https://pulumi.com logo
#azure
Title
# azure
m

miniature-leather-70472

06/28/2020, 4:25 PM
I'm seeing a weird issue when creating network security groups. I'm aware of the issue with specifying NSG rules both in the NSG object and in seperate rule objects, so I have created an NSG with no rules, then create seperate rule objects for that NSG. When I deploy the NSG it works fine, however if I change anything, like adding a tag to the NSG, when I re-run Pulumi Up then all of the NSG rules are deleted. Any ideas? If it makes any different I am creating the NSG in a custom component.
g

gentle-diamond-70147

06/28/2020, 9:34 PM
That's very strange. Can you share the code for your custom component?
c

colossal-room-15708

06/28/2020, 10:04 PM
That's actually "expected" unfortunately. @miniature-leather-70472 I had a chat to Alex from the ARM team a while ago and he confirmed it's because the ARM platform receives the empty nsg resource in the second run where in actuality the resource has all these child resources now. In those situations you need to run
pulumi up --refresh
Terraform always runs a refresh first. Pulumi decided to not make this a default.
m

miniature-leather-70472

06/29/2020, 6:55 AM
Wow, ok that's pretty bad. So I've now got to rely on the user adding the refresh flag, otherwise it's going to break their environment. Is there no other way round it? Being idempotent is a pretty key factor for an IaC tool.
c

colossal-room-15708

06/29/2020, 8:47 AM
It's not pulumi nor terraform. Terraform always runs a refresh and there's no way for a user to not run the refresh. The ARM team said this:
Copy code
My guess is this is because the subnet is provisioned as a child resource, not as a property of the subnet. When the VNET is created it will attempt to delete the subnets if they are not declared in the VNET PUT body. So when you resubmit the PUT with a tag but no subnets, NRP is trying to delete the subnets in the process.
so yeah, if you're fine with getting hit by the "refresh" tax, just always add
refresh
to every time you call pulumi, but it's not required always.
t

tall-librarian-49374

06/29/2020, 9:50 AM
Yeah, the Microsoft.Network ARM API is broken in this way. A security group is a resource which demands rules to be present in the PUT payload, otherwise it tries to wipe them. Here is the place in the spec: https://github.com/Azure/azure-rest-api-specs/blob/master/specification/network/resource-manager/Microsoft.Network/stable/2020-05-01/networkSecurityGroup.json#L869
The same applies to vnets/subnets.
@miniature-leather-70472 I’m curious how you deal with this in ARM Templates. Do you define all rules as properties of an NSG?
m

miniature-leather-70472

06/29/2020, 10:55 AM
Ok, makes sense. In ARM I believe I have done both, but then ARM is running the whole template every time anyway, so you wouldn't notice a difference. In Terraform I've always set them up as separate objects but as you say the automatic refresh takes care of it
An I agree, or does sound like the API is broken if it allows you to specify them as separate object and yet expects them to be in the main object.
t

tall-librarian-49374

06/29/2020, 12:02 PM
If your rules are separate objects, then ARM templates would temporarily delete them while applying the NSG, wouldn’t it? Doesn’t that cause issues? I definitely experienced this with vnet/subnets.
m

miniature-leather-70472

06/30/2020, 11:29 AM
Yes it would cause issues, I'd have to check to see how it has worked in the past, it may be I've always used them as sub objects.
3 Views