
Pulumi reports vault.azure.BackendRole always has changes #231

Open
dgivens opened this issue Apr 11, 2023 · 5 comments
Labels
bug/diff (kind/bug related to Pulumi generating wrong diffs on preview or up), kind/bug (Some behavior is incorrect or out of spec)

Comments

@dgivens

dgivens commented Apr 11, 2023

What happened?

Pulumi always reports changes for vault.azure.BackendRole resources even when no changes have been made.

~ vault:azure/backendRole:BackendRole: (update)
    [id=azure/roles/mgmt-reader]
    [urn=urn:pulumi:hashistack.dev::hashistack::vault:azure/backendRole:BackendRole::mgmt-reader]
    [provider=urn:pulumi:hashistack.dev::hashistack::pulumi:providers:vault::default_5_10_0::0a3911b0-f18a-49fa-ab4c-f043f1d1fd19]
  ~ azureRoles: [
      ~ [0]: {
              + roleName: [secret]
              ~ scope   : [secret] => [secret]
            }
    ]

Expected Behavior

Pulumi should not attempt to make changes when they are unnecessary.

Steps to reproduce

Something like the following should work, with mgmtScope being either a subscription or management group.

import * as pulumi from "@pulumi/pulumi";
import * as vault from "@pulumi/vault";

interface AzurePlatformConfig {
  clientId: string;
  clientSecret: string;
  subscriptionId: string;
  tenantId: string;
  mgmtScope: string;
}

// Stack configuration; the "azurePlatform" object is stored as a secret.
const config = new pulumi.Config();
const platformConfig =
  config.requireSecretObject<AzurePlatformConfig>("azurePlatform");

const platformBackend = new vault.azure.Backend(
  "azure",
  {
    path: "azure",
    clientId: platformConfig.clientId,
    clientSecret: platformConfig.clientSecret,
    subscriptionId: platformConfig.subscriptionId,
    tenantId: platformConfig.tenantId,
    useMicrosoftGraphApi: true,
  },
  {
    ignoreChanges: ["clientSecret"],
    deleteBeforeReplace: true,
  }
);

new vault.azure.BackendRole(
  "mgmt-reader",
  {
    backend: platformBackend.path.apply((p) => p!),
    role: "mgmt-reader",
    ttl: "3600",
    maxTtl: "86400",
    azureRoles: [
      {
        roleName: "Reader",
        scope: platformConfig.mgmtScope,
      },
    ],
  }
);

Output of pulumi about

CLI
Version      3.62.0
Go Version   go1.20.2
Go Compiler  gc

Plugins
NAME    VERSION
aws     5.35.0
consul  3.8.0
gcp     6.53.0
nodejs  unknown
vault   5.10.0

Host
OS       ubuntu
Version  20.04
Arch     x86_64

This project is written in nodejs: executable='/home/esdev/.nvm/versions/node/v18.9.1/bin/node' version='v18.9.1'

<removed resources>

Found no pending operations associated with hashistack.dev

Backend
Name           esdev
URL            s3://<redacted>?region=<redacted>&awssdk=2&profile=<redacted>
User           esdev
Organizations

Dependencies:
NAME                              VERSION
@pulumi/aws                       5.35.0
@pulumi/consul                    3.8.0
@pulumi/gcp                       6.53.0
@pulumi/pulumi                    3.62.0
@pulumi/vault                     5.10.0
@types/mustache                   4.2.2
mustache                          4.2.0
@types/node                       17.0.23
@typescript-eslint/eslint-plugin  5.58.0
@typescript-eslint/parser         5.58.0
eslint                            8.38.0
eslint-config-prettier            8.8.0
prettier                          2.8.7
typescript                        4.9.4

Pulumi locates its logs in /tmp by default

Additional context

No response


@dgivens dgivens added kind/bug Some behavior is incorrect or out of spec needs-triage Needs attention from the triage team labels Apr 11, 2023
@jazzyfresh jazzyfresh removed the needs-triage Needs attention from the triage team label Apr 14, 2023
@jazzyfresh

Thank you for reporting this! This has been added to our project board

@aq17

aq17 commented Jun 20, 2023

@t0yv0 looks like an instance of pulumi/pulumi-terraform-bridge#866?

@t0yv0 t0yv0 added the bug/diff kind/bug related to Pulumi generating wrong diffs on preview or up. label Jul 7, 2023
@lukehoban

This still repros with 6.3.2 of @pulumi/vault - even after addressing pulumi/pulumi-terraform-bridge#866 / pulumi/pulumi-terraform-bridge#1785.

@lukehoban

Here's the diff:

I1109 09:43:11.977367   40326 provider_plugin.go:911] Provider[vault, 0x14002149180].Diff(urn:pulumi:dev::vault231::vault:azure/backendRole:BackendRole::mgmt-reader,azure/roles/mgmt-reader): executing (#oldInputs=6#oldOutputs=13,#newInputs=6)
I1109 09:43:11.977375   40326 rpc.go:77] Marshaling property for RPC[Provider[vault, 0x14002149180].Diff(urn:pulumi:dev::vault231::vault:azure/backendRole:BackendRole::mgmt-reader,azure/roles/mgmt-reader).oldInputs]: __defaults={[]}
I1109 09:43:11.977541   40326 rpc.go:77] Marshaling property for RPC[Provider[vault, 0x14002149180].Diff(urn:pulumi:dev::vault231::vault:azure/backendRole:BackendRole::mgmt-reader,azure/roles/mgmt-reader).oldInputs]: azureRoles={&{{[{map[__defaults:{[]} roleName:{acdd72a7-3385-48ef-bd42-f606fba81ae7} scope:{/subscriptions/0282681f-7a9e-424b-80b2-96babd57a8a1}]}]}}}
I1109 09:43:11.977570   40326 rpc.go:193] marshalling secret value as raw value as opts.KeepSecrets is false
I1109 09:43:11.977583   40326 rpc.go:77] Marshaling property for RPC[Provider[vault, 0x14002149180].Diff(urn:pulumi:dev::vault231::vault:azure/backendRole:BackendRole::mgmt-reader,azure/roles/mgmt-reader).oldInputs]: __defaults={[]}
I1109 09:43:11.977591   40326 rpc.go:77] Marshaling property for RPC[Provider[vault, 0x14002149180].Diff(urn:pulumi:dev::vault231::vault:azure/backendRole:BackendRole::mgmt-reader,azure/roles/mgmt-reader).oldInputs]: roleName={acdd72a7-3385-48ef-bd42-f606fba81ae7}
I1109 09:43:11.977597   40326 rpc.go:77] Marshaling property for RPC[Provider[vault, 0x14002149180].Diff(urn:pulumi:dev::vault231::vault:azure/backendRole:BackendRole::mgmt-reader,azure/roles/mgmt-reader).oldInputs]: scope={/subscriptions/0282681f-7a9e-424b-80b2-96babd57a8a1}
I1109 09:43:11.977605   40326 rpc.go:77] Marshaling property for RPC[Provider[vault, 0x14002149180].Diff(urn:pulumi:dev::vault231::vault:azure/backendRole:BackendRole::mgmt-reader,azure/roles/mgmt-reader).oldInputs]: backend={azure}
I1109 09:43:11.977610   40326 rpc.go:77] Marshaling property for RPC[Provider[vault, 0x14002149180].Diff(urn:pulumi:dev::vault231::vault:azure/backendRole:BackendRole::mgmt-reader,azure/roles/mgmt-reader).oldInputs]: maxTtl={86400}
I1109 09:43:11.977615   40326 rpc.go:77] Marshaling property for RPC[Provider[vault, 0x14002149180].Diff(urn:pulumi:dev::vault231::vault:azure/backendRole:BackendRole::mgmt-reader,azure/roles/mgmt-reader).oldInputs]: role={mgmt-reader}
I1109 09:43:11.977619   40326 rpc.go:77] Marshaling property for RPC[Provider[vault, 0x14002149180].Diff(urn:pulumi:dev::vault231::vault:azure/backendRole:BackendRole::mgmt-reader,azure/roles/mgmt-reader).oldInputs]: ttl={3600}
I1109 09:43:11.977626   40326 rpc.go:77] Marshaling property for RPC[Provider[vault, 0x14002149180].Diff(urn:pulumi:dev::vault231::vault:azure/backendRole:BackendRole::mgmt-reader,azure/roles/mgmt-reader).oldOutputs]: applicationObjectId={}
I1109 09:43:11.977631   40326 rpc.go:77] Marshaling property for RPC[Provider[vault, 0x14002149180].Diff(urn:pulumi:dev::vault231::vault:azure/backendRole:BackendRole::mgmt-reader,azure/roles/mgmt-reader).oldOutputs]: azureGroups={[]}
I1109 09:43:11.977644   40326 rpc.go:77] Marshaling property for RPC[Provider[vault, 0x14002149180].Diff(urn:pulumi:dev::vault231::vault:azure/backendRole:BackendRole::mgmt-reader,azure/roles/mgmt-reader).oldOutputs]: azureRoles={&{{[{map[roleId:{/subscriptions/0282681f-7a9e-424b-80b2-96babd57a8a1/providers/Microsoft.Authorization/roleDefinitions/acdd72a7-3385-48ef-bd42-f606fba81ae7} roleName:{acdd72a7-3385-48ef-bd42-f606fba81ae7} scope:{/subscriptions/0282681f-7a9e-424b-80b2-96babd57a8a1}]}]}}}
I1109 09:43:11.977648   40326 rpc.go:193] marshalling secret value as raw value as opts.KeepSecrets is false
I1109 09:43:11.977655   40326 rpc.go:77] Marshaling property for RPC[Provider[vault, 0x14002149180].Diff(urn:pulumi:dev::vault231::vault:azure/backendRole:BackendRole::mgmt-reader,azure/roles/mgmt-reader).oldOutputs]: roleId={/subscriptions/0282681f-7a9e-424b-80b2-96babd57a8a1/providers/Microsoft.Authorization/roleDefinitions/acdd72a7-3385-48ef-bd42-f606fba81ae7}
I1109 09:43:11.977659   40326 rpc.go:77] Marshaling property for RPC[Provider[vault, 0x14002149180].Diff(urn:pulumi:dev::vault231::vault:azure/backendRole:BackendRole::mgmt-reader,azure/roles/mgmt-reader).oldOutputs]: roleName={acdd72a7-3385-48ef-bd42-f606fba81ae7}
I1109 09:43:11.977664   40326 rpc.go:77] Marshaling property for RPC[Provider[vault, 0x14002149180].Diff(urn:pulumi:dev::vault231::vault:azure/backendRole:BackendRole::mgmt-reader,azure/roles/mgmt-reader).oldOutputs]: scope={/subscriptions/0282681f-7a9e-424b-80b2-96babd57a8a1}
I1109 09:43:11.977668   40326 rpc.go:77] Marshaling property for RPC[Provider[vault, 0x14002149180].Diff(urn:pulumi:dev::vault231::vault:azure/backendRole:BackendRole::mgmt-reader,azure/roles/mgmt-reader).oldOutputs]: backend={azure}
I1109 09:43:11.977672   40326 rpc.go:77] Marshaling property for RPC[Provider[vault, 0x14002149180].Diff(urn:pulumi:dev::vault231::vault:azure/backendRole:BackendRole::mgmt-reader,azure/roles/mgmt-reader).oldOutputs]: description={<nil>}
I1109 09:43:11.977677   40326 rpc.go:77] Marshaling property for RPC[Provider[vault, 0x14002149180].Diff(urn:pulumi:dev::vault231::vault:azure/backendRole:BackendRole::mgmt-reader,azure/roles/mgmt-reader).oldOutputs]: id={azure/roles/mgmt-reader}
I1109 09:43:11.977694   40326 rpc.go:77] Marshaling property for RPC[Provider[vault, 0x14002149180].Diff(urn:pulumi:dev::vault231::vault:azure/backendRole:BackendRole::mgmt-reader,azure/roles/mgmt-reader).oldOutputs]: maxTtl={86400}
I1109 09:43:11.977704   40326 rpc.go:77] Marshaling property for RPC[Provider[vault, 0x14002149180].Diff(urn:pulumi:dev::vault231::vault:azure/backendRole:BackendRole::mgmt-reader,azure/roles/mgmt-reader).oldOutputs]: namespace={<nil>}
I1109 09:43:11.977709   40326 rpc.go:77] Marshaling property for RPC[Provider[vault, 0x14002149180].Diff(urn:pulumi:dev::vault231::vault:azure/backendRole:BackendRole::mgmt-reader,azure/roles/mgmt-reader).oldOutputs]: permanentlyDelete={false}
I1109 09:43:11.977714   40326 rpc.go:77] Marshaling property for RPC[Provider[vault, 0x14002149180].Diff(urn:pulumi:dev::vault231::vault:azure/backendRole:BackendRole::mgmt-reader,azure/roles/mgmt-reader).oldOutputs]: role={mgmt-reader}
I1109 09:43:11.977718   40326 rpc.go:77] Marshaling property for RPC[Provider[vault, 0x14002149180].Diff(urn:pulumi:dev::vault231::vault:azure/backendRole:BackendRole::mgmt-reader,azure/roles/mgmt-reader).oldOutputs]: signInAudience={}
I1109 09:43:11.977722   40326 rpc.go:77] Marshaling property for RPC[Provider[vault, 0x14002149180].Diff(urn:pulumi:dev::vault231::vault:azure/backendRole:BackendRole::mgmt-reader,azure/roles/mgmt-reader).oldOutputs]: tags={[]}
I1109 09:43:11.977726   40326 rpc.go:77] Marshaling property for RPC[Provider[vault, 0x14002149180].Diff(urn:pulumi:dev::vault231::vault:azure/backendRole:BackendRole::mgmt-reader,azure/roles/mgmt-reader).oldOutputs]: ttl={3600}
I1109 09:43:11.977731   40326 rpc.go:77] Marshaling property for RPC[Provider[vault, 0x14002149180].Diff(urn:pulumi:dev::vault231::vault:azure/backendRole:BackendRole::mgmt-reader,azure/roles/mgmt-reader).newInputs]: __defaults={[]}
I1109 09:43:11.977738   40326 rpc.go:77] Marshaling property for RPC[Provider[vault, 0x14002149180].Diff(urn:pulumi:dev::vault231::vault:azure/backendRole:BackendRole::mgmt-reader,azure/roles/mgmt-reader).newInputs]: azureRoles={&{{[{map[__defaults:{[]} roleName:{Reader} scope:{/subscriptions/0282681f-7a9e-424b-80b2-96babd57a8a1}]}]}}}
I1109 09:43:11.977741   40326 rpc.go:193] marshalling secret value as raw value as opts.KeepSecrets is false
I1109 09:43:11.977747   40326 rpc.go:77] Marshaling property for RPC[Provider[vault, 0x14002149180].Diff(urn:pulumi:dev::vault231::vault:azure/backendRole:BackendRole::mgmt-reader,azure/roles/mgmt-reader).newInputs]: __defaults={[]}
I1109 09:43:11.977751   40326 rpc.go:77] Marshaling property for RPC[Provider[vault, 0x14002149180].Diff(urn:pulumi:dev::vault231::vault:azure/backendRole:BackendRole::mgmt-reader,azure/roles/mgmt-reader).newInputs]: roleName={Reader}
I1109 09:43:11.977755   40326 rpc.go:77] Marshaling property for RPC[Provider[vault, 0x14002149180].Diff(urn:pulumi:dev::vault231::vault:azure/backendRole:BackendRole::mgmt-reader,azure/roles/mgmt-reader).newInputs]: scope={/subscriptions/0282681f-7a9e-424b-80b2-96babd57a8a1}
I1109 09:43:11.977760   40326 rpc.go:77] Marshaling property for RPC[Provider[vault, 0x14002149180].Diff(urn:pulumi:dev::vault231::vault:azure/backendRole:BackendRole::mgmt-reader,azure/roles/mgmt-reader).newInputs]: backend={azure}
I1109 09:43:11.977764   40326 rpc.go:77] Marshaling property for RPC[Provider[vault, 0x14002149180].Diff(urn:pulumi:dev::vault231::vault:azure/backendRole:BackendRole::mgmt-reader,azure/roles/mgmt-reader).newInputs]: maxTtl={86400}
I1109 09:43:11.977768   40326 rpc.go:77] Marshaling property for RPC[Provider[vault, 0x14002149180].Diff(urn:pulumi:dev::vault231::vault:azure/backendRole:BackendRole::mgmt-reader,azure/roles/mgmt-reader).newInputs]: role={mgmt-reader}
I1109 09:43:11.977772   40326 rpc.go:77] Marshaling property for RPC[Provider[vault, 0x14002149180].Diff(urn:pulumi:dev::vault231::vault:azure/backendRole:BackendRole::mgmt-reader,azure/roles/mgmt-reader).newInputs]: ttl={3600}
I1109 09:43:11.981890   40326 provider_plugin.go:996] Provider[vault, 0x14002149180].Diff(urn:pulumi:dev::vault231::vault:azure/backendRole:BackendRole::mgmt-reader,azure/roles/mgmt-reader) success: changes=2 #replaces=[] #stables=[backend namespace role] delbefrepl=false, diffs=#[azureRoles], detaileddiff=map[azureRoles[0].roleName: azureRoles[0].scope:kind:UPDATE]

And the most important parts:

oldInputs]: azureRoles={&{{[{map[__defaults:{[]} roleName:{acdd72a7-3385-48ef-bd42-f606fba81ae7} scope:{/subscriptions/0282681f-7a9e-424b-80b2-96babd57a8a1}]}]}}}
oldOutputs]: azureRoles={&{{[{map[roleId:{/subscriptions/0282681f-7a9e-424b-80b2-96babd57a8a1/providers/Microsoft.Authorization/roleDefinitions/acdd72a7-3385-48ef-bd42-f606fba81ae7} roleName:{acdd72a7-3385-48ef-bd42-f606fba81ae7} scope:{/subscriptions/0282681f-7a9e-424b-80b2-96babd57a8a1}]}]}}}
newInputs]: azureRoles={&{{[{map[__defaults:{[]} roleName:{Reader} scope:{/subscriptions/0282681f-7a9e-424b-80b2-96babd57a8a1}]}]}}}

changes=2 #replaces=[] #stables=[backend namespace role] delbefrepl=false, diffs=#[azureRoles], detaileddiff=map[azureRoles[0].roleName: azureRoles[0].scope:kind:UPDATE]

Oddities:

  1. Why are oldInputs including roleName as a GUID instead of the input provided by the user? This is leading to persistent roleName diff.
  2. Why is there any detaileddiff reported on azureRoles[0].scope? There is no change in this value across oldInputs, newInputs or oldOutputs.

@t0yv0
Member

t0yv0 commented Nov 11, 2024

Can you write down some notes on a complete repro as it is not clear how to get to a working mgmtScope: string, thank you.

acdd72a7-3385-48ef-bd42-f606fba81ae7 is a well-known role ID, in https://learn.microsoft.com/en-us/azure/role-based-access-control/built-in-roles ; perhaps this is of interest here.

role_name is Computed which means the provider can substitute the value provided by the user.
https://github.com/hashicorp/terraform-provider-vault/blob/v4.4.0/vault/resource_azure_secret_backend_role.go#L74
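The mechanism behind the log above and the Computed role_name remark can be modelled in a few lines. The following is an added example, not code from this issue, from pulumi-vault or from the Terraform Vault provider: it simulates a provider that rewrites the user-supplied roleName ("Reader") into the role definition GUID on read-back, shows that a field-by-field comparison of stored inputs against freshly declared inputs then reports azureRoles[0].roleName as changed on every run, and shows that canonicalizing both sides the same way the provider does makes the diff stable. The GUID and subscription scope are the values from the log; the providerReadBack function, the BUILTIN_ROLE_IDS table and the diff functions are assumptions of this example.

```typescript
// Hypothetical model of a "Computed" field that rewrites user input (added example).
interface AzureRole {
  roleName: string;
  scope: string;
  roleId?: string;
}

// Constructed lookup of well-known built-in role IDs. "Reader" and its GUID appear
// in the issue's log; the table itself is an assumption of this example.
const BUILTIN_ROLE_IDS: Record<string, string> = {
  Reader: "acdd72a7-3385-48ef-bd42-f606fba81ae7",
};

// Hypothetical provider read-back: the name the user gave is replaced by the role
// definition GUID and roleId is filled in, mirroring what oldInputs/oldOutputs show.
function providerReadBack(role: AzureRole): AzureRole {
  const id = BUILTIN_ROLE_IDS[role.roleName] ?? role.roleName;
  return {
    roleName: id,
    scope: role.scope,
    roleId: `${role.scope}/providers/Microsoft.Authorization/roleDefinitions/${id}`,
  };
}

// Field-by-field comparison of stored inputs against declared inputs: this is the
// comparison that keeps reporting a roleName update when the stored side was rewritten.
function naiveDiff(oldRoles: AzureRole[], newRoles: AzureRole[]): string[] {
  const changes: string[] = [];
  const n = Math.max(oldRoles.length, newRoles.length);
  for (let i = 0; i < n; i++) {
    const o = oldRoles[i];
    const c = newRoles[i];
    if (o === undefined || c === undefined) {
      changes.push(`azureRoles[${i}]`);
      continue;
    }
    if (o.roleName !== c.roleName) changes.push(`azureRoles[${i}].roleName`);
    if (o.scope !== c.scope) changes.push(`azureRoles[${i}].scope`);
  }
  return changes;
}

// Canonicalize a role name the way the provider would (well-known name -> GUID),
// so that "Reader" and its GUID compare equal and only real changes surface.
function canonicalRoleName(name: string): string {
  return BUILTIN_ROLE_IDS[name] ?? name;
}

function stableDiff(oldRoles: AzureRole[], newRoles: AzureRole[]): string[] {
  const canon = (r: AzureRole): AzureRole => ({
    roleName: canonicalRoleName(r.roleName),
    scope: r.scope,
  });
  return naiveDiff(oldRoles.map(canon), newRoles.map(canon));
}

// The role as declared in the issue's program, with the scope from the log.
const declared: AzureRole[] = [
  { roleName: "Reader", scope: "/subscriptions/0282681f-7a9e-424b-80b2-96babd57a8a1" },
];

// What state holds after the first apply: the provider-rewritten form.
const stored: AzureRole[] = declared.map(providerReadBack);

// Runs both comparisons on the same input so the difference is visible.
function demo(): { naive: string[]; stable: string[] } {
  return {
    naive: naiveDiff(stored, declared),   // reports azureRoles[0].roleName every run
    stable: stableDiff(stored, declared), // reports nothing
  };
}
```

A genuine change (a different scope, say) still surfaces through stableDiff, which is the property a diff must keep; only the provider's own rewrite of roleName is absorbed. Until the provider stops substituting the user's value, the same resource option the reporter already uses on the Backend (ignoreChanges) applied to the BackendRole's azureRoles property is the usual way to silence the spurious update in a Pulumi program.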
