https://pulumi.com logo
#aws
Title
# aws
b

best-lifeguard-91445

01/13/2021, 2:38 PM
pulumi preview
keeps showing changes to the stack, when none are made: Looks like the container definition / task definitions are showing changes due to ouputs being mapped to the environments: [] array, or secrets: [] array. Any ideas on how to solve this?
Copy code
+-aws:ecs/taskDefinition:TaskDefinition: (replace)
            [id=use1-dev-registrar-api]
            [urn=urn:pulumi:dev::aws::awsx:x:ecs:EC2TaskDefinition$aws:ecs/taskDefinition:TaskDefinition::use1-dev-registrar-api]
            [provider=urn:pulumi:dev::aws::pulumi:providers:aws::default_3_21_0::10e8b33b-1a70-4ffc-bb0e-8c586673f58f]
          ~ containerDefinitions: "[secret]" => "[secret]"
            > aws:autoscaling/group:Group: (read)
                [id=ecs-use1-dev-edge-services-df916d8-Instances-OEURTU97PJME]
                [urn=urn:pulumi:dev::aws::awsx:x:ecs:Cluster$awsx:x:autoscaling:AutoScalingGroup$aws:autoscaling/group:Group::ecs-use1-dev-edge-services]
                [provider=urn:pulumi:dev::aws::pulumi:providers:aws::default_3_21_0::10e8b33b-1a70-4ffc-bb0e-8c586673f58f]
        ~ aws:ecs/service:Service: (update)
            [id=arn:aws:ecs:us-east-1:REDACTED:service/ecs-use1-dev-edge-services-cluster-7f77f63/use1-dev-registrar-api-ff48eab]
            [urn=urn:pulumi:dev::aws::awsx:x:ecs:EC2Service$aws:ecs/service:Service::use1-dev-registrar-api]
            [provider=urn:pulumi:dev::aws::pulumi:providers:aws::default_3_21_0::10e8b33b-1a70-4ffc-bb0e-8c586673f58f]
          ~ taskDefinition: "arn:aws:ecs:us-east-1:REDACTED:task-definition/use1-dev-registrar-api:569" => output<string>
a

acceptable-jackal-53536

01/13/2021, 3:46 PM
i think pulumi is using the terraform aws provider underneath
what i've seen with terraform/aws is that with specific resources it can change the representation when it gets saved
in my case it was with ipv6 addresses
in my script it was
2400:cb00::/32
which got converted to
2400:cb00:0000:0000:0000:0000:0000:0000/32
so when it compared the addresses, it saw it as different and an update would always run
solution was to take the format as it appeared in aws and update my script to be the same
b

best-lifeguard-91445

01/13/2021, 6:35 PM
hm. thank you for the insight. However, I'm not sure what is expected, because it's converting from [secret] => [secret]
l

little-cartoon-10569

01/13/2021, 7:01 PM
Try
pulumi stack export --file mine.json ; pulumi refresh ; pulumi stack export --file theirs.json
and compare.
b

best-lifeguard-91445

01/13/2021, 8:08 PM
k, will do, give me 2 mins
@little-cartoon-10569 - sorry for the delayed response. There are thousands of differences. The outputs.secretBinary.cipherText and outputs.secretString.cipherText for
aws:ecs/taskDefinition:TaskDefinition
are showing differences. and assumeRolePolicy for
aws:iam/role:Role
l

little-cartoon-10569

01/14/2021, 3:57 AM
Some of those might have to be copied as per @acceptable-jackal-53536’s suggestion.. hard to tell which ones..
b

best-lifeguard-91445

01/14/2021, 3:58 AM
Theirs
Copy code
"assumeRolePolicy": "{\"Version\":\"2012-10-17\",\"Statement\":[{\"Effect\":\"Allow\",\"Principal\":{\"Service\":[\"<http://sqs.amazonaws.com|sqs.amazonaws.com>\",\"<http://ecs-tasks.amazonaws.com|ecs-tasks.amazonaws.com>\",\"<http://ec2.amazonaws.com|ec2.amazonaws.com>\",\"<http://sns.amazonaws.com|sns.amazonaws.com>\"]},\"Action\":\"sts:AssumeRole\"}]}",
Mine:
Copy code
"assumeRolePolicy": "{\"Version\":\"2012-10-17\",\"Statement\":[{\"Effect\":\"Allow\",\"Principal\":{\"Service\":[\"<http://sns.amazonaws.com|sns.amazonaws.com>\",\"<http://ec2.amazonaws.com|ec2.amazonaws.com>\",\"<http://sqs.amazonaws.com|sqs.amazonaws.com>\",\"<http://ecs-tasks.amazonaws.com|ecs-tasks.amazonaws.com>\"]},\"Action\":\"sts:AssumeRole\"}]}",
l

little-cartoon-10569

01/14/2021, 3:58 AM
Yep, I want through that exercise in a few policies. Took a few hours, but it's been solid ever since.
b

best-lifeguard-91445

01/14/2021, 3:59 AM
okay cool. what about the secrets tho? it's encoded. I have no idea what it should be
l

little-cartoon-10569

01/14/2021, 4:00 AM
Generally you can ignore those, they won't be the problem. It'll be list-like things (orders change) or encoded JSON docs.
b

best-lifeguard-91445

01/14/2021, 4:00 AM
okay cool
l

little-cartoon-10569

01/14/2021, 4:01 AM
Pulumi does quite well at detecting non-identical similarities. Just needs occasional help.
b

best-lifeguard-91445

01/14/2021, 4:01 AM
Thank you very much
👍 1
2 Views