#general

microscopic-xylophone-28322

12/19/2023, 11:09 AM
Hi everyone. I just started using Pulumi and I am in the process of migrating our resources to be managed by Pulumi. I want to know if there is any way to tell Pulumi to ignore a property of a resource. What happens is that I want to manage my AWS CodeBuild projects using Pulumi. When I run `pulumi up` this error shows up:
```
error: aws:codebuild/project:Project resource 'codebuild_finscore_v4' has a problem: expected project_visibility to be one of ["PUBLIC_READ" "PRIVATE"], got . Examine values at 'codebuild_finscore_v4.projectVisibility'.
```
I tried to import the resource, and it turns out that the value of `project_visibility` is an empty string. So is there a way to tell Pulumi to just ignore that attribute? Thanks

dry-keyboard-94795

12/19/2023, 12:13 PM
You can use the resource option ignoreChanges, however this relates to updates not creation. https://www.pulumi.com/docs/concepts/options/ignorechanges/
If it's importing with a blank string, this sounds like a bug. You can either remove the attribute which will use the pulumi/aws default of "PRIVATE", or set it to "PRIVATE" yourself
Can you report on GitHub that `pulumi import` isn't correctly generating code in this case, please: https://github.com/pulumi/pulumi-aws/issues

microscopic-xylophone-28322

12/19/2023, 12:24 PM
Is it possible that the fault is on the AWS side? When I run this:
```
aws codebuild batch-get-projects --names <project_name>
```
there is no `projectVisibility` attribute for that project.
Also, I tried to update the project visibility using the AWS CLI with this command:
```
aws codebuild update-project-visibility --project-arn <proj_arn> --project-visibility PRIVATE --debug
```
and I got this error
Also, I tried the `ignoreChanges` option but it doesn't help.

dry-keyboard-94795

12/19/2023, 12:27 PM
Are you on govcloud by any chance?

microscopic-xylophone-28322

12/19/2023, 12:28 PM
No I am not

dry-keyboard-94795

12/19/2023, 12:30 PM
The import bug and CLI bug are an AWS issue by the sounds of it. Going based on this, the China regions also don't support projectVisibility, so it's possible other regions don't too. https://github.com/hashicorp/terraform-provider-aws/issues/22473
I think you should use `ignoreChanges`, and remove the `project_visibility` attribute. That way Pulumi will avoid trying to use it anywhere.

microscopic-xylophone-28322

12/19/2023, 12:37 PM
The problem is that this is an existing resource. When I run `pulumi up` it shows an error.
And this is the snippet of my Pulumi code:
```python
opts=pulumi.ResourceOptions(
    import_=project['service'],
    ignore_changes=["projectVisibility"],
    protect=False))
```
`project['service']` is a string with the CodeBuild project name in it

dry-keyboard-94795

12/19/2023, 12:38 PM
This is with project_visibility removed as an attribute?

microscopic-xylophone-28322

12/19/2023, 12:38 PM
Yes correct
I am not sure, but probably because when Pulumi tries to import it, it sees that the `project_visibility` is empty

dry-keyboard-94795

12/19/2023, 12:42 PM
Can you try setting it to "PRIVATE". Failing that, you'll need to report a bug to the provider as it looks like there isn't a way to import in your situation

microscopic-xylophone-28322

12/19/2023, 1:26 PM
Setting it to PRIVATE doesn't work either
I tried to import the resource just now using `pulumi import` and it worked, but with a warning

dry-keyboard-94795

12/19/2023, 1:28 PM
Getting the resource into the state is a good step. You should be able to use `ignoreChanges` now that it's created

microscopic-xylophone-28322

12/19/2023, 1:28 PM
Then I tried running `pulumi up` again with this option:
```python
ignore_changes=["projectVisibility"],
```
and it failed. It showed the error telling me that the `projectVisibility` value is not correct, just like before.

dry-keyboard-94795

12/19/2023, 1:30 PM
Hmm. You might need to manually modify the state to either remove the input or set it to "PRIVATE". You can use this to export the JSON, which you can modify. https://www.pulumi.com/docs/cli/commands/pulumi_stack_export/ Then import the modified file with `pulumi stack import`
You should keep a copy of the first export in case you need to roll back your manual changes

microscopic-xylophone-28322

12/19/2023, 1:31 PM
Good idea. Let me try it.
It works!! Thanks @dry-keyboard-94795
I just ran `pulumi refresh`, because I am curious whether the same problem will reoccur, and it turns out it does. Is there any way to tell Pulumi to ignore the `projectVisibility` attribute when we run `pulumi refresh`?

dry-keyboard-94795

12/19/2023, 1:42 PM
It should already be ignored :/

microscopic-xylophone-28322

12/19/2023, 1:43 PM
When I export the stack after I run `pulumi refresh`, the `projectVisibility` attribute is in the JSON file
Well anyway at least I have a workaround for now. Thanks @dry-keyboard-94795.

dry-keyboard-94795

12/19/2023, 1:45 PM
If you set it to "PRIVATE" instead of removing, does the refresh still clobber it?

microscopic-xylophone-28322

12/19/2023, 1:46 PM
Hmm, wait I'll try it
the same thing
I answered yes, then I ran `pulumi up`, then I am back to the previous error

dry-keyboard-94795

12/19/2023, 1:54 PM
This is unfortunate. I thought `ignoreChanges` was supposed to also prevent property refreshes too. The underlying bug needs reporting on GitHub regardless

microscopic-xylophone-28322

12/19/2023, 1:55 PM
The bug is in the aws provider then right?

dry-keyboard-94795

12/19/2023, 1:55 PM
Yes

microscopic-xylophone-28322

12/19/2023, 1:55 PM
Okay, I will create an issue for that

dry-keyboard-94795

12/19/2023, 1:56 PM
Thanks. Make sure to include your aws region, as this seems to be related to the unavailability of this api in select regions

microscopic-xylophone-28322

12/19/2023, 2:22 PM

dry-keyboard-94795

12/19/2023, 2:24 PM
Brilliant, thanks for including the aws cli example too
I was just reading the blog announcement for public CodeBuild, and it mentions that an AWS Organizations SCP can be used to disable the UpdateProjectVisibility API. Having not used them before, I don't know what kind of errors it gives to the client. It's worth checking if you have anything set up: https://docs.aws.amazon.com/organizations/latest/userguide/orgs_manage_policies_info-operations.html

microscopic-xylophone-28322

12/19/2023, 2:50 PM
I just checked it and we don't have any policy for codebuild