Channels
announcements
automation-api
aws
azure
blog-posts
built-with-pulumi
cloudengineering
cloudengineering-support
content-share
contribex
contribute
docs
dotnet
finops
general
getting-started
gitlab
golang
google-cloud
hackathon-03-19-2020
hacktoberfest
install
java
jobs
kubernetes
learn-pulumi-events
linen
localstack
multi-language-hackathon
office-hours
oracle-cloud-infrastructure
package-authoring
pulumi-ai
pulumi-cdk
pulumi-cloud
pulumi-crosscode
pulumi-deployments
pulumi-kubernetes-operator
pulumiverse
python
registry
status
testingtesting123
testingtesting321
typescript
welcome
workshops
yaml
Title
m
miniature-leather-70472
06/28/2020, 4:25 PMI'm seeing a weird issue when creating network security groups. I'm aware of the issue with specifying NSG rules both in the NSG object and in seperate rule objects, so I have created an NSG with no rules, then create seperate rule objects for that NSG. When I deploy the NSG it works fine, however if I change anything, like adding a tag to the NSG, when I re-run Pulumi Up then all of the NSG rules are deleted. Any ideas? If it makes any different I am creating the NSG in a custom component.
g
gentle-diamond-70147
06/28/2020, 9:34 PMThat's very strange. Can you share the code for your custom component?
c
colossal-room-15708
06/28/2020, 10:04 PMThat's actually "expected" unfortunately.
@miniature-leather-70472 I had a chat to Alex from the ARM team a while ago and he confirmed it's because the ARM platform receives the empty nsg resource in the second run where in actuality the resource has all these child resources now.
In those situations you need to run
pulumi up --refreshSee here for same issue with vnet and subnet
https://pulumi-community.slack.com/archives/CRVK66N5U/p1585637304036000
m
miniature-leather-70472
06/29/2020, 6:55 AMWow, ok that's pretty bad. So I've now got to rely on the user adding the refresh flag, otherwise it's going to break their environment. Is there no other way round it? Being idempotent is a pretty key factor for an IaC tool.
c
colossal-room-15708
06/29/2020, 8:47 AMIt's not pulumi nor terraform.
Terraform always runs a refresh and there's no way for a user to not run the refresh.
The ARM team said this:
My guess is this is because the subnet is provisioned as a child resource, not as a property of the subnet. When the VNET is created it will attempt to delete the subnets if they are not declared in the VNET PUT body. So when you resubmit the PUT with a tag but no subnets, NRP is trying to delete the subnets in the process.so yeah, if you're fine with getting hit by the "refresh" tax, just always add
refresht
tall-librarian-49374
06/29/2020, 9:50 AMYeah, the Microsoft.Network ARM API is broken in this way. A security group is a resource which demands rules to be present in the PUT payload, otherwise it tries to wipe them. Here is the place in the spec: https://github.com/Azure/azure-rest-api-specs/blob/master/specification/network/resource-manager/Microsoft.Network/stable/2020-05-01/networkSecurityGroup.json#L869
The same applies to vnets/subnets.
@miniature-leather-70472 I’m curious how you deal with this in ARM Templates. Do you define all rules as properties of an NSG?
m
miniature-leather-70472
06/29/2020, 10:55 AMOk, makes sense. In ARM I believe I have done both, but then ARM is running the whole template every time anyway, so you wouldn't notice a difference. In Terraform I've always set them up as separate objects but as you say the automatic refresh takes care of it
An I agree, or does sound like the API is broken if it allows you to specify them as separate object and yet expects them to be in the main object.
t
tall-librarian-49374
06/29/2020, 12:02 PMIf your rules are separate objects, then ARM templates would temporarily delete them while applying the NSG, wouldn’t it? Doesn’t that cause issues? I definitely experienced this with vnet/subnets.
m
miniature-leather-70472
06/30/2020, 11:29 AMYes it would cause issues, I'd have to check to see how it has worked in the past, it may be I've always used them as sub objects.