https://github.com/pulumi/examples/tree/master/aws-ts-organizations panics

[Frassle]

What happened?

Trying to run https://github.com/pulumi/examples/tree/master/aws-ts-organizations (with some minor fixups to create the organization) causes a panic in the aws provider.

    panic: interface conversion: interface {} is resource.Computed, not resource.PropertyMap
    goroutine 40 [running]:
    github.com/pulumi/pulumi/sdk/v3/go/common/resource.PropertyValue.ObjectValue(...)
        /home/runner/go/pkg/mod/github.com/pulumi/pulumi/sdk/v3@v3.64.0/go/common/resource/properties.go:435
    github.com/pulumi/pulumi-aws/provider/v5.preConfigureCallback(0xc002ffc500?, {0x71?, 0x1000000000101?})
        /home/runner/work/pulumi-aws/pulumi-aws/provider/resources.go:361 +0xbbb
    github.com/pulumi/pulumi-terraform-bridge/v3/pkg/tfbridge.(*Provider).CheckConfig(0xc002ffc500, {0xf1666e8, 0xc0013a57d0}, 0xc0013aa240)
        /home/runner/go/pkg/mod/github.com/pulumi/pulumi-terraform-bridge/v3@v3.45.3/pkg/tfbridge/provider.go:327 +0x346
    github.com/pulumi/pulumi/sdk/v3/proto/go._ResourceProvider_CheckConfig_Handler.func1({0xf1666e8, 0xc0013a57d0}, {0xd405160?, 0xc0013aa240})
        /home/runner/go/pkg/mod/github.com/pulumi/pulumi/sdk/v3@v3.64.0/proto/go/provider_grpc.pb.go:426 +0x78
    github.com/grpc-ecosystem/grpc-opentracing/go/otgrpc.OpenTracingServerInterceptor.func1({0xf1666e8, 0xc0013a4600}, {0xd405160, 0xc0013aa240}, 0xc0013a22c0, 0xc0013da858)
        /home/runner/go/pkg/mod/github.com/grpc-ecosystem/grpc-opentracing@v0.0.0-20180507213350-8e809c8a8645/go/otgrpc/server.go:57 +0x3f9
    github.com/pulumi/pulumi/sdk/v3/proto/go._ResourceProvider_CheckConfig_Handler({0xda337a0?, 0xc002ffc500}, {0xf1666e8, 0xc0013a4600}, 0xc002422070, 0xc0030f44a0)
        /home/runner/go/pkg/mod/github.com/pulumi/pulumi/sdk/v3@v3.64.0/proto/go/provider_grpc.pb.go:428 +0x138
    google.golang.org/grpc.(*Server).processUnaryRPC(0xc000566000, {0xf1782a0, 0xc003100b60}, 0xc0005f0000, 0xc0030e5980, 0x17cbecf8, 0x0)
        /home/runner/go/pkg/mod/google.golang.org/grpc@v1.54.0/server.go:1345 +0xdf0
    google.golang.org/grpc.(*Server).handleStream(0xc000566000, {0xf1782a0, 0xc003100b60}, 0xc0005f0000, 0x0)
        /home/runner/go/pkg/mod/google.golang.org/grpc@v1.54.0/server.go:1722 +0xa2f
    google.golang.org/grpc.(*Server).serveStreams.func1.2()
        /home/runner/go/pkg/mod/google.golang.org/grpc@v1.54.0/server.go:966 +0x98
    created by google.golang.org/grpc.(*Server).serveStreams.func1
        /home/runner/go/pkg/mod/google.golang.org/grpc@v1.54.0/server.go:964 +0x28a

Expected Behavior

The example to work

Steps to reproduce

1. Checkout https://github.com/pulumi/examples/tree/master/aws-ts-organizations
2. Change the example to create the org (see Fix up aws-ts-organizations example examples#1418 for some fixups for this)
3. Set required config values (aws:region and aws-ts-organizations:devAccountEmailContact)
4. Run pulumi up

Output of pulumi about

CLI
Version      3.65.2-dev.0
Go Version   go1.20
Go Compiler  gc

Plugins
NAME    VERSION
aws     5.39.0
docker  3.6.1
nodejs  unknown

Host
OS       ubuntu
Version  20.04
Arch     x86_64

This project is written in nodejs: executable='/home/linuxbrew/.linuxbrew/bin/node' version='v19.8.1'

Current Stack: Frassle/aws-ts-organizations/dev

Found no resources associated with dev

Found no pending operations associated with dev

Backend
Name           pulumi.com
URL            https://app.pulumi.com/Frassle
User           Frassle
Organizations  Frassle, pulumi

Dependencies:
NAME            VERSION
@types/node     14.18.44
@pulumi/aws     5.39.0
@pulumi/awsx    0.40.1
@pulumi/pulumi  3.66.0

Pulumi locates its logs in /tmp by default

Additional context

Reported initially on community slack at https://pulumi-community.slack.com/archives/C01PF3E1B8V/p1683276289324129

Contributing

Vote on this issue by adding a 👍 reaction.
To contribute a fix for this issue, leave a comment (and link to your pull request, if you've opened one already).

[thomas11]

Can you share your assumeRole config? According to the stack trace, in if details, ok := vars["assumeRole"]; ok, ok is true.

[Frassle]

It's set in the example (explicit provider):

const devAccountProvider = new aws.Provider("devAccountProvider", {
    allowedAccountIds: [devAccount.id],
    assumeRole: {
        roleArn: pulumi.interpolate`arn:aws:iam::${devAccount.id}:role/${initialRoleName}`,
    },
});

[t0yv0]

Looks like there's might be a behavior change originating from pulumi/pulumi-terraform-bridge#991 work. Looks like PreConfigureCallback may now be exposed to to Computed values representing "unknowns" at preview. This is an unintentional change.

What should we do here, what's the desired by-design behavior, 🤔 Perhaps we should skip PreConfigurCallback? Replace unknowns with null before calling it?

[t0yv0]

Let's see what the prior behavior was. I think what happens is if there are unknowns, the engine would call CheckConfig with the unknowns but if CheckConfig returns the unknowns back it would not call Configure. So the prior behavior was that the PreConfigureCallback would not get called at all in this situation I think. I can confirm experimentally.

[t0yv0]

Updating to https://github.com/pulumi/pulumi-terraform-bridge/releases/tag/v3.46.1 bridge should fix the issue.

[troinine]

As the original reporter of the issue in Slack, I can confirm that this issue is now resolved in v5.40.0 and aws.Provider can now be used to assume a role in a different organization. Many, many thanks for the quick resolution!