Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Pulumi replaces appconfig HostedConfigurationVersion and Deployment every time #2172

Open
karthik-rangarajan opened this issue Oct 7, 2022 · 4 comments
Open

Pulumi replaces appconfig HostedConfigurationVersion and Deployment every time #2172

karthik-rangarajan opened this issue Oct 7, 2022 · 4 comments
Labels
awaiting-upstream The issue cannot be resolved without action in another repository (may be owned by Pulumi). bug/diff kind/bug related to Pulumi generating wrong diffs on preview or up. impact/reliability Something that feels unreliable or flaky impact/usability Something that impacts users' ability to use the product easily and intuitively kind/bug Some behavior is incorrect or out of spec

Comments

@karthik-rangarajan
Copy link

karthik-rangarajan commented Oct 7, 2022
edited
Loading

What happened?

We have an appconfig.HostedConfiguration and appconfig.Deployment that is used in our infrastructure, and every time we run pulumi up, it assumes there is new content, replaces that content, bumps the configuration version, and updates the resources.

Steps to reproduce

We have the following code:

    const application = new aws.appconfig.Application('companyAppServerConfig', {
        description: 'AppConfig Application',
        tags: {
            Name: 'AppConfig Application',
        },
    });

    const applicationIdParam = new aws.ssm.Parameter('appconfigApplicationIdParam', {
        name: 'FEATUREFLAG_APP_ID',
        tier: 'Standard',
        type: 'String',
        value: application.id,
    });

    const environment = new aws.appconfig.Environment('companyAppServerEnv', {
        description: 'AppConfig Environment',
        applicationId: application.id,
        tags: {
            Name: 'AppConfig Environment',
        },
    });

    // used for the app server to access the environment id
    const environmentIdParam = new aws.ssm.Parameter('appconfigEnvironmentIdParam', {
        name: 'FEATUREFLAG_ENV_ID',
        tier: 'Standard',
        type: 'String',
        value: environment.environmentId,
    });

    const featureFlagConfigurationProfile = new aws.appconfig.ConfigurationProfile('featureFlagConfigProfile', {
        description: 'Basic Feature Flag Configuration Profile',
        applicationId: application.id,
        locationUri: 'hosted',
        type: 'AWS.AppConfig.FeatureFlags',
        validators: [
            {
                content: JSON.stringify(validatorJson),
                type: 'JSON_SCHEMA',
            },
        ],
        tags: {
            Type: 'AppConfig Configuration Profile',
        },
    });

    // used for the app server to access the configuration profile id
    const profileIdParam = new aws.ssm.Parameter('appconfigProfileIdParam', {
        name: 'FEATUREFLAG_PROFILE_ID',
        tier: 'Standard',
        type: 'String',
        value: featureFlagConfigurationProfile.configurationProfileId,
    });

    const featureFlagsJson: Input<string> = JSON.stringify(featureFlagJson);

    const featureFlagsConfiguration = new aws.appconfig.HostedConfigurationVersion('featureFlagsConfiguration', {
        applicationId: application.id,
        configurationProfileId: featureFlagConfigurationProfile.configurationProfileId,
        description: 'Feature Flags Hosted Configuration',
        contentType: 'application/json',
        content: featureFlagsJson,
    });

    const featureFlagsDeployment = new aws.appconfig.Deployment('featureFlagsDeployment', {
        applicationId: application.id,
        configurationProfileId: featureFlagsConfiguration.configurationProfileId,
        configurationVersion: pulumi.interpolate`${featureFlagsConfiguration.versionNumber}`,
        deploymentStrategyId: 'AppConfig.AllAtOnce',
        description: 'Demo feature flag deployment',
        environmentId: environment.environmentId,
        tags: {
            Type: 'AppConfig Deployment',
        },
    });

and some other code to modify IAM policy and attach this to ECS.

Expected Behavior

There are no changes unless the feature flags defined in featureFlagsJson actually change.

Actual Behavior

Whenever we run pulumi up the following happens:

++aws:appconfig/hostedConfigurationVersion:HostedConfigurationVersion: (create-replacement)
        [id=bw9uhy5/pqvw63r/12]
        [urn=urn:pulumi:prod::company::aws:appconfig/hostedConfigurationVersion:HostedConfigurationVersion::featureFlagsConfiguration]
        [provider=urn:pulumi:prod::company::pulumi:providers:aws::default_5_11_0::683dfff3-88e1-4c79-bc9f-9818f6e62c98]
      ~ content: [secret] => (json) {
          + flags  : {
              + demoDisabled: {
                  + attributes: {
                      + user_ids: {
                          + constraints: {
                              + type: "array"
                            }
                        }
                      + value      : {
                          + constraints: {
                              + type: "boolean"
                            }
                        }
                    }
                  + name      : "demoDisabled"
                }
            + version: "1"
         }

    +-aws:appconfig/hostedConfigurationVersion:HostedConfigurationVersion: (replace)
        [id=bw9uhy5/pqvw63r/12]
        [urn=urn:pulumi:prod::company::aws:appconfig/hostedConfigurationVersion:HostedConfigurationVersion::featureFlagsConfiguration]
        [provider=urn:pulumi:prod::company::pulumi:providers:aws::default_5_11_0::683dfff3-88e1-4c79-bc9f-9818f6e62c98]
      ~ content: [secret] => (json) {
          + flags  : {
              + demoDisabled: {
                  + attributes: {
                      + user_ids: {
                          + constraints: {
                              + type: "array"
                            }
                        }
                      + value      : {
                          + constraints: {
                              + type: "boolean"
                            }
                        }
                    }
                  + name      : "demoDisabled"
                }
          + version: "1"
        }

    ++aws:appconfig/deployment:Deployment: (create-replacement)
        [id=bw9uhy5/89x86oq/8]
        [urn=urn:pulumi:prod::company::aws:appconfig/deployment:Deployment::featureFlagsDeployment]
        [provider=urn:pulumi:prod::company::pulumi:providers:aws::default_5_11_0::683dfff3-88e1-4c79-bc9f-9818f6e62c98]
      ~ configurationVersion: "12" => output<string>
    +-aws:appconfig/deployment:Deployment: (replace)
        [id=bw9uhy5/89x86oq/8]
        [urn=urn:pulumi:prod::company::aws:appconfig/deployment:Deployment::featureFlagsDeployment]
        [provider=urn:pulumi:prod::company::pulumi:providers:aws::default_5_11_0::683dfff3-88e1-4c79-bc9f-9818f6e62c98]
      ~ configurationVersion: "12" => output<string>

Output of pulumi about

Version      3.42.0
Go Version   go1.19.1
Go Compiler  gc

Plugins
NAME    VERSION
aws     5.11.0
docker  3.4.1
nodejs  unknown

Host
OS       darwin
Version  12.6
Arch     arm64

This project is written in nodejs: executable='/Users/karthik/.nvm/versions/node/v16.15.1/bin/node' version='v16.15.1'

Current Stack: company/prod

TYPE                                                                 URN
pulumi:pulumi:Stack                                                  urn:pulumi:prod::company::pulumi:pulumi:Stack::company-prod
pulumi:providers:aws                                                 urn:pulumi:prod::company::pulumi:providers:aws::default_5_11_0
aws:ssm/parameter:Parameter                                          urn:pulumi:prod::company::aws:ssm/parameter:Parameter::metabasePostgresUser
aws:kms/key:Key                                                      urn:pulumi:prod::company::aws:kms/key:Key::s3EncryptionKey
aws:iam/role:Role                                                    urn:pulumi:prod::company::aws:iam/role:Role::ecsTaskExecutionRole
aws:iam/role:Role                                                    urn:pulumi:prod::company::aws:iam/role:Role::ecsInstanceRole
aws:ecs/cluster:Cluster                                              urn:pulumi:prod::company::aws:ecs/cluster:Cluster::prod
aws:ec2/launchTemplate:LaunchTemplate                                urn:pulumi:prod::company::aws:ec2/launchTemplate:LaunchTemplate::ecs-instances-reserved
aws:ec2/vpc:Vpc                                                      urn:pulumi:prod::company::aws:ec2/vpc:Vpc::prod
aws:appconfig/application:Application                                urn:pulumi:prod::company::aws:appconfig/application:Application::companyAppServerConfig
aws:ssm/parameter:Parameter                                          urn:pulumi:prod::company::aws:ssm/parameter:Parameter::metabasePostgresPassword
aws:iam/policy:Policy                                                urn:pulumi:prod::company::aws:iam/policy:Policy::appConfigDataPolicy
aws:s3/bucket:Bucket                                                 urn:pulumi:prod::company::aws:s3/bucket:Bucket::userUploadedFiles
aws:s3/bucket:Bucket                                                 urn:pulumi:prod::company::aws:s3/bucket:Bucket::migrationSnapshots
aws:ecs/taskDefinition:TaskDefinition                                urn:pulumi:prod::company::aws:ecs/taskDefinition:TaskDefinition::metabase
aws:iam/rolePolicyAttachment:RolePolicyAttachment                    urn:pulumi:prod::company::aws:iam/rolePolicyAttachment:RolePolicyAttachment::ecsInstanceRole-AmazonECSTaskExecutionRolePolicy
aws:iam/rolePolicy:RolePolicy                                        urn:pulumi:prod::company::aws:iam/rolePolicy:RolePolicy::retrieveFromSSM
aws:iam/rolePolicyAttachment:RolePolicyAttachment                    urn:pulumi:prod::company::aws:iam/rolePolicyAttachment:RolePolicyAttachment::ecsInstanceRole
aws:iam/instanceProfile:InstanceProfile                              urn:pulumi:prod::company::aws:iam/instanceProfile:InstanceProfile::ecsInstanceProfile
aws:alb/targetGroup:TargetGroup                                      urn:pulumi:prod::company::aws:alb/targetGroup:TargetGroup::main
aws:ec2/subnet:Subnet                                                urn:pulumi:prod::company::aws:ec2/subnet:Subnet::private_us_west_2a
aws:ec2/routeTable:RouteTable                                        urn:pulumi:prod::company::aws:ec2/routeTable:RouteTable::privateRouteTable
aws:ec2/internetGateway:InternetGateway                              urn:pulumi:prod::company::aws:ec2/internetGateway:InternetGateway::igw
aws:ec2/subnet:Subnet                                                urn:pulumi:prod::company::aws:ec2/subnet:Subnet::private_us_west_2b
aws:ec2/subnet:Subnet                                                urn:pulumi:prod::company::aws:ec2/subnet:Subnet::public_us_west_2c
aws:ec2/securityGroup:SecurityGroup                                  urn:pulumi:prod::company::aws:ec2/securityGroup:SecurityGroup::alb
aws:ec2/subnet:Subnet                                                urn:pulumi:prod::company::aws:ec2/subnet:Subnet::public_us_west_2a
aws:ec2/subnet:Subnet                                                urn:pulumi:prod::company::aws:ec2/subnet:Subnet::public_us_west_2b
aws:ec2/subnet:Subnet                                                urn:pulumi:prod::company::aws:ec2/subnet:Subnet::private_us_west_2c
aws:alb/targetGroup:TargetGroup                                      urn:pulumi:prod::company::aws:alb/targetGroup:TargetGroup::metabase-tg
aws:appconfig/environment:Environment                                urn:pulumi:prod::company::aws:appconfig/environment:Environment::companyAppServerEnv
aws:ssm/parameter:Parameter                                          urn:pulumi:prod::company::aws:ssm/parameter:Parameter::appconfigApplicationIdParam
aws:iam/rolePolicyAttachment:RolePolicyAttachment                    urn:pulumi:prod::company::aws:iam/rolePolicyAttachment:RolePolicyAttachment::attachAppConfigPolicyToEcsInstance
aws:iam/policy:Policy                                                urn:pulumi:prod::company::aws:iam/policy:Policy::userUploadedFilesBucketPolicy
aws:iam/policy:Policy                                                urn:pulumi:prod::company::aws:iam/policy:Policy::migrationBucketPolicy
aws:ec2/routeTableAssociation:RouteTableAssociation                  urn:pulumi:prod::company::aws:ec2/routeTableAssociation:RouteTableAssociation::privateRouteTableAssociation0
aws:ec2/routeTable:RouteTable                                        urn:pulumi:prod::company::aws:ec2/routeTable:RouteTable::publicRouteTable
aws:ec2/routeTableAssociation:RouteTableAssociation                  urn:pulumi:prod::company::aws:ec2/routeTableAssociation:RouteTableAssociation::privateRouteTableAssociation1
aws:ec2/securityGroup:SecurityGroup                                  urn:pulumi:prod::company::aws:ec2/securityGroup:SecurityGroup::ecs-instances
aws:autoscaling/group:Group                                          urn:pulumi:prod::company::aws:autoscaling/group:Group::ecs-instances-asg
aws:alb/loadBalancer:LoadBalancer                                    urn:pulumi:prod::company::aws:alb/loadBalancer:LoadBalancer::main
aws:ec2/routeTableAssociation:RouteTableAssociation                  urn:pulumi:prod::company::aws:ec2/routeTableAssociation:RouteTableAssociation::privateRouteTableAssociation2
aws:rds/subnetGroup:SubnetGroup                                      urn:pulumi:prod::company::aws:rds/subnetGroup:SubnetGroup::rds-private-subnet-group
aws:ecs/service:Service                                              urn:pulumi:prod::company::aws:ecs/service:Service::metabase
aws:ssm/parameter:Parameter                                          urn:pulumi:prod::company::aws:ssm/parameter:Parameter::appconfigEnvironmentIdParam
aws:iam/rolePolicyAttachment:RolePolicyAttachment                    urn:pulumi:prod::company::aws:iam/rolePolicyAttachment:RolePolicyAttachment::attachS3UserFileUploadsPolicyToEcsInstance
aws:iam/rolePolicyAttachment:RolePolicyAttachment                    urn:pulumi:prod::company::aws:iam/rolePolicyAttachment:RolePolicyAttachment::attachS3PolicyToEcsInstance
aws:ec2/routeTableAssociation:RouteTableAssociation                  urn:pulumi:prod::company::aws:ec2/routeTableAssociation:RouteTableAssociation::publicRouteTableAssociation0
aws:ec2/routeTableAssociation:RouteTableAssociation                  urn:pulumi:prod::company::aws:ec2/routeTableAssociation:RouteTableAssociation::publicRouteTableAssociation1
aws:ec2/routeTableAssociation:RouteTableAssociation                  urn:pulumi:prod::company::aws:ec2/routeTableAssociation:RouteTableAssociation::publicRouteTableAssociation2
aws:ec2/securityGroup:SecurityGroup                                  urn:pulumi:prod::company::aws:ec2/securityGroup:SecurityGroup::rds
aws:ec2/launchTemplate:LaunchTemplate                                urn:pulumi:prod::company::aws:ec2/launchTemplate:LaunchTemplate::ecs-instances
aws:alb/listener:Listener                                            urn:pulumi:prod::company::aws:alb/listener:Listener::http
aws:rds/instance:Instance                                            urn:pulumi:prod::company::aws:rds/instance:Instance::main
aws:alb/listenerRule:ListenerRule                                    urn:pulumi:prod::company::aws:alb/listenerRule:ListenerRule::metabaseListenerRule
aws:appconfig/configurationProfile:ConfigurationProfile              urn:pulumi:prod::company::aws:appconfig/configurationProfile:ConfigurationProfile::featureFlagConfigProfile
aws:ssm/parameter:Parameter                                          urn:pulumi:prod::company::aws:ssm/parameter:Parameter::appconfigProfileIdParam
aws:appconfig/hostedConfigurationVersion:HostedConfigurationVersion  urn:pulumi:prod::company::aws:appconfig/hostedConfigurationVersion:HostedConfigurationVersion::featureFlagsConfiguration
aws:appconfig/deployment:Deployment                                  urn:pulumi:prod::company::aws:appconfig/deployment:Deployment::featureFlagsDeployment


Found no pending operations associated with company/prod

Backend
Name           pulumi.com
URL            https://app.pulumi.com/karthik-rangarajan
User           karthik-rangarajan
Organizations  karthik-rangarajan, company

Pulumi locates its logs in /var/folders/t0/gshbmh7x3xs2t2wkqwg_j1b40000gn/T/ by default
warning: Failed to get information about the Pulumi program's dependencies: Failed to run "/Users/karthik/.nvm/versions/node/v16.15.1/bin/npm ls --json --depth=0": exit status 1

Additional context

No response

Contributing

Vote on this issue by adding a 👍 reaction.
To contribute a fix for this issue, leave a comment (and link to your pull request, if you've opened one already).
@karthik-rangarajan karthik-rangarajan added kind/bug Some behavior is incorrect or out of spec needs-triage Needs attention from the triage team labels Oct 7, 2022
@Frassle Frassle transferred this issue from pulumi/pulumi Oct 7, 2022
@Frassle
Copy link
Member

Frassle commented Oct 7, 2022

Looks like a provider diff issue, moving to pulumi-aws.

@danielrbradley
Copy link
Member

@karthik-rangarajan does the replacement only show during the preview, or does it actually attempt to re-create the resource at the point of deployment?

Also, from the preview, it appears that the previous configuration value was a secret. Do you know why this might have been flagged as a secret? I'm wondering if the secret value could be causing an issue during the diff.

@danielrbradley danielrbradley added impact/usability Something that impacts users' ability to use the product easily and intuitively impact/reliability Something that feels unreliable or flaky awaiting-feedback Blocked on input from the author and removed needs-triage Needs attention from the triage team labels Oct 10, 2022
@karthik-rangarajan
Copy link
Author

It actually recreates the resource to the point where our configuration version is all the way up to 20 now, even though the JSON itself hasn't changed.

I have been trying to debug why the value shows up as a secret - it wasn't ever a secret, as far as I can tell. The secret value is definitely what is causing an issue during the diff however, at least from my read of pulumi's diffing algorithm.

@danielrbradley danielrbradley removed the awaiting-feedback Blocked on input from the author label Oct 12, 2022
@thomas11 thomas11 added the bug/diff kind/bug related to Pulumi generating wrong diffs on preview or up. label Apr 26, 2023
@t0yv0 t0yv0 mentioned this issue Jul 7, 2023
Closed
8 tasks
@corymhall
Copy link
Contributor

Linking to upstream issue hashicorp/terraform-provider-aws#20273 (comment)

@corymhall corymhall added the awaiting-upstream The issue cannot be resolved without action in another repository (may be owned by Pulumi). label Jan 22, 2025
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
awaiting-upstream The issue cannot be resolved without action in another repository (may be owned by Pulumi). bug/diff kind/bug related to Pulumi generating wrong diffs on preview or up. impact/reliability Something that feels unreliable or flaky impact/usability Something that impacts users' ability to use the product easily and intuitively kind/bug Some behavior is incorrect or out of spec
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
5 participants
@thomas11 @danielrbradley @Frassle @karthik-rangarajan @corymhall