Security group shows change on every run #2947

Closed
mjaggard opened this issue Nov 1, 2023 · 4 comments
Labels
awaiting-feedback Blocked on input from the author bug/diff kind/bug related to Pulumi generating wrong diffs on preview or up. kind/bug Some behavior is incorrect or out of spec resolution/no-repro This issue wasn't able to be reproduced

Comments

mjaggard commented Nov 1, 2023

What happened?

I am trying to add ingress for multiple source SecurityGroups to a new SecurityGroup which is working but every time I run I get a change shown.

Example

    import * as pulumi from "@pulumi/pulumi";
    import * as aws from "@pulumi/aws";
    import * as inputs from "@pulumi/aws/types/input";

    // env, vpcId and old_sg are defined elsewhere in the original program; the
    // config lookups below are an assumption so the snippet stands on its own
    const config = new pulumi.Config();
    const env = config.require("env");
    const vpcId = config.require("vpc_id");
    const old_sg = config.require("old_sg");

    // extra_ingress comes from stack config (see the YAML below); the rules defined in code are appended to it
    var ingress: pulumi.Input<inputs.ec2.SecurityGroupIngress>[] = config.getObject("extra_ingress") || [];

    ingress = ingress.concat([
        //..other rule omitted
        { protocol: "all", fromPort: 0, toPort: 0, securityGroups: [old_sg], self: true },
    ]);

    const rancherSg = new aws.ec2.SecurityGroup(env + "-host-sg", {
        vpcId: vpcId,
        ingress: ingress,
        egress: [
            { protocol: "-1", fromPort: 0, toPort: 0, cidrBlocks: ["0.0.0.0/0"]},
            { protocol: "-1", fromPort: 0, toPort: 0, ipv6CidrBlocks: ["::/0"]} //Allow anything outbound
        ]
    });

where extra_ingress contains (amongst other things)

    - securityGroups: ['sg-57dbeb70421482846']
      fromPort: 0
      toPort: 0
      protocol: 'all'

Output of pulumi about

CLI
Version 3.91.1
Go Version go1.21.3
Go Compiler gc

Plugins
NAME VERSION
aws 6.0.4
aws 5.42.0
aws 5.31.0
awsx 1.0.5
docker 3.6.1
eks 1.0.3
kubernetes 4.1.1
kubernetes 3.30.2
nodejs unknown
random 4.13.2

Host
OS darwin
Version 13.6
Arch x86_64

This project is written in nodejs: version='v20.6.1'

Found no resources associated with transit

Found no pending operations associated with transit

Dependencies:
NAME VERSION
@pulumi/kubernetes 4.1.1
@pulumi/pulumi 3.82.0
@pulumi/random 4.13.2
@types/node 16.18.50
handlebars 4.7.8
@pulumi/aws 6.0.4
@pulumi/awsx 1.0.5
@pulumi/eks 1.0.3

Additional context

$ pulumi up -s sandbox
Previewing update (sandbox):
     Type                      Name                     Plan       Info
     pulumi:pulumi:Stack       MyOrg-sandbox                 1 message
 ~   └─ aws:ec2:SecurityGroup  sandbox-host-sg  update     [diff: ~ingress]

Diagnostics:
  pulumi:pulumi:Stack (MyOrg-sandbox):
    sandbox-host-a1fc9e3

Resources:
    ~ 1 to update
    4 unchanged

Do you want to perform this update? details
  pulumi:pulumi:Stack: (same)
    [urn=urn:pulumi:sandbox::MyOrg::pulumi:pulumi:Stack::MyOrg-sandbox]
    ~ aws:ec2/securityGroup:SecurityGroup: (update)
        [id=sg-65c2556cd1d096fd8]
        [urn=urn:pulumi:sandbox::MyOrg::aws:ec2/securityGroup:SecurityGroup::sandbox-host-sg]
        [provider=urn:pulumi:sandbox::MyOrg::pulumi:providers:aws::default_6_0_4::c8e336a6-a0a3-431f-97e9-7fd84f11d24f]
      ~ ingress: [
          ~ [2]: {
                  + fromPort      : 0
                  ~ protocol      : "-1" => "all"
                  ~ securityGroups: [
                      ~ [0]: "sg-ee3c6aa732bcbe806" => "sg-57dbeb70421482846"
                      - [1]: "sg-57dbeb70421482846"
                    ]
                  ~ self          : true => false
                  + toPort        : 0
                }
          ~ [6]: {
                  + fromPort      : 0
                  + protocol      : "all"
                  ~ securityGroups: [
                      + [0]: "sg-ee3c6aa732bcbe806"
                    ]
                  + self          : true
                  + toPort        : 0
                }
        ]

Do you want to perform this update? yes
Updating (sandbox):
     Type                      Name                     Status              Info
     pulumi:pulumi:Stack       MyOrg-sandbox                          1 message
 ~   └─ aws:ec2:SecurityGroup  sandbox-host-sg  updated (0.62s)     [diff: ~ingress]

Diagnostics:
  pulumi:pulumi:Stack (MyOrg-sandbox):
    sandbox-host-a1fc9e3

Resources:
    ~ 1 updated
    4 unchanged

Duration: 5s

$ pulumi up -s sandbox
Previewing update (sandbox):
     Type                      Name                     Plan       Info
     pulumi:pulumi:Stack       MyOrg-sandbox                 1 message
 ~   └─ aws:ec2:SecurityGroup  sandbox-host-sg  update     [diff: ~ingress]

Diagnostics:
  pulumi:pulumi:Stack (MyOrg-sandbox):
    sandbox-host-a1fc9e3

Resources:
    ~ 1 to update
    4 unchanged

Do you want to perform this update? details
  pulumi:pulumi:Stack: (same)
    [urn=urn:pulumi:sandbox::MyOrg::pulumi:pulumi:Stack::MyOrg-sandbox]
    ~ aws:ec2/securityGroup:SecurityGroup: (update)
        [id=sg-65c2556cd1d096fd8]
        [urn=urn:pulumi:sandbox::MyOrg::aws:ec2/securityGroup:SecurityGroup::sandbox-host-sg]
        [provider=urn:pulumi:sandbox::MyOrg::pulumi:providers:aws::default_6_0_4::c8e336a6-a0a3-431f-97e9-7fd84f11d24f]
      ~ ingress: [
          ~ [2]: {
                  + fromPort      : 0
                  ~ protocol      : "-1" => "all"
                  ~ securityGroups: [
                      ~ [0]: "sg-ee3c6aa732bcbe806" => "sg-57dbeb70421482846"
                      - [1]: "sg-57dbeb70421482846"
                    ]
                  ~ self          : true => false
                  + toPort        : 0
                }
          ~ [6]: {
                  + fromPort      : 0
                  + protocol      : "all"
                  ~ securityGroups: [
                      + [0]: "sg-ee3c6aa732bcbe806"
                    ]
                  + self          : true
                  + toPort        : 0
                }
        ]

@mjaggard mjaggard added kind/bug Some behavior is incorrect or out of spec needs-triage Needs attention from the triage team labels Nov 1, 2023
@mikhailshilkov mikhailshilkov added awaiting-feedback Blocked on input from the author and removed needs-triage Needs attention from the triage team labels Nov 3, 2023
@mikhailshilkov
Member

@mjaggard Thank you for reporting this issue. I tried some version of this code locally but wasn't able to repro the issue. Could you please provide a self-contained repro, so that I could run it locally?

mjaggard commented Nov 3, 2023

Fair point @mikhailshilkov, I think the difficulty is that this likely happened due to previous changes in state and I'm not sure what they all were, although all changes were applied using Pulumi. I've included what I think is the relevant part of the current state JSON below which might help?

{
    "urn": "urn:pulumi:sandbox::MyOrg::aws:ec2/securityGroup:SecurityGroup::sandbox-host-sg",
    "custom": true,
    "id": "sg-65c2556cd1d096fd8",
    "type": "aws:ec2/securityGroup:SecurityGroup",
    "inputs": {
        "__defaults": [
            "name",
            "revokeRulesOnDelete"
        ],
        "description": "Managed by Pulumi",
        "egress": [
            {
                "__defaults": [
                    "self"
                ],
                "cidrBlocks": [
                    "0.0.0.0/0"
                ],
                "fromPort": 0,
                "protocol": "-1",
                "self": false,
                "toPort": 0
            },
            {
                "__defaults": [
                    "self"
                ],
                "fromPort": 0,
                "ipv6CidrBlocks": [
                    "::/0"
                ],
                "protocol": "-1",
                "self": false,
                "toPort": 0
            }
        ],
        "ingress": [
            {
                "__defaults": [
                    "self"
                ],
                "fromPort": 0,
                "protocol": "all",
                "securityGroups": [
                    "sg-57dbeb70421482846"
                ],
                "self": false,
                "toPort": 0
            },
            {
                "__defaults": [],
                "fromPort": 0,
                "protocol": "all",
                "securityGroups": [
                    "sg-ee3c6aa732bcbe806"
                ],
                "self": true,
                "toPort": 0
            }
        ],
        "name": "sandbox-host-sg-db71a61",
        "revokeRulesOnDelete": false,
        "vpcId": "vpc-d7b19698c912a68ca"
    },
    "outputs": {
        "__meta": "{\"4b955b4b-39ad-4855-9bf8-70c656c51994\":{\"create\":600000000000,\"delete\":900000000000},\"schema_version\":\"1\"}",
        "arn": "arn:aws:ec2:us-east-1:123456789012:security-group/sg-65c2556cd1d096fd8",
        "description": "Managed by Pulumi",
        "egress": [
            {
                "cidrBlocks": [
                    "0.0.0.0/0"
                ],
                "description": "",
                "fromPort": 0,
                "ipv6CidrBlocks": [],
                "prefixListIds": [],
                "protocol": "-1",
                "securityGroups": [],
                "self": false,
                "toPort": 0
            },
            {
                "cidrBlocks": [],
                "description": "",
                "fromPort": 0,
                "ipv6CidrBlocks": [
                    "::/0"
                ],
                "prefixListIds": [],
                "protocol": "-1",
                "securityGroups": [],
                "self": false,
                "toPort": 0
            }
        ],
        "id": "sg-65c2556cd1d096fd8",
        "ingress": [
            {
                "cidrBlocks": [],
                "description": "",
                "fromPort": 0,
                "ipv6CidrBlocks": [],
                "prefixListIds": [],
                "protocol": "-1",
                "securityGroups": [
                    "sg-ee3c6aa732bcbe806",
                    "sg-57dbeb70421482846"
                ],
                "self": true,
                "toPort": 0
            }
        ],
        "name": "sandbox-host-sg-db71a61",
        "namePrefix": "",
        "ownerId": "123456789012",
        "revokeRulesOnDelete": false,
        "tags": {},
        "tagsAll": {},
        "vpcId": "vpc-d7b19698c912a68ca"
    },
    "parent": "urn:pulumi:sandbox::MyOrg::pulumi:pulumi:Stack::Billforward-sandbox",
    "provider": "urn:pulumi:sandbox::MyOrg::pulumi:providers:aws::default_6_0_4::14ad878c-f591-4341-99ba-aacc6c4d2efd",
    "propertyDependencies": {
        "description": null,
        "egress": null,
        "ingress": null,
        "vpcId": null
    },
    "created": "2023-10-31T12:54:59.725239Z",
    "modified": "2023-11-01T11:19:15.986033Z",
    "sourcePosition": "project:///my-source-file.ts#33,23"
},

mjaggard commented Nov 3, 2023

My assumption is that the issue relates to the multiple ingress rules in the input being contracted into a single ingress rule in the output. I can't fix the input because the two ingress rules come from different locations (one is general and one is environment specific).
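
The state quoted above is consistent with that reading: the "inputs" hold two rules with protocol "all", one per source group, while the "outputs" hold a single rule with protocol "-1" and both groups listed, and the preview diffs the two inputs against that one output on every run (hence `protocol: "-1" => "all"` and the group IDs shuffling between entries). One way to avoid feeding the provider a shape it can never read back is to canonicalize the rule list before it reaches `aws.ec2.SecurityGroup`: use "-1" for "all", and collapse rules that share protocol, port range and description into one rule with the union of their sources. The helper below is an added example, not code from the issue, Pulumi or @pulumi/aws; `IngressRule` is a local stand-in for `aws.types.input.ec2.SecurityGroupIngress` with the same field names so the file runs without the SDK, and `MergedRule`, `canonicalProtocol`, `union`, `mergeIngress`, `sameRuleSet` and the two `SAMPLE_*` arrays (constructed from the IDs shown on this page) are the example's own.

```typescript
// Added example (not from the issue, Pulumi or @pulumi/aws): canonicalize and
// merge ingress rules before they reach aws.ec2.SecurityGroup so the inputs
// already have the shape the provider reads back from AWS. IngressRule is a
// local stand-in for aws.types.input.ec2.SecurityGroupIngress (same field
// names) so that this file runs without the Pulumi SDK installed.
interface IngressRule {
    protocol: string;
    fromPort: number;
    toPort: number;
    cidrBlocks?: string[];
    ipv6CidrBlocks?: string[];
    prefixListIds?: string[];
    securityGroups?: string[];
    self?: boolean;
    description?: string;
}

// A merged rule always carries every list, as the refreshed state does.
type MergedRule = Required<IngressRule>;

// AWS reports "all protocols" as "-1"; the provider accepts "all" on input
// but the refreshed state comes back as "-1", so use "-1" everywhere.
function canonicalProtocol(p: string): string {
    const v = p.trim().toLowerCase();
    return v === "all" ? "-1" : v;
}

// Set union with a stable order, so equivalent rule sets serialize identically.
function union(a: string[], b: string[] | undefined): string[] {
    return Array.from(new Set([...a, ...(b ?? [])])).sort();
}

// Collapse rules that share protocol, port range and description into one
// rule, the way AWS stores them (one IpPermission with several sources).
// Description stays in the key so differently described sources are not folded together.
function mergeIngress(rules: IngressRule[]): MergedRule[] {
    const byKey = new Map<string, MergedRule>();
    for (const r of rules) {
        const protocol = canonicalProtocol(r.protocol);
        // For "-1" the port range is meaningless and AWS reports 0-0.
        const fromPort = protocol === "-1" ? 0 : r.fromPort;
        const toPort = protocol === "-1" ? 0 : r.toPort;
        const description = r.description ?? "";
        const key = `${protocol}|${fromPort}|${toPort}|${description}`;
        const cur: MergedRule = byKey.get(key) ?? {
            protocol, fromPort, toPort,
            cidrBlocks: [], ipv6CidrBlocks: [], prefixListIds: [], securityGroups: [],
            self: false, description,
        };
        cur.cidrBlocks = union(cur.cidrBlocks, r.cidrBlocks);
        cur.ipv6CidrBlocks = union(cur.ipv6CidrBlocks, r.ipv6CidrBlocks);
        cur.prefixListIds = union(cur.prefixListIds, r.prefixListIds);
        cur.securityGroups = union(cur.securityGroups, r.securityGroups);
        cur.self = cur.self || r.self === true; // "self" is one more source, so it ORs
        byKey.set(key, cur);
    }
    return Array.from(byKey.values()).sort((a, b) =>
        a.protocol.localeCompare(b.protocol) || a.fromPort - b.fromPort || a.toPort - b.toPort
        || a.description.localeCompare(b.description));
}

// True when the desired rules and the rules read back from AWS describe the
// same permissions, i.e. when an `up` should show no ingress diff.
function sameRuleSet(desired: IngressRule[], actual: IngressRule[]): boolean {
    return JSON.stringify(mergeIngress(desired)) === JSON.stringify(mergeIngress(actual));
}

// Constructed sample mirroring the issue: one rule from the extra_ingress
// stack config, one appended in code.
const SAMPLE_INGRESS: IngressRule[] = [
    { protocol: "all", fromPort: 0, toPort: 0, securityGroups: ["sg-57dbeb70421482846"] },
    { protocol: "all", fromPort: 0, toPort: 0, securityGroups: ["sg-ee3c6aa732bcbe806"], self: true },
];

// Constructed to match the single rule in the state "outputs" quoted above.
const SAMPLE_REFRESHED: IngressRule[] = [
    { protocol: "-1", fromPort: 0, toPort: 0, cidrBlocks: [], ipv6CidrBlocks: [], prefixListIds: [],
      securityGroups: ["sg-ee3c6aa732bcbe806", "sg-57dbeb70421482846"], self: true, description: "" },
];

console.log(JSON.stringify(mergeIngress(SAMPLE_INGRESS), null, 2));
console.log("matches refreshed state:", sameRuleSet(SAMPLE_INGRESS, SAMPLE_REFRESHED));
```

In a program like the one in the report, `ingress` is an array of `pulumi.Input<...>` rather than plain objects, so the merge has to run once the values resolve, e.g. `ingress: pulumi.all(ingress).apply(mergeIngress)`; the config-driven and code-driven rules stay in their separate places and only the array handed to the provider is collapsed. `sameRuleSet` is the check worth running against the "outputs" block of `pulumi stack export` before opening a diff issue: if it returns true for your inputs and the exported outputs and `pulumi up` still shows a change, the cause is not rule shape.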

@pulumi-bot pulumi-bot added needs-triage Needs attention from the triage team and removed awaiting-feedback Blocked on input from the author labels Nov 3, 2023
@mikhailshilkov
Member

@mjaggard The state file is useful but could you also share the other part - the actual code that would be fully runnable? I'm guessing I need the //..other rule omitted part, as well as other concrete data. A runnable step-by-step repro would be ideal.

@mikhailshilkov mikhailshilkov added awaiting-feedback Blocked on input from the author and removed needs-triage Needs attention from the triage team labels Nov 3, 2023
@t0yv0 t0yv0 added the bug/diff kind/bug related to Pulumi generating wrong diffs on preview or up. label Dec 14, 2023
@mjeffryes mjeffryes added the resolution/no-repro This issue wasn't able to be reproduced label May 20, 2024
@mjeffryes mjeffryes self-assigned this May 24, 2024
@mjeffryes mjeffryes assigned mjeffryes and unassigned mjeffryes Jun 12, 2024