https://pulumi.com logo
#general
Title
# general
a

adamant-dress-73325

08/20/2019, 3:58 PM
Hello, I am running into a spurious replace issue, is this a known problem? Pulumi believes that it needs to replace an ec2 instance to give it security group, but the instance already has the security group shown. It happens even after a
pulumi refresh
.
Copy code
++aws:ec2/instance:Instance: (create-replacement)
        <snip>
      ~ securityGroups: [
          + [0]: "sg-082e7a6e007b182dc"
        ]
    +-aws:ec2/instance:Instance: (replace)
      ~ securityGroups: [
          + [0]: "sg-082e7a6e007b182dc"
        ]
l

limited-rainbow-51650

08/20/2019, 4:16 PM
@adamant-dress-73325 are you trying to import existing resources into a Pulumi stack? Or is this a
pulumi preview/up
on an existing Pulumi setup?
a

adamant-dress-73325

08/20/2019, 4:17 PM
On an existing setup
these particular resources were created with pulumi
l

limited-rainbow-51650

08/20/2019, 4:21 PM
@adamant-dress-73325 what are the changes to your pulumi code compared to the previous
pulumi up
?
a

adamant-dress-73325

08/20/2019, 4:23 PM
I added new VPC Peering resources, while keeping the code for ec2 instance creation constant between runs.
Copy code
const blahInstance = new aws.ec2.Instance("blah-qa", {
  ami: "ami-blah",
  instanceType: aws.ec2.InstanceTypes.T3_XLarge,
  subnetId: vpcPrivateSubnetIds[0],
  securityGroups: [blahSg.id],
  keyName: "blah",
  associatePublicIpAddress: false,
  tags: {
    Name: "blah"
  }
});
l

limited-rainbow-51650

08/20/2019, 4:25 PM
What I usually do is comment out all my changes and add my changes again one by one up to the point where this behaviour happens.
w

white-balloon-205

08/20/2019, 4:32 PM
I recall the issue here is that
securityGroups
is actually the wrong property to use here - you need to use
vpcSecurityGroupIds
if you are working with a VPC (which it looks like you are). I believe the confusion you are seeing comes from some strange behaviour where in this case your
securityGroups
wasn't really being applied in the first place, and so it looks like it's constantly trying to reapply it? I think there have been some previous conversations on this topic in the channel here - such as https://pulumi-community.slack.com/archives/C84L4E3N1/p1562426255155500.
a

adamant-dress-73325

08/20/2019, 4:44 PM
Ok, that seems to work, no longer tries to replace, doc comment on that property would be great
l

limited-rainbow-51650

08/20/2019, 7:22 PM
Indeed, bitten by that too back in my Terraform days.
b

broad-dog-22463

08/20/2019, 7:23 PM
@adamant-dress-73325 sorry, securityGroups is actually for EC2 classic 😞 we may need to make this clearer
a

adamant-dress-73325

08/20/2019, 7:33 PM
No worries, rename for that property to classicSecurityGroups could work now that aliases are a thing and avoid the foot gun
Or maybe not, I guess those only work on urn