Serverless Repository CFN Stacks Fail with No Changes

[blakeromano]

What happened?

When you create a serverlessrepository.CloudFormationStack the first execution of pulumi up works fine. Subsequent executions of pulumi up fail when there is no changes to the CFN Stack because it can't create a changeset.

Expected Behavior

The resource shouldn't be modified when there is no changes, or it shouldn't fail on changeset creations when there is no changes.

Steps to reproduce

import * as aws from "@pulumi/aws";

  const mysqlRotator = new aws.serverlessrepository.CloudFormationStack("mysql-rotation-lambda", {
    applicationId: "arn:aws:serverlessrepo:us-east-1:297356227824:applications/SecretsManagerRDSMySQLRotationSingleUser",
    capabilities: [
      "CAPABILITY_IAM",
      "CAPABILITY_RESOURCE_POLICY",
    ],
    parameters: {
      endpoint: "https://secretsmanager.us-east-2.amazonaws.com",
      functionName: "mysql-rotation-lambda",
      invokingServicePrincipal: "secretsmanager.amazonaws.com",
    },
  });

Output of pulumi about

CLI          
Version      3.78.1
Go Version   go1.20.7
Go Compiler  gc

Plugins
NAME        VERSION
aws         5.42.0
aws         5.31.0
aws-native  0.73.0
awsx        1.0.2
docker      3.6.1
eks         1.0.2
github      5.15.0
kubernetes  3.30.2
nodejs      unknown

Host     
OS       darwin
Version  13.4
Arch     arm64

This project is written in nodejs: executable='/opt/homebrew/bin/node' version='v20.3.1'

Backend        
Name           pulumi.com
URL            https://app.pulumi.com/FOO
User           FOO
Organizations FOO

Dependencies:
NAME                VERSION
@pulumi/aws         5.42.0
@pulumi/aws-native  0.73.0
@pulumi/awsx        1.0.2
@pulumi/eks         1.0.2
@pulumi/github      5.15.0
@pulumi/pulumi      3.76.1
@types/js-yaml      4.0.5
js-yaml             4.1.0
@types/node         16.18.39

Additional context

No response

Contributing

Vote on this issue by adding a 👍 reaction.
To contribute a fix for this issue, leave a comment (and link to your pull request, if you've opened one already).

[iwahbe]

Hi @blakeromano. Thanks for reporting the issue. I was able to replicate cleanly on pulumi-aws v5.42.0 and v6.0.2. Of note, we are showing a diff on parameters immediately after the resource is created. Since the error is No updates are to be performed, I think the underlying cause is a spurious diff.

[blakeromano]

@iwahbe what's the status of this?

[mikhailshilkov]

Hi @blakeromano

Diff calculation is one particular area of interest for us: you may have noticed we've labeled this issue as bug/diff and there are quite a few other issues with this label across our repos. We obviously need to invest in this area, and we have plans how to do so in a holistic way, increasing our test coverage and confidence. Having said that, unfortunately I can't promise you any concrete dates when this particular issue is going to be fixed.

I hope you can work around the issue for now by adding the ignoreChanges: ["parameters"] option. Thank you for your patience.

[corymhall]

It looks like this is due to how upstream handles default values. The state only reflects non-default values of the app parameters, so if any parameters are set to the default value this will conflict as the resource will constantly try to remediate this perceived difference.

In the example provided invokingServicePrincipal: "secretsmanager.amazonaws.com", is the default value. If this is removed there is no diff and the update won't be performed and fail.

Upstream issue hashicorp/terraform-provider-aws#16485