Improved Pulumi Previews

Posted on

Today we are announcing a minor but significant improvement to the Pulumi preview experience.

Change in Behaviour

We can look at a sample Pulumi application that creates a Google GKE cluster. Pulumi then deploys an application into the Kubernetes cluster.

import * as gcp from "@pulumi/gcp";
import * as k8s from "@pulumi/kubernetes";
import * as pulumi from "@pulumi/pulumi";

const name = "helloworld";

const config = new pulumi.Config();
export const masterVersion = config.get("masterVersion") ||
    gcp.container.getEngineVersions().then(it => it.latestMasterVersion);

// Create a GKE cluster
const cluster = new gcp.container.Cluster(name, {
    // We can't create a cluster with no node pool defined, but we want to only use
    // separately managed node pools. So we create the smallest possible default
    // node pool and immediately delete it.
    initialNodeCount: 1,
    removeDefaultNodePool: true,

    minMasterVersion: masterVersion,
    resourceLabels: {
        "stack": pulumi.getStack()
    },
});

const nodePool = new gcp.container.NodePool(`primary-node-pool`, {
    cluster: cluster.name,
    initialNodeCount: 2,
    location: cluster.location,
    nodeConfig: {
        preemptible: true,
        machineType: "n1-standard-1",
        oauthScopes: [
            "https://www.googleapis.com/auth/compute",
            "https://www.googleapis.com/auth/devstorage.read_only",
            "https://www.googleapis.com/auth/logging.write",
            "https://www.googleapis.com/auth/monitoring",
        ],
    },
    version: masterVersion,
    management: {
        autoRepair: true,
    },
}, {
    dependsOn: [cluster],
});

const clusterName = cluster.name;

// Manufacture a GKE-style kubeconfig. Note that this is slightly "different"
// because of the way GKE requires gcloud to be in the picture for cluster
// authentication (rather than using the client cert/key directly).
export const kubeconfig = pulumi.
    all([ cluster.name, cluster.endpoint, cluster.masterAuth ]).
    apply(([ name, endpoint, masterAuth ]) => {
        const context = `${gcp.config.project}_${gcp.config.zone}_${name}`;
        return `apiVersion: v1
clusters:
- cluster:
    certificate-authority-data: ${masterAuth.clusterCaCertificate}
    server: https://${endpoint}
  name: ${context}
contexts:
- context:
    cluster: ${context}
    user: ${context}
  name: ${context}
current-context: ${context}
kind: Config
preferences: {}
users:
- name: ${context}
  user:
    auth-provider:
      config:
        cmd-args: config config-helper --format=json
        cmd-path: gcloud
        expiry-key: '{.credential.token_expiry}'
        token-key: '{.credential.access_token}'
      name: gcp
`;
    });

// Create a Kubernetes provider instance that uses our cluster from above.
const clusterProvider = new k8s.Provider(name, {
    kubeconfig: kubeconfig,
}, {
  dependsOn: [nodePool],
});

// Create a Kubernetes Namespace
const ns = new k8s.core.v1.Namespace(name, {}, { provider: clusterProvider });
const namespaceName = ns.metadata.name;

// Create a NGINX Deployment
const appLabels = { appClass: name };
const deployment = new k8s.apps.v1.Deployment(name,
    {
        metadata: {
            namespace: namespaceName,
            labels: appLabels,
        },
        spec: {
            replicas: 1,
            selector: { matchLabels: appLabels },
            template: {
                metadata: {
                    labels: appLabels,
                },
                spec: {
                    containers: [
                        {
                            name: name,
                            image: "nginx:latest",
                            ports: [{ name: "http", containerPort: 80 }],
                        },
                    ],
                },
            },
        },
    },
    {
        provider: clusterProvider,
    },
);

// Create a LoadBalancer Service for the NGINX Deployment
const service = new k8s.core.v1.Service(name,
    {
        metadata: {
            labels: appLabels,
            namespace: namespaceName,
        },
        spec: {
            type: "LoadBalancer",
            ports: [{ port: 80, targetPort: "http" }],
            selector: appLabels,
        },
    },
    {
        provider: clusterProvider,
    },
);

A simple change to the labels for the GKE cluster led to a preview that suggested that the dependent resources would need to be replaced.

     Type                              Name                         Plan        Info
     pulumi:pulumi:Stack               gcp-ts-gke-hello-world-dev2
 ~   β”œβ”€ gcp:container:Cluster          helloworld                   update      [diff: ~resourceLabels]
 +-  β”œβ”€ gcp:container:NodePool         primary-node-pool            replace     [diff: ~location]
 +-  β”œβ”€ pulumi:providers:kubernetes    helloworld                   replace     [diff: ~kubeconfig]
 +-  β”œβ”€ kubernetes:core/v1:Namespace   helloworld                   replace     [diff: -metadata~provider]
 +-  β”œβ”€ kubernetes:core/v1:Service     helloworld                   replace     [diff: ~metadata,provider]
 +-  └─ kubernetes:apps/v1:Deployment  helloworld                   replace     [diff: ~metadata,provider]

Resources:
    ~ 1 to update
    +-5 to replace
    6 changes. 1 unchanged

The result of the Pulumi apply showed that only the gcp:container:Cluster changed, and no other Kubernetes resources were replaced. This is because Pulumi was trying to be conservative and let you know what “could” happen. It was calculating that changes to the cluster could potentially lead to the outputs changing which other resource rely on. In practice, that wasn’t going to happen. Pulumi previously had to be conservative for correctness because it didn’t have a way to check.

     Type                      Name                         Status      Info
     pulumi:pulumi:Stack       gcp-ts-gke-hello-world-dev2
 ~   └─ gcp:container:Cluster  helloworld                   updated     [diff: ~resourceLabels]

Resources:
    ~ 1 updated
    6 unchanged

Pulumi now supports asking the individual resource providers about what outputs will change as part of an update to a resource. This allows the providers (like the GCP provider in this case) to give more specific information, which allows Pulumi to provide more accurate previews:

     Type                      Name                         Plan       Info
     pulumi:pulumi:Stack       gcp-ts-gke-hello-world-dev2
 ~   └─ gcp:container:Cluster  helloworld                   update     [diff: ~resourceLabels]

Resources:
    ~ 1 to update
    6 unchanged

Conclusion

The improved preview is available in Pulumi v2.12.0 and is supported in all new provider releases. If you would like to disable this new behaviour and preserve the previous, more conservative behaviour, you can set an environment variable PULUMI_DISABLE_PROVIDER_PREVIEW to a truthy value (1 or true).