# aws

limited-guitar-4572

01/10/2024, 8:48 PM
Seeing some potentially concerning behavior with awsx vpc and subnets. Our current preview is showing that it wants to replace all of our current subnets. There are existing resources in these subnets. After pulling a diff of the preview it appears Pulumi is generating new cidr blocks for all of our VPC subnets. This seems unnecessary. Any thoughts or input, I would really like to prevent a possible outage.

salmon-account-74572

01/10/2024, 10:15 PM
Have you recently upgraded/updated the AWSX version you're using? While figuring out why it's suggesting changes, you could add an ignoreChanges to those resources to see if that helps.

limited-guitar-4572

01/11/2024, 2:28 PM
We did about 3 weeks ago, v1.0.2 > v2.3.0 (Python) according to my co-worker we didn't see these changes then. It only recently wants to update the CIDR blocks. I will look into the provided materials.

salmon-account-74572

01/11/2024, 3:41 PM
OK. While you do that, I’ll ask internally about any changes between those versions that might prompt changing CIDRs for subnets.

limited-guitar-4572

01/12/2024, 2:30 PM
Any update? I'm struggling to get ignoreChanges working. I don't know if I'm calling the wrong property or path to the property or even if I'm attempting to apply the ignore to the correct resources.

salmon-account-74572

01/12/2024, 4:25 PM
I suspect you're running into a change made in how AWSX calculates subnets. In theory this shouldn't have affected you, but theory and practice are often different. What I'm trying to confirm internally is whether specifying a subnetStrategy of Legacy will fix your issue. If you'd like to try that (in a separate branch using pulumi preview so as not to affect your provisioned resources), let me know if that fixes it.

limited-guitar-4572

01/12/2024, 4:30 PM
We are already specifying the subnet strategy as legacy.
import pulumi_awsx as awsx

# cluster_config and availability_zone_names are defined elsewhere in the poster's program.
vpc = awsx.ec2.Vpc(
    f"{cluster_config.name}-vpc",
    enable_dns_hostnames=True,
    availability_zone_names=availability_zone_names,
    cidr_block=cluster_config.vpc_cidr_block,
    subnet_strategy=awsx.ec2.SubnetAllocationStrategy("Legacy"),
    subnet_specs=[
        awsx.ec2.SubnetSpecArgs(
            # name=f"private-subnet-{cluster_config.name}-vpc",
            type=awsx.ec2.SubnetType.PRIVATE
        ),
        awsx.ec2.SubnetSpecArgs(
            # name=f"public-subnet-{cluster_config.name}-vpc",
            type=awsx.ec2.SubnetType.PUBLIC
        ),
        awsx.ec2.SubnetSpecArgs(
            # name=f"rds-subnet-{cluster_config.name}-vpc",
            type=awsx.ec2.SubnetType.ISOLATED,
            name="rds",
            tags={"Service": "RDS", "Cluster": cluster_config.name},
        ),
        awsx.ec2.SubnetSpecArgs(
            # name=f"elasticache-subnet-{cluster_config.name}-vpc",
            type=awsx.ec2.SubnetType.ISOLATED,
            name="elasticache",
            tags={"Service": "ElastiCache", "Cluster": cluster_config.name},
        ),
    ],
    tags={
        "Name": f"VPC-{cluster_config.name}",
        "Environment": cluster_config.environment,
        "Client": "regard",
        "Platform": "pulumi",
    },
    # opts=pulumi.ResourceOptions(transformations=[transformation])
)

salmon-account-74572

01/12/2024, 4:35 PM
I see. Well, darn. I was hoping I’d found a solution. Can you go ahead and open an issue on pulumi-awsx? I’ll ask again internally but it would be good to have an issue open as well.

limited-guitar-4572

01/12/2024, 4:38 PM
Sure, I'll work on that. I like the idea of ignoring the changes as an interim, but it appears that awsx doesn't have subnet capabilities and we would have to rely on aws to do so. That seems to be more difficult than anticipated in terms of implementation.

salmon-account-74572

01/12/2024, 5:15 PM
Awesome, thanks. Can you share the proposed changes to the CIDRs? Here, or in the issue…whichever is easier for you. Having access to the current CIDRs and then proposed CIDRs will help track down where the changes are originating.

limited-guitar-4572

01/12/2024, 5:23 PM
See attached

miniature-rocket-28706

01/14/2024, 10:34 AM
Is this thread related to the warning:
warning: The default subnetStrategy will change from "Legacy" to "Auto" in the next major version. Please specify the subnetStrategy explicitly. The current subnet layout can be specified via "Auto" as:
I've set the subnetStrategy as Auto but can't seem to get rid of the warning. Code snippet:
import * as awsx from "@pulumi/awsx";

const { SubnetType } = awsx.ec2;

// numberOfAzs, regionalCidrBlock and workloadVpcDescription are defined elsewhere
// in the poster's program; the resource name "workload-vpc" is illustrative.
const vpc = new awsx.ec2.Vpc("workload-vpc", {
  numberOfAvailabilityZones: numberOfAzs,
  cidrBlock: regionalCidrBlock,
  description: workloadVpcDescription,
  subnetStrategy: awsx.ec2.SubnetAllocationStrategy.Auto,
  subnetSpecs: [
    {
      type: SubnetType.Public,
      cidrMask: 24,
      tags: {
        Name: `${workloadVpcDescription}-public-subnet`,
        Monitor: 'true',
        Provisioned: 'Pulumi',
      },
    },
    {
      type: SubnetType.Private,
      cidrMask: 24,
      tags: {
        Name: `${workloadVpcDescription}-workload-subnet`,
        Monitor: 'true',
        Provisioned: 'Pulumi',
      },
    },
    {
      type: SubnetType.Isolated,
      cidrMask: 28,
      tags: {
        Name: `${workloadVpcDescription}-attachment-subnet`,
        Monitor: 'true',
        Provisioned: 'Pulumi',
      },
    },
  ],
  natGateways: {
    strategy: awsx.ec2.NatGatewayStrategy.OnePerAz,
  },
  tags: {
    Name: workloadVpcDescription,
  },
});

limited-guitar-4572

01/16/2024, 2:25 PM
@miniature-rocket-28706 No, it's in regards to the subnets generated by subnetSpecs recalculating their subnet and re-provisioning/replacing the existing subnets with new values.

miniature-rocket-28706

01/16/2024, 2:26 PM
Magic! Apologies, as I also found that and now it works a treat (and no moaning at me with a warning 😊). Thanks @limited-guitar-4572

limited-guitar-4572

01/16/2024, 8:36 PM
I think I may have found the cause: all public and private subnets default to a /19 size. If exporting the current vpc_layout, it's showing a /20 for all public and private types. I'm assuming there was a change to defaults in the awsx package.

salmon-account-74572

01/16/2024, 11:07 PM
There was a change to how the AWSX VPC component calculated subnets. It shouldn't be prompting to recreate subnets, but clearly that's not the case here. Shawn, could you update the GH issue (https://github.com/pulumi/pulumi-awsx/issues/1204) with this additional information?