectAdmin",
  members: ["allAuthenticatedUsers"],
});

export const bucketId = bucket.id;
export const bindingUrn = binding.urn;
```
This was fixed in the latest version of the pulumi CLI. I've also added a regression test in #1969
Adds a regression test for #1900
What happened?
When importing a `BucketIAMBinding` it is able to import the resource correctly but incorrectly appends `b/` to the bucket input once it is imported, resulting in a diff as the code will attempt to remove the `b/`.
Example
Steps to Repro
Code Repro
```bash
pulumi state delete urn:pulumi:dev::gcp-bucket-binding-ts::gcp:storage/bucketIAMBinding:BucketIAMBinding::objectAdminBinding --yes
pulumi import --file import.json
```
import.json
Diff Output
This produces a diff like the following
Output of `pulumi about`
Additional context
Resource state after the import
Resource state after the up
Additional Note
For a reason I can't explain setting `--protect` to what matches in the code, will actually import the resource without the `b/` on the inputs and result in no diff after the import. Using resourceOptions import also works as desired, but not a viable option given the current constraints I am facing.
Contributing
Vote on this issue by adding a 👍 reaction.
To contribute a fix for this issue, leave a comment (and link to your pull request, if you've opened one already).