# general
h
seeing an error, we run our stacks in CI, so they run whether or not there's an update. The stack has no actual changes, but every resource has a provider change (all resources are AWS) and the deployment fails because the resource cannot be replaced because it already exists. Any ideas? edit: It looks like all my stacks that use the Terraform provider have this issue
q
Can you share more details on what you are seeing - either here or in a GitHub issue at https://github.com/pulumi/pulumi-aws (assuming you're using AWS classic)
k
@quick-house-41860 I work with Anthony and here's an example output
+-  ├─ aws:dms:ReplicationSubnetGroup  my-subnet-group                                  replace     [diff: ~provider]
We didn't change anything, but nothing works on `pulumi up` because it says the name already exists when it tries to perform the replace. Some people are saying this might be fixed after the upstream is updated to v5.73.0 (this issue follows that upgrade) but others are saying the fix is to delete and re-up all projects, which isn't exactly a feasible option in production
w
You certainly shouldn’t have to delete and re-up your projects. Can you share why you expect this is related to the upgrade to upstream v5.73.0? What change did you make that started triggering this for you? Did you pick up a new AWS provider version? Or new Pulumi CLI version? Or anything else?
k
We have made no change locally that triggered this. We did not change pulumi cli version, didn't change aws provider version, and see this issue across all of our organization on various versions including the latest pulumi cli. No local changes to the code. It worked last week and is failing this week. I definitely don't know if it's related to upstream v5.73.0 or not, someone mentioned that the provider changed recently and that might fix it. That was hearsay though so I wouldn't put much into that.
q
It would be great if you could additionally share how you're configuring the provider. Do you see any indications in the diff as to why the provider is getting replaced? Is this happening for everybody in your team or does it only affect certain developers (or maybe only CI)?
h
ok we figured out the issue
we had to set the AWS_REGION environment variable
i am guessing this is because the region is used to build the provider
w
Great to hear you resolved this!
i am guessing this is because the region is used to build the provider
Yes - that variable determines the `region` property on the provider if not specified elsewhere. You can explicitly specify this instead in code or Pulumi config to ensure it won't get picked up from the ambient environment. More details on AWS provider configuration at https://www.pulumi.com/registry/packages/aws/installation-configuration/. Was there a line in your output that told you that the `aws:Provider` was replacing due to a change to the `region` property? That would be what should happen in this case. That change to the provider would then suggest changes to all other resources (to deploy into a new region and destroy in the existing region).
k
Unfortunately not, there was nothing in our output that indicated region. Here is an example output of `pulumi preview` without the region set
$ pulumi preview        
Previewing update (qa):
     Type                               Name                                                                       Plan        Info
     pulumi:pulumi:Stack                dms-qa                                                                                 2 warnings; 3 messages
 +-  ├─ aws:dms:ReplicationSubnetGroup  redacted-dms-qa-replication-subnet-group                                   replace     [diff: ~provider]
 +-  ├─ aws:dms:ReplicationInstance     redacted-dms-qa-replication-instance                                       replace     [diff: ~provider]
 +-  ├─ aws:dms:Endpoint                redacted-qa-task-redacted-redacted-redacted-source-endpoint                replace     [diff: ~provider,secretsManagerAccessRoleArn]
 +-  ├─ aws:dms:ReplicationTask         redacted-qa-task-redacted-redacted-redacted                                replace     [diff: ~provider,replicationInstanceArn,replicationTaskSettings,sourceEn
 +-  ├─ aws:dms:Endpoint                redacted-qa-task-redacted-redacted-redacted-target-endpoint                replace     [diff: ~provider,secretsManagerAccessRoleArn]
 +-  ├─ aws:dms:Endpoint                redacted-qa-task-redacted-redacted-redacted-source-endpoint                replace     [diff: ~provider,secretsManagerAccessRoleArn]
 +-  ├─ aws:dms:Endpoint                redacted-qa-task-redacted-redacted-redacted-target-endpoint                replace     [diff: ~provider,secretsManagerAccessRoleArn]
 +-  ├─ aws:dms:ReplicationTask         redacted-qa-task-redacted-redacted-redacted                                replace     [diff: ~provider,replicationInstanceArn,replicationTaskSettings,sourceEn
 +-  ├─ aws:dms:Endpoint                redacted-qa-task-redacted-redacted-source-endpoint                         replace     [diff: ~provider,secretsManagerAccessRoleArn]
 +-  ├─ aws:dms:Endpoint                redacted-qa-task-redacted-redacted-target-endpoint                         replace     [diff: ~provider,secretsManagerAccessRoleArn]
 +-  ├─ aws:dms:ReplicationTask         redacted-qa-task-redacted-redacted                                         replace     [diff: ~provider,replicationInstanceArn,replicationTaskSettings,sourceEn
 +-  ├─ aws:dms:Endpoint                redacted-qa-task-redacted-redacted-redacted-source-endpoint                replace     [diff: ~provider,secretsManagerAccessRoleArn]
 +-  ├─ aws:dms:Endpoint                redacted-qa-task-redacted-redacted-redacted-target-endpoint                replace     [diff: ~provider,secretsManagerAccessRoleArn]
 +-  ├─ aws:dms:ReplicationTask         redacted-qa-task-redacted-redacted-redacted                                replace     [diff: ~provider,replicationInstanceArn,replicationTaskSettings,sourceEn
 +-  ├─ aws:dms:Endpoint                redacted-qa-task-redacted-redacted-redacted-source-endpoint                replace     [diff: ~provider,secretsManagerAccessRoleArn]
 +-  ├─ aws:dms:Endpoint                redacted-qa-task-redacted-redacted-redacted-target-endpoint                replace     [diff: ~provider,secretsManagerAccessRoleArn]
 +-  ├─ aws:dms:ReplicationTask         redacted-qa-task-redacted-redacted-redacted                                replace     [diff: ~provider,replicationInstanceArn,replicationTaskSettings,sourceEn
 +-  ├─ aws:iam:RolePolicy              qa-promote-redacted-lambda-role-policy                                     replace     [diff: ~name,policy,provider,role]
 +-  ├─ aws:lambda:Function             qa-promote-redacted-lambda                                                 replace     [diff: ~environment,name,provider,role]
 +-  ├─ aws:iam:Role                    qa-replicate-redacted-lambda-role                                          replace     [diff: ~name,provider]
 +-  ├─ aws:cloudwatch:EventTarget      qa-promote-redacted-lambda-target                                          replace     [diff: ~arn,provider,rule,targetId]
 +-  ├─ aws:cloudwatch:EventRule        qa-replicate-redacted-event-rule                                           replace     [diff: ~eventPattern,name,provider]
 +-  ├─ aws:lambda:Function             qa-replicate-redacted-lambda                                               replace     [diff: ~environment,name,provider,role]
 +-  ├─ aws:lambda:Permission           qa-promote-redacted-lambda-permission                                      replace     [diff: ~function,provider,sourceArn,statementId]
 +-  ├─ aws:lambda:Permission           qa-replicate-redacted-lambda-permission                                    replace     [diff: ~function,provider,sourceArn,statementId]
 +-  ├─ aws:iam:RolePolicy              qa-replicate-redacted-lambda-role-policy                                   replace     [diff: ~name,policy,provider,role]
 +-  ├─ aws:cloudwatch:EventTarget      qa-replicate-redacted-lambda-target                                        replace     [diff: ~arn,provider,rule,targetId]
 +-  ├─ aws:iam:RolePolicy              redacted-dms-qa-secretsmanager-access-role-secrets-manager-access-policy   replace     
 +-  ├─ aws:cloudwatch:EventRule        qa-promote-redacted-event-rule                                             replace     
 +-  ├─ aws:iam:Role                    qa-promote-redacted-lambda-role                                            replace     
 +-  └─ aws:iam:Role                    redacted-dms-qa-dms-secrets-manager-access-role                            replace
w
Interesting. That does not sound expected. There may be an issue where we are not reporting the diff on the Provider to the UI here when it is caused by a change in an environment variable. We'll look into that and open an issue if needed.
q
@kind-eye-56938 @hundreds-printer-10986 Are you using the default provider or configure an explicit provider? Default providers do not show up in the diff, but explicitly configured providers do and also show why there's a diff. E.g. I changed the region via the `AWS_REGION` env variable here and it shows that in the diff for the explicit provider.
Type                     Name                                               Plan        Info
     pulumi:pulumi:Stack      aws-provider-env-changes-aws-provider-env-changes
 +-  ├─ pulumi:providers:aws  explicit                                           replace     [diff: ~region]
 +-  ├─ aws:s3:BucketV2       my-other-bucket                                    replace     [diff: ~bucket,provider]
 +-  └─ aws:s3:BucketV2       my-bucket                                          replace     [diff: ~bucket,provider]
Here's more information around how to use explicit providers: https://www.pulumi.com/docs/iac/concepts/resources/providers/#explicit-provider-configuration I'd also recommend having a look at the next section, "Disabling Default Providers".
h
we are using the default provider