pulumi-azure icon indicating copy to clipboard operation
pulumi-azure copied to clipboard

Published 20 hours ago verified publisher icon pulumi

Provider Feature defaults

Open JasonWhall opened this issue 2 years ago • 1 comments

Hello!

  • Vote on this issue by adding a 👍 reaction
  • If you want to implement this feature, comment to let us know (we'll work with you on design, scheduling, etc.)

Issue details

Considering the below Pulumi C# code to create a KeyVault Secret:

_ = new Secret("Secret", new SecretArgs
{
    Name = "MySecret",
    Value = "SuperSecret!",   
    KeyVaultId = existingKeyVault.Id,         
});

if we run pulumi up to create the secret, followed by pulumi destroy. The secret will be moved into a soft-delete state as this is now the default behaviour in KeyVaults.

If we run pulumi up again will subsequently fail as by default the provider does not know to recover the secret from a soft-delete state. This scenario to delete and re-create is common for ephemeral environments or resources. Additionally, applications that rely on KeyVault secrets typically do so via convention, rather than by reference. This means using Pulumi auto-naming may not be an option.

The Provider configuration does offer options to recover soft deleted objects as shown below:

var clientConfig = Output.Create(GetClientConfig.InvokeAsync());

var provider = new Provider("KeyVault-Provider", new ProviderArgs
{
    Features = new ProviderFeaturesArgs
    {
        KeyVault = new ProviderFeaturesKeyVaultArgs
        {
            RecoverSoftDeletedSecrets = true,
            PurgeSoftDeletedSecretsOnDestroy = false,
        },
    },
    // Subscription Id seems to be nullified when deleting Secrets. Explicitly setting this as a workaround.
    SubscriptionId = clientConfig.Apply(x => x.SubscriptionId),
});

_ = new Secret("Secret", new SecretArgs
{
    Name = "MySecret",
    Value = "SuperSecret!",   
    KeyVaultId = existingKeyVault.Id,         
}, new CustomResourceOptions { Provider = provider });

However, this requires significantly more boilerplate code to work with secrets. When comparing to the Terraform AzureRM provider which defines these features, some of these are set by default.

Instead, it would seem sensible to default the provider features to the same values that the AzureRM provider uses.

Affected area/feature

JasonWhall avatar Nov 23 '22 11:11 JasonWhall

Hi @JasonWhall - thank you for the very detailed writeup here. We'll take a look!

guineveresaenger avatar Nov 23 '22 23:11 guineveresaenger