Hi I ve tried googling but I felt I need to look for help he

Question

Hi I ve tried googling but I felt I need to look for help here so perhaps docs need to be clearer on this I have a Python program with a bunch of imported AWS resources but my plan is to make this a template so I can create and destroy these at will The problem I have is that if I start with a clean slate no stack state file then I can t use `pulumi stack import` because I don t have a stack state file like that I can t use `pulumi up` because that wants to create things that already exist I can t use `pulumi refresh` because it apparently doesn t care what I ve declared only what s in the stack state file I refuse to believe that the idea is to manually import each resource again like a peasant I should also point out that it would be nice if nomenclature and docs could be clearer on what s a resource in a program in a stack state and with the actual cloud provider at least two of these are very different right

limited-rainbow-51650 · Answer

gt a Python program with a bunch of imported resources I m not sure I understand If you have a program with a bunch of imported resources these resources should then be in your state file and `pulumi up` shouldn t create these a second time Either your description of imported resources is not what we understand of being truly imported resources into the state file or I am missing something about the current state of your setup

swift-apple-16812 · Answer

Yeah but I want to vary the the resource names to create at least dozens of these

swift-apple-16812 · Answer

What I want is to discover the remote resources matching the descriptions I ve given After that maybe some need to be created and some updated but that s a separate thing

swift-apple-16812 · Answer

program lt gt state lt gt cloud right Well if the state file is necessary it s not really fair to say you just declare your resources in your IaC program because you also need for them to be in the state file

swift-apple-16812 · Answer

If I want to import dozens of stacks that look just like this I apparently need to forge state files or do something equally strange

limited-rainbow-51650 · Answer

That is indeed the hard part of IaC the resources which need to be imported might make sense to you because you know your program But given the flat namespace AWS is you could deploy 10s even hundreds of differents stacks from the same program If we don t keep track of the resources set up by each stack in a corresponding state file how would we know which resources we need to update or additionally create

swift-apple-16812 · Answer

Easy They match the spec

swift-apple-16812 · Answer

If that s not enough you need to tighten the spec Tags are pretty good for that

limited-rainbow-51650 · Answer

Tags are AWS specific Pulumi s engine needed a model which works for any technology Whether it is Pulumi or another existing IaC tool they all keep track of state whether it is visible to you or not

swift-apple-16812 · Answer

Fair but there s no way to even try

swift-apple-16812 · Answer

Aside from this use case it makes the state file a really dangerous single point of failure

swift-apple-16812 · Answer

Having N stacks just make N anonymous resources seems really crazy to me They d at least have to be connected to something right Otherwise thinking face maybe you could just pick one at random

limited-rainbow-51650 · Answer

That is why our Pulumi SaaS is a hosted and fault tolerant backend to manage state with ACL audit logging etc

swift-apple-16812 · Answer

Right so the fix is to put all the eggs in a really really safe basket

swift-apple-16812 · Answer

Anyway I m not really worried about losing the state file I m worried about getting the state file corrupted

swift-apple-16812 · Answer

I guess versioning could help there but even trivial operations on 100+ version histories Yeah that s going to be pretty nasty

limited-rainbow-51650 · Answer

Whether it is our SaaS or a self managed backend e g S3 with bucket object versioning you can always get back to the last working version

limited-rainbow-51650 · Answer

FYI we keep a version of the complete state not a version per resource

swift-apple-16812 · Answer

Yeah but that s not going to recognize the state of the remote provider but that s not a thing that it does

limited-rainbow-51650 · Answer

that is what `pulumi refresh` is for

limited-rainbow-51650 · Answer

echoing-dinner-19531 · Answer

There is an issue we have tracking this idea <https github com pulumi pulumi issues 6667> But as suggested in the ticket there isn t really a good way to do this

swift-apple-16812 · Answer

Yes it s a large ish json file It s editable without something throwing a hissy fit which is nice

swift-apple-16812 · Answer

Ah ok how s this for a plan 1 Write up or import whatever the program 2 Generate a blank slate state file where everything is represented but id s are trashed 3 `pulumi refresh`

echoing-dinner-19531 · Answer

That won t work because `refresh` works via IDs

echoing-dinner-19531 · Answer

The point of refresh is to ask I had resource X and Y that had attributes A and B can you check those resources still exist and look like that

swift-apple-16812 · Answer

With my previous employer we wrote a service that deploys services and it had some of these concepts and design issues as well One of the things it did do very well was to discover and replace resources that had been fat fingered by the proletariat dress like teenagers paid like doctors expect to eat for free

swift-apple-16812 · Answer

Yeah that s what I d like to do too I just don t have the id s for anything I have a very good idea of what I expect things to look like though

echoing-dinner-19531 · Answer

gt discover and replace resources Yeh that s only doable if it s safe to assume that Pulumi is fully managing the entire cloud account Which is so rarely the case that we haven t put effort into supporting it

swift-apple-16812 · Answer

It s safe enough if all the resources you manage are tagged

swift-apple-16812 · Answer

Or ofc you can be quite sure some of way

echoing-dinner-19531 · Answer

Not every cloud supports tags so we can t do that

swift-apple-16812 · Answer

Well they need to have something otherwise it would just be too chaotic

swift-apple-16812 · Answer

Or maybe it just is scream

echoing-dinner-19531 · Answer

We are at the mercy of what aws microsoft google oracle everyone else decides to implement here shrug

echoing-dinner-19531 · Answer

I d suggest leaving your thoughts on <https github com pulumi pulumi issues 6667> it s a very interesting idea of we could work out a general way to support this but for the time being us and everyone other IaC tool in the market need to use state files

swift-apple-16812 · Answer

Yeah It just strikes me as crazy that the easiest way to work with this is to load up the SDK munge the cloud account and forge a state file I still like the rest of it so this is actually a real possibility

echoing-dinner-19531 · Answer

Well don t forge a state file just use the import machinery that s what `pulumi import` is for to build a statefile for you from existing resources

swift-apple-16812 · Answer

Hm Sure The annoying part is finding all the resources anyway

swift-apple-16812 · Answer

Looking at my shell history most of these are imported by name so there s that I guess

swift-apple-16812 · Answer

o 0 O Damn it shell scum is what I m trying to avoid here

echoing-dinner-19531 · Answer

Not much we can do to help with looking these resources up we ve got ideas of extending import to look up by attributes rather than ID but at least to save some amount of shell ing back and forth `pulumi import` can take a JSON file with a list of all the resource id pairs to import

swift-apple-16812 · Answer

Yeah it s something Anyway thanks for the support

swift-apple-16812 · Answer

If there s anything I can give you it s probably the observation that nomenclature could be clarified a bit In our tool service we used plan and fact to refer to objects describing desired resources and actual resources referred to