General understanding on `pulumi preview` delete replace vs Pulumi Community #general

General understanding on `pulumi preview` (delete-...

rhythmic-finland-36256

08/19/2019, 10:23 AM

General understanding on

pulumi preview

(delete-replace vs. in-place-update)

rhythmic-finland-36256

08/19/2019, 10:25 AM

I’m just playing around with the azure provider, doing the quickstart tutorial for azure. I’m at this step: https://www.pulumi.com/docs/quickstart/azure/review-project/ and extended the resource group to have some tags.

rhythmic-finland-36256

08/19/2019, 10:25 AM

The preview now says that the storage bucket will be replaced

Copy code

Type                         Name                  Plan        Info
     pulumi:pulumi:Stack          azure-infra-eval-dev
 ~   ├─ azure:core:ResourceGroup  pulumi-azure-eval     update      [diff: ~tags]
 +-  └─ azure:storage:Account     teststorage           replace     [diff: ~resourceGroupName]

best-xylophone-83824

08/19/2019, 10:26 AM

--diff

arg is helpful to see exact changes

👍 1

rhythmic-finland-36256

08/19/2019, 10:27 AM

which is probably caused by the inability to have the real output available (the name of the resource group that was changed by adding one tag):

~ resourceGroupName: "pulumi-azure-evalf9c2b004" => output<string>

rhythmic-finland-36256

08/19/2019, 10:28 AM

I’m already watching the full diff which says the resource group is updated and the account is create-replacement as the

resourceGroupName

changed (which won’t change just because of the additional tags)

rhythmic-finland-36256

08/19/2019, 10:29 AM

I now manually added one blob to the container to see if it will be lost and when I performed the upgrade in the end it was just an update and no create-replacement. Is this the usual behavior as the preview cannot definitely know if it can be done using a plain update?

rhythmic-finland-36256

08/19/2019, 10:30 AM

Copy code

Do you want to perform this update? yes
Updating (dev):

     Type                         Name                  Status      Info
     pulumi:pulumi:Stack          azure-infra-eval-dev
 ~   └─ azure:core:ResourceGroup  pulumi-azure-eval     updated     [diff: ~tags]

rhythmic-finland-36256

08/19/2019, 10:32 AM

pulumi preview --diff

also lists it as a replacement due to the “new”

resourceGroupName

rhythmic-finland-36256

08/19/2019, 10:33 AM

~ resourceGroupName: "pulumi-azure-evalf9c2b004" => output<string>

best-xylophone-83824

08/19/2019, 10:35 AM

Maybe there is no link between input args and output, any relation is per resource. if that is right, then yes it can't know whether value is going to change

best-xylophone-83824

08/19/2019, 10:36 AM

On the other hand they claim that they can track this relation for data marked as secret, so maybe it is not the full picture

rhythmic-finland-36256

08/19/2019, 10:37 AM

I’m using the sample of the azure tutorial. Just a resource group and a storage bucket that has this resource group name as an input (see first link)

rhythmic-finland-36256

08/19/2019, 10:38 AM

The

storageAccount

does not live under the resource group itself but on the same level. If I’m right, indentation hierarchy only applies if things are a sub-resource from a component-kind-of-view, right?

best-xylophone-83824

08/19/2019, 10:40 AM

yeah, both your resources are on the same level (as it should be)

rhythmic-finland-36256

08/19/2019, 10:40 AM

There is a dependency from the

storageAccount

to the

resourceGroup

by referencing the `resourceGroup`’s name as property of the

storageAccount

like so:

resourceGroupName: resourceGroup.name,

rhythmic-finland-36256

08/19/2019, 10:41 AM

So performing the update exactly does what is expected. The

resourceGroup

is updated in place and the

storageAccount

doesn’t change at all as its

resourceGroup

reference is still the same as before.

rhythmic-finland-36256

08/19/2019, 10:42 AM

Just wondering if there is a better way to evaluate the previews or if one just needs to know how things behave and that the given preview is just a pessimistic one…

best-xylophone-83824

08/19/2019, 10:42 AM

yes, update is fine, problem is that preview is not accurate

best-xylophone-83824

08/19/2019, 10:43 AM

for preview to be accurate Pulumi need to track args -> output dependency.

best-xylophone-83824

08/19/2019, 10:43 AM

they say that they do it for secrets, so maybe this particular provider needs to implement that fine tracking?

rhythmic-finland-36256

08/19/2019, 10:58 AM

Could you give me a hint on where I should find this? Is this on the parent side or on the referencing/depending side? Having a look at the

pulumi/pulumi-azure

repo shows that most of that is generated using the terraform bridge tool. 🤔

best-xylophone-83824

08/19/2019, 11:05 AM

Sorry, I remembered it wrong, it is very coarse:

When constructing a resource that has one or more secret inputs for a property, the entire corresponding output property of the resource is marked as a secret as well.

(from https://www.pulumi.com/blog/managing-secrets-with-pulumi/) , so it matches the behavior you see, as in it don't know which outputs depends on which inputs

rhythmic-finland-36256

08/19/2019, 12:43 PM

I don’t see how this relates to the problem I observe, why there should be some secret when I create the

resourceGroup

. There is no secret input to the resource and the name should also not be marked as a secret as it is the public given name of the resource.

best-xylophone-83824

08/19/2019, 12:49 PM

it is related as it is another indication that it can't map changes in inputs to individual outputs, therefore it can't know during planning stage that resurceGroup.name wont change when it's tags change

82 Views

Open in Slack

Previous Next