Fix import resources with provider default tags

[corymhall]

We have special logic around applying default provider tags to
resources. This logic only applied to the Check call which means it
was not applied when you were importing resources. This PR extends that
logic to also run during the Read call by utilizing TransformOutputs.

While it is true that TransformOutputs also runs during Create & Update
this is a side effect that I think is ok. From my understanding tags and tagsAll
should always be equal. If we have an additional place where we make sure they are equal
it shouldn't harm anything.

I've added tests (see testTagsPulumiLifecycle) which test the complete lifecycle of a pulumi program

1. Up with both provider defaultTags/ignoreTags and resource level tags
   1a. Run validations on result
2. Refresh with no changes
3. Import using the resource option. Ensures resource can be successfully imported
   3a. Allows for a hook to be run prior to import being run. e.g. Add tags remotely
4. Import using the CLI. Ensures resources can be successfully imported
   4a. Allows for a hook to be run prior to import being run. e.g. Add tags remotely
5. Refresh with no changes

fix #4030, fix #4080, fix #3311

[github-actions]

Does the PR have any schema changes?

Looking good! No breaking changes found.
No new resources/functions.

Maintainer note: consult the runbook for dealing with any breaking changes.

[t0yv0]

I'd appreciate a little bit of elaboration here on what we're trying to do, and how does it work, I see this:

As written, allTags = mergeTags(ctx, config.tags, {defaultTags: config.tagsAll}).

I think if I recall what TransformOutputs is doing this will be assigning config to the tags and tagsAll coming out of the TF provider. This seems to then ignore the current defaultTags on the provider itself as it were.

Why does this work? I thought perhaps we're not trusting the tags_all output from the provider internals, is it useful here?

[flostadler]

Why do we set allTags to tags? Shouldn't tags only include the tags specified on the resource?

[t0yv0]

Yeah I was also confused here, I was expecting something like this:

• (1) we receive data from the Read call that has "tags" and "tags_all"

• (2) I think here we need to understand what this data is and do we trust it; e.g. the TF provider would be grabbing all tags from the AWS hopefully, but then it would also possibly applying the defaultTags to that result to either union or exclude them? We had to disable this behavior for Create/Update lifecycle since we couldn't get the implementation to behave correctly and trust it; perhaps something similar needs to be tweaked here for reads

• (3) suppose we figured out (2) correctly and we obtained what we believe is the set of in-AWS resource tags. Now what do we decide to surface as "tags". Perhaps here we want to exclude surfacing a k:v pair in "tags" if the defaultTags already has it set at provider level. So perhaps take the set difference here?

Unfortunately it's more complicated than this as TransformOutputs hook is hiding some differences around the context this code is executing in. Let me add below.

[t0yv0]

ResourceProvider.Read we're trying to modify here is very overloaded in Pulumi unfortunately, so there's a matrix of case here to consider.

Case 1: pulumi import on the CLI

pulumi import 'aws:iam/user:User' name id

Relatively simple version where there are no program inputs to consider and the objective is to generate a minimal program. The program would be minimal if all cloud tags that are already in defaultTags are omitted.

Case 2: import with resource option

I think this is somehow meaningfully different from vanilla import because it has some resource inputs to consider from the program. If the program specifies an input tag k:v in the inputs and the cloud doesn't have it or has a contradicting value, Pulumi should probably be failing saying that the inputs do not match so that the user fixes up the program before proceeding. If the program does not specify the tag k:v that cloud has, but defaultTags do, then we should proceed without warning.

opts=pulumi.ResourceOptions(import_=bucket_name)

Case 3: pulumi refresh

This one is interesting because it starts engaging bridge heuristics ExtractInputsFromOutputs to try to guess which cloud value is an input and which one is an output. I think it's pretty crude right now and might not do what we'd like for tags, worth thinking through.

Case 4: Bucket.get()

This one I have a bit of a knowledge gap and need to brush up on, but I think it will also call Read.

[t0yv0]

The additional matrix dimension is that resources can be PF based or SDKv2 based and the underlying TF behavior can be different .

[t0yv0]

TransformOutputs is a blunt tool since it will not only modify Read results, but also modify Create and Update results, and it can't yet understand which kind of Read context it's operating in. There's some additional burden on verifying these changes don't affect Create/Update but looks like the test suite passed so that might be working just fine. I'm wondering if we need something more granular here..

[corymhall]

@t0yv0 @flostadler here is what my current understanding is.

There are two fields that track tags on a resource;

• tags - These are the tags that are applied to the resource itself.

new aws.s3.BucketV2('bucket', {
  tags: {
    SomeKey: 'SomeValue',
  },
});

• tagsAll/defaultTags - These are the tags that are specified on the provider and apply to all resources under that provider.

new aws.Provider('aws', {
  defaultTags: {
    tags: {
      GlobalTag: 'Value',
    },
  },
});

When it comes time to apply these tags to a resource we merge the tags into a single list of tags. The way that we do this is a hack on the pulumi side as part of the PreCheckCallback. All the tags specified in defaultTags are merged into the resource tags so that it contains all the tags that need to be created on the resource. This runs during the Check request which runs prior to Create & Update so that the output of Check contains the merged tags and is passed into Create/Update.

From what I can tell, the intention is for tags and tagsAll to always be equal.

Example

If I were to create a resource with this configuration (both defaultTags & tags)

const provider = new aws.Provider('aws', {
  defaultTags: {
    tags: {
      GlobalTag: 'Value',
    },
  },
});

new aws.s3.BucketV2('bucket', {
  tags: {
    LocalTag: 'Value',
  },
}, { provider });

The state of the bucket resource will have the tags like this (merged together):

{
  "resources": [
    {
        "type": "aws:s3/bucketV2:BucketV2",
        "inputs": {
            "tags": {
                "GlobalTag": "Value",
                "LocalTag": "Value"
            },
            "tagsAll": {
                "GlobalTag": "Value",
                "LocalTag": "Value"
            }
        },
        "outputs": {
            "tags": {
                "GlobalTag": "Value",
                "LocalTag": "Value"
            },
            "tagsAll": {
                "GlobalTag": "Value",
                "LocalTag": "Value"
            }
        }
    }
  ]
}

If I were to then go an add a new tag in the console ConsoleTag and change the values of GlobalTag & LocalTag and then run a refresh it will show a diff for both tags and tags all. Everything works correctly because the inputs to read & diff is the current state which contains all the tags.

{
  "method": "/pulumirpc.ResourceProvider/Read",
  "request": {...},
  "response": {
      "tags": {
          "GlobalTag": "ValueOther",
          "LocalTag": "ValueOther",
          "ConsoleTag": "Value"
      },
      "tagsAll": {
          "GlobalTag": "ValueOther",
          "LocalTag": "ValueOther",
          "ConsoleTag": "Value"
      },
    "inputs": {
      "tags": {
          "GlobalTag": "Value",
          "LocalTag": "Value"
      },
      "tagsAll": {
          "GlobalTag": "Value",
          "LocalTag": "Value"
      }
    }
  }
}
{
  "method": "/pulumirpc.ResourceProvider/Diff",
  "request": {
    "olds": {
      "tags": {
          "GlobalTag": "ValueOther",
          "LocalTag": "ValueOther",
          "ConsoleTag": "Value"
      },
      "tagsAll": {
          "GlobalTag": "ValueOther",
          "LocalTag": "ValueOther",
          "ConsoleTag": "Value"
      }
    },
    "news": {
      "tags": {
          "GlobalTag": "Value",
          "LocalTag": "Value"
      },
      "tagsAll": {
          "GlobalTag": "Value",
          "LocalTag": "Value"
      }
    },
    "oldInputs": {
      "tags": {
          "GlobalTag": "Value",
          "LocalTag": "Value"
      },
      "tagsAll": {
          "GlobalTag": "Value",
          "LocalTag": "Value"
      }
    }
  },
  "response": {
    "changes": "DIFF_SOME",
    "diffs": ["tags","tags","tags","tagsAll","tagsAll","tagsAll"],
    "detailedDiff": {...},
    "hasDetailedDiff": true
  }
}

If instead I try and import a resource with the same configuration of tags there would be no existing state to rely on. The state would be produced by the output of the read call. When I run an import it will call Read -> Check -> Diff. The inputs to Diff will be:

• olds: produced by Read. There is a difference between tags & tagsAll because it is not merging them together.
• news: produced by Check. Check runs PreCheckCallBack and produces a merged tags & tagsAll.

This always leads to a diff because we are comparing an unmerged tags & tagsAll produced by Read with a merged tags & tagsAll produced by Check.

{
  "method": "/pulumirpc.ResourceProvider/Read",
  "request": {"properties": {}},
  "response": {
    "properties": {
      "tags": {
        "LocalTag": "Value"
      },
      "tagsAll": {
        "GlobalTag": "Value"
      },
    },
    "inputs": {
      "tags": {
        "LocalTag": "Value"
      },
      "tagsAll": {
        "GlobalTag": "Value"
      }
    }
  }
}
{
  "method": "/pulumirpc.ResourceProvider/Check",
  "request": {
    "olds": {
      "tags": {
       "LocalTag": "Value"
      },
      "tagsAll": {
        "GlobalTag": "Value"
      }
    },
    "news": {
      "tags": {
         "LocalTag": "Value" 
      }
    }
  },
  "response": {
    "inputs": {
      "tags": {
         "LocalTag": "Value" ,
        "GlobalTag": "Value"
      },
      "tagsAll": {
         "LocalTag": "Value" ,
        "GlobalTag": "Value"
      }
    }
  }
}
{
  "method": "/pulumirpc.ResourceProvider/Diff",
  "request": {
    "olds": {
      "tags": {
         "LocalTag": "Value" 
      },
      "tagsAll": {
        "GlobalTag": "Value"
      }
    },
    "news": {
      "tags": {
         "LocalTag": "Value" ,
        "GlobalTag": "Value"
      },
      "tagsAll": {
         "LocalTag": "Value" ,
        "GlobalTag": "Value"
      }
    },
    "oldInputs": {
      "tags": {
         "LocalTag": "Value" 
      },
      "tagsAll": {
         "LocalTag": "Value" ,
        "GlobalTag": "Value"
      }
    }
  },
  "response": {
    "changes": "DIFF_SOME",
    "diffs": [ "tags", "tags", "tags" ],
    "detailedDiff": {...},
    "hasDetailedDiff": true
  }
}

What this PR attempts to do is to apply the same type of hack that we do in PreCheckCallback to the TransformOutputs that is run during Read, Create, & Update. Looking at the above example, we need the Read call to produce a merged tags & tagsAll, which we can do as part of TransformOutputs.

TransformOutputs is a blunt tool since it will not only modify Read results, but also modify Create and Update results, and it can't yet understand which kind of Read context it's operating in.

I think this only matters in a case where we want tags & tagsAll (on a resource) to be different. Unless I am misunderstanding something I don't think there is ever a scenario where this is true. In that case it shouldn't matter that we merge tags & tagsAll in an additional callback.

[VenelinMartinov]

@corymhall Do you have some background on

From what I can tell, the intention is for tags and tagsAll to always be equal.

This is not what TF does:

provider "aws" {
  region = "us-east-1"
  default_tags {
    tags = {
      GlobalTag = "GlobalVal"
    }
  }
}

# s3 bucket
resource "aws_s3_bucket" "bucket" {
  bucket_prefix = "mybucket"
  tags = {
    "localTag" = "localValue"
  }
}

produces

"tags": {
  "localTag": "localValue"
},
"tags_all": {
  "GlobalTag": "GlobalVal",
  "localTag": "localValue"
},

which makes sense to me. Why are we doing something different here?

[corymhall]

which makes sense to me. Why are we doing something different here?

Apparently there are a lot of upstream issues around tagging and we decided to do something about it on our side. I think @t0yv0 and @iwahbe are most familiar with this and they are both out this week.

pulumi-aws/provider/tags.go

Lines 25 to 45 in 0063967

	// Apply provider tags to an individual resource.
	//
	// Historically, Pulumi has struggles to handle the "tags" and "tags_all" fields correctly:
	// - https://github.com/pulumi/pulumi-aws/issues/2633
	// - https://github.com/pulumi/pulumi-aws/issues/1655
	//
	// terraform-provider-aws has also struggled with implementing their desired behavior:
	// - https://github.com/hashicorp/terraform-provider-aws/issues/29747
	// - https://github.com/hashicorp/terraform-provider-aws/issues/29842
	// - https://github.com/hashicorp/terraform-provider-aws/issues/24449
	//
	// The Terraform lifecycle simply does not have a good way to map provider configuration
	// onto resource values, so terraform-provider-aws is forced to work around limitations in
	// unreliable ways. For example, terraform-provider-aws does not apply tags correctly with
	// -refresh=false.
	//
	// This gives pulumi the same limitations by default. However, unlike Terraform, Pulumi
	// does have a clear way to insert provider configuration into resource properties:
	// Check. By writing a custom check function that applies "default_tags" to "tags" before
	// the Terraform provider sees any resource configuration, we can give a consistent,
	// reliable and good experience for Pulumi users.

[flostadler]

What if we just create a test for each of the scenarios Anton mentioned? I think that should ensure nothing unexpected breaks.
The cli import might be tricky to test, but we can also test that manually if necessary.

[VenelinMartinov]

Thanks for the background @corymhall

The cli import might be tricky to test, but we can also test that manually if necessary.

#3859 has an example of importing in a test.

[VenelinMartinov]

Note that TransformOutputs affects Create and Update, not just read - is this intended here?

[corymhall]

It's a side effect, but as long as it is true that tags and defaultTags should always be equal then I think we are fine.

[flostadler]

Is my understanding correct that instead of following terraform's behavior of merging tags and default_tags into tags_all, we manually do the merge and set the result to both tags/tagsAll. Your change is adding that to the read code path as well.

What I'm still missing is why we need all of the special tag handling? In what areas does terraforms tagging fall short? Are we sure that it's still broken (the tests you've added might be good regression tests to check if we still need it)? Those are rather questions for @t0yv0 / @iwahbe I guess.

The change looks good to me, the tests are great! I think we should add some tests for the static get functions as well though.

[flostadler]

Nit: we could generalize this using tag:TagResources which can tag all taggable resources.

[corymhall]

Updated!

[flostadler]

We should test the static get functions as well ideally because we're changing the behavior of read

[corymhall]

Added!

[corymhall]

@t0yv0

The correct behavior is probably evident in the logs but asserts could be tightened a bit to make it more precise, namely not only verifying import succeeds but it produces the "desired" program

That's a good idea, i'll work on adding that.

once we have a more comprehensive test suite that passes that'd be preferable to doing the work in the wrapped provider

This is one of my big questions - what kind of tests do we need to add in order to be confident of the changes?

I suspect a more robust fix can be obtained by ignoring tagsAll returned in the outputs and just merging tags and defaultTags?

This might be more inline with the current PreCheckCallback hook, but we currently do not get the defaultTags from config in the TransformOutputs. Should we create a new PostReadCallback hook in the bridge to cover this scenario?

[corymhall]

@t0yv0

The correct behavior is probably evident in the logs but asserts could be tightened a bit to make it more precise, namely not only verifying import succeeds but it produces the "desired" program

I'm actually not sure that it is possible to generate the desire program. I think we can choose to have pulumi up (with import) work or have pulumi import generate a correct program, but not both.

In the current state (before this PR):

pulumi import generates the program based on Read (where tags != tagsAll)

{
  "method": "/pulumirpc.ResourceProvider/Read",
  "request": {},
  "response": {
    "inputs": {
      "tags": {
        "LocalTag": "foo"
      },
      "tagsAll": {
        "GlobalTag": "bar",
        "LocalTag": "foo"
      }
    }
  }
}

pulumi up performs the diff based on the response from Read vs the response from Check (which is setting tags=tagsAll)

{
  "method": "/pulumirpc.ResourceProvider/Check",
  "request": {...},
  "response": {
    "inputs": {
      "tags": {
        "GlobalTag": "bar",
        "LocalTag": "foo"
      },
      "tagsAll": {
        "GlobalTag": "bar",
        "LocalTag": "foo"
      }
    }
  }
}

So we have two options:

1. Have tags != tagsAll in order for pulumi import to generate the correct program
2. Have tags == tagsAll in order for pulumi up to import successfully

[iwahbe]

We need the special tags handling because terraform-provider-aws's native tags handling relies on refresh for correctness, and so doesn't work for most Pulumi users.

[corymhall]

We need the special tags handling because terraform-provider-aws's native tags handling relies on refresh for correctness, and so doesn't work for most Pulumi users.

@iwahbe can you expand on what this means?

[iwahbe]

We need the special tags handling because terraform-provider-aws's native tags handling relies on refresh for correctness, and so doesn't work for most Pulumi users.

@iwahbe can you expand on what this means?

I expanded a bit here: #4230 (comment).

Basically, if you run terraform apply -refresh=false then default tags do not work as expected (they don't delete, or they don't add...). This has improved since we last looked at it, but a cursory test shows that major functionality still doesn't work as expected.

[t0yv0]

Subset and not Equal? Why? Interesting.

[corymhall]

Updated.

[t0yv0]

Are these comments still useful?

[corymhall]

Added another comment with link to the issue. When the issue is fixed the code can be uncommented.

[t0yv0]

This is interesting, is this something worth linking a ticket to? Thank you.

[corymhall]

Added another comment with link to the issue.

[pulumi-bot]

This PR has been shipped in release v6.45.2.