# aws

stocky-lion-56153

07/11/2020, 8:51 PM
Hi, I have a program that creates an ACM cert and a cloudfront distro that uses it. Everything is functioning correctly except that every time I run `pulumi up` it updates the `viewerCertificate` even though nothing has changed. Not sure how to debug this. Can anyone suggest anything please?

broad-dog-22463

07/13/2020, 3:37 PM
Hi @stocky-lion-56153 Can you get some indication from the pulumi up (via the details view) of what is changing in there?

stocky-lion-56153

07/13/2020, 6:52 PM
Hi @broad-dog-22463 I’m not sure what you mean by details view but I ran `pulumi up --yes --debug` and it dumped a lot of stuff at me. What should I be looking for? Thanks

broad-dog-22463

07/13/2020, 6:53 PM
when you run `pulumi up` without `--yes` it will ask `yes / no / details`
the details view will tell you what it is doing

stocky-lion-56153

07/13/2020, 7:37 PM
Ah ok, got you now. It just says the viewerCertificate is different even though it has not changed.
```
     Type                            Name     Plan       Info
     pulumi:pulumi:Stack             cli-dev
 ~   ├─ aws:cloudfront:Distribution  cdn      update     [diff: ~viewerCertificate]
 ~   └─ aws:route53:Record           get-dev  update     [diff: ~aliases]
```
The route53 record depends on the cloudfront distro so that’s expected

broad-dog-22463

07/14/2020, 4:42 AM
So the issue here is that aliases are in a non-deterministic order 😕 This is a bug in the upstream TF provider that we are desperate for a fix for...
Of course, that's no excuse - but now we know what the issue is
if the record rarely changes, then you can use `ignoreChanges` on the aliases and it will stop that perpetual diff

stocky-lion-56153

07/14/2020, 3:46 PM
Hi @broad-dog-22463 I tried commenting out the Alias and running the program (so it deletes the alias) and then re-running to see if the problem I originally asked about with the cloudfront distro goes away and I found it’s not made any difference.
```
❯ pulumi up
Previewing update (dev):
     Type                            Name     Plan       Info
     pulumi:pulumi:Stack             cli-dev
 ~   └─ aws:cloudfront:Distribution  cdn      update     [diff: ~viewerCertificate]

Resources:
    ~ 1 to update
    11 unchanged
```

broad-dog-22463

07/14/2020, 3:46 PM
What’s the diff of the certificate ?

stocky-lion-56153

07/14/2020, 3:47 PM
There is none
That’s the full output and the cert has not changed.
```
pulumi:pulumi:Stack: (same)
    [urn=urn:pulumi:dev::cli::pulumi:pulumi:Stack::cli-dev]
    ~ aws:cloudfront/distribution:Distribution: (update)
        [id=E3FUPHGDNK3CR3]
        [urn=urn:pulumi:dev::cli::aws:cloudfront/distribution:Distribution::cdn]
        [provider=urn:pulumi:dev::cli::pulumi:providers:aws::default_2_13_0::8beca890-e310-4e01-92db-d9ade05b9fd9]
      ~ viewerCertificate: {
          ~ cloudfrontDefaultCertificate: false => true
        }
```

broad-dog-22463

07/14/2020, 3:48 PM
And in the details what’s the diff about the viewer cert? Anything obvious?

stocky-lion-56153

07/14/2020, 3:48 PM
Actually - just noticed I can do that

broad-dog-22463

07/14/2020, 3:48 PM
Yeah that is the issue - looks like we have a default that isn’t being set back to state...
(In TF)

stocky-lion-56153

07/14/2020, 3:49 PM
Ah OK
Are there any github issues I can look at so I can understand the problem a bit better?

broad-dog-22463

07/14/2020, 3:51 PM
Not that I know off hand but I can look

stocky-lion-56153

07/14/2020, 3:52 PM
Thanks 🙂