maxmustermann/pulumi
1
0
Fork 0
Code Issues Pull requests Projects Releases Wiki Activity
pulumi/pkg/resource/stack/deployment_test.go

438 lines
15 KiB
Go
Raw Normal View History

Add license headers
2018-05-22 21:43:36 +02:00
// Copyright 2016-2018, Pulumi Corporation.
//
// Licensed under the Apache License, Version 2.0 (the "License");
// you may not use this file except in compliance with the License.
// You may obtain a copy of the License at
//
// http://www.apache.org/licenses/LICENSE-2.0
//
// Unless required by applicable law or agreed to in writing, software
// distributed under the License is distributed on an "AS IS" BASIS,
// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
// See the License for the specific language governing permissions and
// limitations under the License.
Fix pulumi/lumi#198 This change fixes the serialization of resource properties during deployment checkpoints. We erroneously serialized empty arrays and empty maps as though they were nil; instead, we want to keep them serialized as non-nil empty collections, since the presence of a value might be semantically meaningful. (We still skip nils.) Also added some test cases.
2017-06-07 01:42:14 +02:00
Use `Stack` over `Environment` to describe a deployment target Previously we used the word "Environment" as the term for a deployment target, but since then we've started to use the term Stack. Adopt this across the CLI. From a user's point of view, there are a few changes: 1. The `env` verb has been renamed to `stack` 2. The `-e` and `--env` options to commands which operate on an environment now take `-s` or `--stack` instead. 3. Becase of (2), the commands that used `-s` to display a summary now only support passing the full option name (`--summary`). On the local file system, we still store checkpoint data in the `env` sub-folder under `.pulumi` (so we can reuse existing checkpoint files that were written to the old folder)
2017-10-16 21:04:35 +02:00
package stack
Fix pulumi/lumi#198 This change fixes the serialization of resource properties during deployment checkpoints. We erroneously serialized empty arrays and empty maps as though they were nil; instead, we want to keep them serialized as non-nil empty collections, since the presence of a value might be semantically meaningful. (We still skip nils.) Also added some test cases.
2017-06-07 01:42:14 +02:00
import (
Add tests for serializing PropertyMaps (#3533) * WIP - Add tests for serializing PropertyMaps * Apply suggestions from code review Co-Authored-By: Pat Gavlin <pat@pulumi.com> * Cleanup tests
2019-11-20 06:10:51 +01:00
"encoding/json"
Error instead of assert on invalid resource in state file (#7065) * Error instead of assert on invalid resource in state file Fixes #6955 * Add CHANGELOG
2021-05-17 10:47:28 +02:00
"fmt"
Add tests for serializing PropertyMaps (#3533) * WIP - Add tests for serializing PropertyMaps * Apply suggestions from code review Co-Authored-By: Pat Gavlin <pat@pulumi.com> * Cleanup tests
2019-11-20 06:10:51 +01:00
"strings"
Fix pulumi/lumi#198 This change fixes the serialization of resource properties during deployment checkpoints. We erroneously serialized empty arrays and empty maps as though they were nil; instead, we want to keep them serialized as non-nil empty collections, since the presence of a value might be semantically meaningful. (We still skip nils.) Also added some test cases.
2017-06-07 01:42:14 +02:00
"testing"
"github.com/stretchr/testify/assert"
[breaking] Changing the version of go.mod in sdk / pkg to be v3
2021-03-17 14:20:05 +01:00
"github.com/pulumi/pulumi/sdk/v3/go/common/apitype"
"github.com/pulumi/pulumi/sdk/v3/go/common/resource"
"github.com/pulumi/pulumi/sdk/v3/go/common/resource/config"
"github.com/pulumi/pulumi/sdk/v3/go/common/tokens"
"github.com/pulumi/pulumi/sdk/v3/go/common/util/contract"
Fix pulumi/lumi#198 This change fixes the serialization of resource properties during deployment checkpoints. We erroneously serialized empty arrays and empty maps as though they were nil; instead, we want to keep them serialized as non-nil empty collections, since the presence of a value might be semantically meaningful. (We still skip nils.) Also added some test cases.
2017-06-07 01:42:14 +02:00
)
Save resource dependency information in the checkpoint file This commit does two things: 1. All dependencies of a resource, both implicit and explicit, are communicated directly to the engine when registering a resource. The engine keeps track of these dependencies and ultimately serializes them out to the checkpoint file upon successful deployment. 2. Once a successful deployment is done, the new `pulumi stack graph` command reads the checkpoint file and outputs the dependency information within in the DOT format. Keeping track of dependency information within the checkpoint file is desirable for a number of reasons, most notably delete-before-create, where we want to delete resources before we have created their replacement when performing an update.
2018-02-22 00:11:21 +01:00
// TestDeploymentSerialization creates a basic snapshot of a given resource state.
Fix pulumi/lumi#198 This change fixes the serialization of resource properties during deployment checkpoints. We erroneously serialized empty arrays and empty maps as though they were nil; instead, we want to keep them serialized as non-nil empty collections, since the presence of a value might be semantically meaningful. (We still skip nils.) Also added some test cases.
2017-06-07 01:42:14 +02:00
func TestDeploymentSerialization(t *testing.T) {
More progress on pulumi/lumi#90 This change refactors a number of aspects of the CLI's treatment of steps, in line with the new scheme, and a number of other miscellaneous and minor fixes. It also regenerates all RPC code impacted by recent renames.
2017-06-11 02:03:58 +02:00
res := resource.NewState(
Fix pulumi/lumi#198 This change fixes the serialization of resource properties during deployment checkpoints. We erroneously serialized empty arrays and empty maps as though they were nil; instead, we want to keep them serialized as non-nil empty collections, since the presence of a value might be semantically meaningful. (We still skip nils.) Also added some test cases.
2017-06-07 01:42:14 +02:00
tokens.Type("Test"),
More progress on pulumi/lumi#90 This change refactors a number of aspects of the CLI's treatment of steps, in line with the new scheme, and a number of other miscellaneous and minor fixes. It also regenerates all RPC code impacted by recent renames.
2017-06-11 02:03:58 +02:00
resource.NewURN(
tokens.QName("test"),
Wire up Lumi to the new runtime strategy :fire: :fire: :fire: :boat: :fire: :fire: :fire: Getting closer on #311.
2017-08-30 03:24:12 +02:00
tokens.PackageName("resource/test"),
Always add 8 chars of randomness to URN names we create. Error if that exceeds the max length allowed for that resource. (#500) * Include parent type in urn to better ensure component URN uniqueness.
2017-12-04 23:50:55 +01:00
tokens.Type(""),
More progress on pulumi/lumi#90 This change refactors a number of aspects of the CLI's treatment of steps, in line with the new scheme, and a number of other miscellaneous and minor fixes. It also regenerates all RPC code impacted by recent renames.
2017-06-11 02:03:58 +02:00
tokens.Type("Test"),
tokens.QName("resource-x"),
),
Implement components This change implements core support for "components" in the Pulumi Fabric. This work is described further in pulumi/pulumi#340, where we are still discussing some of the finer points. In a nutshell, resources no longer imply external providers. It's entirely possible to have a resource that logically represents something but without having a physical manifestation that needs to be tracked and managed by our typical CRUD operations. For example, the aws/serverless/Function helper is one such type. It aggregates Lambda-related resources and exposes a nice interface. All of the Pulumi Cloud Framework resources are also examples. To indicate that a resource does participate in the usual CRUD resource provider, it simply derives from ExternalResource instead of Resource. All resources now have the ability to adopt children. This is purely a metadata/tagging thing, and will help us roll up displays, provide attribution to the developer, and even hide aspects of the resource graph as appropriate (e.g., when they are implementation details). Our use of this capability is ultra limited right now; in fact, the only place we display children is in the CLI output. For instance: + aws:serverless:Function: (create) [urn=urn:pulumi:demo::serverless::aws:serverless:Function::mylambda] => urn:pulumi:demo::serverless::aws:iam/role:Role::mylambda-iamrole => urn:pulumi:demo::serverless::aws:iam/rolePolicyAttachment:RolePolicyAttachment::mylambda-iampolicy-0 => urn:pulumi:demo::serverless::aws:lambda/function:Function::mylambda The bit indicating whether a resource is external or not is tracked in the resulting checkpoint file, along with any of its children.
2017-10-14 23:18:43 +02:00
true,
Track resources that are pending deletion in checkpoints. During the course of a `pulumi update`, it is possible for a resource to become slated for deletion. In the case that this deletion is part of a replacement, another resource with the same URN as the to-be-deleted resource will have been created earlier. If the `update` fails after the replacement resource is created but before the original resource has been deleted, the snapshot must capture that the original resource still exists and should be deleted in a future update without losing track of the order in which the deletion must occur relative to other deletes. Currently, we are unable to track this information because the our checkpoints require that no two resources have the same URN. To fix this, these changes introduce to the update engine the notion of a resource that is pending deletion and change checkpoint serialization to use an array of resources rather than a map. The meaning of the former is straightforward: a resource that is pending deletion should be deleted during the next update. This is a fairly major breaking change to our checkpoint files, as the map of resources is no more. Happily, though, it makes our checkpoint files a bit more "obvious" to any tooling that might want to grovel or rewrite them. Fixes #432, #387.
2017-10-05 23:08:35 +02:00
false,
More progress on pulumi/lumi#90 This change refactors a number of aspects of the CLI's treatment of steps, in line with the new scheme, and a number of other miscellaneous and minor fixes. It also regenerates all RPC code impacted by recent renames.
2017-06-11 02:03:58 +02:00
resource.ID("test-resource-x"),
resource.NewPropertyMapFromMap(map[string]interface{}{
Fix pulumi/lumi#198 This change fixes the serialization of resource properties during deployment checkpoints. We erroneously serialized empty arrays and empty maps as though they were nil; instead, we want to keep them serialized as non-nil empty collections, since the presence of a value might be semantically meaningful. (We still skip nils.) Also added some test cases.
2017-06-07 01:42:14 +02:00
"in-nil": nil,
"in-bool": true,
"in-float64": float64(1.5),
"in-string": "lumilumilo",
"in-array": []interface{}{"a", true, float64(32)},
"in-empty-array": []interface{}{},
"in-map": map[string]interface{}{
"a": true,
"b": float64(88),
"c": "c-see-saw",
"d": "d-dee-daw",
},
Fix malformed resource value bug (#6164) * Fix resource-ref-as-ID marshaling. (#6125) This reapplies 2f0dba23ab4fd561da20d39e231af976fe092ef2. * Fix malformed resource value bug PR #6125 introduced a bug by marshaling resource ids as PropertyValues, but not handling that case on the unmarshaling side. The previous code assumed that the id was a simple string value. This bug prevents any stack update operations (preview, update, destroy, refresh). Since this change was already released, we must now handle both cases in the unmarshaling code. * Add resource ref unit tests for the Go SDK. (#6142) This reapplies 3d505912b86f48aa1b303a90c7aad1b6df8f65c4. Co-authored-by: Pat Gavlin <pat@pulumi.com>
2021-01-22 00:40:27 +01:00
"in-empty-map": map[string]interface{}{},
"in-component-resource-reference": resource.MakeComponentResourceReference("urn", "1.2.3").V,
"in-custom-resource-reference": resource.MakeCustomResourceReference("urn2", "id", "2.3.4").V,
"in-custom-resource-reference-unknown-id": resource.MakeCustomResourceReference("urn3", "", "3.4.5").V,
Fix pulumi/lumi#198 This change fixes the serialization of resource properties during deployment checkpoints. We erroneously serialized empty arrays and empty maps as though they were nil; instead, we want to keep them serialized as non-nil empty collections, since the presence of a value might be semantically meaningful. (We still skip nils.) Also added some test cases.
2017-06-07 01:42:14 +02:00
}),
More progress on pulumi/lumi#90 This change refactors a number of aspects of the CLI's treatment of steps, in line with the new scheme, and a number of other miscellaneous and minor fixes. It also regenerates all RPC code impacted by recent renames.
2017-06-11 02:03:58 +02:00
resource.NewPropertyMapFromMap(map[string]interface{}{
Fix pulumi/lumi#198 This change fixes the serialization of resource properties during deployment checkpoints. We erroneously serialized empty arrays and empty maps as though they were nil; instead, we want to keep them serialized as non-nil empty collections, since the presence of a value might be semantically meaningful. (We still skip nils.) Also added some test cases.
2017-06-07 01:42:14 +02:00
"out-nil": nil,
"out-bool": false,
"out-float64": float64(76),
"out-string": "loyolumiloom",
"out-array": []interface{}{false, "zzxx"},
"out-empty-array": []interface{}{},
"out-map": map[string]interface{}{
"x": false,
"y": "z-zee-zaw",
"z": float64(999.9),
},
"out-empty-map": map[string]interface{}{},
}),
Merge root stack changes with parenting
2017-11-20 19:08:59 +01:00
"",
Implement resource protection (#751) This change implements resource protection, as per pulumi/pulumi#689. The overall idea is that a resource can be marked as "protect: true", which will prevent deletion of that resource for any reason whatsoever (straight deletion, replacement, etc). This is expressed in the program. To "unprotect" a resource, one must perform an update setting "protect: false", and then afterwards, they can delete the resource. For example: let res = new MyResource("precious", { .. }, { protect: true }); Afterwards, the resource will display in the CLI with a lock icon, and any attempts to remove it will fail in the usual ways (in planning or, worst case, during an actual update). This was done by adding a new ResourceOptions bag parameter to the base Resource types. This is unfortunately a breaking change, but now is the right time to take this one. We had been adding new settings one by one -- like parent and dependsOn -- and this new approach will set us up to add any number of additional settings down the road, without needing to worry about breaking anything ever again. This is related to protected stacks, as described in pulumi/pulumi-service#399. Most likely this will serve as a foundational building block that enables the coarser grained policy management.
2017-12-20 23:31:07 +01:00
false,
Save resources obtained from ".get" in the snapshot (#1654) * Protobuf changes to record dependencies for read resources * Add a number of tests for read resources, especially around replacement * Place read resources in the snapshot with "external" bit set Fixes pulumi/pulumi#1521. This commit introduces two new step ops: Read and ReadReplacement. The engine generates Read and ReadReplacement steps when servicing ReadResource RPC calls from the language host. * Fix an omission of OpReadReplace from the step list * Rebase against master * Transition to use V2 Resources by default * Add a semantic "relinquish" operation to the engine If the engine observes that a resource is read and also that the resource exists in the snapshot as a non-external resource, it will not delete the resource if the IDs of the old and new resources match. * Typo fix * CR: add missing comments, DeserializeDeployment -> DeserializeDeploymentV2, ID check
2018-08-03 23:06:00 +02:00
false,
Code review feedback: 1. Various idiomatic Go and TypeScript fixes 2. Add an integration test that end-to-end roundtrips dependency information for a simple Pulumi program 3. Add an additional test assert that tests that dependency information comes from the language host as expected
2018-02-22 21:52:50 +01:00
[]resource.URN{
resource.URN("foo:bar:baz"),
resource.URN("foo:bar:boo"),
},
Checkpoint resource initialization errors When a resource fails to initialize (i.e., it is successfully created, but fails to transition to a fully-initialized state), and a user subsequently runs `pulumi update` without changing that resource, our CLI will fail to warn the user that this resource is not initialized. This commit begins the process of allowing our CLI to report this by storing a list of initialization errors in the checkpoint.
2018-07-19 07:52:01 +02:00
[]string{},
Implement first-class providers. (#1695) ### First-Class Providers These changes implement support for first-class providers. First-class providers are provider plugins that are exposed as resources via the Pulumi programming model so that they may be explicitly and multiply instantiated. Each instance of a provider resource may be configured differently, and configuration parameters may be source from the outputs of other resources. ### Provider Plugin Changes In order to accommodate the need to verify and diff provider configuration and configure providers without complete configuration information, these changes adjust the high-level provider plugin interface. Two new methods for validating a provider's configuration and diffing changes to the same have been added (`CheckConfig` and `DiffConfig`, respectively), and the type of the configuration bag accepted by `Configure` has been changed to a `PropertyMap`. These changes have not yet been reflected in the provider plugin gRPC interface. We will do this in a set of follow-up changes. Until then, these methods are implemented by adapters: - `CheckConfig` validates that all configuration parameters are string or unknown properties. This is necessary because existing plugins only accept string-typed configuration values. - `DiffConfig` either returns "never replace" if all configuration values are known or "must replace" if any configuration value is unknown. The justification for this behavior is given [here](https://github.com/pulumi/pulumi/pull/1695/files#diff-a6cd5c7f337665f5bb22e92ca5f07537R106) - `Configure` converts the config bag to a legacy config map and configures the provider plugin if all config values are known. If any config value is unknown, the underlying plugin is not configured and the provider may only perform `Check`, `Read`, and `Invoke`, all of which return empty results. We justify this behavior becuase it is only possible during a preview and provides the best experience we can manage with the existing gRPC interface. ### Resource Model Changes Providers are now exposed as resources that participate in a stack's dependency graph. Like other resources, they are explicitly created, may have multiple instances, and may have dependencies on other resources. Providers are referred to using provider references, which are a combination of the provider's URN and its ID. This design addresses the need during a preview to refer to providers that have not yet been physically created and therefore have no ID. All custom resources that are not themselves providers must specify a single provider via a provider reference. The named provider will be used to manage that resource's CRUD operations. If a resource's provider reference changes, the resource must be replaced. Though its URN is not present in the resource's dependency list, the provider should be treated as a dependency of the resource when topologically sorting the dependency graph. Finally, `Invoke` operations must now specify a provider to use for the invocation via a provider reference. ### Engine Changes First-class providers support requires a few changes to the engine: - The engine must have some way to map from provider references to provider plugins. It must be possible to add providers from a stack's checkpoint to this map and to register new/updated providers during the execution of a plan in response to CRUD operations on provider resources. - In order to support updating existing stacks using existing Pulumi programs that may not explicitly instantiate providers, the engine must be able to manage the "default" providers for each package referenced by a checkpoint or Pulumi program. The configuration for a "default" provider is taken from the stack's configuration data. The former need is addressed by adding a provider registry type that is responsible for managing all of the plugins required by a plan. In addition to loading plugins froma checkpoint and providing the ability to map from a provider reference to a provider plugin, this type serves as the provider plugin for providers themselves (i.e. it is the "provider provider"). The latter need is solved via two relatively self-contained changes to plan setup and the eval source. During plan setup, the old checkpoint is scanned for custom resources that do not have a provider reference in order to compute the set of packages that require a default provider. Once this set has been computed, the required default provider definitions are conjured and prepended to the checkpoint's resource list. Each resource that requires a default provider is then updated to refer to the default provider for its package. While an eval source is running, each custom resource registration, resource read, and invoke that does not name a provider is trapped before being returned by the source iterator. If no default provider for the appropriate package has been registered, the eval source synthesizes an appropriate registration, waits for it to complete, and records the registered provider's reference. This reference is injected into the original request, which is then processed as usual. If a default provider was already registered, the recorded reference is used and no new registration occurs. ### SDK Changes These changes only expose first-class providers from the Node.JS SDK. - A new abstract class, `ProviderResource`, can be subclassed and used to instantiate first-class providers. - A new field in `ResourceOptions`, `provider`, can be used to supply a particular provider instance to manage a `CustomResource`'s CRUD operations. - A new type, `InvokeOptions`, can be used to specify options that control the behavior of a call to `pulumi.runtime.invoke`. This type includes a `provider` field that is analogous to `ResourceOptions.provider`.
2018-08-07 02:50:29 +02:00
"",
Implement more precise delete-before-replace semantics. (#2369) This implements the new algorithm for deciding which resources must be deleted due to a delete-before-replace operation. We need to compute the set of resources that may be replaced by a change to the resource under consideration. We do this by taking the complete set of transitive dependents on the resource under consideration and removing any resources that would not be replaced by changes to their dependencies. We determine whether or not a resource may be replaced by substituting unknowns for input properties that may change due to deletion of the resources their value depends on and calling the resource provider's Diff method. This is perhaps clearer when described by example. Consider the following dependency graph: A __|__ B C | _|_ D E F In this graph, all of B, C, D, E, and F transitively depend on A. It may be the case, however, that changes to the specific properties of any of those resources R that would occur if a resource on the path to A were deleted and recreated may not cause R to be replaced. For example, the edge from B to A may be a simple dependsOn edge such that a change to B does not actually influence any of B's input properties. In that case, neither B nor D would need to be deleted before A could be deleted. In order to make the above algorithm a reality, the resource monitor interface has been updated to include a map that associates an input property key with the list of resources that input property depends on. Older clients of the resource monitor will leave this map empty, in which case all input properties will be treated as depending on all dependencies of the resource. This is probably overly conservative, but it is less conservative than what we currently implement, and is certainly correct.
2019-01-28 18:46:30 +01:00
nil,
false,
Augment secret outputs based on per request options
2019-04-23 02:45:26 +02:00
nil,
Support aliases for renaming, re-typing, or re-parenting resources (#2774) Adds a new resource option `aliases` which can be used to rename a resource. When making a breaking change to the name or type of a resource or component, the old name can be added to the list of `aliases` for a resource to ensure that existing resources will be migrated to the new name instead of being deleted and replaced with the new named resource. There are two key places this change is implemented. The first is the step generator in the engine. When computing whether there is an old version of a registered resource, we now take into account the aliases specified on the registered resource. That is, we first look up the resource by its new URN in the old state, and then by any aliases provided (in order). This can allow the resource to be matched as a (potential) update to an existing resource with a different URN. The second is the core `Resource` constructor in the JavaScript (and soon Python) SDKs. This change ensures that when a parent resource is aliased, that all children implicitly inherit corresponding aliases. It is similar to how many other resource options are "inherited" implicitly from the parent. Four specific scenarios are explicitly tested as part of this PR: 1. Renaming a resource 2. Adopting a resource into a component (as the owner of both component and consumption codebases) 3. Renaming a component instance (as the owner of the consumption codebase without changes to the component) 4. Changing the type of a component (as the owner of the component codebase without changes to the consumption codebase) 4. Combining (1) and (3) to make both changes to a resource at the same time
2019-06-01 08:01:01 +02:00
nil,
Addition of Custom Timeouts (#2885) * Plumbing the custom timeouts from the engine to the providers * Plumbing the CustomTimeouts through to the engine and adding test to show this * Change the provider proto to include individual timeouts * Plumbing the CustomTimeouts from the engine through to the Provider RPC interface * Change how the CustomTimeouts are sent across RPC These errors were spotted in testing. We can now see that the timeout information is arriving in the RegisterResourceRequest ``` req=&pulumirpc.RegisterResourceRequest{ Type: "aws:s3/bucket:Bucket", Name: "my-bucket", Parent: "urn:pulumi:dev::aws-vpc::pulumi:pulumi:Stack::aws-vpc-dev", Custom: true, Object: &structpb.Struct{}, Protect: false, Dependencies: nil, Provider: "", PropertyDependencies: {}, DeleteBeforeReplace: false, Version: "", IgnoreChanges: nil, AcceptSecrets: true, AdditionalSecretOutputs: nil, Aliases: nil, CustomTimeouts: &pulumirpc.RegisterResourceRequest_CustomTimeouts{ Create: 300, Update: 400, Delete: 500, XXX_NoUnkeyedLiteral: struct {}{}, XXX_unrecognized: nil, XXX_sizecache: 0, }, XXX_NoUnkeyedLiteral: struct {}{}, XXX_unrecognized: nil, XXX_sizecache: 0, } ``` * Changing the design to use strings * CHANGELOG entry to include the CustomTimeouts work * Changing custom timeouts to be passed around the engine as converted value We don't want to pass around strings - the user can provide it but we want to make the engine aware of the timeout in seconds as a float64
2019-07-15 23:26:28 +02:00
nil,
Avoid replace on second update with import applied (#4403) After importing some resources, and running a second update with the import still applied, an unexpected replace would occur. This wouldn't happen for the vast majority of resources, but for some it would. It turns out that the resources that trigger this are ones that use a different format of identifier for the import input than they do for the ID property. Before this change, we would trigger an import-replacement when an existing resource's ID property didn't match the import property, which would be the case for the small set of resources where the input identifier is different than the ID property. To avoid this, we now store the `importID` in the statefile, and compare that to the import property instead of comparing the ID.
2020-04-16 03:52:40 +02:00
"",
Fix pulumi/lumi#198 This change fixes the serialization of resource properties during deployment checkpoints. We erroneously serialized empty arrays and empty maps as though they were nil; instead, we want to keep them serialized as non-nil empty collections, since the presence of a value might be semantically meaningful. (We still skip nils.) Also added some test cases.
2017-06-07 01:42:14 +02:00
)
Allow pulumi stack export to decrypt secrets (#4046)
2020-05-11 20:16:30 +02:00
dep, err := SerializeResource(res, config.NopEncrypter, false /* showSecrets */)
Encrypt secret values in deployments When constructing a Deployment (which is a plaintext representation of a Snapshot), ensure that we encrypt secret values. To do so, we introduce a new type `secrets.Manager` which is able to encrypt and decrypt values. In addition, it is able to reflect information about itself that can be stored in the deployment such that we can deserialize the deployment into a snapshot (decrypting the values in the process) without external knowledge about how it was encrypted. The ability to do this is import for allowing stack references to work, since two stacks may not use the same manager (or they will use the same type of manager, but have different state). The state value is stored in plaintext in the deployment, so it **must not** contain sensitive data. A sample manager, which just base64 encodes and decodes strings is provided, as it useful for testing. We will allow it to be varried soon.
2019-04-17 22:48:38 +02:00
assert.NoError(t, err)
Fix pulumi/lumi#198 This change fixes the serialization of resource properties during deployment checkpoints. We erroneously serialized empty arrays and empty maps as though they were nil; instead, we want to keep them serialized as non-nil empty collections, since the presence of a value might be semantically meaningful. (We still skip nils.) Also added some test cases.
2017-06-07 01:42:14 +02:00
// assert some things about the deployment record:
assert.NotNil(t, dep)
assert.NotNil(t, dep.ID)
More progress on pulumi/lumi#90 This change refactors a number of aspects of the CLI's treatment of steps, in line with the new scheme, and a number of other miscellaneous and minor fixes. It also regenerates all RPC code impacted by recent renames.
2017-06-11 02:03:58 +02:00
assert.Equal(t, resource.ID("test-resource-x"), dep.ID)
Fix pulumi/lumi#198 This change fixes the serialization of resource properties during deployment checkpoints. We erroneously serialized empty arrays and empty maps as though they were nil; instead, we want to keep them serialized as non-nil empty collections, since the presence of a value might be semantically meaningful. (We still skip nils.) Also added some test cases.
2017-06-07 01:42:14 +02:00
assert.Equal(t, tokens.Type("Test"), dep.Type)
Save resource dependency information in the checkpoint file This commit does two things: 1. All dependencies of a resource, both implicit and explicit, are communicated directly to the engine when registering a resource. The engine keeps track of these dependencies and ultimately serializes them out to the checkpoint file upon successful deployment. 2. Once a successful deployment is done, the new `pulumi stack graph` command reads the checkpoint file and outputs the dependency information within in the DOT format. Keeping track of dependency information within the checkpoint file is desirable for a number of reasons, most notably delete-before-create, where we want to delete resources before we have created their replacement when performing an update.
2018-02-22 00:11:21 +01:00
assert.Equal(t, 2, len(dep.Dependencies))
assert.Equal(t, resource.URN("foo:bar:baz"), dep.Dependencies[0])
assert.Equal(t, resource.URN("foo:bar:boo"), dep.Dependencies[1])
Fix pulumi/lumi#198 This change fixes the serialization of resource properties during deployment checkpoints. We erroneously serialized empty arrays and empty maps as though they were nil; instead, we want to keep them serialized as non-nil empty collections, since the presence of a value might be semantically meaningful. (We still skip nils.) Also added some test cases.
2017-06-07 01:42:14 +02:00
// assert some things about the inputs:
assert.NotNil(t, dep.Inputs)
assert.Nil(t, dep.Inputs["in-nil"])
assert.NotNil(t, dep.Inputs["in-bool"])
assert.True(t, dep.Inputs["in-bool"].(bool))
assert.NotNil(t, dep.Inputs["in-float64"])
assert.Equal(t, float64(1.5), dep.Inputs["in-float64"].(float64))
assert.NotNil(t, dep.Inputs["in-string"])
assert.Equal(t, "lumilumilo", dep.Inputs["in-string"].(string))
assert.NotNil(t, dep.Inputs["in-array"])
assert.Equal(t, 3, len(dep.Inputs["in-array"].([]interface{})))
assert.Equal(t, "a", dep.Inputs["in-array"].([]interface{})[0])
assert.Equal(t, true, dep.Inputs["in-array"].([]interface{})[1])
assert.Equal(t, float64(32), dep.Inputs["in-array"].([]interface{})[2])
assert.NotNil(t, dep.Inputs["in-empty-array"])
assert.Equal(t, 0, len(dep.Inputs["in-empty-array"].([]interface{})))
assert.NotNil(t, dep.Inputs["in-map"])
inmap := dep.Inputs["in-map"].(map[string]interface{})
assert.Equal(t, 4, len(inmap))
assert.NotNil(t, inmap["a"])
assert.Equal(t, true, inmap["a"].(bool))
assert.NotNil(t, inmap["b"])
assert.Equal(t, float64(88), inmap["b"].(float64))
assert.NotNil(t, inmap["c"])
assert.Equal(t, "c-see-saw", inmap["c"].(string))
assert.NotNil(t, inmap["d"])
assert.Equal(t, "d-dee-daw", inmap["d"].(string))
assert.NotNil(t, dep.Inputs["in-empty-map"])
assert.Equal(t, 0, len(dep.Inputs["in-empty-map"].(map[string]interface{})))
Fix malformed resource value bug (#6164) * Fix resource-ref-as-ID marshaling. (#6125) This reapplies 2f0dba23ab4fd561da20d39e231af976fe092ef2. * Fix malformed resource value bug PR #6125 introduced a bug by marshaling resource ids as PropertyValues, but not handling that case on the unmarshaling side. The previous code assumed that the id was a simple string value. This bug prevents any stack update operations (preview, update, destroy, refresh). Since this change was already released, we must now handle both cases in the unmarshaling code. * Add resource ref unit tests for the Go SDK. (#6142) This reapplies 3d505912b86f48aa1b303a90c7aad1b6df8f65c4. Co-authored-by: Pat Gavlin <pat@pulumi.com>
2021-01-22 00:40:27 +01:00
assert.Equal(t, map[string]interface{}{
resource.SigKey: resource.ResourceReferenceSig,
"urn": "urn",
"packageVersion": "1.2.3",
}, dep.Inputs["in-component-resource-reference"])
assert.Equal(t, map[string]interface{}{
resource.SigKey: resource.ResourceReferenceSig,
"urn": "urn2",
"id": "id",
"packageVersion": "2.3.4",
}, dep.Inputs["in-custom-resource-reference"])
assert.Equal(t, map[string]interface{}{
resource.SigKey: resource.ResourceReferenceSig,
"urn": "urn3",
"id": "",
"packageVersion": "3.4.5",
}, dep.Inputs["in-custom-resource-reference-unknown-id"])
Fix pulumi/lumi#198 This change fixes the serialization of resource properties during deployment checkpoints. We erroneously serialized empty arrays and empty maps as though they were nil; instead, we want to keep them serialized as non-nil empty collections, since the presence of a value might be semantically meaningful. (We still skip nils.) Also added some test cases.
2017-06-07 01:42:14 +02:00
// assert some things about the outputs:
assert.NotNil(t, dep.Outputs)
assert.Nil(t, dep.Outputs["out-nil"])
assert.NotNil(t, dep.Outputs["out-bool"])
assert.False(t, dep.Outputs["out-bool"].(bool))
assert.NotNil(t, dep.Outputs["out-float64"])
assert.Equal(t, float64(76), dep.Outputs["out-float64"].(float64))
assert.NotNil(t, dep.Outputs["out-string"])
assert.Equal(t, "loyolumiloom", dep.Outputs["out-string"].(string))
assert.NotNil(t, dep.Outputs["out-array"])
assert.Equal(t, 2, len(dep.Outputs["out-array"].([]interface{})))
assert.Equal(t, false, dep.Outputs["out-array"].([]interface{})[0])
assert.Equal(t, "zzxx", dep.Outputs["out-array"].([]interface{})[1])
assert.NotNil(t, dep.Outputs["out-empty-array"])
assert.Equal(t, 0, len(dep.Outputs["out-empty-array"].([]interface{})))
assert.NotNil(t, dep.Outputs["out-map"])
outmap := dep.Outputs["out-map"].(map[string]interface{})
assert.Equal(t, 3, len(outmap))
assert.NotNil(t, outmap["x"])
assert.Equal(t, false, outmap["x"].(bool))
assert.NotNil(t, outmap["y"])
assert.Equal(t, "z-zee-zaw", outmap["y"].(string))
assert.NotNil(t, outmap["z"])
assert.Equal(t, float64(999.9), outmap["z"].(float64))
assert.NotNil(t, dep.Outputs["out-empty-map"])
assert.Equal(t, 0, len(dep.Outputs["out-empty-map"].(map[string]interface{})))
}
Fail fast when attempting to load a too-new or too-old deployment (#1382) * Error when loading a deployment that is not a version that the CLI understands * Add a test for 'pulumi stack import' on a badly-versioned deployment * Move current deployment version to 'apitype' * Rebase against master * CR: emit CLI-friendly error message at the two points outside of the engine calling 'DeserializeDeployment'
2018-05-25 22:29:59 +02:00
func TestLoadTooNewDeployment(t *testing.T) {
untypedDeployment := &apitype.UntypedDeployment{
Version: apitype.DeploymentSchemaVersionCurrent + 1,
}
Refactor the way secrets managers are provided (#3001)
2019-08-01 19:33:52 +02:00
deployment, err := DeserializeUntypedDeployment(untypedDeployment, DefaultSecretsProvider)
Fail fast when attempting to load a too-new or too-old deployment (#1382) * Error when loading a deployment that is not a version that the CLI understands * Add a test for 'pulumi stack import' on a badly-versioned deployment * Move current deployment version to 'apitype' * Rebase against master * CR: emit CLI-friendly error message at the two points outside of the engine calling 'DeserializeDeployment'
2018-05-25 22:29:59 +02:00
assert.Nil(t, deployment)
assert.Error(t, err)
assert.Equal(t, ErrDeploymentSchemaVersionTooNew, err)
}
func TestLoadTooOldDeployment(t *testing.T) {
untypedDeployment := &apitype.UntypedDeployment{
Version: DeploymentSchemaVersionOldestSupported - 1,
}
Refactor the way secrets managers are provided (#3001)
2019-08-01 19:33:52 +02:00
deployment, err := DeserializeUntypedDeployment(untypedDeployment, DefaultSecretsProvider)
Fail fast when attempting to load a too-new or too-old deployment (#1382) * Error when loading a deployment that is not a version that the CLI understands * Add a test for 'pulumi stack import' on a badly-versioned deployment * Move current deployment version to 'apitype' * Rebase against master * CR: emit CLI-friendly error message at the two points outside of the engine calling 'DeserializeDeployment'
2018-05-25 22:29:59 +02:00
assert.Nil(t, deployment)
assert.Error(t, err)
assert.Equal(t, ErrDeploymentSchemaVersionTooOld, err)
}
Follow up on #2369 (#2397) - Add support for per-property dependencies to the Go SDK - Add tests for first-class secret rejection in the checkpoint and RPC layers and language SDKs
2019-01-29 02:38:16 +01:00
func TestUnsupportedSecret(t *testing.T) {
rawProp := map[string]interface{}{
resource.SigKey: resource.SecretSig,
}
Allow pulumi stack export to decrypt secrets (#4046)
2020-05-11 20:16:30 +02:00
_, err := DeserializePropertyValue(rawProp, config.NewPanicCrypter(), config.NewPanicCrypter())
Follow up on #2369 (#2397) - Add support for per-property dependencies to the Go SDK - Add tests for first-class secret rejection in the checkpoint and RPC layers and language SDKs
2019-01-29 02:38:16 +01:00
assert.Error(t, err)
}
func TestUnknownSig(t *testing.T) {
rawProp := map[string]interface{}{
resource.SigKey: "foobar",
}
Allow pulumi stack export to decrypt secrets (#4046)
2020-05-11 20:16:30 +02:00
_, err := DeserializePropertyValue(rawProp, config.NewPanicCrypter(), config.NewPanicCrypter())
Follow up on #2369 (#2397) - Add support for per-property dependencies to the Go SDK - Add tests for first-class secret rejection in the checkpoint and RPC layers and language SDKs
2019-01-29 02:38:16 +01:00
assert.Error(t, err)
}
Add tests for serializing PropertyMaps (#3533) * WIP - Add tests for serializing PropertyMaps * Apply suggestions from code review Co-Authored-By: Pat Gavlin <pat@pulumi.com> * Cleanup tests
2019-11-20 06:10:51 +01:00
Fix malformed resource value bug (#6164) * Fix resource-ref-as-ID marshaling. (#6125) This reapplies 2f0dba23ab4fd561da20d39e231af976fe092ef2. * Fix malformed resource value bug PR #6125 introduced a bug by marshaling resource ids as PropertyValues, but not handling that case on the unmarshaling side. The previous code assumed that the id was a simple string value. This bug prevents any stack update operations (preview, update, destroy, refresh). Since this change was already released, we must now handle both cases in the unmarshaling code. * Add resource ref unit tests for the Go SDK. (#6142) This reapplies 3d505912b86f48aa1b303a90c7aad1b6df8f65c4. Co-authored-by: Pat Gavlin <pat@pulumi.com>
2021-01-22 00:40:27 +01:00
// TestDeserializeResourceReferencePropertyValueID tests the ability of the deserializer to handle resource references
// that were serialized without unwrapping their ID PropertyValue due to a bug in the serializer. Such resource
// references were produced by Pulumi v2.18.0.
func TestDeserializeResourceReferencePropertyValueID(t *testing.T) {
// Serialize replicates Pulumi 2.18.0's buggy resource reference serializer. We round-trip the value through JSON
// in order to convert the ID property value into a plain map[string]interface{}.
serialize := func(v resource.PropertyValue) interface{} {
ref := v.ResourceReferenceValue()
bytes, err := json.Marshal(map[string]interface{}{
resource.SigKey: resource.ResourceReferenceSig,
"urn": ref.URN,
"id": ref.ID,
"packageVersion": ref.PackageVersion,
})
contract.IgnoreError(err)
var sv interface{}
err = json.Unmarshal(bytes, &sv)
contract.IgnoreError(err)
return sv
}
serialized := map[string]interface{}{
"component-resource": serialize(resource.MakeComponentResourceReference("urn", "1.2.3")),
"custom-resource": serialize(resource.MakeCustomResourceReference("urn2", "id", "2.3.4")),
"custom-resource-unknown-id": serialize(resource.MakeCustomResourceReference("urn3", "", "3.4.5")),
}
deserialized, err := DeserializePropertyValue(serialized, config.NewPanicCrypter(), config.NewPanicCrypter())
assert.NoError(t, err)
assert.Equal(t, resource.NewPropertyValue(map[string]interface{}{
"component-resource": resource.MakeComponentResourceReference("urn", "1.2.3").V,
"custom-resource": resource.MakeCustomResourceReference("urn2", "id", "2.3.4").V,
"custom-resource-unknown-id": resource.MakeCustomResourceReference("urn3", "", "3.4.5").V,
}), deserialized)
}
Add tests for serializing PropertyMaps (#3533) * WIP - Add tests for serializing PropertyMaps * Apply suggestions from code review Co-Authored-By: Pat Gavlin <pat@pulumi.com> * Cleanup tests
2019-11-20 06:10:51 +01:00
func TestCustomSerialization(t *testing.T) {
textAsset, err := resource.NewTextAsset("alpha beta gamma")
assert.NoError(t, err)
strProp := resource.NewStringProperty("strProp")
computed := resource.Computed{Element: strProp}
output := resource.Output{Element: strProp}
secret := &resource.Secret{Element: strProp}
propMap := resource.NewPropertyMapFromMap(map[string]interface{}{
// Primitive types
"nil": nil,
"bool": true,
"int32": int64(41),
"int64": int64(42),
"float32": float32(2.5),
"float64": float64(1.5),
"string": "string literal",
// Data structures
"array": []interface{}{"a", true, float64(32)},
"array-empty": []interface{}{},
"map": map[string]interface{}{
"a": true,
"b": float64(88),
"c": "c-see-saw",
"d": "d-dee-daw",
},
"map-empty": map[string]interface{}{},
// Specialized resource types
"asset-text": textAsset,
"computed": computed,
"output": output,
"secret": secret,
})
assert.True(t, propMap.ContainsSecrets())
assert.True(t, propMap.ContainsUnknowns())
// Confirm the expected shape of serializing a ResourceProperty and PropertyMap using the
// reflection-based default JSON encoder. This should NOT be used when serializing resources,
// but we confirm the expected shape here while we migrate older code that relied on the
// specific format.
t.Run("SerializeToJSON", func(t *testing.T) {
b, err := json.Marshal(propMap)
if err != nil {
t.Fatalf("Marshalling PropertyMap: %v", err)
}
json := string(b)
// Look for the specific JSON serialization of the properties.
tests := []string{
// Primitives
`"nil":{"V":null}`,
`"bool":{"V":true}`,
`"string":{"V":"string literal"}}`,
`"float32":{"V":2.5}`,
`"float64":{"V":1.5}`,
`"int32":{"V":41}`,
`"int64":{"V":42}`,
// Data structures
`array":{"V":[{"V":"a"},{"V":true},{"V":32}]}`,
`"array-empty":{"V":[]}`,
`"map":{"V":{"a":{"V":true},"b":{"V":88},"c":{"V":"c-see-saw"},"d":{"V":"d-dee-daw"}}}`,
`"map-empty":{"V":{}}`,
// Specialized resource types
// nolint: lll
`"asset-text":{"V":{"4dabf18193072939515e22adb298388d":"c44067f5952c0a294b673a41bacd8c17","hash":"64989ccbf3efa9c84e2afe7cee9bc5828bf0fcb91e44f8c1e591638a2c2e90e3","text":"alpha beta gamma"}}`,
`"computed":{"V":{"Element":{"V":"strProp"}}}`,
`"output":{"V":{"Element":{"V":"strProp"}}}`,
`"secret":{"V":{"Element":{"V":"strProp"}}}`,
}
for _, want := range tests {
if !strings.Contains(json, want) {
t.Errorf("Did not find expected snippet: %v", want)
}
}
if t.Failed() {
t.Logf("Full JSON encoding:\n%v", json)
}
})
// Using stack.SerializeProperties will get the correct behavior and should be used
// whenever persisting resources into some durable form.
t.Run("SerializeProperties", func(t *testing.T) {
Allow pulumi stack export to decrypt secrets (#4046)
2020-05-11 20:16:30 +02:00
serializedPropMap, err := SerializeProperties(propMap, config.BlindingCrypter, false /* showSecrets */)
Add tests for serializing PropertyMaps (#3533) * WIP - Add tests for serializing PropertyMaps * Apply suggestions from code review Co-Authored-By: Pat Gavlin <pat@pulumi.com> * Cleanup tests
2019-11-20 06:10:51 +01:00
assert.NoError(t, err)
// Now JSON encode the results?
b, err := json.Marshal(serializedPropMap)
if err != nil {
t.Fatalf("Marshalling PropertyMap: %v", err)
}
json := string(b)
// Look for the specific JSON serialization of the properties.
tests := []string{
// Primitives
`"bool":true`,
`"string":"string literal"`,
`"float32":2.5`,
`"float64":1.5`,
`"int32":41`,
`"int64":42`,
Serialize null property values. (#3561) Eliding these values prevents us from properly round-tripping resource states that include null property values. This is part of the fix for https://github.com/pulumi/pulumi-azure/issues/383.
2019-11-22 20:03:02 +01:00
`"nil":null`,
Add tests for serializing PropertyMaps (#3533) * WIP - Add tests for serializing PropertyMaps * Apply suggestions from code review Co-Authored-By: Pat Gavlin <pat@pulumi.com> * Cleanup tests
2019-11-20 06:10:51 +01:00
// Data structures
`"array":["a",true,32]`,
`"array-empty":[]`,
`"map":{"a":true,"b":88,"c":"c-see-saw","d":"d-dee-daw"}`,
`"map-empty":{}`,
// Specialized resource types
// nolint: lll
`"asset-text":{"4dabf18193072939515e22adb298388d":"c44067f5952c0a294b673a41bacd8c17","hash":"64989ccbf3efa9c84e2afe7cee9bc5828bf0fcb91e44f8c1e591638a2c2e90e3","text":"alpha beta gamma"}`,
Persist computed values (#3558)
2019-11-21 23:58:30 +01:00
// Computed values are replaced with a magic constant.
`"computed":"04da6b54-80e4-46f7-96ec-b56ff0331ba9"`,
Serialize null property values. (#3561) Eliding these values prevents us from properly round-tripping resource states that include null property values. This is part of the fix for https://github.com/pulumi/pulumi-azure/issues/383.
2019-11-22 20:03:02 +01:00
`"output":"04da6b54-80e4-46f7-96ec-b56ff0331ba9"`,
Persist computed values (#3558)
2019-11-21 23:58:30 +01:00
// Secrets are serialized with the special sig key, and their underlying cipher text.
// Since we passed in a config.BlindingCrypter the cipher text isn't super-useful.
Add tests for serializing PropertyMaps (#3533) * WIP - Add tests for serializing PropertyMaps * Apply suggestions from code review Co-Authored-By: Pat Gavlin <pat@pulumi.com> * Cleanup tests
2019-11-20 06:10:51 +01:00
`"secret":{"4dabf18193072939515e22adb298388d":"1b47061264138c4ac30d75fd1eb44270","ciphertext":"[secret]"}`,
}
for _, want := range tests {
if !strings.Contains(json, want) {
t.Errorf("Did not find expected snippet: %v", want)
}
}
if t.Failed() {
t.Logf("Full JSON encoding:\n%v", json)
}
})
}
Error instead of assert on invalid resource in state file (#7065) * Error instead of assert on invalid resource in state file Fixes #6955 * Add CHANGELOG
2021-05-17 10:47:28 +02:00
func TestDeserializeInvalidResourceErrors(t *testing.T) {
deployment, err := DeserializeDeploymentV3(apitype.DeploymentV3{
Resources: []apitype.ResourceV3{
{},
},
}, DefaultSecretsProvider)
assert.Nil(t, deployment)
assert.Error(t, err)
assert.Equal(t, "resource missing required 'urn' field", err.Error())
urn := "urn:pulumi:prod::acme::acme:erp:Backend$aws:ebs/volume:Volume::PlatformBackendDb"
deployment, err = DeserializeDeploymentV3(apitype.DeploymentV3{
Resources: []apitype.ResourceV3{
{
URN: resource.URN(urn),
},
},
}, DefaultSecretsProvider)
assert.Nil(t, deployment)
assert.Error(t, err)
assert.Equal(t, fmt.Sprintf("resource '%s' missing required 'type' field", urn), err.Error())
deployment, err = DeserializeDeploymentV3(apitype.DeploymentV3{
Resources: []apitype.ResourceV3{
{
URN: resource.URN(urn),
Type: "aws:ebs/volume:Volume",
Custom: false,
ID: "vol-044ba5ad2bd959bc1",
},
},
}, DefaultSecretsProvider)
assert.Nil(t, deployment)
assert.Error(t, err)
assert.Equal(t, fmt.Sprintf("resource '%s' has 'custom' false but non-empty ID", urn), err.Error())
}
Reference in a new issue Copy permalink