# aws
m
I just ran `pulumi up` to create a bunch of GuardDuty members and it created them. But I immediately ran `pulumi preview` with no code changes and it says it's going to replace a member. Why would that be?
l
Can't say for sure, but it could be to do with default values, and whether or not they differ from imported guessed values.
In this specific case, it looks like changing the member email address causes a new member resource. So to prevent this, you need to ensure that the value in your code exactly matches what's in AWS.
You could also see if the invite property is at fault, but that's less likely. The docs don't imply that: the property is correctly mutable.
m
hmmm...but I run `pulumi up` again and it does the replace....but if I do `pulumi preview` again it shows the same diff...rinse and repeat.
This is for the organization master account...I wonder if this has something to do with from the master account, you enabled GD and then delegate to another account to be the GD master account...and now the GD master account is trying to add the org master as a GD member??
l
This is because of default values. You need to set the value for whichever field is missing from your code, so that it matches AWS.
m
hmmm...maybe `invite: false`?
l
Maybe.. if it's not in your code, `pulumi up` won't be updating it. And if the value in AWS doesn't match the value in the state, then the preview will show a diff.
m
hmm.. `invite: false` didn't help.
l
And the email is the same in code and AWS?
m
I create an array of accounts and then map() over them,

```typescript
// loop over the accounts to add the GD member
accounts.map(
	account =>
		new aws.guardduty.Member(account.name, {
			detectorId: primaryDetectorId,
			accountId: account.accountId,
			email: account.email,
			invite: false
		})
);
```
I have like 15 accounts in the array and it's only an issue for this one.
l
Aside: Pulumi name = account.name... 😨
I would check the email address for exact-sameness.
m
double/triple-checked the email and it's exact.
hmm...here's a difference...not sure how S3 protection got enabled there as I have not set that. and I don't see an option to set that in Member.
l
An easy way to test if that's the problem would be to temporarily turn it off using the console, and see if Pulumi works as expected.
m
hmm...don't see how that's configured in the console.
l
Here's the CLI to do it, it looks like it can be done in Pulumi too: https://docs.aws.amazon.com/guardduty/latest/ug/s3_detection.html
Yea, the console text and the api property name don't seem in any way related, but there you go. Pulumi property for that CLI config is here: https://www.pulumi.com/registry/packages/aws/api-docs/guardduty/detector/#detectordatasourcess3logs
m
Thanks. Have to jump to a meeting but I'll try these and report back later...
@little-cartoon-10569 I tried some things and I don't think it was related to default values. I removed that account from the list of accounts to create a Member, ran `pulumi up` and it "deleted" the account. I use quotes because Pulumi says it deleted, yet I still see that member in the AWS console. Now when I do `pulumi preview` (or `up`) I see no changes as expected. I think this must have something to do with when the master AWS org account creates the GD master account, it must add itself as a member at that point.
hmm...actually I just ran the code to add the accounts for another region and getting this issue of diffs on 4 other accounts. So I think it's just a bug at this point.
@little-cartoon-10569 Just to close the loop on this. I created a ticket with Pulumi support and they had me send a log file. On reviewing the file they said "..it looks like a bug in the upstream provider. I would use `ignoreChanges`...." So I changed the code to

```typescript
// loop over the accounts to add the GD member
accounts.map(
	account =>
		new aws.guardduty.Member(account.name, {
			detectorId: primaryDetector.id,
			accountId: account.accountId,
			email: account.email,
			invite: false
		},{ignoreChanges: ["email","invite"]})
);
```

and I no longer get diffs.
and here is the github issue in terraform https://github.com/hashicorp/terraform-provider-aws/issues/8206