fast-sandwich-30809
03/18/2024, 12:14 AM
__provider in the statefile for dynamic resources is causing nightmares (mostly re trying to not serialize rotating credentials). It seems the new state of the art is relying on process.env to pass in auth tokens. As long as my code runs before the serialized provider, this should be fine - but I'm worried about refresh operations. Does refresh run the program? Or does it only look at the statefile?
little-cartoon-10569
03/18/2024, 2:00 AM
fast-sandwich-30809
03/18/2024, 12:46 PM
fast-sandwich-30809
03/18/2024, 12:50 PM
up
fast-sandwich-30809
03/18/2024, 3:22 PM
process.env, even during up, doesn't appear to be working. We've devised an evil scheme, however, that just might work:
• When our code runs, write the token to /tmp/${provider}_${resource_name}.txt
• Read from said file in the provider (I'm guessing process.env didn't work because the provider runs in a different process)
• Since we're using the automation API, we can call the subset of our code that does said writing before passing to pulumi for the refresh.
This is extremely hacky, but avoids all embedded credentials, and we can "test" the creds before getting pulumi involved at all. (fail fast!)
The only failure case I can think of is serializing 'node:fs'. We've tried and miserably failed in the past trying to get URL() to work post-serialization. If we can't use node built-ins in the provider, we'll have to rely on globals, and do something with fetch and a local http listener think I hope that's not the case
fast-sandwich-30809
03/18/2024, 4:24 PM
LocalWorkspaceOptions takes an envVars option. We still need to break our pulumi programs into preBuild and build to populate tokens, but then we can use process.env again and avoid the node:fs tangle entirely!
little-cartoon-10569
03/18/2024, 8:09 PM
fast-sandwich-30809
03/22/2024, 5:55 PM
refresh operations. The dynamic provider then just looks for a token in the environment variables and it's good to go! We have successfully deployed + re-created + mutated custom resources 🙂