we're seeing an odd behavior where self-managed GC...
# google-cloud
d
we're seeing an odd behavior where self-managed GCP certs are always showing that they need to be replaced, and the diff shows that the cert material needs to be added, which is odd because `pulumi stack export` shows exactly the cert material we expect. a sample diff:
```
+-gcp:certificatemanager/certificate:Certificate: (replace)
    [id=projects/myproject/locations/global/certificates/wildcard--app-gcp-cert-5da1faa]
    [urn=urn:pulumi:staging::app::company:app:infrastructure$company:app:dns$gcp:certificatemanager/certificate:Certificate::wildcard--app-gcp-cert]
    [provider=urn:pulumi:staging::app::pulumi:providers:gcp::default_6_59_0::45fa4902-44fd-4f64-bf52-927b03c5043d]
  ~ selfManaged: {
      + pemCertificate: "-----BEGIN CERTIFICATE-----\n...snip...\n-----END CERTIFICATE-----\n"
      + pemPrivateKey : [secret]
    }
```
`pulumi stack export` includes certificate data that matches exactly what's in the diff. i obviously can't compare the key material, but it's odd that the diff a) shows that the key needs to be added, not changed; and b) shows that both the cert and key need to be added, when i can verify that the cert in the diff matches the cert in the current stack state. anyone have any idea what might be going on here, or how to gather more info on it?
a
Repeated diffs like this indicate a bug in the diff. If you have a self contained reproduction, please open a bug.
You should be able to work around the replace by setting IgnoreChanges.
d
in this case i think the perpetual diff would be preferable to the workaround. i'll see if i can create a minimal replication scenario, thanks
s
Reviving this thread: I have tried using `ignore_changes` as a workaround, but am running into another issue there. When I attempt to ignore the `self_managed` field and then run `pulumi up` I get the following error:
```
error: gcp:certificatemanager/certificate:Certificate resource 'gcp-cert' has a problem: Invalid combination of arguments. "managed": one of `managed,self_managed` must be specified. Examine values at gcp-cert.managed'.
```
With code such as this:
```python
# Create new GCP certificate using Certificate Manager
self.gcp_cert = gcp.certificatemanager.Certificate(
    "gcp-cert",
    self_managed=gcp.certificatemanager.CertificateSelfManagedArgs(
        pem_certificate=self.cf_cert.certificate,
        pem_private_key=self.private_key.private_key_pem,
    ),
    opts=pulumi.ResourceOptions.merge(
        opts, pulumi.ResourceOptions(
            ignore_changes=["selfManaged"]
        )
    ),
)
```
The call to `pulumi up` works fine, but after issuing a `pulumi refresh` all additional calls have the same problem. A similar issue occurs if I specify `["selfManaged.certificatePem", "selfManaged.certificatePrivateKey"]` as the args to `ignore_changes`:
```
error: gcp:certificatemanager/certificate:Certificate resource 'gcp-cert' has a problem: Invalid combination of arguments. "self_managed.0.certificate_pem": one of `self_managed.0.certificate_pem,self_managed.0.pem_certificate` must be specified. Examine values at 'gcp-cert.selfManaged.certificatePem'.
```