Hi, I have a program that creates an ACM cert and ...
# aws
s
Hi, I have a program that creates an ACM cert and a cloudfront distro that uses it. Everything is functioning correctly except that every time I run `pulumi up` it updates the `viewerCertificate` even though nothing has changed. Not sure how to debug this. Can anyone suggest anything please?
b
Hi @stocky-lion-56153 Can you get some indication from the pulumi up (via the details view) of what is changing in there?
s
Hi @broad-dog-22463 I’m not sure what you mean by details view but I ran `pulumi up --yes --debug` and it dumped a lot of stuff at me. What should I be looking for? Thanks
b
when you run `pulumi up` without `--yes` it will ask `yes / no / details`
the details view will tell you what it is doing
s
Ah ok, got you now. It just says the viewerCertificate is different even though it has not changed.
```
     Type                            Name     Plan       Info
     pulumi:pulumi:Stack             cli-dev
 ~   ├─ aws:cloudfront:Distribution  cdn      update     [diff: ~viewerCertificate]
 ~   └─ aws:route53:Record           get-dev  update     [diff: ~aliases]
```
The route53 record depends on the cloudfront distro so that’s expected
b
So the issue here is that aliases are in a non-deterministic order 😕 This is a bug in the upstream TF provider that we are desperate for a fix for...
Of course, that's no excuse - but now we know what the issue is
if the record rarely changes, then you can use ignoreChanges on the aliases and it will stop that perpetual diff
s
Hi @broad-dog-22463 I tried commenting out the Alias and running the program (so it deletes the alias) and then re-running to see if the problem I originally asked about with the cloudfront distro goes away and I found it’s not made any difference.
```
❯ pulumi up
Previewing update (dev):
     Type                            Name     Plan       Info
     pulumi:pulumi:Stack             cli-dev
 ~   └─ aws:cloudfront:Distribution  cdn      update     [diff: ~viewerCertificate]

Resources:
    ~ 1 to update
    11 unchanged
```
b
What’s the diff of the certificate ?
s
There is none
That’s the full output and the cert has not changed.
```
pulumi:pulumi:Stack: (same)
    [urn=urn:pulumi:dev::cli::pulumi:pulumi:Stack::cli-dev]
    ~ aws:cloudfront/distribution:Distribution: (update)
        [id=E3FUPHGDNK3CR3]
        [urn=urn:pulumi:dev::cli::aws:cloudfront/distribution:Distribution::cdn]
        [provider=urn:pulumi:dev::cli::pulumi:providers:aws::default_2_13_0::8beca890-e310-4e01-92db-d9ade05b9fd9]
      ~ viewerCertificate: {
          ~ cloudfrontDefaultCertificate: false => true
        }
```
b
And in the details what’s the diff about the viewer cert? Anything obvious?
s
Actually - just noticed I can do that
b
Yeah that is the issue - looks like we have a default that isn’t being set back to state...
(In TF)
s
Ah OK
Are there any github issues I can look at so I can understand the problem a bit better?
b
Not that I know off hand but I can look
s
Thanks 🙂