Ensuring env var is always taken over account backend url

[IaroslavTitov]

Summary

• Fixes pulumi env ls doesn't respect PULUMI_BACKEND_URL #473
• Makes ESC CLI always prefer env var PULUMI_BACKEND_URL over backend url saved into the account
• If backendURL is overridden, then login will run and look for PULUMI_ACCESS_TOKEN env var, falling back to accounts if it's not specified

Testing

• Manually tested, the scenario in ticket now works
• Manually tested case when invalid backend URL is set via env var (or if user never logged in with that backend), user will see Error: no credentials. Please run esc login to log in.

[ringods]

@IaroslavTitov I don't agree with your statement here:

Instead of setting a variable, user should just run pulumi login --cloud-url ... to switch accounts

I even have a complete opposite standpoint. If someone is working with multiple accounts, using different values for a specific environment variable allows for easy switching, definitely if you do this using direnv. This all becomes automatic by going into a specific directory.

I would also favor to remain consistent with the core Pulumi CLI, where I requested this via pulumi/pulumi#13919 and this was integrated in Pulumi v3.130.0.

[ringods]

This is not correct IMO. If both PULUMI_BACKEND_URL and PULUMI_ACCESS_TOKEN are defined, and this is the first time that we use this backend, Pulumi will auto login using these environment variables.

[IaroslavTitov]

I would also favor to remain consistent with the core Pulumi CLI

Sounds good, I didn't realize there's a precedent with Pulumi CLI, ignore the comment 😅

This is not correct IMO

I was trying to prevent user footgun, when one sets PULUMI_BACKEND_URL, but not the token. In that case, Error: listing environments: [401] Unauthorized: No credentials provided or are invalid. will be returned. So the scenario in the ticket wouldn't work unless a token is specified along with the backend URL. But yeah, if that's the desirable behavior, I'll just remove this block.

[IaroslavTitov]

Actually, changed the check to run login if backendURL is different than the one in logged in account - this way it runs the same login logic, preferring PULUMI_ACCESS_TOKEN, but still falling back to accounts, so best of both worlds

[tobiashenkel]

@IaroslavTitov I don't agree with your statement here:

Instead of setting a variable, user should just run pulumi login --cloud-url ... to switch accounts

I even have a complete opposite standpoint. If someone is working with multiple accounts, using different values for a specific environment variable allows for easy switching, definitely if you do this using direnv. This all becomes automatic by going into a specific directory.

I would also favor to remain consistent with the core Pulumi CLI, where I requested this via pulumi/pulumi#13919 and this was integrated in Pulumi v3.130.0.

Our use case here (besides consistency with the pulumi cli): Suppose you have two shell sessions open on different stacks using different backends. Using the env var will make running the two possible in a seamless way (e.g. by using direnv) where a pulumi login ... call writes into a global file which makes it impossible to select the backend per session (unless you have completely different PULUMI_HOME dirs with their own config files).

[komalali]

Can we add tests for this?

[IaroslavTitov]

Can we add tests for this?

Done! Please take a look, recreated the scenario from the issue as a test

[pulumi-bot]

This PR has been shipped in release v0.13.1.

[pulumi-bot]

This PR has been shipped in release v0.13.2.