
Adds support for Copilot templates to `pulumi new`

Open foot opened this issue 1 year ago • 3 comments

Copilot templates require an access token to look up the conversation data and extract the code

Here we try to download any template as usual, but then add the following logic to the response checking:

  • If a 403 is returned from what we identify as a pulumi-service backend (via `X-Pulumi-Request-ID` header, which has been present for the last 6 years)
  • Then we re-request w/ the auth token, or prompt the user to `pulumi login --set-current=false` if we can't find one.

This does result in always raising a 403 on the server every time we request a copilot template.

If we want to avoid these 403s we could check the domain against known pulumi backends in the CLI first, at the cost of intro'ing another code path.

Jul 29 '24 08:07 foot

Changelog

[uncommitted] (2024-08-05)

Features

  • [cli/new] Adds support for Copilot templates #16825

Jul 29 '24 08:07 pulumi-bot

Rather than have this check, can we have api.pulumi.com proxy this request and select the appropriate HTTP backend to send requests to Pulumi Copilot?

Yes!

A template could be for a public URL (like https://github.com/...) or an AI URL (https://api.pulumi-self-hosted.foo.corp/...)... How do we handle that, and when do we tell the user to log in via pulumi login? Open to ideas here.

Latest attempt here we:

  1. retry if we get a 401 and identify the response as coming from a pulumi cloud backend.
  2. prompt the user to pulumi login if we can't find any local credentials for that backend or they also give a 401.

Right now the checking is a little bit loose, and we send the auth token to any path on the domain. Could tighten it up by implementing a `(backend | client).RetrieveCopilotTemplate()`. Then we'd have the template path hard coded in 3 places. It's an API endpoint that is half the point I guess. Will do a quick test of that.

Aug 02 '24 13:08 foot

Then we'd have the template path hard coded in 3 places. It's an API endpoint that is half the point I guess

E.g. we'd have to take a template URL and parse it to some degree. Security conscious escalation:

  1. Send auth to any endpoint on that domain, e.g. what the browser does.
  2. Having some guard rails would be another option. `/api/ai/bundle/.*`
  3. Parse it completely for the cli command (`pulumi new copilot-template --org --convo-id --message-id --program-id`) or in the cli to target a particular endpoint.

I think I'm okay with number 1 here.

Aug 02 '24 14:08 foot
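
The guard rail from option 2 above, written out as an added example (it is not code from this PR): the token is re-sent only after a 401 that carries `X-Pulumi-Request-ID`, only to the host the stored credentials belong to, and only under `/api/ai/bundle/`. The names `shouldRetryWithToken`, `bundlePrefix` and `credsHost` and the sample URLs are hypothetical.

```go
package main

import (
	"fmt"
	"net/http"
	"net/url"
	"path"
	"strings"
)

// Path prefix taken from option 2 in the thread (/api/ai/bundle/.*).
const bundlePrefix = "/api/ai/bundle/"

// shouldRetryWithToken (hypothetical helper) decides whether a failed template
// download may be repeated with the access token stored for credsHost.
func shouldRetryWithToken(templateURL string, resp *http.Response, credsHost string) bool {
	u, err := url.Parse(templateURL)
	if err != nil || u.Scheme != "https" || u.User != nil {
		return false // never send a bearer token over plain HTTP or to odd URLs
	}
	// React only to the auth failure described in the latest attempt (401)
	// that carries the backend's request-ID header.
	if resp.StatusCode != http.StatusUnauthorized || resp.Header.Get("X-Pulumi-Request-ID") == "" {
		return false
	}
	// Any server can set that header, so it is only a hint. The token is
	// released solely to the host the stored credentials belong to.
	if !strings.EqualFold(u.Host, credsHost) {
		return false
	}
	// Guard rail: normalise the decoded path so "../" cannot leave the prefix.
	return strings.HasPrefix(path.Clean("/"+u.Path), bundlePrefix)
}

func main() {
	// Constructed sample: a 401 from the backend the user is logged in to.
	resp := &http.Response{StatusCode: 401, Header: http.Header{}}
	resp.Header.Set("X-Pulumi-Request-ID", "constructed-request-id")
	for _, raw := range []string{
		"https://api.pulumi.com/api/ai/bundle/constructed-id",
		"https://api.pulumi.com/api/ai/bundle/../../user",
		"https://templates.example/api/ai/bundle/constructed-id",
	} {
		fmt.Println(shouldRetryWithToken(raw, resp, "api.pulumi.com"), raw)
	}
}
```

Without the path check this reduces to option 1, where the host comparison is the only thing keeping the token away from other servers.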

Thanks for the review @Frassle ! Cleaned it up a bit

Sep 11 '24 14:09 foot

Is it possible to add a test for this?

Yes! Will have a look at adding some tests 👍 , thanks for TAL!

Jan 07 '25 14:01 foot

This PR has been shipped in release v3.146.0.

Jan 16 '25 01:01 pulumi-bot