Pulumi is showing horrible diffs for TypeSets when...
# generalb
breezy-judge-31680
03/01/2025, 6:36 PMPulumi is showing horrible diffs for TypeSets when working with the FusionAuth provider in python. When making the same change directly the diff shows only the individual thing being added/removed. Wondering if this is a general pulumi issue, or pulumi python, or the third party package (based on pulumi-tf-provider-boilerplate) causing problems.
breezy-judge-31680
03/01/2025, 6:36 PMAs an example, with FusionAuth terraform you can create an API Key object, and you turn on or off individual API urls and scopes (delete, get, put, etc). What order you put them in is irrelevant to FusionAuth.
In terrafrom when you add a new URL or change a scope you see a diff with just that change.
In pulumi, when it gets the results in a different order then the diff is unreadably large.
Pulumi example output below may make it more clear. If you look at the first element /api/email/send came first from fusinonauth API, and now /api/application comes first. However if you dig in you'll see that /api/email/send is now seen in # 2, and has the same perms (true/true/true) as before.
This bug throws off any sanity checking or the ability to run in cicd in check mode because we'll get false positives all the time.
breezy-judge-31680
03/01/2025, 6:36 PM Copy code
~ permissionsEndpoints: [
~ [0]: {
+ __defaults: [
+ [0]: "delete"
+ [1]: "patch"
+ [2]: "post"
+ [3]: "put"
]
~ delete : true => false
~ endpoint : "/api/email/send" => "/api/application"
~ patch : true => false
~ post : true => false
~ put : true => false
}
~ [1]: {
+ __defaults: [
+ [0]: "delete"
+ [1]: "patch"
+ [2]: "post"
+ [3]: "put"
]
~ endpoint : "/api/user/recent-login" => "/api/application/role"
}
~ [2]: {
+ __defaults: []
~ endpoint : "/api/user/registration" => "/api/email/send"
}
~ [3]: {
+ __defaults: []
~ delete : false => true
~ endpoint : "/api/application/role" => "/api/user"
~ patch : false => true
~ post : false => true
~ put : false => true
}
~ [4]: {
+ __defaults: [
+ [0]: "delete"
+ [1]: "patch"
+ [2]: "post"
+ [3]: "put"
]
~ delete : true => false
~ endpoint : "/api/user" => "/api/user/recent-login"
~ patch : true => false
~ post : true => false
~ put : true => false
}
~ [5]: {
+ __defaults: []
~ delete : false => true
~ endpoint : "/api/application" => "/api/user/registration"
~ patch : false => true
~ post : false => true
~ put : false => true
}
~ [6]: {
+ __defaults: [
+ [0]: "delete"
+ [1]: "patch"
+ [2]: "post"
+ [3]: "put"
]
~ delete : true => false
~ endpoint : "/api/user/change-password" => "/api/user/search"
~ patch : true => false
~ post : true => false
~ put : true => false
}
- [7]: {
- delete : false
- endpoint: "/api/user/search"
- get : true
- patch : false
- post : false
- put : false
}
]breezy-judge-31680
03/01/2025, 6:36 PMThe terraform authors cannot reproduce this when doing terraform directly.
breezy-judge-31680
03/01/2025, 6:36 PMbreezy-judge-31680
03/01/2025, 6:37 PMAny ideas where we should try to tackle fixing this?
e
echoing-dinner-19531
03/01/2025, 8:06 PMProbably a bug in the terraform-bridge: https://github.com/pulumi/pulumi-terraform-bridge/issues
I know there's been some work to improve the handling of sets, but I guess there's more to do. Raising an issue there will give them more examples of what needs fixing.
9 Views