-
Notifications
You must be signed in to change notification settings - Fork 1.1k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
[engine] Support remapping envvars for providers #16394
Draft
pgavlin
wants to merge
1
commit into
master
Choose a base branch
from
pgavlin/provider-env-vars
base: master
Could not load branches
Branch not found: {{ refName }}
Loading
Could not load tags
Nothing to show
Loading
Are you sure you want to change the base?
Some commits from the old base branch may be removed from the timeline,
and old review comments may become outdated.
Draft
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
These changes add support for remapping environment variables when launching providers. This allows users to work around problems with dynamic provider configuration that is stored in statefiles causing problems during refresh and destroy operations. For a bit of background: `pulumi up` is distinctly different from `pulumi destroy` and `pulumi refresh` in that it involves running the Pulumi program associated with the stack's project. As it runs, the Pulumi program defines the desired state for resources--including provider resources--using values computed by the program in coordination with the Pulumi engine. When the program creates a provider resource, the inputs for the provider are either sourced from the program itself (i.e. from values provided by the program) or are read out-of-band by the provider plugin. The exact set of configuration that may be sourced from the environment is particular to each provider--for example, the Kubernetes provider uses the ambient `kubeconfig` by default, the AWS provider reads various AWS-specific environment variables, etc. Any _explicitly-provided inputs_ are written into the stack's statefile. For example, consider the following program: ```typescript import * as aws from "@pulumi/aws"; const usEast1 = new aws.Provider("us-east-1", { region: "us-east-1" }); const defaultRegion = new aws.Provider("default-region"); ``` The `usEast1` provider's `region` is explicitly specified by the program, but the `defaultRegion` provider's `region` will be read from the environment (e.g. from the `AWS_REGION` environment variable). In the resulting statefile, the `usEast1` provider's state will include the `region` input, but the `defaultRegion` provider's state will not. Because `pulumi refresh` and `pulumi destroy` do not run the Pulumi program associated with the stack's project, they are unable to recompute configuration values that were explicitly provided by the program, and must use the values stored in the statefile. Unfortunately, this may include credential information, which is what causes the errors described here. The current workaround--which is certainly not sufficient for explicitly-instantiated providers--is to use environment variables to provide credentials out-of-band. The clearest/most complete solution here is to run the Pulumi program associated with a stack's project as part of `pulumi refresh` and `pulumi destroy`. Unfortunately, this is a _major_ behavioral change, and the exact semantics of the run are not clear. These changes allow explicitly-instantiated providers to make use of the same workaround that is available to default providers: pass dynamic, environmentally-sourced provider configuration in environment variables rather than as provider inputs. The environment variable remapping allows users to replace the value for a provider environment variable with the value of a different environment variable before the provider is loaded. This allows users to place configuration in environment variables that the provider would not normally read and remap them to provider-supported envvars, which allows multiple distinct sets of environment variables for providers. For the example above, this might look like so: ```typescript import * as aws from "@pulumi/aws"; const usEast1 = new aws.Provider("us-east-1", { pluginEnvVars: { "AWS_REGION": { from: "US_EAST_1_REGION" } }, }); const defaultRegion = new aws.Provider("default-region"); ``` Or, if the providers needed different credentials (much more common): ```typescript import * as aws from "@pulumi/aws"; const usEast1 = new aws.Provider("us-east-1", { pluginEnvVars: { "AWS_ACCESS_KEY_ID": { from: "US_EAST_1_AWS_ACCESS_KEY_ID" }, "AWS_SECRET_ACCESS_KEY": { from: "US_EAST_1_AWS_SECRET_ACCESS_KEY" }, "AWS_SESSION_TOKEN": { from: "US_EAST_1_AWS_SESSION_TOKEN" }, }, }); const defaultRegion = new aws.Provider("default-region"); ```
Some downsides:
We might be able to improve the ergonomics by simplifying this a bit and just supporting an envvar prefix. Something like this: const usEast1 = new aws.Provider("us-east-1", {}, { envVarPrefix: "US_EAST_1" }); The engine would then do something like this: const envvars = Object.entries(process.env).filter(([k]) => k.startsWith(envVarPrefix + "_")).map(([k, v]) => [k.slice(envVarPrefix.length + 1), v]); |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
These changes add support for remapping environment variables when launching providers. This allows users to work around problems with dynamic provider configuration that is stored in statefiles causing problems during refresh and destroy operations.
Background
pulumi up
is distinctly different frompulumi destroy
andpulumi refresh
in that it involves running the Pulumi program associated with the stack's project. As it runs, the Pulumi program defines the desired state for resources--including provider resources--using values computed by the program in coordination with the Pulumi engine. When the program creates a provider resource, the inputs for the provider are either sourced from the program itself (i.e. from values provided by the program) or are read out-of-band by the provider plugin. The exact set of configuration that may be sourced from the environment is particular to each provider--for example, the Kubernetes provider uses the ambientkubeconfig
by default, the AWS provider reads various AWS-specific environment variables, etc. Any explicitly-provided inputs are written into the stack's statefile.For example, consider the following program:
The
usEast1
provider'sregion
is explicitly specified by the program, but thedefaultRegion
provider'sregion
will be read from the environment (e.g. from theAWS_REGION
environment variable). In the resulting statefile, theusEast1
provider's state will include theregion
input, but thedefaultRegion
provider's state will not.Because
pulumi refresh
andpulumi destroy
do not run the Pulumi program associated with the stack's project, they are unable to recompute configuration values that were explicitly provided by the program, and must use the values stored in the statefile. Unfortunately, this may include credential information, which is what causes the errors described here. The current workaround--which is certainly not sufficient for explicitly-instantiated providers--is to use environment variables to provide credentials out-of-band.The clearest/most complete solution here is to run the Pulumi program associated with a stack's project as part of
pulumi refresh
andpulumi destroy
. Unfortunately, this is a major behavioral change, and the exact semantics of the run are not clear.#4981 tracks this issue in general.
Changes in this PR
These changes allow explicitly-instantiated providers to make use of the same workaround that is available to default providers: pass dynamic, environmentally-sourced provider configuration in environment variables rather than as provider inputs. The environment variable remapping allows users to replace the value for a provider environment variable with the value of a different environment variable before the provider is loaded. This allows users to place configuration in environment variables that the provider would not normally read and remap them to provider-supported envvars, which allows multiple distinct sets of environment variables for providers.
For the example above, this might look like so:
Or, if the providers needed different credentials (much more common):