Seeing some potentially concerning behavior with awsx vpc and subnets. Our current preview is showing that it wants to replace all of our current subnets. There are existing resources in these subnets. After pulling a diff of the preview it appears Pulumi is generating new cidr blocks for all of our VPC subnets. This seems unnecessary. Any thoughts or input, I would really like to prevent a possible outage.

Have you recently upgraded/updated the AWSX version you're using? While figuring out why it's suggesting changes, you could add an

ignoreChanges

to those resources to see if that helps.

We did about 3 weeks ago, v1.0.2 > v2.3.0 (Python) according to my co-worker we didn't see these changes then. It only recently wants to update the CIDR blocks. I will look into the provided materials.

OK. While you do that, I’ll ask internally about any changes between those versions that might prompt changing CIDRs for subnets.

Any update? I'm struggling to get ignoreChanges working. I don't know if I'm calling the wrong property or path to the property or even if I'm attempting to apply the ignore to the correct resources.

I suspect you’re running into a change made in how AWSX calculates subnets. In theory this shouldn’t have affected you, but theory and practice are often different. What I’m trying to confirm internally is if specifying a

subnetStrategy

of Legacy will fix your issue. If you’d like to try that (in a separate branch using

pulumi preview

so as not to affect your provisioned resources), let me know if that fixes it.

We are already specifying the subnet strategy as legacy.

vpc = awsx.ec2.Vpc(
        f"{cluster_config.name}-vpc",
        enable_dns_hostnames=True,
        availability_zone_names=availability_zone_names,
        cidr_block=cluster_config.vpc_cidr_block,
        subnet_strategy=awsx.ec2.SubnetAllocationStrategy("Legacy"),
        subnet_specs=[
            awsx.ec2.SubnetSpecArgs(
                # name=f"private-subnet-{cluster_config.name}-vpc",
                type=awsx.ec2.SubnetType.PRIVATE
            ),
            awsx.ec2.SubnetSpecArgs(
                # name=f"public-subnet-{cluster_config.name}-vpc",
                type=awsx.ec2.SubnetType.PUBLIC
            ),
            awsx.ec2.SubnetSpecArgs(
                # name=f"rds-subnet-{cluster_config.name}-vpc",
                type=awsx.ec2.SubnetType.ISOLATED,
                name="rds",
                tags={"Service": "RDS", "Cluster": cluster_config.name},
            ),
            awsx.ec2.SubnetSpecArgs(
                #  name=f"elasticache-subnet-{cluster_config.name}-vpc",
                type=awsx.ec2.SubnetType.ISOLATED,
                name="elasticache",
                tags={"Service": "ElastiCache", "Cluster": cluster_config.name},
            ),
        ],
        tags={
            "Name": f"VPC-{cluster_config.name}",
            "Environment": cluster_config.environment,
            "Client": "regard",
            "Platform": "pulumi",
        },
        # opts=pulumi.ResourceOptions(transformations=[transformation])
    )

I see. Well, darn. I was hoping I’d found a solution. Can you go ahead and open an issue on pulumi-awsx? I’ll ask again internally but it would be good to have an issue open as well.

Sure, I'll work on that. I like the idea of ignoring the changes as an interim, But it appears that awsx doesnt have subnet capabilities and we would have to rely on aws to do so. That seems to be more difficult than anticipated in terms of implementation.

Awesome, thanks. Can you share the proposed changes to the CIDRs? Here, or in the issue…whichever is easier for you. Having access to the current CIDRs and then proposed CIDRs will help track down where the changes are originating.

See attached

Is this thread related to the warning:

warning: The default subnetStrategy will change from "Legacy" to "Auto" in the next major version. Please specify the subnetStrategy explicitly. The current subnet layout can be specified via "Auto" as:

I’ve set the subnetStratergy as auto but can’t seem to get rid of the warning: code snippet:

{
        numberOfAvailabilityZones: numberOfAzs,
        cidrBlock: regionalCidrBlock,
        description: workloadVpcDescription,
        subnetStrategy: awsx.ec2.SubnetAllocationStrategy.Auto,
        subnetSpecs: [
          {
            type: SubnetType.Public,
            cidrMask: 24,
            tags: {
              Name: `${workloadVpcDescription}-public-subnet`,
              Monitor: 'true',
              Provisioned: 'Pulumi',
            },
          },
          {
            type: SubnetType.Private,
            cidrMask: 24,
            tags: {
              Name: `${workloadVpcDescription}-workload-subnet`,
              Monitor: 'true',
              Provisioned: 'Pulumi',
            },
          },
          {
            type: SubnetType.Isolated,
            cidrMask: 28,
            tags: {
              Name: `${workloadVpcDescription}-attachment-subnet`,
              Monitor: 'true',
              Provisioned: 'Pulumi',
            },
          },
        ],
        natGateways: {
          strategy: awsx.ec2.NatGatewayStrategy.OnePerAz,
        },
        tags: {
          Name: workloadVpcDescription,
        },
      }

@miniature-rocket-28706 No, its in regards to the subnets generated by subnetSpecs recalculating their subnet and re-provisioning/replacing the existing subnets with new values.

Magic! Apologies as also found that and now it works a treat (and no moaning at me with warning 😊 ) Thanks @limited-guitar-4572

I think I may have found the cause: All public and private subnets default to a /19 size. If exporting the current vpc_layout its showing a /20 for all public and private types. I'm assuming there was a change to defaults in the awsx package.

There was a change to how the AWSX VPC component calculated subnets. It shouldn't be prompting to recreate subnets, but clearly that's not the case here. Shawn, could you update the GH issue (https://github.com/pulumi/pulumi-awsx/issues/1204) with this additional information?