We've had failing (due to timeout) unit tests for a little while. Looking into it now, I've tracked ...
l
little-cartoon-10569
10/29/2025, 1:08 AMWe've had failing (due to timeout) unit tests for a little while. Looking into it now, I've tracked it down to
@pulumi/puluminewResource()newResource()little-cartoon-10569
10/29/2025, 1:09 AMReviewing the changelog, the most likely change is this one: https://github.com/pulumi/pulumi/pull/20357
little-cartoon-10569
10/29/2025, 1:09 AMBut I don't understand the innards of the engine, so take that with a handful of salt.
little-cartoon-10569
10/29/2025, 1:11 AMIt certainly seems to affect the right area: https://github.com/pulumi/pulumi/issues/10533#issuecomment-3074092966
little-cartoon-10569
10/29/2025, 1:24 AMbefore()little-cartoon-10569
10/29/2025, 1:27 AMI presume this is the code that will need to change. What should it look like now?
little-cartoon-10569
10/29/2025, 2:18 AMHopefully Fraser will spot this in his morning.. I don't want to ping him, it's 3.20am there...
e
echoing-dinner-19531
10/29/2025, 7:03 AMFeel free to ping me whenever 🙂 I just pick them up in the morning, I won't get woken up by it.
Whats your top resource look like? Most importantly what does it pass to the super constructor for the input args.
echoing-dinner-19531
10/29/2025, 7:36 AMActually more important than the top resource, because sounds like thats the one thats constructing ok. What do the inputs look like for the child resources?
l
little-cartoon-10569
10/29/2025, 7:20 PMHi! I've determined that all the failures do have a common thread: they're the ones that create our Vpc wrapper component resource as a test dependency (though not necessary in before/beforeAll, I've moved it into the test function while experimenting).
The Vpc wrapper is old code, and adds onto awsx.ec2.Vpc, using its older interfaces, with promises rather than apply, to iterate through subnets to build NACLs, security groups and routes.
little-cartoon-10569
10/29/2025, 7:21 PMThe actual Vpc object is passed into the constructors of the component resources under test in each case. We prefer to pass IDs, but in these cases there's unknown numbers of subnets, etc. that needs to be handled, so the Vpc wrapper objects is passed.
little-cartoon-10569
10/29/2025, 7:23 PMMaybe there's a race condition somewhere, a pair of things are mutually blocking each other. It's a large amount of code to start commenting out in chunks to figure out what the problem is. At least I can rule out the Vpc peering code that's in there, since I'm not peering in the tests.
little-cartoon-10569
10/29/2025, 7:23 PMI can't give this 100% time today, but I'll keep on at it as best I can and keep this thread updated.
little-cartoon-10569
10/29/2025, 9:13 PMI've commented out almost everything. The smallest case I get get it to happen in is when a component resource constructs an awsx.classic.ec2.Vpc and then refers to its id property later in the constructor. I'll see if I can create a one-file MCVE.
little-cartoon-10569
10/29/2025, 10:26 PMMocha file that causes the problem. Note that all three of the marked "critical" bits have to be there; remove any of them and it's fine.
little-cartoon-10569
10/29/2025, 10:38 PMI tried reproducing that with simpler resources but couldn't quickly find a simpler pair that reproduced the problem. I'm afraid I've hit my time limit on debugging this for today. It's really weird that setting the parent on both resources is absolutely required....
little-cartoon-10569
10/29/2025, 11:59 PMOh wow. Just discovered that changing the second
{parent: this}{parent: undefined}{parent: this.vpc}e
echoing-dinner-19531
10/30/2025, 9:19 AMOK thanks that's a lot of information. Nothing stands out as an obvious culprit so I'll have to dig into this a bit.
l
little-cartoon-10569
10/31/2025, 3:00 AMDid this change result in args to a component resource automatically getting stored in the resource? I'm seeing a pile of unexpected updates for my component resources, adding values that are used in the constructor but don't need to be stored.
little-cartoon-10569
10/31/2025, 3:07 AMHmm... I see passwords that are encrypted in constructors, but Pulumi is wanting to save them into state in plain text because they're in an arg. This isn't ideal.
little-cartoon-10569
10/31/2025, 3:10 AMYep that's what's happening:
[components/{go,nodejs}] Send component inputs to be saved in state. This brings NodeJS and Go inline with Python behaviour
https://github.com/pulumi/pulumi/pull/20357That's a big enough change that it deserved a big red warning label, I'm afraid. This is going to require some rewriting in our code.
little-cartoon-10569
10/31/2025, 3:11 AMI don't suppose there's an opt-out for this behaviour is there? Our code assumes that properties are required in order to save something to state, but this change means that args are also saved to state. We're going to need to write new policy.
e
echoing-dinner-19531
10/31/2025, 8:41 AMIf you need to opt-out you can just change the super call to ComponentConstructor to not pass those args.
but Pulumi is wanting to save them into state in plain text because they're in an arg. This isn't ideal.That's unexpected. Secrets should still be propagating through args.
That's a big enough change that it deserved a big red warning label, I'm afraid.Yeh seems its mostly gone unnoticed but has bitten a couple of users badly. Our internal testing had gone fine with only thing causing issues was circular references but we recommend against those anyway.
I'm seeing a pile of unexpected updates for my componentThis is actually one of the big wins here, is now the engine can tell that a component is "updated" and so call lifecycle hooks for it.
echoing-dinner-19531
10/31/2025, 9:17 AMLooking to add an envvar to opt out of this to help as well. Wouldn't advise depending on it long term, there are good points to saving inputs in state, but should make things like this less urgent panic.
echoing-dinner-19531
10/31/2025, 9:58 AMl
little-cartoon-10569
10/31/2025, 10:57 PMIf you need to opt-out you can just change the super call to ComponentConstructor to not pass those args.
This is good to know. This may be the quick way to get deployments happening again, then we can fix the couple of poor dev choices we made years ago afterwards.
Secrets should still be propagating through args.
They are. The code that alarmed me involved passing a plaintext secret into a constructor, which then wrapped it in a secret and put it in a property. The plaintext secret wasn't being put into state previously.
> I'm seeing a pile of unexpected updates for my component
This is actually one of the big wins here, is now the engine can tell that a component is "updated" and so call lifecycle hooks for it.
Good stuff. We don't have any of those, but good to know it'll work if we ever create any :)
Pulumi Community
No matter how you like to participate in developer communities, Pulumi wants to meet you there. If you want to meet other Pulumi users to share use-cases and best practices, contribute code or documentation, see us at an event, or just tell a story about something cool you did with Pulumi, you are part of our community.
Powered by