Add support for PULUMI_ACCESS_TOKEN (#1050)

* Add support for PULUMI_ACCESS_TOKEN

* Return err if PULUMI_ACCESS_TOKEN is not set

* Add Domainname field to ServiceInfo in BYOC update method

* Change pulumi-backend flag to persistent in CD and compose commands

* Improve error message for unset PULUMI_ACCESS_TOKEN in Pulumi Cloud

Author: lionello

README.md

@@ -116,9 +116,12 @@ The Defang CLI recognizes the following environment variables:
 - `DEFANG_NO_CACHE` - If set to `true`, disables pull-through caching of container images; defaults to `false`
 - `DEFANG_PREFIX` - The prefix to use for all BYOC resources; defaults to `Defang`
 - `DEFANG_PROVIDER` - The name of the cloud provider to use, `auto` (default), `aws`, `digitalocean`, `gcp`, or `defang`
+- `DEFANG_PULUMI_BACKEND` - The Pulumi backend URL or `"pulumi-cloud"`; defaults to a self-hosted backend
 - `DEFANG_PULUMI_DIR` - Run Pulumi from this folder, instead of spawning a cloud task; requires `--debug` (BYOC only)
 - `DEFANG_PULUMI_VERSION` - Override the version of the Pulumi image to use (`aws` provider only)
 - `NO_COLOR` - If set to any value, disables color output; by default, color output is enabled depending on the terminal
+- `PULUMI_ACCESS_TOKEN` - The Pulumi access token to use for authentication to Pulumi Cloud; see `DEFANG_PULUMI_BACKEND`
+- `PULUMI_CONFIG_PASSPHRASE` - Passphrase used to generate a unique key for your stack, and configuration and encrypted state values
 - `TZ` - The timezone to use for log timestamps: an IANA TZ name like `UTC` or `Europe/Amsterdam`; defaults to `Local`
 - `XDG_STATE_HOME` - The directory to use for storing state; defaults to `~/.local/state`
 

src/cmd/cli/command/commands.go

@@ -18,6 +18,7 @@ import (
 	"github.com/DefangLabs/defang/src/pkg"
 	"github.com/DefangLabs/defang/src/pkg/cli"
 	cliClient "github.com/DefangLabs/defang/src/pkg/cli/client"
+	"github.com/DefangLabs/defang/src/pkg/cli/client/byoc"
 	"github.com/DefangLabs/defang/src/pkg/cli/compose"
 	"github.com/DefangLabs/defang/src/pkg/clouds/aws"
 	"github.com/DefangLabs/defang/src/pkg/logs"
@@ -173,6 +174,7 @@ func SetupCommands(ctx context.Context, version string) {
 
 	// CD command
 	RootCmd.AddCommand(cdCmd)
+	cdCmd.PersistentFlags().StringVar(&byoc.DefangPulumiBackend, "pulumi-backend", "", `specify an alternate Pulumi backend URL or "pulumi-cloud"`)
 	cdCmd.AddCommand(cdDestroyCmd)
 	cdCmd.AddCommand(cdDownCmd)
 	cdCmd.AddCommand(cdRefreshCmd)

src/cmd/cli/command/compose.go

@@ -11,6 +11,7 @@ import (
 	"github.com/DefangLabs/defang/src/pkg"
 	"github.com/DefangLabs/defang/src/pkg/cli"
 	cliClient "github.com/DefangLabs/defang/src/pkg/cli/client"
+	"github.com/DefangLabs/defang/src/pkg/cli/client/byoc"
 	"github.com/DefangLabs/defang/src/pkg/cli/compose"
 	"github.com/DefangLabs/defang/src/pkg/logs"
 	"github.com/DefangLabs/defang/src/pkg/term"
@@ -521,6 +522,7 @@ services:
 	// composeCmd.Flags().Int("parallel", -1, "Control max parallelism, -1 for unlimited (default -1)"); TODO: Implement compose option
 	// composeCmd.Flags().String("profile", "", "Specify a profile to enable"); TODO: Implement compose option
 	// composeCmd.Flags().String("project-directory", "", "Specify an alternate working directory"); TODO: Implement compose option
+	composeCmd.PersistentFlags().StringVar(&byoc.DefangPulumiBackend, "pulumi-backend", "", `specify an alternate Pulumi backend URL or "pulumi-cloud"`)
 	composeCmd.AddCommand(makeComposeUpCmd())
 	composeCmd.AddCommand(makeComposeConfigCmd())
 	composeCmd.AddCommand(makeComposeDownCmd())

src/pkg/cli/client/byoc/aws/byoc.go

@@ -399,18 +399,24 @@ func (b *ByocAws) bucketName() string {
 	return pkg.Getenv("DEFANG_CD_BUCKET", b.driver.BucketName)
 }
 
-func (b *ByocAws) environment(projectName string) map[string]string {
+func (b *ByocAws) environment(projectName string) (map[string]string, error) {
 	region := b.driver.Region // TODO: this should be the destination region, not the CD region; make customizable
+	defangStateUrl := fmt.Sprintf(`s3://%s?region=%s&awssdk=v2`, b.bucketName(), region)
+	pulumiBackendKey, pulumiBackendValue, err := byoc.GetPulumiBackend(defangStateUrl)
+	if err != nil {
+		return nil, err
+	}
 	env := map[string]string{
 		// "AWS_REGION":               region.String(), should be set by ECS (because of CD task role)
 		"DEFANG_DEBUG":               os.Getenv("DEFANG_DEBUG"), // TODO: use the global DoDebug flag
 		"DEFANG_ORG":                 b.TenantName,
 		"DEFANG_PREFIX":              byoc.DefangPrefix,
+		"DEFANG_STATE_URL":           defangStateUrl,
 		"NPM_CONFIG_UPDATE_NOTIFIER": "false",
 		"PRIVATE_DOMAIN":             byoc.GetPrivateDomain(projectName),
-		"PROJECT":                    projectName, // may be empty
-		"PULUMI_BACKEND_URL":         fmt.Sprintf(`s3://%s?region=%s&awssdk=v2`, b.bucketName(), region),
-		"PULUMI_CONFIG_PASSPHRASE":   pkg.Getenv("PULUMI_CONFIG_PASSPHRASE", "asdf"), // TODO: make customizable
+		"PROJECT":                    projectName,                 // may be empty
+		pulumiBackendKey:             pulumiBackendValue,          // TODO: make secret
+		"PULUMI_CONFIG_PASSPHRASE":   byoc.PulumiConfigPassphrase, // TODO: make secret
 		"PULUMI_SKIP_UPDATE_CHECK":   "true",
 		"STACK":                      b.PulumiStack,
 	}
@@ -419,7 +425,7 @@ func (b *ByocAws) environment(projectName string) map[string]string {
 		env["NO_COLOR"] = "1"
 	}
 
-	return env
+	return env, nil
 }
 
 type cdCmd struct {
@@ -432,7 +438,10 @@ type cdCmd struct {
 
 func (b *ByocAws) runCdCommand(ctx context.Context, cmd cdCmd) (ecs.TaskArn, error) {
 	// Setup the deployment environment
-	env := b.environment(cmd.project)
+	env, err := b.environment(cmd.project)
+	if err != nil {
+		return nil, err
+	}
 	if cmd.delegationSetId != "" {
 		env["DELEGATION_SET_ID"] = cmd.delegationSetId
 	}

src/pkg/cli/client/byoc/baseclient.go

@@ -4,8 +4,6 @@ import (
 	"context"
 	"errors"
 	"fmt"
-	"os"
-	"os/exec"
 	"strings"
 
 	"github.com/DefangLabs/defang/src/pkg"
@@ -17,25 +15,6 @@ import (
 	composeTypes "github.com/compose-spec/compose-go/v2/types"
 )
 
-const (
-	CdDefaultImageTag = "public-beta" // for when a project has no cd version, this would be a old deployment
-	CdLatestImageTag  = "public-beta" // Update this to the latest CD service major version number whenever cd major is changed
-	CdTaskPrefix      = "defang-cd"   // WARNING: renaming this practically deletes the Pulumi state
-)
-
-var (
-	DefangPrefix = pkg.Getenv("DEFANG_PREFIX", "Defang") // prefix for all resources created by Defang
-)
-
-// This function was copied from Fabric controller and slightly modified to work with BYOC
-func DnsSafeLabel(fqn string) string {
-	return strings.ReplaceAll(DnsSafe(fqn), ".", "-")
-}
-
-func DnsSafe(fqdn string) string {
-	return strings.ToLower(fqdn)
-}
-
 type ErrMultipleProjects struct {
 	ProjectNames []string
 }
@@ -82,37 +61,6 @@ func MakeEnv(key string, value any) string {
 	return fmt.Sprintf("%s=%q", key, value)
 }
 
-func runLocalCommand(ctx context.Context, dir string, env []string, cmd ...string) error {
-	command := exec.CommandContext(ctx, cmd[0], cmd[1:]...)
-	command.Dir = dir
-	command.Env = env
-	command.Stdout = os.Stdout
-	command.Stderr = os.Stderr
-	return command.Run()
-}
-
-func DebugPulumi(ctx context.Context, env []string, cmd ...string) error {
-	// Locally we use the "dev" script from package.json to run Pulumi commands, which uses ts-node
-	localCmd := append([]string{"npm", "run", "dev"}, cmd...)
-	term.Debug(strings.Join(append(env, localCmd...), " "))
-
-	dir := os.Getenv("DEFANG_PULUMI_DIR")
-	if dir == "" {
-		return nil // show the shell command, but use regular Pulumi command in cloud task
-	}
-
-	// Run the Pulumi command locally
-	env = append([]string{
-		"PATH=" + os.Getenv("PATH"),
-		"USER=" + pkg.GetCurrentUser(), // needed for Pulumi
-	}, env...)
-	if err := runLocalCommand(ctx, dir, env, localCmd...); err != nil {
-		return err
-	}
-	// We always return an error to stop the CLI from "tailing" the cloud logs
-	return errors.New("local pulumi command succeeded; stopping")
-}
-
 func (b *ByocBaseClient) GetProjectLastCDImage(ctx context.Context, projectName string) (string, error) {
 	projUpdate, err := b.projectBackend.GetProjectUpdate(ctx, projectName)
 	if err != nil {
@@ -126,11 +74,6 @@ func (b *ByocBaseClient) GetProjectLastCDImage(ctx context.Context, projectName
 	return projUpdate.CdVersion, nil
 }
 
-func ExtractImageTag(fullQualifiedImageURI string) string {
-	index := strings.LastIndex(fullQualifiedImageURI, ":")
-	return fullQualifiedImageURI[index+1:]
-}
-
 func (b *ByocBaseClient) Debug(context.Context, *defangv1.DebugRequest) (*defangv1.DebugResponse, error) {
 	return nil, client.ErrNotImplemented("AI debugging is not yet supported for BYOC")
 }
@@ -139,11 +82,6 @@ func (b *ByocBaseClient) SetCDImage(image string) {
 	b.CDImage = image
 }
 
-func (b *ByocBaseClient) GetVersions(context.Context) (*defangv1.Version, error) {
-	// we want only the latest version of the CD service this CLI was compiled to expect
-	return &defangv1.Version{Fabric: CdLatestImageTag}, nil
-}
-
 func (b *ByocBaseClient) ServiceDNS(name string) string {
 	return DnsSafeLabel(name) // TODO: consider merging this with getPrivateFqdn
 }
@@ -194,7 +132,7 @@ func (b *ByocBaseClient) GetServiceInfos(ctx context.Context, projectName, deleg
 		serviceInfo.Etag = etag // same etag for all services
 		serviceInfoMap[service.Name] = &Node{
 			Name:        service.Name,
-			Deps:        getDependencies(service),
+			Deps:        service.GetDependencies(),
 			ServiceInfo: serviceInfo,
 		}
 	}
@@ -234,14 +172,6 @@ func topologicalSort(nodes map[string]*Node) []*defangv1.ServiceInfo {
 	return serviceInfos
 }
 
-func getDependencies(service composeTypes.ServiceConfig) []string {
-	deps := []string{}
-	for depServiceName := range service.DependsOn {
-		deps = append(deps, depServiceName)
-	}
-	return deps
-}
-
 // This function was based on update function from Fabric controller and slightly modified to work with BYOC
 func (b *ByocBaseClient) update(ctx context.Context, projectName, delegateDomain string, service composeTypes.ServiceConfig) (*defangv1.ServiceInfo, error) {
 	if err := compose.ValidateService(&service); err != nil {
@@ -250,9 +180,10 @@ func (b *ByocBaseClient) update(ctx context.Context, projectName, delegateDomain
 
 	pkg.Ensure(projectName != "", "ProjectName not set")
 	si := &defangv1.ServiceInfo{
-		Etag:    pkg.RandomID(), // TODO: could be hash for dedup/idempotency
-		Project: projectName,    // was: tenant
-		Service: &defangv1.Service{Name: service.Name},
+		Etag:       pkg.RandomID(), // TODO: could be hash for dedup/idempotency
+		Project:    projectName,    // was: tenant
+		Service:    &defangv1.Service{Name: service.Name},
+		Domainname: service.DomainName,
 	}
 
 	hasHost := false
@@ -340,7 +271,3 @@ func (b ByocBaseClient) GetPrivateFqdn(projectName string, fqn string) string {
 	safeFqn := DnsSafeLabel(fqn)
 	return fmt.Sprintf("%s.%s", safeFqn, GetPrivateDomain(projectName)) // TODO: consider merging this with ServiceDNS
 }
-
-func GetPrivateDomain(projectName string) string {
-	return DnsSafeLabel(projectName) + ".internal"
-}

src/pkg/cli/client/byoc/common.go

@@ -0,0 +1,87 @@
+package byoc
+
+import (
+	"context"
+	"errors"
+	"os"
+	"os/exec"
+	"strings"
+
+	"github.com/DefangLabs/defang/src/pkg"
+	"github.com/DefangLabs/defang/src/pkg/term"
+)
+
+const (
+	CdTaskPrefix = "defang-cd" // WARNING: renaming this practically deletes the Pulumi state
+)
+
+var (
+	DefangPrefix           = pkg.Getenv("DEFANG_PREFIX", "Defang") // prefix for all resources created by Defang
+	DefangPulumiBackend    = os.Getenv("DEFANG_PULUMI_BACKEND")
+	PulumiConfigPassphrase = pkg.Getenv("PULUMI_CONFIG_PASSPHRASE", "asdf")
+)
+
+func getPulumiAccessToken() (string, error) {
+	pat := os.Getenv("PULUMI_ACCESS_TOKEN")
+	if pat == "" {
+		// TODO: could consider parsing ~/.pulumi/credentials.json
+		return "", errors.New("PULUMI_ACCESS_TOKEN must be set for Pulumi Cloud")
+	}
+	return pat, nil
+}
+
+func GetPulumiBackend(stateUrl string) (string, string, error) {
+	switch strings.ToLower(DefangPulumiBackend) {
+	case "pulumi-cloud":
+		pat, err := getPulumiAccessToken()
+		return "PULUMI_ACCESS_TOKEN", pat, err
+	case "":
+		return "PULUMI_BACKEND_URL", stateUrl, nil
+	default:
+		return "PULUMI_BACKEND_URL", DefangPulumiBackend, nil
+	}
+}
+
+// This function was copied from Fabric controller and slightly modified to work with BYOC
+func DnsSafeLabel(fqn string) string {
+	return strings.ReplaceAll(DnsSafe(fqn), ".", "-")
+}
+
+func DnsSafe(fqdn string) string {
+	return strings.ToLower(fqdn)
+}
+
+func runLocalCommand(ctx context.Context, dir string, env []string, cmd ...string) error {
+	command := exec.CommandContext(ctx, cmd[0], cmd[1:]...)
+	command.Dir = dir
+	command.Env = env
+	command.Stdout = os.Stdout
+	command.Stderr = os.Stderr
+	return command.Run()
+}
+
+func DebugPulumi(ctx context.Context, env []string, cmd ...string) error {
+	// Locally we use the "dev" script from package.json to run Pulumi commands, which uses ts-node
+	localCmd := append([]string{"npm", "run", "dev"}, cmd...)
+	term.Debug(strings.Join(append(env, localCmd...), " "))
+
+	dir := os.Getenv("DEFANG_PULUMI_DIR")
+	if dir == "" {
+		return nil // show the shell command, but use regular Pulumi command in cloud task
+	}
+
+	// Run the Pulumi command locally
+	env = append([]string{
+		"PATH=" + os.Getenv("PATH"),
+		"USER=" + pkg.GetCurrentUser(), // needed for Pulumi
+	}, env...)
+	if err := runLocalCommand(ctx, dir, env, localCmd...); err != nil {
+		return err
+	}
+	// We always return an error to stop the CLI from "tailing" the cloud logs
+	return errors.New("local pulumi command succeeded; stopping")
+}
+
+func GetPrivateDomain(projectName string) string {
+	return DnsSafeLabel(projectName) + ".internal"
+}