Implement first-class providers. (#1695)
### First-Class Providers
These changes implement support for first-class providers. First-class
providers are provider plugins that are exposed as resources via the
Pulumi programming model so that they may be explicitly and multiply
instantiated. Each instance of a provider resource may be configured
differently, and configuration parameters may be source from the
outputs of other resources.

### Provider Plugin Changes
In order to accommodate the need to verify and diff provider
configuration and configure providers without complete configuration
information, these changes adjust the high-level provider plugin
interface. Two new methods for validating a provider's configuration
and diffing changes to the same have been added (`CheckConfig` and
`DiffConfig`, respectively), and the type of the configuration bag
accepted by `Configure` has been changed to a `PropertyMap`.

These changes have not yet been reflected in the provider plugin gRPC
interface. We will do this in a set of follow-up changes. Until then,
these methods are implemented by adapters:
- `CheckConfig` validates that all configuration parameters are string
  or unknown properties. This is necessary because existing plugins
  only accept string-typed configuration values.
- `DiffConfig` either returns "never replace" if all configuration
  values are known or "must replace" if any configuration value is
  unknown. The justification for this behavior is given
- `Configure` converts the config bag to a legacy config map and
  configures the provider plugin if all config values are known. If any
  config value is unknown, the underlying plugin is not configured and
  the provider may only perform `Check`, `Read`, and `Invoke`, all of
  which return empty results. We justify this behavior becuase it is
  only possible during a preview and provides the best experience we
  can manage with the existing gRPC interface.

### Resource Model Changes
Providers are now exposed as resources that participate in a stack's
dependency graph. Like other resources, they are explicitly created,
may have multiple instances, and may have dependencies on other
resources. Providers are referred to using provider references, which
are a combination of the provider's URN and its ID. This design
addresses the need during a preview to refer to providers that have not
yet been physically created and therefore have no ID.

All custom resources that are not themselves providers must specify a
single provider via a provider reference. The named provider will be
used to manage that resource's CRUD operations. If a resource's
provider reference changes, the resource must be replaced. Though its
URN is not present in the resource's dependency list, the provider
should be treated as a dependency of the resource when topologically
sorting the dependency graph.

Finally, `Invoke` operations must now specify a provider to use for the
invocation via a provider reference.

### Engine Changes
First-class providers support requires a few changes to the engine:
- The engine must have some way to map from provider references to
  provider plugins. It must be possible to add providers from a stack's
  checkpoint to this map and to register new/updated providers during
  the execution of a plan in response to CRUD operations on provider
- In order to support updating existing stacks using existing Pulumi
  programs that may not explicitly instantiate providers, the engine
  must be able to manage the "default" providers for each package
  referenced by a checkpoint or Pulumi program. The configuration for
  a "default" provider is taken from the stack's configuration data.

The former need is addressed by adding a provider registry type that is
responsible for managing all of the plugins required by a plan. In
addition to loading plugins froma checkpoint and providing the ability
to map from a provider reference to a provider plugin, this type serves
as the provider plugin for providers themselves (i.e. it is the
"provider provider").

The latter need is solved via two relatively self-contained changes to
plan setup and the eval source.

During plan setup, the old checkpoint is scanned for custom resources
that do not have a provider reference in order to compute the set of
packages that require a default provider. Once this set has been
computed, the required default provider definitions are conjured and
prepended to the checkpoint's resource list. Each resource that
requires a default provider is then updated to refer to the default
provider for its package.

While an eval source is running, each custom resource registration,
resource read, and invoke that does not name a provider is trapped
before being returned by the source iterator. If no default provider
for the appropriate package has been registered, the eval source
synthesizes an appropriate registration, waits for it to complete, and
records the registered provider's reference. This reference is injected
into the original request, which is then processed as usual. If a
default provider was already registered, the recorded reference is
used and no new registration occurs.

### SDK Changes
These changes only expose first-class providers from the Node.JS SDK.
- A new abstract class, `ProviderResource`, can be subclassed and used
  to instantiate first-class providers.
- A new field in `ResourceOptions`, `provider`, can be used to supply
  a particular provider instance to manage a `CustomResource`'s CRUD
- A new type, `InvokeOptions`, can be used to specify options that
  control the behavior of a call to `pulumi.runtime.invoke`. This type
  includes a `provider` field that is analogous to
2018-08-06 17:50:29 -07:00

// Copyright 2016-2018, Pulumi Corporation.
// Licensed under the Apache License, Version 2.0 (the "License");
// you may not use this file except in compliance with the License.
// You may obtain a copy of the License at
// http://www.apache.org/licenses/LICENSE-2.0
// Unless required by applicable law or agreed to in writing, software
// distributed under the License is distributed on an "AS IS" BASIS,
// See the License for the specific language governing permissions and
// limitations under the License.
syntax = "proto3";
import "plugin.proto";
import "google/protobuf/empty.proto";
import "google/protobuf/struct.proto";
package pulumirpc;
// ResourceProvider is a service that understands how to create, read, update, or delete resources for types defined
// within a single package. It is driven by the overall planning engine in response to resource diffs.
service ResourceProvider {
// Configure configures the resource provider with "globals" that control its behavior.
rpc Configure(ConfigureRequest) returns (google.protobuf.Empty) {}
// Invoke dynamically executes a built-in function in the provider.
rpc Invoke(InvokeRequest) returns (InvokeResponse) {}
// Check validates that the given property bag is valid for a resource of the given type and returns the inputs
// that should be passed to successive calls to Diff, Create, or Update for this resource. As a rule, the provider
// inputs returned by a call to Check should preserve the original representation of the properties as present in
// the program inputs. Though this rule is not required for correctness, violations thereof can negatively impact
// the end-user experience, as the provider inputs are using for detecting and rendering diffs.
rpc Check(CheckRequest) returns (CheckResponse) {}
// Diff checks what impacts a hypothetical update will have on the resource's properties.
rpc Diff(DiffRequest) returns (DiffResponse) {}
// Create allocates a new instance of the provided resource and returns its unique ID afterwards. (The input ID
// must be blank.) If this call fails, the resource must not have been created (i.e., it is "transacational").
rpc Create(CreateRequest) returns (CreateResponse) {}
// Read the current live state associated with a resource. Enough state must be include in the inputs to uniquely
// identify the resource; this is typically just the resource ID, but may also include some properties.
rpc Read(ReadRequest) returns (ReadResponse) {}
// Update updates an existing resource with new values.
rpc Update(UpdateRequest) returns (UpdateResponse) {}
// Delete tears down an existing resource with the given ID. If it fails, the resource is assumed to still exist.
rpc Delete(DeleteRequest) returns (google.protobuf.Empty) {}
// Cancel signals the provider to abort all outstanding resource operations.
rpc Cancel(google.protobuf.Empty) returns (google.protobuf.Empty) {}
// GetPluginInfo returns generic information about this plugin, like its version.
rpc GetPluginInfo(google.protobuf.Empty) returns (PluginInfo) {}
message ConfigureRequest {
map<string, string> variables = 1; // a map of configuration keys to values.
// ConfigureErrorMissingKeys is sent as a Detail on an error returned from `ResourceProvider.Configure`.
message ConfigureErrorMissingKeys {
message MissingKey {
string name = 1; // the Pulumi name (not the provider name!) of the missing config key.
string description = 2; // a description of the missing config key, as reported by the provider.
repeated MissingKey missingKeys = 1; // a list of required configuration keys that were not supplied.
message InvokeRequest {
string tok = 1; // the function token to invoke.
google.protobuf.Struct args = 2; // the arguments for the function invocation.
string provider = 3; // an optional reference to the provider to use for this invoke.
message InvokeResponse {
google.protobuf.Struct return = 1; // the returned values, if invoke was successful.
repeated CheckFailure failures = 2; // the failures if any arguments didn't pass verification.
message CheckRequest {
string urn = 1; // the Pulumi URN for this resource.
google.protobuf.Struct olds = 2; // the old Pulumi inputs for this resource, if any.
google.protobuf.Struct news = 3; // the new Pulumi inputs for this resource.
message CheckResponse {
google.protobuf.Struct inputs = 1; // the provider inputs for this resource.
repeated CheckFailure failures = 2; // any validation failures that occurred.
message CheckFailure {
string property = 1; // the property that failed validation.
string reason = 2; // the reason that the property failed validation.
message DiffRequest {
string id = 1; // the ID of the resource to diff.
string urn = 2; // the Pulumi URN for this resource.
google.protobuf.Struct olds = 3; // the old values of provider inputs to diff.
google.protobuf.Struct news = 4; // the new values of provider inputs to diff.
message DiffResponse {
repeated string replaces = 1; // if this update requires a replacement, the set of properties triggering it.
repeated string stables = 2; // an optional list of properties that will not ever change.
bool deleteBeforeReplace = 3; // if true, this resource must be deleted before replacing it.
DiffChanges changes = 4; // if true, this diff represents an actual difference and thus requires an update.
enum DiffChanges {
DIFF_UNKNOWN = 0; // unknown whether there are changes or not (legacy behavior).
DIFF_NONE = 1; // the diff was performed, and no changes were detected that require an update.
DIFF_SOME = 2; // the diff was performed, and changes were detected that require an update or replacement.
message CreateRequest {
string urn = 1; // the Pulumi URN for this resource.
google.protobuf.Struct properties = 2; // the provider inputs to set during creation.
message CreateResponse {
// NOTE: The partial-update-error equivalent of this message is `ErrorResourceInitFailed`.
string id = 1; // the ID of the created resource.
google.protobuf.Struct properties = 2; // any properties that were computed during creation.
message ReadRequest {
string id = 1; // the ID of the resource to read.
string urn = 2; // the Pulumi URN for this resource.
google.protobuf.Struct properties = 3; // the current state (sufficiently complete to identify the resource).
message ReadResponse {
string id = 1; // the ID of the resource read back (or empty if missing).
google.protobuf.Struct properties = 2; // the state of the resource read from the live environment.
message UpdateRequest {
// NOTE: The partial-update-error equivalent of this message is `ErrorResourceInitFailed`.
string id = 1; // the ID of the resource to update.
string urn = 2; // the Pulumi URN for this resource.
google.protobuf.Struct olds = 3; // the old values of provider inputs for the resource to update.
google.protobuf.Struct news = 4; // the new values of provider inputs for the resource to update.
message UpdateResponse {
google.protobuf.Struct properties = 1; // any properties that were computed during updating.
message DeleteRequest {
string id = 1; // the ID of the resource to delete.
string urn = 2; // the Pulumi URN for this resource.
google.protobuf.Struct properties = 3; // the current properties on the resource.
// ErrorResourceInitFailed is sent as a Detail `ResourceProvider.{Create, Update}` fail because a
// resource was created successfully, but failed to initialize.
message ErrorResourceInitFailed {
string id = 1; // the ID of the created resource.
google.protobuf.Struct properties = 2; // any properties that were computed during updating.
repeated string reasons = 3; // error messages associated with initialization failure.