Skip to content

Commit

Permalink
Don't bail at preview when a protected resource needs replacement (#1…
Browse files Browse the repository at this point in the history 
…5969)

<!--- 
Thanks so much for your contribution! If this is your first time
contributing, please ensure that you have read the
[CONTRIBUTING](https://github.com/pulumi/pulumi/blob/master/CONTRIBUTING.md)
documentation.
-->

# Description

Don't bail at preview when a protected resource needs replacement, just
error. This makes sure that users can see the actual diff that causes
the replacement.

Fixes #5027

Before:

```
$ pulumi preview
Type                                     Name                  Plan     Info
     pulumi:pulumi:Stack                      azure-native-ts-dev2           
     └─ azure-native:resources:ResourceGroup  rg                             1 error

Diagnostics:
  azure-native:resources:ResourceGroup (rg):
    error: unable to replace resource "urn:pulumi:dev2::azure-native-ts::azure-native:resources:ResourceGroup::rg"
    as it is currently marked for protection. To unprotect the resource, remove the `protect` flag from the resource in your Pulumi program and run `pulumi up`


$ pulumi preview --diff
pulumi:pulumi:Stack: (same)
    [urn=urn:pulumi:dev2::azure-native-ts::pulumi:pulumi:Stack::azure-native-ts-dev2]
error: unable to replace resource "urn:pulumi:dev2::azure-native-ts::azure-native:resources:ResourceGroup::rg"
as it is currently marked for protection. To unprotect the resource, remove the `protect` flag from the resource in your Pulumi program and run `pulumi up`
Resources:
    1 unchanged
```

After:

```
$ pulumi preview
Type                                     Name                  Plan        Info
     pulumi:pulumi:Stack                      azure-native-ts-dev2              1 error; 2 warnings
 +-  └─ azure-native:resources:ResourceGroup  rg                    replace     [diff: ~location]; 1 error

Diagnostics:
  azure-native:resources:ResourceGroup (rg):
    error: unable to replace resource "urn:pulumi:dev2::azure-native-ts::azure-native:resources:ResourceGroup::rg"
    as it is currently marked for protection. To unprotect the resource, remove the `protect` flag from the resource in your Pulumi program and run `pulumi up`

  pulumi:pulumi:Stack (azure-native-ts-dev2):
    error: preview failed


$ pulumi preview --diff
pulumi:pulumi:Stack: (same)
    [urn=urn:pulumi:dev2::azure-native-ts::pulumi:pulumi:Stack::azure-native-ts-dev2]
error: unable to replace resource "urn:pulumi:dev2::azure-native-ts::azure-native:resources:ResourceGroup::rg"
as it is currently marked for protection. To unprotect the resource, remove the `protect` flag from the resource in your Pulumi program and run `pulumi up`
    +-azure-native:resources:ResourceGroup: (replace) 🔒
        [id=/subscriptions/0282681f-7a9e-424b-80b2-96babd57a8a1/resourceGroups/rg5f8e30e4]
        [urn=urn:pulumi:dev2::azure-native-ts::azure-native:resources:ResourceGroup::rg]
        [provider=urn:pulumi:dev2::azure-native-ts::pulumi:providers:azure-native::default_2_30_0::3c957b2a-4852-439c-b211-22a115bbe89a]
      ~ location: "westeurope" => "westus2"
error: preview failed
Resources:
    +-1 to replace
    1 unchanged
```

## Checklist

- [ ] I have run `make tidy` to update any new dependencies
- [ ] I have run `make lint` to verify my code passes the lint check
  - [ ] I have formatted my code using `gofumpt`

<!--- Please provide details if the checkbox below is to be left
unchecked. -->
- [x] I have added tests that prove my fix is effective or that my
feature works
<!--- 
User-facing changes require a CHANGELOG entry.
-->
- [x] I have run `make changelog` and committed the
`changelog/pending/<file>` documenting my change
<!--
If the change(s) in this PR is a modification of an existing call to the
Pulumi Cloud,
then the service should honor older versions of the CLI where this
change would not exist.
You must then bump the API version in
/pkg/backend/httpstate/client/api.go, as well as add
it to the service.
-->
- [ ] Yes, there are changes in this PR that warrants bumping the Pulumi
Cloud API version
<!-- @pulumi employees: If yes, you must submit corresponding changes in
the service repo. -->
  • Loading branch information
@mikhailshilkov
mikhailshilkov committed Apr 18, 2024
1 parent 10e63cc commit 60adf18
Show file tree
Hide file tree
Showing 3 changed files with 22 additions and 5 deletions.
4 changes: 4 additions & 0 deletions ...g/20240417--engine--dont-bail-at-preview-when-a-protected-resource-needs-replacement.yaml
View file
Original file line number Diff line number Diff line change
@@ -0,0 +1,4 @@
changes:
- type: fix
scope: engine
description: Display the entire preview with diff when a protected resource needs replacement
14 changes: 10 additions & 4 deletions pkg/engine/lifecycletest/pulumi_test.go
View file
Original file line number Diff line number Diff line change
Expand Up @@ -3181,13 +3181,19 @@ func TestProtect(t *testing.T) {
return err
}

// Run a new update which will cause a replace, we should get an error
// Run a dry-run (preview) which will cause a replace, we should get an error.
// However, the preview doesn't bail, so we expect one "created" resource as a result of this operation.
expectedMessage = "<{%reset%}>unable to replace resource \"urn:pulumi:test::test::pkgA:m:typA::resA\"\n" +
"as it is currently marked for protection. To unprotect the resource, remove the `protect` flag from " +
"the resource in your Pulumi program and run `pulumi up`<{%reset%}>\n"
ins = resource.NewPropertyMapFromMap(map[string]interface{}{
"foo": "baz",
})
_, err = TestOp(Update).Run(project, p.GetTarget(t, snap), p.Options, true, p.BackendClient, validate)
assert.ErrorContains(t, err, "step generator errored")

// Run an update which will cause a replace, we should get an error.
// Contrary to the preview, the error is a bail, so no resources are created.
snap, err = TestOp(Update).Run(project, p.GetTarget(t, snap), p.Options, false, p.BackendClient, validate)
assert.Error(t, err)
assert.NotNil(t, snap)
Expand Down Expand Up @@ -3217,7 +3223,7 @@ func TestProtect(t *testing.T) {
assert.NoError(t, err)
assert.NotNil(t, snap)
assert.Len(t, snap.Resources, 2)
assert.Equal(t, "created-id-1", snap.Resources[1].ID.String())
assert.Equal(t, "created-id-2", snap.Resources[1].ID.String())
assert.Equal(t, false, snap.Resources[1].Protect)
assert.Equal(t, 1, deleteCounter)

Expand All @@ -3227,7 +3233,7 @@ func TestProtect(t *testing.T) {
assert.NoError(t, err)
assert.NotNil(t, snap)
assert.Len(t, snap.Resources, 2)
assert.Equal(t, "created-id-1", snap.Resources[1].ID.String())
assert.Equal(t, "created-id-2", snap.Resources[1].ID.String())
assert.Equal(t, true, snap.Resources[1].Protect)
assert.Equal(t, 1, deleteCounter)

Expand All @@ -3240,7 +3246,7 @@ func TestProtect(t *testing.T) {
assert.NoError(t, err)
assert.NotNil(t, snap)
assert.Len(t, snap.Resources, 2)
assert.Equal(t, "created-id-2", snap.Resources[1].ID.String())
assert.Equal(t, "created-id-3", snap.Resources[1].ID.String())
assert.Equal(t, 2, deleteCounter)
}

Expand Down
9 changes: 8 additions & 1 deletion pkg/resource/deploy/step_generator.go
View file
Original file line number Diff line number Diff line change
Expand Up @@ -1034,7 +1034,14 @@ func (sg *stepGenerator) generateStepsFromDiff(
"program and run `pulumi up`", urn)
sg.deployment.ctx.Diag.Errorf(diag.StreamMessage(urn, message, 0))
sg.sawError = true
return nil, result.BailErrorf(message)
// In Preview, we mark the deployment as Error but continue to next steps,
// so that the preview is shown to the user and they can see the diff causing it.
// In Update mode, we bail to stop any further actions immediately. If we don't bail and
// we're doing a create before delete replacement we'll execute the create before getting
// to the delete error.
if !sg.deployment.preview {
return nil, result.BailErrorf(message)
}
}

// If the goal state specified an ID, issue an error: the replacement will change the ID, and is
Expand Down

0 comments on commit 60adf18

Please sign in to comment.