# general
m
Hi everyone. I just started using pulumi and I am in the process of migrating our resources to be managed by pulumi. I want to know if there is any way to tell pulumi to ignore a property of a resource. What happens is that I want to manage my AWS codebuild projects using pulumi. When I run `pulumi up`, this error shows up:
```
error: aws:codebuild/project:Project resource 'codebuild_finscore_v4' has a problem: expected project_visibility to be one of ["PUBLIC_READ" "PRIVATE"], got . Examine values at 'codebuild_finscore_v4.projectVisibility'.
```
I tried to import the resource, and it turns out that the value of `project_visibility` is an empty string. So is there a way to tell Pulumi to just ignore that attribute? Thanks
d
You can use the resource option ignoreChanges, however this relates to updates not creation. https://www.pulumi.com/docs/concepts/options/ignorechanges/
If it's importing with a blank string, this sounds like a bug. You can either remove the attribute which will use the pulumi/aws default of "PRIVATE", or set it to "PRIVATE" yourself
Can you report on github that `pulumi import` isn't correctly generating code in this case, please: https://github.com/pulumi/pulumi-aws/issues
m
Is it possible that the fault is on the aws side? When I run this:
```
aws codebuild batch-get-projects --names <project_name>
```
there is no `projectVisibility` attribute for that project.
I also tried to update the project visibility using the aws cli with this command:
```
aws codebuild update-project-visibility --project-arn <proj_arn> --project-visibility PRIVATE  --debug
```
and I got this error
Also I tried the `ignoreChanges` option but it doesn't help.
d
Are you on govcloud by any chance?
m
No I am not
d
The import bug and cli bug are an aws issue by the sounds of it. Going based on this, the China regions also don't support projectVisibility, so it's possible other regions don't too. https://github.com/hashicorp/terraform-provider-aws/issues/22473
I think you should use ignoreChanges, and remove the project_visibility attribute. That way pulumi will avoid trying to use it anywhere
m
The problem is that this is an existing resource. When I run `pulumi up` it shows an error.
And this is the snippet of my pulumi code:
```python
opts=pulumi.ResourceOptions(
    import_=project['service'],
    ignore_changes=["projectVisibility"],
    protect=False))
```
`project['service']` is a string with the codebuild project name in it
d
This is with project_visibility removed as an attribute?
m
Yes correct
I am not sure but probably because when pulumi tries to import it, it sees that the `project_visibility` is empty
d
Can you try setting it to "PRIVATE"? Failing that, you'll need to report a bug to the provider as it looks like there isn't a way to import in your situation
m
Setting it to PRIVATE doesn't work either
I tried to import the resource just now using `pulumi import` and it worked but with a warning
d
Getting the resource into the state is a good step. You should be able to use `ignoreChanges` now that it's created
m
Then I tried running `pulumi up` again with this option:
```python
ignore_changes=["projectVisibility"],
```
and it failed. It showed the error telling me about the `projectVisibility` value not being correct, just like before.
d
Hmm. You might need to manually modify the state to either remove the input or set it to "PRIVATE". You can use this to export the json, which you can modify. https://www.pulumi.com/docs/cli/commands/pulumi_stack_export/ Then import the modified file with `pulumi stack import`.
You should keep a copy of the first export in case you need to roll back your manual changes
m
Good idea. Let me try it.
It works!! Thanks @dry-keyboard-94795
I just ran `pulumi refresh`, because I am curious whether the same problem will reoccur and it turns out it does. Is there any way to tell pulumi to ignore the `projectVisibility` attribute when we run `pulumi refresh`?
d
It should already be ignored :/
m
When I export the stack after I run `pulumi refresh` the `projectVisibility` attribute is in the json file
Well anyway at least I have a workaround for now. Thanks @dry-keyboard-94795.
d
If you set it to "PRIVATE" instead of removing, does the refresh still clobber it?
m
Hmm, wait I'll try it
the same thing
I answered yes, then I ran `pulumi up`, and then I was back to the previous error
d
This is unfortunate. I thought `ignoreChanges` was supposed to also prevent property refreshes too. The underlying bug needs reporting on github regardless
m
The bug is in the aws provider then right?
d
Yes
m
Okay, I will create an issue for that
d
Thanks. Make sure to include your aws region, as this seems to be related to the unavailability of this api in select regions
m
d
Brilliant, thanks for including the aws cli example too
I was just reading the blog announcement for public codebuild, and it mentions that aws organisation SCP can be used to disable the UpdateProjectVisibility api. Having not used them before, I don't know what kind of errors it gives to the client. It's worth checking if you have anything set up: https://docs.aws.amazon.com/organizations/latest/userguide/orgs_manage_policies_info-operations.html
m
I just checked it and we don't have any policy for codebuild