Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Don't bail at preview when a protected resource needs replacement #15969

Merged
merged 6 commits into from
Apr 18, 2024
Merged

Don't bail at preview when a protected resource needs replacement #15969

merged 6 commits into from
Apr 18, 2024

Conversation

mikhailshilkov
Copy link
Member

@mikhailshilkov mikhailshilkov commented Apr 17, 2024
edited

Description

Don't bail at preview when a protected resource needs replacement, just error. This makes sure that users can see the actual diff that causes the replacement.

Fixes #5027

Before:

$ pulumi preview
Type                                     Name                  Plan     Info
     pulumi:pulumi:Stack                      azure-native-ts-dev2           
     └─ azure-native:resources:ResourceGroup  rg                             1 error

Diagnostics:
  azure-native:resources:ResourceGroup (rg):
    error: unable to replace resource "urn:pulumi:dev2::azure-native-ts::azure-native:resources:ResourceGroup::rg"
    as it is currently marked for protection. To unprotect the resource, remove the `protect` flag from the resource in your Pulumi program and run `pulumi up`


$ pulumi preview --diff
pulumi:pulumi:Stack: (same)
    [urn=urn:pulumi:dev2::azure-native-ts::pulumi:pulumi:Stack::azure-native-ts-dev2]
error: unable to replace resource "urn:pulumi:dev2::azure-native-ts::azure-native:resources:ResourceGroup::rg"
as it is currently marked for protection. To unprotect the resource, remove the `protect` flag from the resource in your Pulumi program and run `pulumi up`
Resources:
    1 unchanged

After:

$ pulumi preview
Type                                     Name                  Plan        Info
     pulumi:pulumi:Stack                      azure-native-ts-dev2              1 error; 2 warnings
 +-  └─ azure-native:resources:ResourceGroup  rg                    replace     [diff: ~location]; 1 error

Diagnostics:
  azure-native:resources:ResourceGroup (rg):
    error: unable to replace resource "urn:pulumi:dev2::azure-native-ts::azure-native:resources:ResourceGroup::rg"
    as it is currently marked for protection. To unprotect the resource, remove the `protect` flag from the resource in your Pulumi program and run `pulumi up`

  pulumi:pulumi:Stack (azure-native-ts-dev2):
    error: preview failed


$ pulumi preview --diff
pulumi:pulumi:Stack: (same)
    [urn=urn:pulumi:dev2::azure-native-ts::pulumi:pulumi:Stack::azure-native-ts-dev2]
error: unable to replace resource "urn:pulumi:dev2::azure-native-ts::azure-native:resources:ResourceGroup::rg"
as it is currently marked for protection. To unprotect the resource, remove the `protect` flag from the resource in your Pulumi program and run `pulumi up`
    +-azure-native:resources:ResourceGroup: (replace) 🔒
        [id=/subscriptions/0282681f-7a9e-424b-80b2-96babd57a8a1/resourceGroups/rg5f8e30e4]
        [urn=urn:pulumi:dev2::azure-native-ts::azure-native:resources:ResourceGroup::rg]
        [provider=urn:pulumi:dev2::azure-native-ts::pulumi:providers:azure-native::default_2_30_0::3c957b2a-4852-439c-b211-22a115bbe89a]
      ~ location: "westeurope" => "westus2"
error: preview failed
Resources:
    +-1 to replace
    1 unchanged

Checklist

  • I have run make tidy to update any new dependencies
  • I have run make lint to verify my code passes the lint check
    • I have formatted my code using gofumpt
  • I have added tests that prove my fix is effective or that my feature works
  • I have run make changelog and committed the changelog/pending/<file> documenting my change
  • Yes, there are changes in this PR that warrants bumping the Pulumi Cloud API version

@pulumi-bot
Copy link
Contributor

pulumi-bot commented Apr 17, 2024
edited

Changelog

[uncommitted] (2024-04-18)

Bug Fixes

  • [engine] Display the entire preview with diff when a protected resource needs replacement
    #15969

@mikhailshilkov mikhailshilkov marked this pull request as ready for review April 17, 2024 16:23
@mikhailshilkov mikhailshilkov requested a review from a team as a code owner April 17, 2024 16:23
Frassle
Frassle reviewed Apr 17, 2024
View reviewed changes
pkg/engine/lifecycletest/pulumi_test.go Outdated
expectedMessage = "<{%reset%}>unable to replace resource \"urn:pulumi:test::test::pkgA:m:typA::resA\"\n" +
"as it is currently marked for protection. To unprotect the resource, remove the `protect` flag from " +
"the resource in your Pulumi program and run `pulumi up`<{%reset%}>\n"
ins = resource.NewPropertyMapFromMap(map[string]interface{}{
"foo": "baz",
})
_, err = TestOp(Update).Run(project, p.GetTarget(t, snap), p.Options, true, p.BackendClient, validate)
assert.Error(t, err)
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Please don't use assert.Error, use ErrorContains or similar to check its actually the error expected.

Copy link
Member Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I thought that already happens with expectedMessage. I'll double check.

Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

expectedMessage is checking the diagnostic gets output, but we also want to check that the error is the bail error we expect matching up to that, not some other random error that might get hit in the system. We've had tests before that we thought we're testing for one error case just using asset.Error and when the system slightly changed to a different error the tests didn't catch it but users noticed.

pkg/resource/deploy/step_generator.go
@@ -1034,7 +1034,9 @@ func (sg *stepGenerator) generateStepsFromDiff(
"program and run `pulumi up`", urn)
sg.deployment.ctx.Diag.Errorf(diag.StreamMessage(urn, message, 0))
sg.sawError = true
return nil, result.BailErrorf(message)
if !sg.deployment.preview {
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Probably worth a comment why we have to error here if not preview.

Copy link
Member Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I added a comment. I'm not exactly sure we need to bail during update. Honestly, I'm making the smallest possible change to solve the preview issue.

Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

If we don't bail and we're doing a create before delete replacement we'll execute the create before getting to the delete error. State will still be tracking both resources but it's an awkward state to cleanup from.

@mikhailshilkov mikhailshilkov added this pull request to the merge queue Apr 18, 2024
@github-merge-queue github-merge-queue bot removed this pull request from the merge queue due to failed status checks Apr 18, 2024
@mikhailshilkov mikhailshilkov added this pull request to the merge queue Apr 18, 2024
Merged via the queue into master with commit 60adf18 Apr 18, 2024
49 checks passed
@mikhailshilkov mikhailshilkov deleted the mikhailshilkov/no-bail-on-preview-replacement-of-protected branch April 18, 2024 17:46
@mikhailshilkov mikhailshilkov mentioned this pull request May 29, 2024
Closed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@tgummerer tgummerer tgummerer approved these changes

@Frassle Frassle Awaiting requested review from Frassle

Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.

Preview of a resource that needs a replacement but is marked protect: true could be more informative
4 participants
@mikhailshilkov @pulumi-bot @tgummerer @Frassle