pulumi/pulumi-tls

Breaking change between v4.4.0 to v4.5.0+ on SelfSignedCertArgs property subjects

mitchellmaler opened this issue · 5 comments

mitchellmaler commented

What happened?

Upgrading python pulumi-tls from 4.4.0 to the latest which is 4.6.0 and running into error. It looks like the property subjects of SelfSignedCertArgs has been removed in favor of subject and is not a list. If I update my definition of my SelfSignedCert to provide subject instead of subjects it takes it but now wants to replace the resource even though technically nothing changed (still a single subject but just not a list).

https://github.com/pulumi/pulumi-tls/blob/v4.4.0/sdk/python/pulumi_tls/self_signed_cert.py#L20
https://github.com/pulumi/pulumi-tls/blob/v4.6.0/sdk/python/pulumi_tls/self_signed_cert.py#L28

Steps to reproduce

Use provider 4.4.0 tls and SelfSignedCertArgs with subjects. Upgrade to 4.6.0

args=SelfSignedCertArgs(
    TypeError: SelfSignedCertArgs.__init__() got an unexpected keyword argument 'subjects'

Expected Behavior

  1. accept either subject or subjects, allowing for a deprecation
  2. if switching from a single subject list on subjects to the property subject with the same exact subject should not replace the resource

Actual Behavior

Upgrade returns an unknown argument error for subjects. Tying to switch to it wants to replace the cert even though it is the exact same subject.

Output of pulumi about

No response

Additional context

No response

Contributing

Vote on this issue by adding a 👍 reaction.
To contribute a fix for this issue, leave a comment (and link to your pull request, if you've opened one already).

mitchellmaler commented

I just noticed on the release notes of 4.5.0 that this is a breaking change pulled in from upstream.
It would have been good to have a deprecation period, but I am unable to switch from subjects to subject as it wants to replace the certs, but nothing has changed.

guineveresaenger commented

hi @mitchellmaler - we hear your concern and yours is not unique, unfortunately. Please chime in with your experience on this related issue in pulumi/pulumi - we really need to come up with an easier way to alias renamed resources.

For now, unfortunately your workaround to be able to upgrade will look something like this:

  1. Set your SelfSignedCertArgs to retainOnDelete
  2. Run pulumi up to set retainOnDelete in your Pulumi state
  3. Remove the code for SelfSignedCertArgs from your program
  4. Run pulumi up again - this will remove your resource from your Pulumi state, but not your backend, because you set retainOnDelete
  5. Import your still-existing SelfSignedCertArgs using pulumi import with your resource URN - this will re-add the resource to your pulumi stack, but with the correct resource field name
  6. Add the generated code from pulumi import back to your code (with necessary tweaks) - this will now have the updated field
  7. Run pulumi up a final time.

Again, we apologize for the pain.

mitchellmaler commented

@guineveresaenger SelfSignedCert is a cert that is saved in Pulumi and not created in some provider (cloud, etc.) which is then used in multiple of our other resources as inputs. I am unsure how that workflow works in this case.

mitchellmaler commented

@guineveresaenger Is this something you can help me with or should I log a new issue?