I m trying to apply a Pulumi update that replaces a security Pulumi Community #aws

I'm trying to apply a Pulumi update that replaces ...

gray-tent-43205

09/25/2024, 7:43 PM

I'm trying to apply a Pulumi update that replaces a security group in AWS. Pulumi first tries to delete the security group before creating the replacement, however, the old security group is still in use and so AWS prevents the deletion (and Pulumi just hangs). How are folks orchestrating this kind of change?

gray-tent-43205

09/25/2024, 7:52 PM

Reading a little more about this... I do NOT have

delete_before_replace=True

set so I would expect Pulumi to create the new security group first, update the resources using the security group and then delete the old one.

little-cartoon-10569

09/25/2024, 8:24 PM

That would work in most cases, but there's plenty of places where the security group is in use in some way that Pulumi can't detect. For example, the dependency is via a string that's build up to have to the same value as its ARN, without actually being the Output from the security group object.

little-cartoon-10569

09/25/2024, 8:24 PM

A very common cause of this sort of problem is that the Pulumi name of the object is changing

little-cartoon-10569

09/25/2024, 8:25 PM

This one cannot be worked around.

little-cartoon-10569

09/25/2024, 8:25 PM

In general, you need to design around this. There are plenty of options.

gray-tent-43205

09/25/2024, 8:25 PM

OK yeah I was just going through and seeing if there was anywhere that I need to explicitly add

depends_on

little-cartoon-10569

09/25/2024, 8:25 PM

You could change what you're changing in the security group to not require a replacement. For example, going from internal rules to attach rules means prevents this problem in the future (but not this first time).

gray-tent-43205

09/25/2024, 8:25 PM

It looks like they're all outputs but I need to debug a bit further

little-cartoon-10569

09/25/2024, 8:26 PM

In your

pulumi preview

it'll say why it is deciding to delete the SG. What is the reason?

gray-tent-43205

09/25/2024, 8:28 PM

I'm moving some things to a new VPC so probably that but let me check

gray-tent-43205

09/25/2024, 8:28 PM

yeah:

Copy code

[diff: ~vpcId]

little-cartoon-10569

09/25/2024, 8:28 PM

Have you read this? https://www.pulumi.com/registry/packages/aws/api-docs/ec2/securitygroup/#recreating-a-security-group

gray-tent-43205

09/25/2024, 8:29 PM

Oh I had not seen that - thank you!

little-cartoon-10569

09/25/2024, 8:32 PM

The best solution for this particular problem, in my experience, is also by far the most awkward. You may need an interim state where you have to duplicate some resources. That is, you project may need to know about VPC1 and VPC2, and some of the resources in both. And you may need to change the code to point old things at new things, And so on. However, if you're moving all your resources to a new VPC, then it's likely that simply destroying the entire stack in the old VPC and creating it again in the new VPC is the way to go.

gray-tent-43205

09/25/2024, 8:33 PM

Yeah, thanks, I think I'll probably just destroy everything except the databases and then recreate everything

little-cartoon-10569

09/25/2024, 8:33 PM

(I just hope you don't have peering set up on the old VPC.. that adds many tonnes of problems to the effort...)

gray-tent-43205

09/25/2024, 8:33 PM

I do not but peering will be setup on the new VPC

little-cartoon-10569

09/25/2024, 8:34 PM

Ok, well don't do that until you've fully migrated! Peering is a real headache via IaC.

gray-tent-43205

09/25/2024, 8:34 PM

Thanks a lot - appreciate the help!

67 Views

Open in Slack

Previous Next