Cannot import resources when provider has default tags #4030
Comments
Thanks for reaching out @piotr-bzdyl-vertexinc! I'm sorry you're running into those issues. I'm gonna have a look into this to see if I can find the cause or find a workaround.
@piotr-bzdyl-vertexinc Sorry it seems like we're incorrectly handling the merge of default tags and regular tags during imports! As a workaround you can try adding an
With that change the import works for me locally. Without it fails with a diff in tags because they wrongly include the default tags as well:
That's strange as I did try the following workarounds before opening this issue (I'm sorry for not mentioning it earlier):
Also I double checked your suggestion with
@piotr-bzdyl-vertexinc I see that you have the following provider config in your example:
Can you try without the conditional default tags like so:
As a possible workaround would
Yes, manual
@piotr-bzdyl-vertexinc did the updated example from above without the conditional default tags work? I'm not able to reproduce it this way in combination with
@flostadler the whole point of the conditional in the repro case was to create a resource with a different set of tags (as if it was created e.g. by Terraform) and then try to import it to a program that uses a different set of tags in the default tags configuration.
@piotr-bzdyl-vertexinc Got it! In that case both the I updated your code example to ignore changes to both

Code example

```python
import pulumi
import pulumi_aws

test_import = pulumi.Config().get_bool("test_import")
bucket_name = "defaulttags-import-issue-other"

# Default tags are only configured on the import run, so the bucket is
# first created without them and then imported with them.
provider = pulumi_aws.Provider(
    "aws",
    default_tags={
        "tags": {
            "Project": "x",
            "Environment": "dev",
            "CodeRepository": "infra",
        }
    } if test_import else None,
)

pulumi_aws.s3.BucketV2(
    bucket_name,
    bucket=bucket_name,
    tags={
        "Environment": "dev",
        "CodeRepository": "legacy-infra",
        "CreatedBy": "terraform",
    },
    opts=pulumi.ResourceOptions(
        import_=bucket_name if test_import else None,
        provider=provider,
        retain_on_delete=True,
        # Ignore differences on both tag properties during the import.
        ignore_changes=["tags", "tagsAll"],
    ),
)
```

And here's the according test logs:

Test logs
Does this solve your issue? |
@flostadler Yes, indeed, adding both
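The tag mismatch discussed above can be checked before an import is attempted. This is an added example, not code from the thread or from pulumi-aws: the function names are hypothetical, and the merge rule (resource-level tags override provider default tags on the same key) is an assumption. The tag values are the ones from the code example above.

```python
"""Pre-import tag check (added example, not pulumi-aws code)."""


def effective_tags(default_tags, resource_tags):
    # Assumed merge rule: provider default tags first, then resource-level
    # tags, which win when both define the same key.
    merged = dict(default_tags or {})
    merged.update(resource_tags or {})
    return merged


def import_tag_diff(remote_tags, default_tags, resource_tags):
    """Compare tags on the existing resource with what the program asks for."""
    wanted = effective_tags(default_tags, resource_tags)
    remote = dict(remote_tags or {})
    return {
        "add": {k: v for k, v in wanted.items() if k not in remote},
        "change": {k: (remote[k], v) for k, v in wanted.items()
                   if k in remote and remote[k] != v},
        "remove": {k: v for k, v in remote.items() if k not in wanted},
    }


def is_clean(diff):
    # True when the program's tags already match the existing resource.
    return not any(diff.values())


# Tag values taken from the code example above.
RESOURCE_TAGS = {
    "Environment": "dev",
    "CodeRepository": "legacy-infra",
    "CreatedBy": "terraform",
}
DEFAULT_TAGS = {"Project": "x", "Environment": "dev", "CodeRepository": "infra"}
# The bucket was first created with no provider default tags configured.
REMOTE_TAGS = effective_tags(None, RESOURCE_TAGS)

if __name__ == "__main__":
    diff = import_tag_diff(REMOTE_TAGS, DEFAULT_TAGS, RESOURCE_TAGS)
    for kind, entries in diff.items():
        print(kind, entries)
    print("clean:", is_clean(diff))
```

A non-empty `add` or `change` entry is a real difference between the existing resource and the program, which has to be resolved by aligning the tags or by ignoring changes to the tag properties as in the example above.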
We have special logic around applying default provider tags to resources. This logic only applied to the `Check` call which means it was not applied when you were importing resources. This PR extends that logic to also run during the `Read` call. fix #4030, fix 4080
# This is the 1st commit message:

Fix import resources with provider default tags

We have special logic around applying default provider tags to resources. This logic only applied to the `Check` call which means it was not applied when you were importing resources. This PR extends that logic to also run during the `Read` call.

fix #4030, fix 4080

# This is the commit message #2:

skip test

# This is the commit message #3:

fixing test

# This is the commit message #4:

Adding more tests

# This is the commit message #5:

Upgrade pulumi-terraform-bridge to v3.86.0 (#4160)

This PR was generated via `$ upgrade-provider pulumi/pulumi-aws --kind=bridge --pr-reviewers=guineveresaenger`.

Fixes #4091
Fixes #4137

---

- Upgrading pulumi-terraform-bridge from v3.85.0 to v3.86.0.
- Upgrading pulumi-terraform-bridge/pf from v0.38.0 to v0.39.0.

# This is the commit message #6:

chore: run upstream provider-lint (#4120)

This adds a step for running the upstream `provider-lint` make target. As part of this I had to fix some of the patches which violated some lint rules.

**0009-Add-ECR-credentials_data_source.patch**
- `ForceNew` does not apply to data sources

**0032-DisableTagSchemaCheck-for-PF-provider.patch**
- Schema have to have a `Type`
- Also needed to add an ignore for `S013` which forces `Computed`, `Optional` or `Required` to be set. Looks like it can't recognize the `tagsComputed` var

**0034-Fail-fast-when-PF-resources-are-dropped.patch**
- Added a lint ignore for a rule which doesn't allow panics

**0050-Normalize-retentionDays-in-aws_controltower_landing_.patch**
- This test doesn't actually need a region or partition so replacing with a placeholder

closes #4110

# This is the commit message #7:

fix: CVE-2024-24791 (#4175)

Fixes #4163

Upgrades minimally required Go versions to those unaffected by CVE-2024-24791.
Slight variation for readability:

```python
import pulumi
import pulumi_aws

test_import = pulumi.Config().get_bool("test_import")
bucket_name = "pulumi-aws-defaulttags-import-issue-anton-6"

provider = pulumi_aws.Provider(
    "aws1",
    default_tags={
        "tags": {
            "Environment": "dev",
            "CodeRepository": "infra",
        }
    }
)

if not test_import:
    print('PROVISIONING')
    pulumi_aws.s3.BucketV2(
        bucket_name,
        bucket=bucket_name,
        tags={
            "CodeRepository": "legacy-infra",
            "CreatedBy": "terraform",
        },
        opts=pulumi.ResourceOptions(provider=provider))
else:
    print('IMPORTING')
    pulumi_aws.s3.BucketV2(
        bucket_name,
        bucket=bucket_name,
        tags={
            "CodeRepository": "legacy-infra",
            "CreatedBy": "terraform",
        },
        opts=pulumi.ResourceOptions(provider=provider, import_=bucket_name))
```

```bash
#!/usr/bin/env bash
set -euo pipefail
pulumi destroy --yes --skip-preview
pulumi stack export --file empty-state.json
pulumi config set test_import false
pulumi up --yes --skip-preview
pulumi stack import --file empty-state.json
sleep 5
pulumi config set test_import true
pulumi up --yes --skip-preview
```

This fails on latest but succeeds on pulumi-aws 5.42.0.
We have special logic around applying default provider tags to resources. This logic only applied to the `Check` call which means it was not applied when you were importing resources.

This PR extends that logic to also run during the `Read` call by utilizing `TransformOutputs`. While it is true that `TransformOutputs` also runs during `Create` & `Update` this is a side effect that I think is ok. From my understanding `tags` and `tagsAll` should always be equal. If we have an additional place where we make sure they are equal it shouldn't harm anything.

I've added tests (see `testTagsPulumiLifecycle`) which test the complete lifecycle of a pulumi program

1. `Up` with both provider `defaultTags`/`ignoreTags` and resource level `tags`
   1a. Run validations on result
2. `Refresh` with no changes
3. `Import` using the resource option. Ensures resource can be successfully imported
   3a. Allows for a hook to be run prior to import being run. e.g. Add tags remotely
4. `Import` using the CLI. Ensures resources can be successfully imported
   4a. Allows for a hook to be run prior to import being run. e.g. Add tags remotely
5. `Refresh` with no changes

fix #4030, fix #4080, fix #3311
This issue has been addressed in PR #4169 and shipped in release v6.45.2.
Describe what happened
When an AWS provider instance has `defaultTags` configured, AWS resources cannot be imported into Pulumi state using `pulumi up` because of differences shown by pulumi in the imported resource tags.
Sample program
Log output
Affected Resource(s)
No response
Output of `pulumi about`
Additional context
No response