Channels
#general
Title
b
better-actor-92669
03/11/2020, 10:47 AMHi guys! Is it possible to do "update before delete"? For instance, I have a GCP Https proxy target, which depends on a certificate and I cannot replace a certificate cause another resource depends on it.
Copy code
Error reading SslCertificate: googleapi: Error 400: The ssl_certificate resource 'projects/some-project/global/sslCertificates/base-site-ssl-certificate' is already being used by 'projects/some-project/global/targetHttpsProxies/base-site-http-proxy', resourceInUseByAnotherResourcel
limited-rainbow-51650
03/11/2020, 10:51 AMThat should work normally. Can you post a code snippet for the certificate and proxy? I suspect you lock the naming of the certificate and not let Pulumi do its autonaming. See the last paragraph here: https://www.pulumi.com/blog/infrastructure-as-code-resource-naming/#logical-vs-physical-names
b
better-actor-92669
03/11/2020, 10:55 AM@limited-rainbow-51650 it has nothing to do with naming. I generate self-signed certificate each time, therefore .certificate and .private_key properties of the ssl_certificate object change. Since target https proxy depends on it, I cannot do a "replace" operation on the ssl_certificate.
In terraform you can replace it using "update before delete" or "create before delete", smth like that, I do not remember exactly, but I think those two are separate
I've found this, but ...
https://github.com/pulumi/pulumi/issues/450
there is no mention of how to use it
s
stocky-island-3676
03/11/2020, 11:02 AM@better-actor-92669 You need to create the new `SSLCertificate` before deleting the existing one (here:
base-site-ssl-certificatel
limited-rainbow-51650
03/11/2020, 11:06 AMRight, and adding that hash is something Pulumi does by default if you don’t provide a value for the
namedelete before createdeleteBeforeReplaceb
better-actor-92669
03/11/2020, 11:06 AM@stocky-island-3676 thank you. It will for sure solve the issue, i do it for postgresql instances, since google reserves a name for a long time after deletion. However, it doesn’t answer my initial question about the resource lifecycle. Imagine that you have a cerificate, let’s say as a secret, and when you change it , you don’t want to replace the name of the resource
l
limited-rainbow-51650
03/11/2020, 11:07 AM@better-actor-92669 that is again a reason to let Pulumi do its autonaming.
b
better-actor-92669
03/11/2020, 11:08 AM@limited-rainbow-51650 , @stocky-island-3676 thank you. I will take a look at that property. Strange that I haven’t found it in the programming model article
s
stocky-island-3676
03/11/2020, 11:09 AMl
limited-rainbow-51650
03/11/2020, 11:09 AM@better-actor-92669 it is there: https://www.pulumi.com/docs/intro/concepts/programming-model/#autonaming
b
better-actor-92669
03/11/2020, 11:11 AM@limited-rainbow-51650, I was talking about deletebeforereplace. Autonaming makes sense, thank you for the explanation, however I try to specify resource name to have some consistency in gcp console.
l
limited-rainbow-51650
03/11/2020, 11:12 AM@better-actor-92669 which means you are overriding the autonaming. Autonaming is the biggest reason for not ending up in the situation you are in now.
b
better-actor-92669
03/11/2020, 11:15 AMYeah, I agree. But if I want to avoid autonaming, let’s say for the consistency of ci cd, I can’t afford to have random names each time. In some cases I need to have control over the resource lifecycle
That’s why that deletebeforecreate exists I guess
l
limited-rainbow-51650
03/11/2020, 11:20 AMThe naming is not fully random. If you create e.g.
pulumi.gcp.SSLCertificate('my-name-here', …)my-name-here-<hash>In the end, it is still your call, but definitely have another look at the autonaming and see if you aren’t taking a lot of hassle upon yourselves by bypassing it. I haven’t had any problems so far with it.
As a closing note: before Pulumi, I used Terraform. In Terraform, I had to manage the naming fully myself, meaning I needed the hassle to make the resource name unique myself. In Terraform, they needed the reverse lifecycle trick as a result:
create_before_destroy👍 1
s
stocky-island-3676
03/11/2020, 11:28 AM@better-actor-92669 For CI/CD consistency, Pulumi uses stacks where the state is saved (similar or same(?) like Terraform). That way a repeated application (
updateSSLCertificateb
better-actor-92669
03/11/2020, 11:32 AMSorry, I think I confused you. I don't really want to change the
resource_namenames
stocky-island-3676
03/11/2020, 11:34 AMI only care about theThat’s what we’re also talking about. Pulumi automatically sets thename
name = resource-name-hash-suffixname👍🏼 1
b
better-actor-92669
03/11/2020, 11:38 AMGot you, thanks!
@stocky-island-3676, when I mentioned the CI-CD part, I didn't mean pulumi specifically. Let's say you create your whole infrastructure automatically using any CI/CD tool or a script (very bad idea). Then, you want to access a resource via it's name in latter steps (outside of pulumi). For instance, to do host configuration via Ansible or apply a salt state. In this case, you want some consistency of how you assign your Cloud DNS names using the pattern
some-nginxpulumi.get_peoject()and yes, both autonaming and deletebeforereplace work like a charm. Thank you guys!
s
stocky-island-3676
03/11/2020, 12:03 PM@better-actor-92669 Right, I know this problem, too.
Still, in the
SSLCertificatename = BBAAb
better-actor-92669
03/11/2020, 2:02 PMyeah, @stocky-island-3676, thanks a lot. For now, I just used autonaming. Cheers!