
RFC: Exclusive Relationship Management Resources Support #4772

Open
t0yv0 opened this issue Nov 14, 2024 · 0 comments
Labels
kind/engineering Work that is not visible to an external user kind/enhancement Improvements or new features

Comments

@t0yv0 (Member)

t0yv0 commented Nov 14, 2024

Pulumi AWS provider should withhold input property deprecations introduced by the Terraform AWS provider until Pulumi-specific issues on the intended upgrade path are resolved.

The affected properties include (see 39376 for a full list):

  • aws.iam.Role managedPolicyArns
  • aws.iam.Role inlinePolicies

The latest iteration of Terraform AWS provider design thinking is introducing exclusive relationship management resources. To illustrate on the aws.iam.Role resource:

  • Upstream wants to deprecate inline_policy repeated argument in favor of N relationship resources such as aws_iam_role_policy
  • The community pushes back on this change because having N aws_iam_role_policy resources in Terraform does not guarantee that the associated aws_iam_role has no policies in the cloud that are not being tracked, something that inline_policy used to guarantee
  • Hence aws_iam_role_policies_exclusive is introduced: if users list all aws_iam_role_policy in aws_iam_role_policies_exclusive then Terraform will proactively detect when the actual set of policies in the cloud does not match the one specified by aws_iam_role_policies_exclusive

Unfortunately when testing this upgrade scenario in the Pulumi provider we found that aws.iam.RolePoliciesExclusive does not detect role policy drift due to specifics of how Pulumi maps Terraform providers (#4766).

Because of this issue, users trying to act on the deprecation notice in Pulumi will not be able to rely on aws.iam.RolePoliciesExclusive to ensure all inline policies are tracked in Pulumi. Other property deprecations are likely similarly affected.

The proposal going forward is as follows:

  • remove deprecation notices from the affected Pulumi AWS provider properties and continue supporting them
  • proactively fix the issues so that Exclusive Management Resources work as well as they do in upstream
  • re-introduce deprecations and supporting migration deprecation when there is full confidence in the upgrade path

References

@pulumi-bot pulumi-bot added the needs-triage Needs attention from the triage team label Nov 14, 2024
@flostadler flostadler added kind/enhancement Improvements or new features kind/engineering Work that is not visible to an external user and removed needs-triage Needs attention from the triage team labels Nov 14, 2024
@t0yv0 t0yv0 changed the title RFC: Exclusive Management Resource Support RFC: Exclusive Relationship Management Resources Support Nov 14, 2024
@t0yv0 t0yv0 pinned this issue Nov 14, 2024
t0yv0 added a commit that referenced this issue Nov 14, 2024
Exclusive Relationship Management Resources do not currently work as you would expect in Pulumi but require `pulumi up --refresh`. A NOTE is added with this information to the affected resources docs pages so that users are made aware of the problem.

More context in: #4772
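As an added illustration (not code from the issue, the referenced commit, or the Pulumi AWS provider), the Pulumi YAML program below shows the shape of the upgrade path the issue discusses: a role whose inline policy used to be declared through the deprecated `inlinePolicies` property is instead given a standalone `aws:iam:RolePolicy` relationship resource, and an `aws:iam:RolePoliciesExclusive` resource lists every inline policy name that should exist on the role, so that any inline policy attached outside of this program shows up as drift. The role name, policy documents and bucket ARN are constructed placeholders; the property names (`roleName`, `policyNames`) follow the upstream `aws_iam_role_policies_exclusive` schema as I understand it and should be checked against the provider docs for the version in use.

```yaml
name: iam-exclusive-example
runtime: yaml
description: >
  Added example (not from the issue). Role with a standalone inline policy
  resource plus an exclusive relationship resource that pins the full set
  of inline policy names expected on the role.

resources:
  appRole:
    type: aws:iam:Role
    properties:
      name: example-app-role   # constructed name
      assumeRolePolicy:
        fn::toJSON:
          Version: "2012-10-17"
          Statement:
            - Effect: Allow
              Principal:
                Service: lambda.amazonaws.com
              Action: sts:AssumeRole
      # Before the migration this block carried the policy and, on its own,
      # guaranteed that no untracked inline policies existed on the role:
      #
      # inlinePolicies:
      #   - name: read-example-bucket
      #     policy: <same document as readBucket.policy below>

  # After: one relationship resource per inline policy.
  readBucket:
    type: aws:iam:RolePolicy
    properties:
      name: read-example-bucket
      role: ${appRole.name}
      policy:
        fn::toJSON:
          Version: "2012-10-17"
          Statement:
            - Effect: Allow
              Action: s3:GetObject
              Resource: arn:aws:s3:::example-bucket/*   # constructed ARN

  # The exclusive resource restores the "nothing untracked" guarantee that
  # N RolePolicy resources alone cannot give: the set of inline policy names
  # on the role in the cloud must equal exactly this list.
  appRolePolicies:
    type: aws:iam:RolePoliciesExclusive
    properties:
      roleName: ${appRole.name}
      policyNames:
        - ${readBucket.name}
```

Per the issue and the referenced commit, a policy added to the role outside this program is not reported by a plain `pulumi up` in the current provider; running `pulumi up --refresh` is required for the exclusive resource to observe the cloud state and flag the extra policy as drift.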