Hello everyone, We have migrated our entire engineering platform’s definition from CloudFormation to Pulumi, which has been a great success. The platform is split over multiple projects, such as the common infrastructure and a project per service in the platform. They can all be set up in differents stacks, such as

production

,

recovery

,

preprod

and others, but regardless of which stack we set up or upgrade, there is one problem we cannot figure out or find a solution for: We normally set up stacks using an AWS State Machine (which is itself defined in Pulumi), which lets us control all aspects of deployment, readiness, recovery, upgrades and much more. This works flawlessly across all projects, and we can if needed run a

pulumi up

from any local machine to try out changes in, for instance,

preprod

. This works for every single project, except one, which, when run from ay other place than the State Machine, always wants to replace every single resource due to

replace   [diff: ~provider]

. We do not use any custom providers or explicit provider configurations, and it happens for only one project. Has anyone seen something similar, or have an idea of things to look for or try, in order to resolve this? Grateful for any help you may be able to provide.

Does

pulumi up --diff

or

pulumi preview --diff

show what exactly it thinks has changed about the provider?

Great suggestion, it didn’t occur to me to check. I get “urnpulumipreprod:gitlabpulumiprovidersawsdefault 6 60 0:4bf6ece5-4ce6-4006-8ace-eb5757b6108d => urnpulumipreprod:gitlabpulumiprovidersawsdefault 6 60 0:outputstring” So the provider are both

default_6_60_0

but the existing one is

default_6_60_0::4bf6ece5-4ce6-4006-8ace-eb5757b6108d

where as the “new” one is

default_6_60_0::output<string>

. What in the world does that come from? There seems to be an unresolved Output tacked on to the “new” one? Unless it's the normal

output<string>

during the preview phase, and it is in fact the same value as the existing one. Or a different one. Either way, it's not really helpful, I think?

How are you configuring the provider (i.e. credentials, region, etc.)? This could happen for example if the pulumi program executed in the state machine picks up a different

AWS_REGION

environment variable than the environment where you're running into that issue. I'd recommend checking if there's a diff in any of the configurations related to credentials and regions (e.g.

AWS_REGION

,

AWS_PROFILE

, etc.). It's a bit trickier to pin-point when using default providers because they do not show up in the diff as resources themselves.

Super late reaction here: the config files across projects are identical and no special config is done for the providers; I use the default ones. The one difference between the project with this issue and the others are that it uses StackReference to grab a few values (such as ARNs of VPC, load balancers and more. I just ran it

pulumi up

on my local machine, which worked as expected during subsequent

pulumi up

, until it installed a new

pulumi-aws

plugin (I guess a new plugin was released). Immediately it wanted to replace every single resource in the project. Same would happen if I upgrade Pulumi itself. All other projects behave just fine even when a new plugin is installed.