Compute "tags" in Check

[iwahbe]

Fixes #2633
Fixes #2550

Relies on pulumi/pulumi-terraform-bridge#1310.

Description copied from applyTags's doc comment:

Historically, Pulumi has struggles to handle the "tags" and "tags_all" fields correctly:

• Removing default tags fails to untag resources on v6 #2633
• unexpected behavior of defaultTags #1655

terraform-provider-aws has also struggled with implementing their desired behavior:

• [Proposal] Default Tags Updates hashicorp/terraform-provider-aws#29747
• [Announcement] Upcoming Changes in Version 5.0 of the AWS Provider hashicorp/terraform-provider-aws#29842
• Setting tags to have empty values or changing tags from having a value to having no value is not correctly handled hashicorp/terraform-provider-aws#24449

The Terraform lifecycle simply does not have a good way to map provider configuration onto resource values, so terraform-provider-aws is forced to work around limitations in unreliable ways. For example, terraform-provider-aws does not apply tags correctly with -refresh=false.

This gives pulumi the same limitations by default. However, unlike Terraform, Pulumi does have a clear way to insert provider configuration into resource properties: Check. By writing a custom check function that applies "default_tags" to "tags" before the Terraform provider sees any resource configuration, we can give a consistent, reliable and good experience for Pulumi users.

---

This strategy gives concrete benefits for Pulumi users. Diffs are applied correctly with high resolution. Consider this change:

name: our-example
runtime: yaml
resources:
  p:
    type: pulumi:providers:aws
    properties:
      defaultTags:
        tags:
          foo: buzz
          abc: def
      region: us-west-2
  b:
    type: aws:s3:BucketV2
-   properties:
-     tags:
-       foo: fizz
    options:
      provider: ${p}

We now can give users an accurate diff:

𝛌 pulumi preview --diff
Previewing update (test)

View Live: https://app.pulumi.com/pulumi/our-example/test/previews/*

  pulumi:pulumi:Stack: (same)
    [urn=urn:pulumi:test::our-example::pulumi:pulumi:Stack::our-example-test]
warning: provider config warning: skip_metadata_api_check: the use of values other than "true" and "false" is deprecated and will be removed in a future version of the provider
    ~ aws:s3/bucketV2:BucketV2: (update)
        [id=b-f4d2684]
        [urn=urn:pulumi:test::our-example::aws:s3/bucketV2:BucketV2::b]
        [provider=urn:pulumi:test::our-example::pulumi:providers:aws::p::aaefc0bd-e75f-47b8-9d61-dc8c5cba05b0]
      ~ tags: {
          ~ foo: "fizz" => "buzz"
        }
Resources:
    ~ 1 to update
    2 unchanged

Changing defaultTags in a way that doesn't effect a resource no longer shows as an update for that resource, just for the provider:

name: our-example
runtime: yaml
resources:
  p:
    type: pulumi:providers:aws
    properties:
      defaultTags:
        tags:
-         foo: buzz
          abc: def
      region: us-west-2
  b:
    type: aws:s3:BucketV2
    properties:
      tags:
        foo: fizz
    options:
      provider: ${p}

𝛌 pulumi preview --diff
Previewing update (test)

View Live: https://app.pulumi.com/pulumi/our-example/test/previews/0*

  pulumi:pulumi:Stack: (same)
    [urn=urn:pulumi:test::our-example::pulumi:pulumi:Stack::our-example-test]
warning: provider config warning: skip_metadata_api_check: the use of values other than "true" and "false" is deprecated and will be removed in a future version of the provider
    ~ pulumi:providers:aws: (update)
        [id=aaefc0bd-e75f-47b8-9d61-dc8c5cba05b0]
        [urn=urn:pulumi:our-example::pulumi:providers:aws::p]
      ~ defaultTags              : "\"{\\\"tags\\\":{\\\"abc\\\":\\\"def\\\",\\\"foo\\\":\\\"buzz\\\"}}\"" => "\"{\\\"tags\\\":{\\\"abc\\\":\\\"def\\\"}}\""
        region                   : "us-west-2"
        skipCredentialsValidation: "false"
        skipMetadataApiCheck     : "true"
        skipRegionValidation     : "true"
Resources:              
    ~ 1 to update
    2 unchanged

Of course, this also fixes the original issue; removing all defaultTags correctly removes them from the resource.

name: our-example
runtime: yaml
resources:
  p:
    type: pulumi:providers:aws
    properties:
-     defaultTags:
-       tags:
-         foo: buzz
-         abc: def
      region: us-west-2
  b:
    type: aws:s3:BucketV2
    options:
      provider: ${p}

𝛌 pulumi preview --diff
Previewing update (test)

View Live: https://app.pulumi.com/pulumi/our-example/test/previews/*

  pulumi:pulumi:Stack: (same)
    [urn=urn:pulumi:test::our-example::pulumi:pulumi:Stack::our-example-test]
warning: provider config warning: skip_metadata_api_check: the use of values other than "true" and "false" is deprecated and will be removed in a future version of the provider
    ~ pulumi:providers:aws: (update)
        [id=aaefc0bd-e75f-47b8-9d61-dc8c5cba05b0]
        [urn=urn:pulumi:test::our-example::pulumi:providers:aws::p]
      - defaultTags              : (json) {
          - tags: {
              - abc: "def"
              - foo: "buzz"
            }
        }

        region                   : "us-west-2"
        skipCredentialsValidation: "false"
        skipMetadataApiCheck     : "true"
        skipRegionValidation     : "true"
    ~ aws:s3/bucketV2:BucketV2: (update)
        [id=b-f4d2684]
        [urn=urn:pulumi:test::our-example::aws:s3/bucketV2:BucketV2::b]
        [provider=urn:pulumi:test::our-example::pulumi:providers:aws::p::aaefc0bd-e75f-47b8-9d61-dc8c5cba05b0]
      - tags: {
          - abc: "def"
          - foo: "buzz"
        }
    --outputs:--        
  ~ tags: {
      - abc: "def"
      - foo: "buzz"
    }
Resources:
    ~ 2 to update
    1 unchanged

---

A bonus for maintainers is that because this change takes effect at the pulumi level, we no longer rely on changing how our involved diff method works, allowing us to remove XComputedInput from this provider (and then from the bridge).

[iwahbe]

This will show diffs on tags when upgrading from v5 to v6, so it must be introduced as part of the major version upgrade and called out in the changelog.

[iwahbe]

Currently, this works for:

• Create
• Check (by construction)
• Diff
• Update
• Destroy (noop)
• Read

Read is the only CRUD+ method that does not go through Check, so it will also need special behavior so that pulumi up --yes && pulumi refresh --expect-no-changes doesn't show a diff.

[t0yv0]

For example, terraform-provider-aws does not apply tags correctly with -refresh=false.

I was not able to isolate this, do you have a repro? Can we file a bug upstream with a repro?

[t0yv0]

How can we demonstrate that import and refresh scenarios exercising Read work as expected?

[t0yv0]

What happens if a provider with this set of changes runs against stacks that used the old method and perhaps populated tags_all?

[t0yv0]

Overall I appreciate this approach, if we cannot find a clean way to interface with the functionality in upstream provider, maintaining custom code around default tags seems worth it as it is a feature impacting every resource; if we can do this cleanly. There is a cost of doing so in maintaining this new code and ensuring that it does not interact in weird ways with the upstream machinery that attempts to solve the problem as well.

[iwahbe]

How can we demonstrate that import and refresh scenarios exercising Read work as expected?

By adding a test that exercises the behavior. We can't do that yet, since any such test will fail until pulumi/pulumi-terraform-bridge#1312 merges.

[iwahbe]

What happens if a provider with this set of changes runs against stacks that used the old method and perhaps populated tags_all?

They will see a diff on "tags" (see #2655 (comment)), but otherwise everything will work as expected. This doesn't change anything about "tags_all", we won't see a problem here.

[t0yv0]

We can't do that yet, since any such test will fail until

Ah super, you have a way to demonstrate in a test, that's great, let's try it. I think you can make the CI exercise pre-release code via go mod-replace. Alternatively, I had some nits on pulumi/pulumi-terraform-bridge#1312 but it's also mergeable once we add a quick test in there.

[t0yv0]

Having a look at this again shortly.

[danielrbradley]

Would it make sense to just combine this into, or put this this change alongside patch 003 where we add this code?

[t0yv0]

This is interesting. The patch is still needed it just got shorter?

[t0yv0]

OK with introducing a test-specific module? I've done it elsewhere but was wondering if that's idiomatic Go for the problem of isolating test dependencies.

[t0yv0]

I had a question about the semantic of one of the tests, and I'm not familiar with the underlying patch being edited. Otherwise LGTM.