I'm seeing a weird issue when creating network sec...
# azure
m
I'm seeing a weird issue when creating network security groups. I'm aware of the issue with specifying NSG rules both in the NSG object and in separate rule objects, so I have created an NSG with no rules, then create separate rule objects for that NSG. When I deploy the NSG it works fine, however if I change anything, like adding a tag to the NSG, when I re-run Pulumi Up then all of the NSG rules are deleted. Any ideas? If it makes any difference I am creating the NSG in a custom component.
g
That's very strange. Can you share the code for your custom component?
c
That's actually "expected" unfortunately. @miniature-leather-70472 I had a chat with Alex from the ARM team a while ago and he confirmed it's because the ARM platform receives the empty nsg resource in the second run where in actuality the resource has all these child resources now. In those situations you need to run `pulumi up --refresh`.
Terraform always runs a refresh first. Pulumi decided to not make this a default.
m
Wow, ok that's pretty bad. So I've now got to rely on the user adding the refresh flag, otherwise it's going to break their environment. Is there no other way round it? Being idempotent is a pretty key factor for an IaC tool.
c
It's not pulumi nor terraform. Terraform always runs a refresh and there's no way for a user to not run the refresh. The ARM team said this:
My guess is this is because the subnet is provisioned as a child resource, not as a property of the subnet. When the VNET is created it will attempt to delete the subnets if they are not declared in the VNET PUT body. So when you resubmit the PUT with a tag but no subnets, NRP is trying to delete the subnets in the process.
so yeah, if you're fine with getting hit by the "refresh" tax, just always add `refresh` every time you call pulumi, but it's not required always.
t
Yeah, the Microsoft.Network ARM API is broken in this way. A security group is a resource which demands rules to be present in the PUT payload, otherwise it tries to wipe them. Here is the place in the spec: https://github.com/Azure/azure-rest-api-specs/blob/master/specification/network/resource-manager/Microsoft.Network/stable/2020-05-01/networkSecurityGroup.json#L869
The same applies to vnets/subnets.
@miniature-leather-70472 I’m curious how you deal with this in ARM Templates. Do you define all rules as properties of an NSG?
m
Ok, makes sense. In ARM I believe I have done both, but then ARM is running the whole template every time anyway, so you wouldn't notice a difference. In Terraform I've always set them up as separate objects but as you say the automatic refresh takes care of it.
And I agree, it does sound like the API is broken if it allows you to specify them as separate objects and yet expects them to be in the main object.
t
If your rules are separate objects, then ARM templates would temporarily delete them while applying the NSG, wouldn’t it? Doesn’t that cause issues? I definitely experienced this with vnet/subnets.
m
Yes it would cause issues, I'd have to check to see how it has worked in the past, it may be I've always used them as sub objects.