pulumi-aws icon indicating copy to clipboard operation
pulumi-aws copied to clipboard

Published 20 hours ago verified publisher icon pulumi

`s3.BucketObjectArgs.sourceHash` doesn't work as expected

Open chrisui opened this issue 2 years ago • 4 comments

Hello!

  • Vote on this issue by adding a 👍 reaction
  • To contribute a fix for this issue, leave a comment (and link to your pull request, if you've opened one already)

Issue details

As I can't provide entirely deterministic zip files I want to control the hash and in turn control when objects get updated. In the documentation there is etag and sourceHash (I opted for the latter due to encryption requirements elsewhere and wanting consistency).

This does not seem to work.

Steps to reproduce

  1. Create an object with sourceHash: 'a', reference a newly created .zip using FileArchive.
  2. pulumi up
  3. Delete and re-create a .zip with different contents (simulating the non-determinism im working around)
  4. pulumi up
  5. Notice how, even though controlling with documented sourceHash, it shows a modification for source and uploads the new zip.

Even more weirdly, when I add source to the ignoreChanges option, the diff shows the result I would expect (no change on source but a change to sourceHash. However when this executes it does not seem to upload the new .zip.

const artifactsBucket = new aws.s3.Bucket(
      resourceName('artifacts', service),
      {
        acl: 'private',
        versioning: { enabled: true },
        loggings: [
          {
            targetBucket: stack.logBucket.id,
            targetPrefix: 'log/' + service.name + '/artifacts/',
          },
        ],
        forceDestroy: config.safe,
      },
      { parent: this }
    )

const projectArchive = new pulumi.asset.FileArchive(
      getProjectPath(service.ctx, 'dist/pkg/project.zip')
    )

const projectArtifact = new aws.s3.BucketObject(
      resourceName('artifact', service),
      {
        bucket: artifactsBucket.id,
        key: 'artifacts/latest/project.zip',
        sourceHash: projectMeta.hash,
        source: projectArchive,
        acl: 'private',
        storageClass: 'ONEZONE_IA',
      },
      { parent: this, ignoreChanges: ['etag', 'source'] }
    )

Expected: I can control when objects are updated using a deterministic sourceHash Actual: sourceHash is ignored

chrisui avatar Jan 13 '22 19:01 chrisui

Ah.

Looking at the source code of TranslateAsset there's a suspicious TODO which also links back to a 4/5 year old change 🙃

// TODO[pulumi/pulumi#153]: support HashField.

https://github.com/pulumi/pulumi-terraform-bridge/blob/30ae8ae5cc2d2f5987854984243c74ace4ccc952/pkg/tfbridge/assets.go#L130

chrisui avatar Jan 19 '22 13:01 chrisui

The referenced issue is now closed so this might just be a left-over comment. To clarify your use-case; are you wanting to ignore the hash from the FileArchive and provide your own instead?

danielrbradley avatar Jan 19 '22 20:01 danielrbradley

That is indeed the use case. Exactly the same behaviour as in terraform and as is pulled through to the pulumi docs.

chrisui avatar Jan 19 '22 22:01 chrisui

Any chance of an update on support for this documented feature?

chrisui avatar Mar 07 '23 22:03 chrisui