Inconsistent behavior and unable to update aws.ssm.Document
#2555
Comments
Hi @aureq, I'm not quite sure yet what's happening here but I notice the error is about the
I have tried setting
Hi @dpreble-cisco, we don't have a full working example, I'm afraid. Were you able to solve this or work around it in the meantime?
@thomas11 Unfortunately, no. Revisiting it now as I need to make an update and I am feeling the burn.
I have the exact same issue with a
Hi @dpreble-cisco and @oliparcol, sorry you're still struggling with this. We'll take another look at Pulumi. In the meantime, you could unblock yourself by creating the resource outside of Pulumi (console, cli, or SDK) and then importing it.
Looks similar to hashicorp/terraform-provider-aws#31131
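I'm currently working around this by adding the following resource options

```typescript
const doc = new aws.ssm.Document(name, {
    ...
},
{
    // Force a delete-then-create replacement on any input change
    // instead of an in-place update.
    replaceOnChanges: ["*"],
    deleteBeforeReplace: true,
});
```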
We were able to work around the issue by downgrading to
Hi @eli-fine-res, that's a great data point. What versions did you downgrade from?
we try to be on pulumi-aws==5.42
we looked back through the pulumi-aws changelog and found the version that was using an earlier version of the hashicorp provider than the one described in the link above as having the issue
Thanks. I suspect that pulumi-aws 5.34.0 is the last one that doesn't have this issue, corresponding to upstream 4.60. Their next one 4.61 has this issue which looks related.
Is there any update on this? Was hoping v6.x would include a fix. It does not 😢
No, v6 just added other bugs from Terraform upstream 🤦
Possibly related, also has a repro: pulumi/pulumi#15066
The root of the inconsistent behavior is that the bridge saves partial updates (and creates):
I have a narrowed down repro that succeeds in TF but fails in Pulumi:

```bash
#!/usr/bin/env bash
set -euo pipefail
export AWS_PROFILE=devsandbox
export PATH="/Users/t0yv0/code/pulumi-aws/bin:$PATH"
# Globs must be unquoted to expand; -f ignores the case where nothing matches.
rm -f ./*-log.json
rm -f ./*-state.json
pulumi destroy --yes
pulumi config set step 1
pulumi up --yes --skip-preview
pulumi stack export > step1-state.json
pulumi config set step 2
# PULUMI_DEBUG_GRPC writes the gRPC traffic to the given file; the update is expected to fail.
PULUMI_DEBUG_GRPC="$PWD/up12-log.json" pulumi up --yes --skip-preview || echo "IGNORE"
pulumi stack export > step2-state.json
```

```typescript
import * as aws from "@pulumi/aws";
import * as pulumi from '@pulumi/pulumi';

let config = new pulumi.Config();
let step = config.getNumber("step") || 1;

const doc = `
---
schemaVersion: "0.3"
description: Executes a patching event on the instance followed by a healthcheck
parameters:
  InstanceIds:
    type: StringList
    description: The instance to target
mainSteps:
  - name: InvokePatchEvent
    action: aws:runCommand
    inputs:
      DocumentName: AWS-RunPatchBaseline
      InstanceIds: "{{ InstanceIds }}"
      OutputS3BucketName: "{output_s3_bucket_name}"
      OutputS3KeyPrefix: "{STEP}"
      Parameters:
        Operation: Scan
`;

// Changing the step config value changes the document content, which triggers an update.
let content = doc.replace("{STEP}", String(step));

// Create the SSM Automation Runbook
const nodeBuildRunbookDoc = new aws.ssm.Document('nodeBuildRunbook-doc', {
    name: 'nodeBuildRunbook',
    content: content,
    documentType: 'Automation',
    documentFormat: 'YAML',
});
```
```go
input := &ssm.UpdateDocumentInput{
	Content:         aws.String(d.Get("content").(string)),
	DocumentFormat:  aws.String(d.Get("document_format").(string)),
	DocumentVersion: aws.String(d.Get("default_version").(string)),
	Name:            aws.String(d.Id()),
}
```

The error is coming out of this call:

```go
output, err := conn.UpdateDocumentWithContext(ctx, input)
```

Because Pulumi is passing an empty string "" to DocumentVersion during the update. In DiffCustomizer:

```go
if d.HasChange("content") {
	...
	if err := d.SetNewComputed("default_version"); err != nil {
		return err
	}
}
```

This code seems to be called by Pulumi and resets default_version to "". Although in the state prior to the update it is available as:
This is a Computed field:
Using differential debugging I narrowed down the difference to pulumi/pulumi-terraform-bridge#1505. Under actual TF, PlanResourceChange is done and produces a triple (config, state, plan) to pass to ApplyResourceChange. At the time it is doing ApplyResourceChange, it is recovering a Diff object using DiffFromValues that does not run diff customizers, intentionally: https://github.com/hashicorp/terraform-plugin-sdk/blob/master/helper/schema/grpc_provider.go#L1013a
Fixes #1505

Requires pulumi/terraform-plugin-sdk#35

sdk-v2 bridge has a new option that changes the implementation of resource lifecycle to go through TF SDKv2 gRPC methods.

```go
// Selectively opt-in resources that pass the filter to using PlanResourceChange. Resources are
// identified by their TF type name such as aws_ssm_document.
func WithPlanResourceChange(filter func(tfResourceType string) bool) providerOption { //nolint:revive
```

Methods from the TF SDKv2 lifecycle integrated with this flag:

- PlanResourceChange
- ApplyResourceChange
- ReadResource
- ImportResourceState

Enables fixing: pulumi/pulumi-aws#2555

Known differences: state returned by the new method will include explicit entries `"foo": null` for properties that are known by the schema but not set in the state. This seems to be benign for repeated diffs and refresh applications.
Fixes #2555 - aws.ssm.Document no longer gets into incorrectly failed state on updates. The fix is propagated via pulumi-terraform-bridge update.
What happened?
(context from customer)
I have a simple Pulumi app that deploys an AWS SSM Document (Automation Runbook). When the Runbook doesn't exist, it is created as expected ✅.
However, if the YAML data is changed, then Pulumi fails to update the document ❌. The AWS API returns the following message.
Furthermore, running the Pulumi app a second time, Pulumi returns no error. However, the SSM Document isn't updated either ‼ (I checked in the AWS Console). This makes things really complicated.
I've attached the verbose logs (-v=9) in case there's any relevant information.
logs-error.txt
logs-no-error.txt
Finally, to remove some possible confusion. The YAML data may contain a `documentVersion` field (under `inputs`) but setting or removing this field doesn't change anything.
Expected Behavior
Steps to reproduce
- `pulumi up`. The deployment should finish as expected. A new SSM document is visible in the AWS Console.
- `runbook.yaml` and change a `description` field.
- `pulumi up`. The command ends with the error shown above ❌.
- `pulumi up` a second time (no changes). The command completes and it seems the Document was updated but the console shows the same previous content ‼.
Output of `pulumi about`
Additional context
package.json
index.ts
runbook.yaml
Contributing
Vote on this issue by adding a 👍 reaction.
To contribute a fix for this issue, leave a comment (and link to your pull request, if you've opened one already).
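
The silent drift reported in this issue (a second `pulumi up` completes without error while AWS still holds the old content) can be caught by comparing the content recorded in the stack state with the content AWS returns. The sketch below is an added example, not code from the issue or from Pulumi; the function names, the sample URNs and the whitespace normalization are assumptions, and the caller is expected to fetch the live content itself.

```typescript
// Only the fields of `pulumi stack export` output that this check reads.
interface ExportedResource { urn: string; type: string; outputs?: Record<string, unknown>; }
interface StackExport { deployment: { resources?: ExportedResource[] }; }
interface Finding { urn: string; name: string; problem: "missing-in-aws" | "content-mismatch"; }

const SSM_DOCUMENT_TYPE = "aws:ssm/document:Document";

// Assumption: line-ending and surrounding-whitespace differences are not drift.
function normalize(content: string): string {
  return content.replace(/\r\n/g, "\n").trim();
}

// `live` maps document name -> content fetched from AWS by the caller,
// for example with `aws ssm get-document`.
function findSsmDocumentDrift(stack: StackExport, live: Record<string, string>): Finding[] {
  const findings: Finding[] = [];
  for (const res of stack.deployment.resources ?? []) {
    if (res.type !== SSM_DOCUMENT_TYPE) continue;
    const outputs = res.outputs ?? {};
    const name = String(outputs["name"] ?? "");
    const recorded = String(outputs["content"] ?? "");
    const actual: string | undefined =
      Object.prototype.hasOwnProperty.call(live, name) ? live[name] : undefined;
    if (actual === undefined) {
      findings.push({ urn: res.urn, name, problem: "missing-in-aws" });
    } else if (normalize(actual) !== normalize(recorded)) {
      // State claims the new content was applied, but AWS still serves something else.
      findings.push({ urn: res.urn, name, problem: "content-mismatch" });
    }
  }
  return findings;
}

// Constructed sample: the state records the step-2 content while AWS still has step 1.
const SAMPLE_STACK: StackExport = { deployment: { resources: [
  { urn: "urn:pulumi:dev::repro::pulumi:pulumi:Stack::repro-dev", type: "pulumi:pulumi:Stack" },
  { urn: "urn:pulumi:dev::repro::aws:ssm/document:Document::nodeBuildRunbook-doc",
    type: SSM_DOCUMENT_TYPE,
    outputs: { name: "nodeBuildRunbook", content: 'OutputS3KeyPrefix: "2"\n' } },
] } };
const SAMPLE_LIVE: Record<string, string> = { nodeBuildRunbook: 'OutputS3KeyPrefix: "1"\r\n' };

console.log(findSsmDocumentDrift(SAMPLE_STACK, SAMPLE_LIVE));
```

Running a check like this after every failed or suspicious update avoids relying on the "no changes" result of a follow-up `pulumi up`.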