https://pulumi.com logo
#general
Title
# general
h

hallowed-camera-71190

05/24/2023, 4:40 AM
Hey, bit of a random question about how Pulumi works. TLDR we have an existing stack with state stored in GCP and interacting with Gitlab. Pulumi had been working fine with creating repos etc. We recently refreshed the token used to authenticate to Gitlab, and now see 401 errors when trying to do any operation with a refresh. Playing around with config, I noticed that even when I changed all references to the host url, the refresh is failing with 401 against the old value. I'm wondering if Pulumi is storing the old config in state and trying to use that for the refresh instead of the updated local values?
l

little-cartoon-10569

05/24/2023, 5:08 AM
Yes. The deployed resource is used with the provider it is deployed with. If you (really) changed the provider, Pulumi would have to destroy the old resource and create a new one in the new provider, so it needs to remember what old provider is associated with each resource. To resolve this, you need to update the state so that either the old provider has the new token, or all the resources used the new provider. I believe there are better / newer ways to do this, but I'm an old-timer: my solution would be to export-edit-import the state file. Hopefully someone who has been keeping up-to-date with changes in
pulumi refresh
and
pulumi import
will be able to furnish you with a better solution!
h

hallowed-camera-71190

05/24/2023, 5:33 AM
@little-cartoon-10569 Thanks for your reply. The provider hasn't been changed aside from the token it's using to authenticate has. So yeah, I think you're right that I'll need to edit the state manually. Yeah, I had had a look at those commands but didn't see anything useful for my case.
Given that the preview operation shows no change, and based on a video I've just watched indicating pulumi will only attempt to apply a change if it thinks a resource needs to change, would it be viable to apply pulumi (without refresh), (presumably) have the token be updated in state and then be able to run operations with
--refresh
?
l

little-cartoon-10569

05/24/2023, 5:45 AM
Yes I think that would work, if you're using an explicit provider. Maybe not, if you're using the default provider? Worth a try!
h

hallowed-camera-71190

05/24/2023, 5:47 AM
My only concern is changes that have occurred outside of state being reverted/crushed, but by the sounds of it that shouldn't happen. 🤔
Yep, that seems to have worked. Thanks again @little-cartoon-10569 for your input 🚀 .
f

fancy-pharmacist-39201

05/24/2023, 6:39 AM
I see something extremely similar, by the way, with the DigitalOcean and Cloudflare providers; I joined the Slack today to ask about it! My own
pulumi up
thinks it needs to destroy most of the stack, so I can't let that run, and
pulumi refresh
is failing to auth (presumably due to the rotated creds). I don't suppose you know the difference between the "inputs" and "outputs" properties of the Pulumi provider? The output of
pulumi stack export
, in the Cloudflare provider section, contains two different ciphertexts for the Cloudflare
apiToken
in its
inputs
and its `outputs`; can I just replace both those ciphertexts in the output of `pulumi stack export`" with the contents of the same key in
Pulumi.<stack>.yaml
?
h

hallowed-camera-71190

05/24/2023, 6:49 AM
@fancy-pharmacist-39201 not personally, I really don't use pulumi much 😬 Hopefully someone else can help. You may be better off asking outside of this thread for visibility.