Pulumi Command CopyFile replacements

.gitignore

*.pyc
venv/
rsa
rsa.pub

__main__.py

import pulumi
import pulumi_aws as aws
import pulumi_command as command
import base64
import keys


profile = 'devsandbox'
region = 'us-east-1'
prefix = 'repro'
size = 'm6i.large'


key_name = keys.key_name
public_key = keys.public_key
private_key = keys.private_key


aws_provider = aws.Provider(f"{prefix}-provider",
                            region=region,
                            profile=profile)


# Create a new security group that permits SSH access.
secgrp = aws.ec2.SecurityGroup(f"{prefix}-secgrpallowssh",
    description='allow-port-22-ssh-access',
    ingress=[
        aws.ec2.SecurityGroupIngressArgs(
            protocol='tcp',
            from_port=22,
            to_port=22,
            cidr_blocks=['0.0.0.0/0']),
    ],
    egress=[aws.ec2.SecurityGroupEgressArgs(
        from_port=0,
        to_port=0,
        protocol="-1",
        cidr_blocks=["0.0.0.0/0"],
        ipv6_cidr_blocks=["::/0"],
    )],
    opts=pulumi.ResourceOptions(provider=aws_provider))


# Get the AMI
ami = aws.ec2.get_ami(
    owners=['amazon'],
    most_recent=True,
    filters=[aws.ec2.GetAmiFilterArgs(
        name='name',
        values=['amzn2-ami-hvm-*x86_64*'],
    )],
    opts=pulumi.invoke.InvokeOptions(provider=aws_provider))


# Maybe generate a KeyPair.
if key_name is None:
    key = aws.ec2.KeyPair(f"{prefix}-key",
        public_key=public_key,
        opts=pulumi.ResourceOptions(provider=aws_provider)
    )
    key_name = key.key_name


# Provision a server as an EC2 instance.
server = aws.ec2.Instance(f"{prefix}-server",
    instance_type=size,
    ami=ami.id,
    key_name=key_name,
    vpc_security_group_ids=[secgrp.id],
    opts=pulumi.ResourceOptions(provider=aws_provider)
)


# Configure SSH connector.
connection = command.remote.ConnectionArgs(
    host=server.public_ip,
    user='ec2-user',
    private_key=private_key
)


def contents(f):
    with open(f, 'r') as fp:
        return fp.read()


# Copy an example file.
cp = command.remote.CopyFile(f"{prefix}-file",
    connection=connection,
    local_path='example.txt',
    remote_path='example.txt',
    opts=pulumi.ResourceOptions(depends_on=[server]),
    # triggers=[contents('example.txt')],
)


# Observe the contents of the copied file.
observe = command.remote.Command(f"{prefix}-observe",
    connection=connection,
    create='cat example.txt',
    opts=pulumi.ResourceOptions(depends_on=[cp]),
    # triggers=[contents('example.txt')],
)


pulumi.export('public_ip', server.public_ip)
pulumi.export('public_dns', server.public_dns)
pulumi.export('observe_stdout', observe.stdout)

README.md

Does CopyFile detect changes in a local file to initiate a replacement on the remote machine?

./make-keys.sh
pulumi stack init repro
pulumi stack select repro
./configure-keys.sh

pulumi up --yes

pulumi stack output observe_stdout  # "Hello"

echo "World" > example.txt

pulumi up --yes

# Resources: 7 unchanged?

pulumi stack output observe_stdout  # "Hello" ?

It appears that editing the file locally does not trigger a replacement by default.

It is possible to make the example work as expected using triggers:

triggers=[contents('example.txt')]

Using contents of the file here, but a hash would do also.

But this feels a little surprising and something that needs to be documented in examples to the user.

Consider making file hash a default implicit trigger for CopyFile?

Also, is it possible for replacements to cascade in Pulumi via depends_on, so that Command that depends_on a CopyFile will replace itself once the CopyFile is replaced, or this is convtroversial?

configure-keys.sh

#!/usr/bin/env bash

set -euo pipefail

cat rsa.pub | pulumi config set publicKey --
cat rsa | pulumi config set privateKey --secret --

example.txt

Hello

keys.py

import pulumi


# Get the config ready to go.
config = pulumi.Config()


# If keyName is provided, an existing KeyPair is used, else if publicKey is provided a new KeyPair derived from the
# publicKey is created.
key_name = config.get('keyName')
public_key = config.get('publicKey')


# The privateKey associated with the selected key must be provided (either directly or base64 encoded)
def decode_key(key):
    try:
        key = base64.b64decode(key.encode('ascii')).decode('ascii')
    except:
        pass
    if key.startswith('-----BEGIN RSA PRIVATE KEY-----'):
        return key
    return key.encode('ascii')


# Decode priviate key.
private_key = config.require_secret('privateKey').apply(decode_key)

make-keys.sh

#!/usr/bin/env bash

set -euo pipefail

ssh-keygen -t rsa -f rsa -b 4096 -m PEM

Pulumi.yaml

name: addb78402b3e91a910b2021bce7c8e1d
description: A minimal Python Pulumi program
runtime:
    name: python
    options:
        virtualenv: venv

requirements.txt

pulumi>=3.0.0,<4.0.0
pulumi-aws>=5.0.0,<6.0.0
pulumi-command