
Imported AclPolicy needs replacement #227

Open
cynicaljoy opened this issue Jan 31, 2024 · 5 comments
Labels
impact/usability Something that impacts users' ability to use the product easily and intuitively kind/bug Some behavior is incorrect or out of spec

Comments


cynicaljoy commented Jan 31, 2024

What happened?

After importing my Nomad AclPolicy into my stack and running a pulumi pre --diff, I noticed it was ending up in a state where it was going to be replaced. I sandboxed this out in a local environment and ran the pulumi up, and it doesn't just replace the ACL, it actually destroyed it. Luckily, running a pulumi refresh and pulumi up recreates it and the associated tokens are still intact. But it shouldn't be necessary to jump through those hoops. I'd expect an imported AclPolicy to have no diffs.

  pulumi:pulumi:Stack: (same)
    [urn=urn:pulumi:local::nomad-acls-sandbox::pulumi:pulumi:Stack::nomad-acls-sandbox-local]
    + pulumi:providers:nomad: (create)
        [urn=urn:pulumi:local::nomad-acls-sandbox::pulumi:providers:nomad::nomad-provider]
        address: "http://127.0.0.1:4646"
        version: "2.1.0"
    +-nomad:index/aclPolicy:AclPolicy: (replace) 🔓
        [id=full-access]
        [urn=urn:pulumi:local::nomad-acls-sandbox::nomad:index/aclPolicy:AclPolicy::full-access-policy]
        [provider: urn:pulumi:local::nomad-acls-sandbox::pulumi:providers:nomad::default_2_1_0::7a9b130a-244a-4c30-9c71-c9e41101a25a => urn:pulumi:local::nomad-acls-sandbox::pulumi:providers:nomad::nomad-provider::output<string>]
        description: "Full Access Policy"
      - id         : "full-access"
        name       : "full-access"
        rulesHcl   : "namespace \"*\" {\n  policy       = \"write\"\n  capabilities = [\"alloc-node-exec\"]\n}\n\nagent {\n  policy = \"write\"\n}\n\noperator {\n  policy = \"write\"\n}\n\nquota {\n  policy = \"write\"\n}\n\nnode {\n  policy = \"write\"\n}\n\nhost_volume \"*\" {\n  policy = \"write\"\n}\n\n"
Resources:
    + 1 to create
    +-1 to replace
    2 changes. 1 unchanged

I tried adding ignore_changes=["id"] to the resource options; that didn't help.

Example

full-access.hcl
namespace "*" {
  policy       = "write"
  capabilities = ["alloc-node-exec"]
}

agent {
  policy = "write"
}

operator {
  policy = "write"
}

quota {
  policy = "write"
}

node {
  policy = "write"
}

host_volume "*" {
  policy = "write"
}


# run in a separate terminal: the dev agent stays in the foreground
nomad agent -dev -acl-enabled
export NOMAD_TOKEN=$( nomad acl bootstrap -json | jq -r '.SecretID')
# note: the Nomad CLI reads NOMAD_ADDR, not NOMAD_ADDRESS; the agent's
# default http://127.0.0.1:4646 is what is actually used here
export NOMAD_ADDRESS="http://127.0.0.1:4646/"
export NOMAD_REGION=""

nomad acl policy apply -description "Full Access Policy" full-access full-access.hcl
nomad acl token create -name="Pulumi Testing" -policy="full-access" -type=client -ttl=8h

pulumi stack init sandbox
# adopt the existing policy (Nomad name "full-access") into state as resource "full-access-policy"
pulumi import nomad:index/aclPolicy:AclPolicy full-access-policy full-access -y

pulumi pre --diff --expect-no-changes

Output of pulumi about

CLI
Version 3.103.1
Go Version go1.21.6
Go Compiler gc

Plugins
NAME VERSION
aws 6.19.0
nomad 2.1.0
python unknown

Host
OS darwin
Version 14.2.1
Arch x86_64

This project is written in python: executable='/usr/local/share/mise/installs/python/3.9/bin/python3' version='3.9.18'

Current Stack: nomad-acls-sandbox/local

TYPE URN
pulumi:pulumi:Stack urn:pulumi:local::nomad-acls-sandbox::pulumi:pulumi:Stack::nomad-acls-sandbox-local
pulumi:providers:nomad urn:pulumi:local::nomad-acls-sandbox::pulumi:providers:nomad::default_2_1_0
nomad:index/aclPolicy:AclPolicy urn:pulumi:local::nomad-acls-sandbox::nomad:index/aclPolicy:AclPolicy::full-access-policy

Found no pending operations associated with local

Backend

Dependencies:
NAME VERSION
pip 23.3.2
pulumi_aws 6.19.0
pulumi_nomad 2.1.0
setuptools 69.0.3
wheel 0.42.0

Additional context

No response


@cynicaljoy cynicaljoy added kind/bug Some behavior is incorrect or out of spec needs-triage Needs attention from the triage team labels Jan 31, 2024
@iwahbe iwahbe removed the needs-triage Needs attention from the triage team label Feb 1, 2024

iwahbe commented Feb 1, 2024

Hi @cynicaljoy. I am unable to reproduce the bug. Your script was very helpful getting everything set up. I was able to import and then run pulumi pre --diff and see no changes. Which version of nomad are you running against? I am on v1.6.2.

P.S. The run script has a typo:

-export NOAD_ADDRESS="http://127.0.0.1:4646/"
+export NOMAD_ADDRESS="http://127.0.0.1:4646/"
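Review bot: the corrected name is still not a variable the Nomad CLI reads; the CLI takes the server address from NOMAD_ADDR, so NOMAD_ADDRESS has no effect before or after this fix. The script works only because the dev agent listens on the CLI's default http://127.0.0.1:4646 (and the Docker variant passes address= to the provider explicitly). Suggest `export NOMAD_ADDR="http://127.0.0.1:4646"` here so the variable actually does what the script implies.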

@iwahbe iwahbe added the needs-repro Needs repro steps before it can be triaged or fixed label Feb 1, 2024
cynicaljoy (Author) commented

> Hi @cynicaljoy. I am unable to reproduce the bug. Your script was very helpful getting everything set up. I was able to import and then run pulumi pre --diff and see no changes. Which version of nomad are you running against? I am on v1.6.2.
>
> P.S. The run script has a typo:
>
> -export NOAD_ADDRESS="http://127.0.0.1:4646/"
> +export NOMAD_ADDRESS="http://127.0.0.1:4646/"

Ah, sorry about that! I'm using Nomad 1.5.3


cynicaljoy commented Feb 1, 2024

I just went through the same steps with Nomad 1.6.2 and repro'd 😕


cynicaljoy commented Feb 2, 2024

I recreated it with Docker too:

docker-compose.yml
version: "3.6"
networks:
    sandbox:
       driver: bridge
services:
    nomad:
        image: hashicorp/nomad:1.6.2
        ports: [4646]
        networks: [sandbox]
        entrypoint: nomad agent -dev -acl-enabled -bind=0.0.0.0

    sandbox:
        build: .
        stdin_open: true
        tty: true
        entrypoint: /bin/sh
        networks: [sandbox]
Dockerfile
FROM pulumi/pulumi-python:3.104.2

WORKDIR /app
COPY . .

RUN pip install -r requirements.txt
requirements.txt
pulumi>=3.0.0,<4.0.0
pulumi-aws>=6.0.2,<7.0.0
pulumi-nomad==2.1.0
__main__.py
import pulumi
import pulumi_nomad as nomad

# read full-access.hcl file into string
with open("full-access.hcl", "r") as file:
    full_access_hcl = file.read()

# explicit provider pointing at the nomad service in docker-compose
nomad_provider = nomad.Provider(
    "nomad-provider",
    address="http://nomad:4646",
)

nomad.AclPolicy(
    "full-access-policy",
    name="full-access",
    description="Full Access Policy",
    rules_hcl=full_access_hcl,
    opts=pulumi.ResourceOptions(provider=nomad_provider),
)

Pretty much the same steps, but a few extra since I didn't take the time to automate everything, and the nomad image doesn't have jq in it.

Repro steps
# copy the policy file into the nomad container and bootstrap ACLs there
docker cp full-access.hcl pulumi-nomad-acls-sandbox-nomad-1:full-access.hcl
docker exec -it pulumi-nomad-acls-sandbox-nomad-1 /bin/sh
nomad acl bootstrap 
# manually copy Secret ID
export NOMAD_TOKEN="<Secret ID>"
# note: the Nomad CLI reads NOMAD_ADDR, not NOMAD_ADDRESS; inside the container
# the default http://127.0.0.1:4646 is what is actually used
export NOMAD_ADDRESS="http://127.0.0.1:4646/"
export NOMAD_REGION=""

nomad acl policy apply -description "Full Access Policy" full-access full-access.hcl
nomad acl token create -name="Pulumi Testing" -policy="full-access" -type=client -ttl=8h

exit

# now from the pulumi container; the provider address is set in __main__.py
docker exec -it pulumi-nomad-acls-sandbox-sandbox-1 /bin/bash
export NOMAD_TOKEN="<Secret ID>"
export NOMAD_ADDRESS="http://nomad:4646/"
export NOMAD_REGION=""

pulumi login --local
# I had to re-init my Python venv, but that could have just been from me mucking about 🙈 -- if pulumi yells, delete it and recreate it 
pulumi stack init sandbox
# adopt the existing policy (Nomad name "full-access") into state as resource "full-access-policy"
pulumi import nomad:index/aclPolicy:AclPolicy full-access-policy full-access -y

pulumi pre --diff --expect-no-changes

Same result as before:

pulumi pre --diff
Previewing update (standbox):
  pulumi:pulumi:Stack: (same)
    [urn=urn:pulumi:standbox::nomad-acls-sandbox::pulumi:pulumi:Stack::nomad-acls-sandbox-standbox]
    + pulumi:providers:nomad: (create)
        [urn=urn:pulumi:standbox::nomad-acls-sandbox::pulumi:providers:nomad::nomad-provider]
        address: "http://nomad:4646/"
        version: "2.1.0"
    +-nomad:index/aclPolicy:AclPolicy: (replace) 🔓
        [id=full-access]
        [urn=urn:pulumi:standbox::nomad-acls-sandbox::nomad:index/aclPolicy:AclPolicy::full-access-policy]
        [provider: urn:pulumi:standbox::nomad-acls-sandbox::pulumi:providers:nomad::default_2_1_0::b754019b-cd3a-4db2-b978-0788f8716267 => urn:pulumi:standbox::nomad-acls-sandbox::pulumi:providers:nomad::nomad-provider::output<string>]
        description: "Full Access Policy"
      - id         : "full-access"
        name       : "full-access"
        rulesHcl   : "namespace \"*\" {\n  policy       = \"write\"\n  capabilities = [\"alloc-node-exec\"]\n}\n\nagent {\n  policy = \"write\"\n}\n\noperator {\n  policy = \"write\"\n}\n\nquota {\n  policy = \"write\"\n}\n\nnode {\n  policy = \"write\"\n}\n\nhost_volume \"*\" {\n  policy = \"write\"\n}\n\n"
Resources:
    + 1 to create
    +-1 to replace
    2 changes. 1 unchanged

@iwahbe iwahbe added the needs-triage Needs attention from the triage team label Feb 2, 2024
@t0yv0 t0yv0 added impact/usability Something that impacts users' ability to use the product easily and intuitively and removed needs-repro Needs repro steps before it can be triaged or fixed needs-triage Needs attention from the triage team labels Feb 6, 2024

t0yv0 commented Feb 6, 2024

Thanks again @cynicaljoy. docker-compose is handy; we probably should set this up for running examples locally. Looks like something nefarious is going on with "id", which is a special property, not a regular property. My team will get back to you on debugging this as time permits.

PULUMI_DEBUG_GRPC="$PWD/here.json" logs could be useful from the import, as well as checking up on pulumi state export to check how this resource writes itself into the statefile.
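One way to act on the second suggestion, as an added example that is not part of this thread or of the pulumi-nomad project: a small Python script that reads the JSON from `pulumi stack export`, and for each resource of a given type lists the input keys recorded in state that the program never sets, plus whether the resource carries the protect flag. The state document embedded below is constructed to match the shape of the preview output above; the idea that an `id` key recorded under inputs is the trigger is a hypothesis for the provider team to confirm, not a known root cause. PROGRAM_INPUTS lists the properties __main__.py above sets, in the provider's wire (camelCase) names.

```python
from __future__ import annotations

import json
import sys
from typing import Any

# Constructed sample in the shape of `pulumi stack export` output, trimmed to the
# fields the checks below read. It mirrors the preview in this thread: an imported
# AclPolicy whose recorded inputs carry an "id" key that the program never sets.
SAMPLE_STATE = json.dumps({
    "version": 3,
    "deployment": {
        "manifest": {"time": "2024-02-02T00:00:00Z", "magic": "", "version": "v3.104.2"},
        "resources": [
            {
                "urn": "urn:pulumi:sandbox::nomad-acls-sandbox::pulumi:pulumi:Stack::nomad-acls-sandbox-sandbox",
                "type": "pulumi:pulumi:Stack",
                "custom": False,
            },
            {
                "urn": "urn:pulumi:sandbox::nomad-acls-sandbox::nomad:index/aclPolicy:AclPolicy::full-access-policy",
                "type": "nomad:index/aclPolicy:AclPolicy",
                "custom": True,
                "id": "full-access",
                "inputs": {
                    "id": "full-access",
                    "name": "full-access",
                    "description": "Full Access Policy",
                    "rulesHcl": "namespace \"*\" {\n  policy = \"write\"\n}\n",
                },
                "outputs": {
                    "id": "full-access",
                    "name": "full-access",
                    "description": "Full Access Policy",
                    "rulesHcl": "namespace \"*\" {\n  policy = \"write\"\n}\n",
                },
            },
        ],
    },
})

ACL_POLICY_TYPE = "nomad:index/aclPolicy:AclPolicy"
# Input properties __main__.py sets, in the provider's wire (camelCase) names.
PROGRAM_INPUTS = {"name", "description", "rulesHcl"}


def resources_of_type(state_json: str, resource_type: str) -> list[dict[str, Any]]:
    """Return the state entries for one resource type."""
    state = json.loads(state_json)
    return [r for r in state["deployment"]["resources"] if r.get("type") == resource_type]


def stray_inputs(resource: dict[str, Any], program_inputs: set[str]) -> set[str]:
    """Keys recorded under `inputs` that the program does not set.

    After an import, the recorded inputs are whatever the provider's read returned;
    any key the program then omits is the first candidate for a spurious diff, which
    is what the `- id` line in the preview hints at (a hypothesis, not a confirmed cause).
    """
    return set(resource.get("inputs", {})) - program_inputs


def audit(state_json: str, resource_type: str, program_inputs: set[str]) -> dict[str, dict[str, Any]]:
    """Per-URN report: stray input keys and whether the resource is protected from deletion."""
    return {
        r["urn"]: {
            "stray_inputs": sorted(stray_inputs(r, program_inputs)),
            "protected": bool(r.get("protect", False)),
        }
        for r in resources_of_type(state_json, resource_type)
    }


if __name__ == "__main__":
    # Usage: pulumi stack export | python audit_state.py   (falls back to the sample)
    raw = "" if sys.stdin.isatty() else sys.stdin.read()
    raw = raw.strip() or SAMPLE_STATE
    for urn, info in audit(raw, ACL_POLICY_TYPE, PROGRAM_INPUTS).items():
        flag = "" if info["protected"] else "  (not protected: a replace deletes the live policy)"
        print(f"{urn}\n  stray inputs: {info['stray_inputs']}{flag}")
```

The `protected` column is the part that matters for ACL policies specifically: the preview above plans a replace on an unprotected resource, which is why the first comment saw the live policy destroyed. Setting `protect=True` in the resource's `ResourceOptions` makes `pulumi up` refuse any plan that would delete it, so a spurious replace becomes a hard error instead of a silent outage for every token bound to that policy; pair it with `pulumi preview --expect-no-changes` right after the import, as the repro already does.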
