Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Calling pulumiservice.TeamAccessToken() with --refresh causes token name conflict and update failure #159

Closed
aureq opened this issue Aug 11, 2023 · 10 comments · Fixed by #191 or #192
Closed

Calling pulumiservice.TeamAccessToken() with --refresh causes token name conflict and update failure #159

aureq opened this issue Aug 11, 2023 · 10 comments · Fixed by #191 or #192
Assignees
@komalali
Labels
kind/bug Some behavior is incorrect or out of spec resolution/fixed This issue was fixed
Milestone
0.96

Comments

@aureq
Copy link
Member

aureq commented Aug 11, 2023

What happened?

When using this provider, a customer can create a Pulumi app to efficiently manage Team Access Tokens.

However, if during a subsequent update --refresh is used, Pulumi will attempt to recreate a token that already exists. As a result to this, the update fails with the error failed to create access token: 409 API error: Conflict: token name already exists because a token with the same name already exists.

Expected Behavior

The team access token is create during the 1st deployment, then no further update is needed even when calling pulumi up --refresh.

Steps to reproduce

  1. pulumi new typescript
  2. npm install --save @pulumi/pulumiservice @pulumi/random
  3. Use the index.ts provided below
  4. run pulumi up --yes and a new team access token is created ✅
  5. run pulumi up --yes and nothing gets updated ✅
  6. run pulumi up --yes --refresh, the update attempts to create a new team access token and subsequently fails ❌

Output of pulumi about

CLI          
Version      3.77.1
Go Version   go1.20.6
Go Compiler  gc

Plugins
NAME           VERSION
nodejs         unknown
pulumiservice  0.10.1
random         4.13.2

Host     
OS       debian
Version  12.1
Arch     x86_64

This project is written in nodejs: executable='/usr/local/bin/node' version='v18.17.0'

Current Stack: menfin/pulumiservice-ts/dev

TYPE                                    URN
pulumi:pulumi:Stack                     urn:pulumi:dev::pulumiservice-ts::pulumi:pulumi:Stack::pulumiservice-ts-dev
pulumi:providers:random                 urn:pulumi:dev::pulumiservice-ts::pulumi:providers:random::default_4_13_2
random:index/randomString:RandomString  urn:pulumi:dev::pulumiservice-ts::random:index/randomString:RandomString::[aureq]-pulumi-token-suffix
pulumi:providers:pulumiservice          urn:pulumi:dev::pulumiservice-ts::pulumi:providers:pulumiservice::default_0_10_1


Found no pending operations associated with dev

Backend        
Name           pulumi.com
URL            https://app.pulumi.com/aureq
User           aureq
Organizations  aureq, team-ce, menfin, menfin-team, demo, pulumi

Dependencies:
NAME                   VERSION
@pulumi/random         4.13.2
@types/node            16.18.40
@pulumi/pulumi         3.78.0
@pulumi/pulumiservice  0.10.1

Pulumi locates its logs in /tmp by default

Additional context

import * as pulumi from "@pulumi/pulumi";
import * as pulumiservice from "@pulumi/pulumiservice";
import * as random from "@pulumi/random";

export = async () => {

    const orgName = pulumi.getOrganization();
    const teamName = "team-1";
    const pipelineName = "coolspot";

    const tokenSuffix = new random.RandomString(`[${pipelineName}]-pulumi-token-suffix`, {
        length: 7,
        lower: true,
        minLower: 3,
        numeric: true,
        minNumeric: 4,
        special: false,
        upper: false,
    });

    const pulumiToken = new pulumiservice.TeamAccessToken(`[${pipelineName}]-token`, {
        name: pulumi.interpolate`${pipelineName}-${tokenSuffix.result}`,
        organizationName: orgName,
        teamName: teamName.toLowerCase(),
        description: `Access token for '${pipelineName}' pipeline.`,
    }, { dependsOn: tokenSuffix, deleteBeforeReplace: true });

}

Contributing

Vote on this issue by adding a 👍 reaction.
To contribute a fix for this issue, leave a comment (and link to your pull request, if you've opened one already).
@aureq aureq added the kind/bug Some behavior is incorrect or out of spec label Aug 11, 2023
@cleverguy25 cleverguy25 added this to the 0.97 milestone Nov 1, 2023
@komalali komalali added the resolution/fixed This issue was fixed label Nov 16, 2023
@komalali
Copy link
Member

This was fixed by #177

@pulumi-bot pulumi-bot reopened this Nov 16, 2023
@pulumi-bot
Copy link

Cannot close issue:

  • does not have an assignee

Please fix these problems and try again.

@komalali komalali self-assigned this Nov 16, 2023
@theplatformer
Copy link

Hi @komalali. I don't believe this is resolved by #177.

My project is what @aureq's original reproduction was copied from and I still am seeing the provider wanting to recreate existing tokens when using refresh with the latest 0.14.0...

➜ p preview --refresh=false
Previewing update (***)

View in Browser (Ctrl+O): https://app.pulumi.com/***

     Type                 Name             Plan     
     pulumi:pulumi:Stack  ***           

Resources:
    16 unchanged

➜ p preview --refresh=true 
Previewing update (***)

View in Browser (Ctrl+O): https://app.pulumi.com/***

     Type                                    Name                                   Plan       
     pulumi:pulumi:Stack                     ***                                   
     ├─ random:index:RandomString            [***]-pulumi-token-suffix                      
     ├─ random:index:RandomString            [***]-pulumi-token-suffix              
     ├─ random:index:RandomString            [***]-pulumi-token-suffix                  
     ├─ random:index:RandomString            [***]-pulumi-token-suffix                    
 +   ├─ pulumiservice:index:TeamAccessToken  [***]-token                 create     
 +   │  └─ github:index:ActionsSecret        [***]-actions-secret        create     
     ├─ random:index:RandomString            [***]-pulumi-token-suffix             
 +   ├─ pulumiservice:index:TeamAccessToken  [***]-token                     create     
 +   │  └─ github:index:ActionsSecret        [***]-actions-secret            create     
 +   ├─ pulumiservice:index:TeamAccessToken  [***]-token                         create     
 +   │  └─ github:index:ActionsSecret        [***]-actions-secret                create     
 +   ├─ pulumiservice:index:TeamAccessToken  [***]-token                       create     
 +   │  └─ github:index:ActionsSecret        [***]-actions-secret              create     
 +   └─ pulumiservice:index:TeamAccessToken  [***]-token                create     
 +      └─ github:index:ActionsSecret        [***]-actions-secret       create     

Resources:
    + 10 to create
    6 unchanged

➜ p about
CLI          
Version      3.91.1
Go Version   go1.21.3
Go Compiler  gc

Plugins
NAME           VERSION
aws            6.7.0
github         5.22.0
kubernetes     4.5.3
nodejs         unknown
pulumiservice  0.14.0
random         4.14.0

Host     
OS       darwin
Version  14.0
Arch     arm64

This project is written in nodejs: executable='/Users/chris/.nvm/versions/node/v18.17.0/bin/node' version='v18.17.0'

Backend        
Name           pulumi.com
URL            https://app.pulumi.com/theplatformer
User           theplatformer
Organizations  theplatformer, ***
Token type     personal

Dependencies:
NAME                              VERSION
@pulumi/kubernetes                4.5.3
@pulumi/pulumiservice             0.14.0
@pulumi/github                    5.22.0
@pulumi/pulumi                    3.91.1
@pulumi/random                    4.14.0
@typescript-eslint/parser         6.9.1
prettier                          3.0.3
@pulumi/aws                       6.7.0
eslint                            8.52.0
@types/node                       18.17.1
eslint-config-prettier            9.0.0
fast-glob                         3.3.1
json-schema-to-typescript         13.1.1
yaml                              2.3.3
@typescript-eslint/eslint-plugin  6.9.1

Thanks!

@aureq aureq reopened this Nov 16, 2023
@aureq aureq removed the resolution/fixed This issue was fixed label Nov 16, 2023
@komalali
Copy link
Member

Whoops sorry about that @theplatformer - you're totally right, that PR only touched the AccessToken resource. We'll need a similar fix for the TeamAccessToken resource.

@komalali komalali mentioned this issue Nov 16, 2023
Merged
@cleverguy25 cleverguy25 modified the milestones: 0.97, 0.96 Nov 17, 2023
komalali added a commit that referenced this issue Nov 17, 2023
@komalali
Allow refreshing org and team tokens (#191)
6c88d5c 
Fixes #159
@pulumi-bot pulumi-bot added the resolution/fixed This issue was fixed label Nov 17, 2023
@komalali
Copy link
Member

This should be fixed in the latest release, v0.15.0 - feel free to reopen if the issue isn't resolved!

@theplatformer
Copy link

Thanks @komalali. Unfortunately it is still wanting to create the team tokens with v0.15.0.

➜ p preview --refresh=true 
Previewing update (***)

View in Browser (Ctrl+O): https://app.pulumi.com/***

     Type                                    Name                               Plan       
     pulumi:pulumi:Stack                     ***                                   
     ├─ random:index:RandomString            [***]-pulumi-token-suffix                      
     ├─ random:index:RandomString            [***]-pulumi-token-suffix              
     ├─ random:index:RandomString            [***]-pulumi-token-suffix                  
     ├─ random:index:RandomString            [***]-pulumi-token-suffix                    
 +   ├─ pulumiservice:index:TeamAccessToken  [***]-token                        create     
 +   │  └─ github:index:ActionsSecret        [***]-actions-secret               create     
     ├─ random:index:RandomString            [***]-pulumi-token-suffix             
 +   ├─ pulumiservice:index:TeamAccessToken  [***]-token                        create     
 +   │  └─ github:index:ActionsSecret        [***]-actions-secret               create     
 +   ├─ pulumiservice:index:TeamAccessToken  [***]-token                        create     
 +   │  └─ github:index:ActionsSecret        [***]-actions-secret               create     
 +   ├─ pulumiservice:index:TeamAccessToken  [***]-token                        create     
 +   │  └─ github:index:ActionsSecret        [***]-actions-secret               create     
 +   └─ pulumiservice:index:TeamAccessToken  [***]-token                        create     
 +      └─ github:index:ActionsSecret        [***]-actions-secret               create     

Resources:
    + 10 to create
    6 unchanged

Interestingly, running the preview with --refresh=false now wants to replace the tokens...

➜ p preview --refresh=false
Previewing update (***)

View in Browser (Ctrl+O): https://app.pulumi.com/***

     Type                                    Name                         Plan        Info
     pulumi:pulumi:Stack                     ***                              
 +-  ├─ pulumiservice:index:TeamAccessToken  [***]-token                  replace     [diff: +description,name,organizationName,teamName-__inputs,value~provider]
 +-  │  └─ github:index:ActionsSecret        [***]-actions-secret         replace     [diff: ~plaintextValue]
 +-  ├─ pulumiservice:index:TeamAccessToken  [***]-token                  replace     [diff: +description,name,organizationName,teamName-__inputs,value~provider]
 +-  │  └─ github:index:ActionsSecret        [***]-actions-secret         replace     [diff: ~plaintextValue]
 +-  ├─ pulumiservice:index:TeamAccessToken  [***]-token                  replace     [diff: +description,name,organizationName,teamName-__inputs,value~provider]
 +-  │  └─ github:index:ActionsSecret        [***]-actions-secret         replace     [diff: ~plaintextValue]
 +-  ├─ pulumiservice:index:TeamAccessToken  [***]-token                  replace     [diff: +description,name,organizationName,teamName-__inputs,value~provider]
 +-  │  └─ github:index:ActionsSecret        [***]-actions-secret         replace     [diff: ~plaintextValue]
 +-  └─ pulumiservice:index:TeamAccessToken  [***]-token                  replace     [diff: +description,name,organizationName,teamName-__inputs,value~provider]
 +-     └─ github:index:ActionsSecret        [***]-actions-secret         replace     [diff: ~plaintextValue]

Resources:
    +-10 to replace
    6 unchanged

Reverting back to v0.14.0 for now so we can continue running with --refresh=false.

@aureq aureq reopened this Nov 18, 2023
@komalali
Copy link
Member

🤦🏽 Yikes! Apologies for the back and forth here. I am able to repro the issue you're seeing with refresh=false, but I'm not able to repro the create on up. I have a fix for the first issue, I'll need to do some more testing to repro the create problem but hopeful to have this resolved once and for all early next week.

@komalali komalali removed the resolution/fixed This issue was fixed label Nov 18, 2023
@theplatformer
Copy link

All good @komalali! Appreciate the efforts 🙇

@komalali komalali mentioned this issue Nov 19, 2023
Merged
komalali added a commit that referenced this issue Nov 20, 2023
@komalali
Allow refreshing org and team tokens (#191)
6d5109b 
Fixes #159
@cleverguy25 cleverguy25 modified the milestones: 0.96, 0.97 Nov 20, 2023
komalali added a commit that referenced this issue Nov 20, 2023
@komalali
Fix diff functions for access tokens (#192)
fe512f8 
Fixes a regression introduced in #191, fixes the diff functions for team
tokens and org tokens to correctly replace on changes and adds tests.

Also fixed a bug in teams where an update was detected based on the
order of team members.

Fixes #159
Fixes #158
@pulumi-bot pulumi-bot added the resolution/fixed This issue was fixed label Nov 20, 2023
@komalali
Copy link
Member

@theplatformer pushing out a new release now - but I'm slightly concerned about the fact that pulumi up --refresh was showing a Create for you. I'm curious to hear what the result is with the new version. If you're still running into issues I might need to take a look at your state file to see if we can pinpoint the issue. Let me know if you're still unresolved with v0.16.0

@cleverguy25 cleverguy25 modified the milestones: 0.97, 0.96 Nov 20, 2023
@theplatformer
Copy link

@komalali No luck unfortunately, though things have changed a little. --refresh=false is still showing replace but for a different diff this time, and only for 4 of the Team Tokens instead of 5.

➜ p preview --refresh=false
Previewing update (***)

View in Browser (Ctrl+O): https://app.pulumi.com/***

     Type                                    Name                        Plan        Info
     pulumi:pulumi:Stack                     ***                              
 +-  ├─ pulumiservice:index:TeamAccessToken  [***]-token                 replace     [diff: ~provider]
 +-  │  └─ github:index:ActionsSecret        [***]-actions-secret        replace     [diff: ~plaintextValue]
 +-  ├─ pulumiservice:index:TeamAccessToken  [***]-token                 replace     [diff: ~provider]
 +-  │  └─ github:index:ActionsSecret        [***]-actions-secret        replace     [diff: ~plaintextValue]
 +-  ├─ pulumiservice:index:TeamAccessToken  [***]-token                 replace     [diff: ~provider]
 +-  │  └─ github:index:ActionsSecret        [***]-actions-secret        replace     [diff: ~plaintextValue]
 +-  └─ pulumiservice:index:TeamAccessToken  [***]-token                 replace     [diff: ~provider]
 +-     └─ github:index:ActionsSecret        [***]-actions-secret        replace     [diff: ~plaintextValue]

Resources:
    +-8 to replace
    8 unchanged

I don't have a theory as to why the fifth token isn't showing as a replace. It was the most recent one added in the project, but I've just had a look and they were all added with @pulumi/pulumiservice v0.10.0.

This is an example of the --diff output...

➜ p preview --refresh=false --diff
Previewing update (***)

View Live: https://app.pulumi.com/***

  pulumi:pulumi:Stack: (same)
    [urn=urn:pulumi:pulumi::***::pulumi:pulumi:Stack::***]
    +-pulumiservice:index:TeamAccessToken: (replace)
        [id=***/***/***-282v4iw/48a3738c-95a8-4ad2-b904-94d023727fd6]
        [urn=urn:pulumi:pulumi::***::pulumiservice:index:TeamAccessToken::[***]-token]
        [provider: urn:pulumi:pulumi::***::pulumi:providers:pulumiservice::default_0_14_0::71e46d9e-2cdd-45e4-b8b7-23224b5d2cb9 => urn:pulumi:pulumi::***::pulumi:providers:pulumiservice::default_0_16_0::output<string>]
        description     : "***"
        name            : "***-282v4iw"
        organizationName: "***"
        teamName        : "***"

--refresh=true is still showing as create for all of them...

➜ p preview --refresh=true 
Previewing update (***)

View in Browser (Ctrl+O): https://app.pulumi.com/***

     Type                                    Name                              Plan       
     pulumi:pulumi:Stack                     ***                                   
     ├─ random:index:RandomString            [***]-pulumi-token-suffix                    
     ├─ random:index:RandomString            [***]-pulumi-token-suffix                  
 +   ├─ pulumiservice:index:TeamAccessToken  [***]-token                       create     
 +   │  └─ github:index:ActionsSecret        [***]-actions-secret              create     
     ├─ random:index:RandomString            [***]-pulumi-token-suffix                      
     ├─ random:index:RandomString            [***]-pulumi-token-suffix              
     ├─ random:index:RandomString            [***]-pulumi-token-suffix             
 +   ├─ pulumiservice:index:TeamAccessToken  [***]-token                       create     
 +   │  └─ github:index:ActionsSecret        [***]-actions-secret              create     
 +   ├─ pulumiservice:index:TeamAccessToken  [***]-token                       create     
 +   │  └─ github:index:ActionsSecret        [***]-actions-secret              create     
 +   ├─ pulumiservice:index:TeamAccessToken  [***]-token                       create     
 +   │  └─ github:index:ActionsSecret        [***]-actions-secret              create     
 +   └─ pulumiservice:index:TeamAccessToken  [***]-token                       create     
 +      └─ github:index:ActionsSecret        [***]-actions-secret              create     

Resources:
    + 10 to create
    6 unchanged

There was a support ticket (#3353) from when I originally hit the issue but I believe it has been closed now. It might be easier to touch base over Slack? @aureq could you maybe make an intro? Thanks!

@aureq aureq mentioned this issue Nov 21, 2023
Closed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees

@komalali komalali

Labels
kind/bug Some behavior is incorrect or out of spec resolution/fixed This issue was fixed
Projects
None yet
Milestone
0.96
5 participants
@aureq @cleverguy25 @komalali @theplatformer @pulumi-bot