Hey, bit of a random question about how Pulumi works. TLDR we have an existing stack with state stored in GCP and interacting with Gitlab. Pulumi had been working fine with creating repos etc. We recently refreshed the token used to authenticate to Gitlab, and now see 401 errors when trying to do any operation with a refresh. Playing around with config, I noticed that even when I changed all references to the host url, the refresh is failing with 401 against the old value. I'm wondering if Pulumi is storing the old config in state and trying to use that for the refresh instead of the updated local values?

Yes. The deployed resource is used with the provider it is deployed with. If you (really) changed the provider, Pulumi would have to destroy the old resource and create a new one in the new provider, so it needs to remember what old provider is associated with each resource. To resolve this, you need to update the state so that either the old provider has the new token, or all the resources used the new provider. I believe there are better / newer ways to do this, but I'm an old-timer: my solution would be to export-edit-import the state file. Hopefully someone who has been keeping up-to-date with changes in

pulumi refresh

and

pulumi import

will be able to furnish you with a better solution!

@little-cartoon-10569 Thanks for your reply. The provider hasn't been changed aside from the token it's using to authenticate has. So yeah, I think you're right that I'll need to edit the state manually. Yeah, I had had a look at those commands but didn't see anything useful for my case.

Yes I think that would work, if you're using an explicit provider. Maybe not, if you're using the default provider? Worth a try!

My only concern is changes that have occurred outside of state being reverted/crushed, but by the sounds of it that shouldn't happen. 🤔

I see something extremely similar, by the way, with the DigitalOcean and Cloudflare providers; I joined the Slack today to ask about it! My own

pulumi up

thinks it needs to destroy most of the stack, so I can't let that run, and

pulumi refresh

is failing to auth (presumably due to the rotated creds). I don't suppose you know the difference between the "inputs" and "outputs" properties of the Pulumi provider? The output of

pulumi stack export

, in the Cloudflare provider section, contains two different ciphertexts for the Cloudflare

apiToken

in its

inputs

and its `outputs`; can I just replace both those ciphertexts in the output of `pulumi stack export`" with the contents of the same key in

Pulumi.<stack>.yaml

?

@fancy-pharmacist-39201 not personally, I really don't use pulumi much 😬 Hopefully someone else can help. You may be better off asking outside of this thread for visibility.