Dynamic value for build argument or secret always triggers an update #678

@saadismail

Hi, thank you for this package, it seems like a massive improvement coming from the pulumi-docker package.

Similar to pulumi/pulumi-docker#539 (comment), I am using AWS CodeArtifact to store my application dependencies:

  1. my docker images need AWS CodeArtifact credentials to download libraries
  2. the credentials are passed as build argument for the purpose of downloading the libraries
  3. credentials are temporary so next CI run uses different credentials
  4. this always triggers an "update" because "build context" is different between the old state and the new state: https://github.com/pulumi/pulumi-docker/blob/master/provider/provider.go#L295-L295

I have skimmed some code and this seems like an intentional "feature", as a secret/arg might change and it would be better to rebuild the image in 99.99+% of cases - but I have that remaining 0.01% case :D

How would you suggest avoiding the unnecessary rebuilds in this case?

I think it would be worthwhile to allow users to add an exclusion list for arg/secret (ideally both) and then, similar to how registry credential updates do not trigger an update, we can do the same for user-defined exclusions.

I can help with the above change if that makes sense. P.S. This will be my first Pulumi contribution, so I might need some pointers.
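The exclusion list proposed above, sketched as an added example; it is not code from the post or from the Pulumi provider. `Inputs`, `Fingerprint`, `NeedsUpdate` and the arg names and token values are assumptions constructed for illustration.

```go
package main

import (
	"crypto/sha256"
	"fmt"
	"sort"
)

// Inputs is a hypothetical model of the build values compared between runs.
type Inputs struct{ Args, Secrets map[string]string }

// Fingerprint hashes args and secrets in sorted key order. For a key listed in
// ignore the value is left out but the key is kept, so adding or removing an
// ignored input still counts as a change.
func Fingerprint(in Inputs, ignore map[string]bool) string {
	h := sha256.New()
	// Length-prefixed fields keep the boundaries between values unambiguous.
	put := func(s string) { fmt.Fprintf(h, "%d:%s,", len(s), s) }
	for i, kv := range []map[string]string{in.Args, in.Secrets} {
		keys := make([]string, 0, len(kv))
		for k := range kv {
			keys = append(keys, k)
		}
		sort.Strings(keys)
		for _, k := range keys {
			v := kv[k]
			if ignore[k] {
				v = "" // a rotating credential contributes only its name
			}
			put([]string{"arg", "secret"}[i])
			put(k)
			put(v)
		}
	}
	return fmt.Sprintf("%x", h.Sum(nil))
}

// NeedsUpdate reports whether two runs differ once ignored values are dropped.
func NeedsUpdate(old, cur Inputs, ignore map[string]bool) bool {
	return Fingerprint(old, ignore) != Fingerprint(cur, ignore)
}

// Constructed sample: two CI runs that differ only in the temporary token.
func main() {
	ign := map[string]bool{"CODEARTIFACT_AUTH_TOKEN": true}
	a := Inputs{Args: map[string]string{"CODEARTIFACT_AUTH_TOKEN": "token-run-1", "APP_ENV": "prod"}}
	b := Inputs{Args: map[string]string{"CODEARTIFACT_AUTH_TOKEN": "token-run-2", "APP_ENV": "prod"}}
	fmt.Println(NeedsUpdate(a, b, nil), NeedsUpdate(a, b, ign))
}
```

With this scheme a change to an ignored value alone never triggers a rebuild, so the list should name only values that are expected to rotate on every run.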
