Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Unable to refresh resources when provider ClientSecret updates #295

Open
thecodetinker opened this issue Aug 16, 2022 · 1 comment
Open

Unable to refresh resources when provider ClientSecret updates #295

thecodetinker opened this issue Aug 16, 2022 · 1 comment
Labels
kind/question Questions about existing features

Comments

@thecodetinker
Copy link

What happened?

Our stack contains Azure AD resources located in a different tenant than the main Azure resources. To access this we log in a Provider with an ID/Password obtained from KeyVault further up the pipeline. The code is roughly like this:

var userTenantProvider = new Provider("UserTenantProvider", new ProviderArgs
{
    TenantId = args.UserTenantId,
    ClientId = args.ClientId,
    ClientSecret = args.ClientSecret
});

var appOptions = new CustomResourceOptions { 
    Parent = this, 
    DeleteBeforeReplace = true, 
    Provider = userTenantProvider 
};

var appRegistrationPassword = new ApplicationPassword("AdministratorAppRegistration-Password", new ApplicationPasswordArgs
{
    ApplicationObjectId = args.ObjectId,
    DisplayName = appRegistrationPasswordName,
    EndDate = "2099-01-01T01:02:03Z",
}, appOptions);

This works fine until the client secret is rotated, at which point refreshing fails. It feels like the refresh doesn't update the provider - possibly reasonable but it breaks this workflow.

Steps to reproduce

  1. Create a stack similar to the above, with resources created with a Provider that takes a ClientID and ClientSecret.
  2. Run pulumi refresh.
  3. Observe that the refresh succeeds.
  4. Run pulumi up to create the stack.
  5. Update the client secret.
  6. Run pulumi refresh again.

Expected Behavior

I expect the provider to use the updated secret I passed in, and the refresh to work.

Actual Behavior

The refresh fails due to the provider still using the expired credential.

Versions used

We use the Pulumi Automation API so there isn't an obvious 'About' but the plugins listed are

Installing Plugins ...
* azure v4.27.0
* azuread v5.6.0
* azure-native v1.52.0
* random v4.3.1

With pulumi automation Nuget package v3.25.1

Additional context

No response

Contributing

Vote on this issue by adding a 👍 reaction.
To contribute a fix for this issue, leave a comment (and link to your pull request, if you've opened one already).
@thecodetinker thecodetinker added kind/bug Some behavior is incorrect or out of spec needs-triage Needs attention from the triage team labels Aug 16, 2022
@lblackstone lblackstone added kind/question Questions about existing features and removed needs-triage Needs attention from the triage team kind/bug Some behavior is incorrect or out of spec labels Aug 18, 2022
@lblackstone
Copy link
Member

Hi @thecodetinker -- I've seen similar cases on other providers before, and I believe the solution was to use the --target option to fix the Provider credentials before updating the other resources in a subsequent update.

If the creds are expected to rotate regularly, you might want to consider splitting that resource out into a separate stack so that the Provider lifecycle can be managed separately from the dependent resources.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
kind/question Questions about existing features
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
2 participants
@lblackstone @thecodetinker