provider rotation #432
provider rotation #432
Conversation
nyobe
force-pushed
the
claire/provider-rotation
branch
from
be5df41 to
4e22ea2
Compare
nyobe
force-pushed
the
claire/provider-rotation
branch
from
823ab99 to
9648bb6
Compare
nyobe
force-pushed
the
claire/provider-rotation
branch
from
2e67fef to
a208a03
Compare
nyobe
force-pushed
the
claire/provider-rotation
branch
from
3a38658 to
2aefb1c
Compare
nyobe
force-pushed
the
claire/provider-rotation
branch
from
2aefb1c to
53ccc3c
Compare
|
I don't love the short form intermixing commonInputs:
...
foo:
fn::rotate::provider:
inputs: ${commonInputs}
state: ...I think this is kind of a fundamental issue, FWIW. Even if we store state out-of-band, unless we reference it by path (which kills the ability to refactor via cut-and-paste), we'd need something in the provider inputs that serves as an identifier for the state. |
ast/expr.go
Outdated
| if !ok && state != nil { | ||
| diags := syntax.Diagnostics{ExprError(stateExpr, "rotation state must be an object literal")} | ||
| return RotateSyntax(node, name, args, nil, nil, nil), diags | ||
| } |
There was a problem hiding this comment.
Just want to check, we are ok if there is no initial state set on the rotator? (This makes sense but I vaguely recall us mentioning that users would set at least current on this when adding a new rotator)
There was a problem hiding this comment.
I think it depends on the Rotator- the schema can be used to enforce it being present or optional. But I think it's also fine to make the key required 🤷♀️
| inputs.export("").Value.(map[string]esc.Value), | ||
| state.export("").Value.(map[string]esc.Value), |
There was a problem hiding this comment.
Just for my own knowledge, what does export("") do?
There was a problem hiding this comment.
This is supposed to be the environment name which I think is just used for annotating source ranges?
Yeah, hoisting the state out of inputs for the short form is a bit cheeky. I've removed it: 53dc66c |
Co-authored-by: Derek <[email protected]>
nyobe
force-pushed
the
claire/provider-rotation
branch
from
7333173 to
58732fa
Compare
| inputs.export("").Value.(map[string]esc.Value), | ||
| state.export("").Value.(map[string]esc.Value), |
Co-authored-by: Pat Gavlin <[email protected]>
This reverts commit 53ccc3c.
nyobe
force-pushed
the
claire/provider-rotation
branch
from
aa8712f to
d5f036c
Compare
Introduces a new provider type and verb to support rotating static credentials.
Rotator providers have an additional
stateinput which is used as a write-back target. The result of invoking Rotate is persisted back into the environment to this key. This provides a stable location to write to without accidentally clobbering interpolations that might be used for other inputs.The new
fn::rotatefunction type is used to invoke this new type of provider. It behaves similarly to existing providers during Open, but during rotation the evaluator will invoke the Rotate methods and collect their outputs, which are returned to the caller. The caller is expected to persist these updates back into the environment as a new revision.Closes https://github.com/pulumi/pulumi-service/issues/24986