Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Imported AclPolicy needs replacement #227

Open
cynicaljoy opened this issue Jan 31, 2024 · 8 comments
Open

Imported AclPolicy needs replacement #227

cynicaljoy opened this issue Jan 31, 2024 · 8 comments
Labels
area/import An issue related to `pulumi import` or the import resource option. impact/usability Something that impacts users' ability to use the product easily and intuitively kind/bug Some behavior is incorrect or out of spec
Milestone
0.112

Comments

@cynicaljoy
Copy link

cynicaljoy commented Jan 31, 2024
edited
Loading

What happened?

After importing my Nomad AclPolicy into my stack and running a pulumi pre --diff I noticed it was ending up in a state where it was going to be replaced. I sandbox this out in a local environment and ran the pulumi up and it doesn't just replace the Acl it actually destroyed it. Luckily running a pulumi refresh and pulumi up recreates it and the tokens associated are still in-tact. But, it shouldn't be necessary to jump through those hoops. I'd expect an imported AclPolicy to have no diffs.

  pulumi:pulumi:Stack: (same)
    [urn=urn:pulumi:local::nomad-acls-sandbox::pulumi:pulumi:Stack::nomad-acls-sandbox-local]
    + pulumi:providers:nomad: (create)
        [urn=urn:pulumi:local::nomad-acls-sandbox::pulumi:providers:nomad::nomad-provider]
        address: "http://127.0.0.1:4646"
        version: "2.1.0"
    +-nomad:index/aclPolicy:AclPolicy: (replace) 🔓
        [id=full-access]
        [urn=urn:pulumi:local::nomad-acls-sandbox::nomad:index/aclPolicy:AclPolicy::full-access-policy]
        [provider: urn:pulumi:local::nomad-acls-sandbox::pulumi:providers:nomad::default_2_1_0::7a9b130a-244a-4c30-9c71-c9e41101a25a => urn:pulumi:local::nomad-acls-sandbox::pulumi:providers:nomad::nomad-provider::output<string>]
        description: "Full Access Policy"
      - id         : "full-access"
        name       : "full-access"
        rulesHcl   : "namespace \"*\" {\n  policy       = \"write\"\n  capabilities = [\"alloc-node-exec\"]\n}\n\nagent {\n  policy = \"write\"\n}\n\noperator {\n  policy = \"write\"\n}\n\nquota {\n  policy = \"write\"\n}\n\nnode {\n  policy = \"write\"\n}\n\nhost_volume \"*\" {\n  policy = \"write\"\n}\n\n"
Resources:
    + 1 to create
    +-1 to replace
    2 changes. 1 unchanged

I tried to add ignore_changes=["id"] to the resource options, that didn't help.

Example

full-access.hcl 
namespace "*" {
  policy       = "write"
  capabilities = ["alloc-node-exec"]
}

agent {
  policy = "write"
}

operator {
  policy = "write"
}

quota {
  policy = "write"
}

node {
  policy = "write"
}

host_volume "*" {
  policy = "write"
}



nomad agent -dev -acl-enabled
export NOMAD_TOKEN=$( nomad acl bootstrap -json | jq -r '.SecretID')
export NOMAD_ADDRESS="http://127.0.0.1:4646/"
export NOMAD_REGION=""

nomad acl policy apply -description "Full Access Policy" full-access full-access.hcl
nomad acl token create -name="Pulumi Testing" -policy="full-access" -type=client -ttl=8h

pulumi stack init sandbox
pulumi import nomad:index/aclPolicy:AclPolicy full-access-policy full-access -y

pulumi pre --diff --expect-no-changes

Output of pulumi about

CLI
Version 3.103.1
Go Version go1.21.6
Go Compiler gc

Plugins
NAME VERSION
aws 6.19.0
nomad 2.1.0
python unknown

Host
OS darwin
Version 14.2.1
Arch x86_64

This project is written in python: executable='/usr/local/share/mise/installs/python/3.9/bin/python3' version='3.9.18'

Current Stack: nomad-acls-sandbox/local

TYPE URN
pulumi:pulumi:Stack urn:pulumi:local::nomad-acls-sandbox::pulumi:pulumi:Stack::nomad-acls-sandbox-local
pulumi:providers:nomad urn:pulumi:local::nomad-acls-sandbox::pulumi:providers:nomad::default_2_1_0
nomad:index/aclPolicy:AclPolicy urn:pulumi:local::nomad-acls-sandbox::nomad:index/aclPolicy:AclPolicy::full-access-policy

Found no pending operations associated with local

Backend

Dependencies:
NAME VERSION
pip 23.3.2
pulumi_aws 6.19.0
pulumi_nomad 2.1.0
setuptools 69.0.3
wheel 0.42.0

Additional context

No response

Contributing

Vote on this issue by adding a 👍 reaction.
To contribute a fix for this issue, leave a comment (and link to your pull request, if you've opened one already).
@cynicaljoy cynicaljoy added kind/bug Some behavior is incorrect or out of spec needs-triage Needs attention from the triage team labels Jan 31, 2024
@iwahbe iwahbe removed the needs-triage Needs attention from the triage team label Feb 1, 2024
@iwahbe
Copy link
Member

iwahbe commented Feb 1, 2024
edited
Loading

Hi @cynicaljoy. I am unable to reproduce the bug. Your script was very helpful getting everything setup. I was able to import and then run pulumi pre --diff and see no changes. Which version of nomad are you running against? I am on v1.6.2.

P.S. The run script has a typo:

-export NOAD_ADDRESS="http://127.0.0.1:4646/"
+export NOMAD_ADDRESS="http://127.0.0.1:4646/"

@iwahbe iwahbe added the needs-repro Needs repro steps before it can be triaged or fixed label Feb 1, 2024
@cynicaljoy
Copy link
Author

Hi @cynicaljoy. I am unable to reproduce the bug. Your script was very helpful getting everything setup. I was able to import and then run pulumi pre --diff and see no changes. Which version of nomad are you running against? I am on v1.6.2.

P.S. The run script has a typo:

-export NOAD_ADDRESS="http://127.0.0.1:4646/"
+export NOMAD_ADDRESS="http://127.0.0.1:4646/"

Ah, sorry about that! I'm using Nomad 1.5.3

@cynicaljoy
Copy link
Author

cynicaljoy commented Feb 1, 2024
edited
Loading

I just went through the same steps with Nomad 1.6.2 and repo'd 😕

@cynicaljoy
Copy link
Author

cynicaljoy commented Feb 2, 2024
edited
Loading

I recreated it with Docker too:

docker-compose.yml 
version: "3.6"
networks:
    sandbox:
       driver: bridge
services:
    nomad:
        image: hashicorp/nomad:1.6.2
        ports: [4646]
        networks: [sandbox]
        entrypoint: nomad agent -dev -acl-enabled -bind=0.0.0.0

    sandbox:
        build: .
        stdin_open: true
        tty: true
        entrypoint: /bin/sh
        networks: [sandbox]
Dockerfile 
FROM pulumi/pulumi-python:3.104.2

WORKDIR /app
COPY . .

RUN pip install -r requirements.txt
requirements.txt 
pulumi>=3.0.0,<4.0.0
pulumi-aws>=6.0.2,<7.0.0
pulumi-nomad==2.1.0
__main__.py 
import pulumi
import pulumi_nomad as nomad

with open("full-access.hcl", "r") as file:
  full_access_hcl = file.read()

nomad.AclPolicy(
    "full-access-policy",
    name="full-access",
    description="Full Access Policy",
    # read full-access.hcl file into string
    rules_hcl=full_access_hcl,
    opts=pulumi.ResourceOptions(
        provider=nomad.Provider(
            "nomad-provider",
            address="http://nomad:4646",
        ),),
)

Pretty much the same steps, but a few extra since I didn't take the time to automate everything out and the nomad image doesn't have jq in it.

Repro steps 
docker cp full-access.hcl pulumi-nomad-acls-sandbox-nomad-1:full-access.hcl
docker exec -it pulumi-nomad-acls-sandbox-nomad-1 /bin/sh
nomad acl bootstrap 
# manually copy Secret ID
export NOMAD_TOKEN="<Secret ID>"
export NOMAD_ADDRESS="http://127.0.0.1:4646/"
export NOMAD_REGION=""

nomad acl policy apply -description "Full Access Policy" full-access full-access.hcl
nomad acl token create -name="Pulumi Testing" -policy="full-access" -type=client -ttl=8h

exit

docker exec -it pulumi-nomad-acls-sandbox-sandbox-1 /bin/bash
export NOMAD_TOKEN="<Secret ID>"
export NOMAD_ADDRESS="http://nomad:4646/"
export NOMAD_REGION=""

pulumi login --local
# I had to re-init my Python venv, but that could have just been from me mucking about 🙈 -- if pulumi yells, delete it and recreate it 
pulumi stack init sandbox
pulumi import nomad:index/aclPolicy:AclPolicy full-access-policy full-access -y

pulumi pre --diff --expect-no-changes

Same result as before:

pulumi pre --diff 
Previewing update (standbox):
  pulumi:pulumi:Stack: (same)
    [urn=urn:pulumi:standbox::nomad-acls-sandbox::pulumi:pulumi:Stack::nomad-acls-sandbox-standbox]
    + pulumi:providers:nomad: (create)
        [urn=urn:pulumi:standbox::nomad-acls-sandbox::pulumi:providers:nomad::nomad-provider]
        address: "http://nomad:4646/"
        version: "2.1.0"
    +-nomad:index/aclPolicy:AclPolicy: (replace) 🔓
        [id=full-access]
        [urn=urn:pulumi:standbox::nomad-acls-sandbox::nomad:index/aclPolicy:AclPolicy::full-access-policy]
        [provider: urn:pulumi:standbox::nomad-acls-sandbox::pulumi:providers:nomad::default_2_1_0::b754019b-cd3a-4db2-b978-0788f8716267 => urn:pulumi:standbox::nomad-acls-sandbox::pulumi:providers:nomad::nomad-provider::output<string>]
        description: "Full Access Policy"
      - id         : "full-access"
        name       : "full-access"
        rulesHcl   : "namespace \"*\" {\n  policy       = \"write\"\n  capabilities = [\"alloc-node-exec\"]\n}\n\nagent {\n  policy = \"write\"\n}\n\noperator {\n  policy = \"write\"\n}\n\nquota {\n  policy = \"write\"\n}\n\nnode {\n  policy = \"write\"\n}\n\nhost_volume \"*\" {\n  policy = \"write\"\n}\n\n"
Resources:
    + 1 to create
    +-1 to replace
    2 changes. 1 unchanged

@iwahbe iwahbe added the needs-triage Needs attention from the triage team label Feb 2, 2024
@t0yv0 t0yv0 added impact/usability Something that impacts users' ability to use the product easily and intuitively and removed needs-repro Needs repro steps before it can be triaged or fixed needs-triage Needs attention from the triage team labels Feb 6, 2024
@t0yv0
Copy link
Member

t0yv0 commented Feb 6, 2024

Thanks again @cynicaljoy docker-compose is handy we probably should set this up for running examples locally. Looks like something nefarious is going on with "id" which is a special property, not a regular property. My team will get back to you debugging this as time permits.

PULUMI_DEBUG_GRPC="$PWD/here.json" logs could be useful from the import, as well as checking up on pulumi state export to check how this resource writes itself into the statefile.

@mjeffryes
Copy link
Member

Unfortunately, it looks like this issue hasn't seen any updates in a while. If you're still encountering this problem, could you leave a quick comment to let us know so we can prioritize it? (Commenting will bump it back into our triage queue.)

@mjeffryes mjeffryes added awaiting-feedback Blocked on input from the author area/import An issue related to `pulumi import` or the import resource option. labels Sep 27, 2024
@cynicaljoy
Copy link
Author

@mjeffryes we're still waiting on a fix/workaround for the issue.

@pulumi-bot pulumi-bot added needs-triage Needs attention from the triage team and removed awaiting-feedback Blocked on input from the author labels Sep 27, 2024
@guineveresaenger
Copy link
Contributor

guineveresaenger commented Sep 27, 2024
edited
Loading

Thank you for verifying. We will take a look as soon as we can.

@guineveresaenger guineveresaenger removed the needs-triage Needs attention from the triage team label Sep 27, 2024
@mjeffryes mjeffryes added this to the 0.111 milestone Oct 2, 2024
@mjeffryes mjeffryes modified the milestones: 0.111, 0.112 Oct 30, 2024
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
area/import An issue related to `pulumi import` or the import resource option. impact/usability Something that impacts users' ability to use the product easily and intuitively kind/bug Some behavior is incorrect or out of spec
Projects
None yet
Milestone
0.112
Development

No branches or pull requests
6 participants
@t0yv0 @cynicaljoy @mjeffryes @guineveresaenger @iwahbe @pulumi-bot