busy-dusk-74339

01/17/2020, 10:40 PM
pulumi is convinced that it needs to add 2 security groups to my ec2 instance, but when i view the instance in the console, both of the SGs it wants to add are already there
(plos-pulumi) 01-17|13:51:04|thatguy:~/repos/plos/plos-pulumi/apps/talend_poc > pulumi preview --diff
Previewing update (PLOS/dev):
  pulumi:pulumi:Stack: (same)
    [urn=urn:pulumi:dev::talend_poc::pulumi:pulumi:Stack::talend_poc-dev]
    > pulumi:pulumi:StackReference: (read)
        [id=PLOS/iam/dev]
        [urn=urn:pulumi:dev::talend_poc::pulumi:pulumi:StackReference::PLOS/iam/dev]
        name: "PLOS/iam/dev"
    ~ aws:iam/policyAttachment:PolicyAttachment: (update)
        [id=talend_poc_xml_policy_attachment-cc1c659]
        [urn=urn:pulumi:dev::talend_poc::aws:iam/policyAttachment:PolicyAttachment::talend_poc_xml_policy_attachment]
        [provider: urn:pulumi:dev::talend_poc::pulumi:providers:aws::default_1_8_0::90aafd96-3c4a-4649-9def-fb795391f334 => urn:pulumi:dev::talend_poc::pulumi:providers:aws::default_1_18_0::output<string>]
      - roles: [
      -     [0]: "talend_poc_role"
        ]
    --outputs:--
  + talend-output-bucket-name    : "talend-output-59615b1"
    +-aws:ec2/instance:Instance: (replace)
        [id=i-0b024d1ad4cb75dba]
        [urn=urn:pulumi:dev::talend_poc::aws:ec2/instance:Instance::talend_poc_instance]
        [provider: urn:pulumi:dev::talend_poc::pulumi:providers:aws::default_1_8_0::90aafd96-3c4a-4649-9def-fb795391f334 => urn:pulumi:dev::talend_poc::pulumi:providers:aws::default_1_18_0::output<string>]
      ~ securityGroups: [
          + [0]: "sg-078d2ef15a737ac03"
          + [1]: "sg-095e0af0371379410"
        ]
Resources:
    ~ 1 to update
    +-1 to replace
    2 changes. 15 unchanged

gentle-diamond-70147

01/17/2020, 11:01 PM
If you run a pulumi refresh, does it show that it's going to add the two security groups to your instance?

busy-dusk-74339

01/17/2020, 11:03 PM
i think that’s what this means?
├─ aws:ec2:SecurityGroup         talend_poc_sg                                          [diff: +tags~egress,ingress]
so i proceeded with the refresh
which completed successfully
but it still thinks there are missing sgs.

gentle-diamond-70147

01/17/2020, 11:08 PM
so the refresh didn't show any securityGroups change?

busy-dusk-74339

01/17/2020, 11:09 PM
just the output i pasted above, the ~egress,ingress is vaguely suggestive of a security group, but nothing that’s called out as such
nothing on the ec2 instance

gentle-diamond-70147

01/17/2020, 11:12 PM
So... this won't explain the issue, but securityGroups is a "legacy" setting. You should use vpcSecurityGroupIds instead.

busy-dusk-74339

01/17/2020, 11:12 PM
ah good to know
maybe this is an obscure edge case then

gentle-diamond-70147

01/17/2020, 11:17 PM
Maybe. I opened https://github.com/pulumi/pulumi-aws/issues/852 to deprecate that argument.

busy-dusk-74339

01/17/2020, 11:18 PM
well do you feel that there’s more we should do to try to diagnose the root cause, here? or should i just leave the SGs commented out on my instance for now and move on? this is just a temporary instance for a proof of concept so it’s nothing mission critical.

gentle-diamond-70147

01/17/2020, 11:20 PM
Oh, I do have an idea to try... can you reverse the order of the security groups as you've defined them on your instance? I wonder if it's an ordering issue.
So if you have:
securityGroups: [
    sg1.id,
    sg2.id,
]
change it to
securityGroups: [
    sg2.id,
    sg1.id,
]

busy-dusk-74339

01/17/2020, 11:25 PM
ok this is weird
now i’m having the same issue i did yesterday
where suddenly my session seems to have expired and i can’t log in
it was around this time of day too, as i recall

gentle-diamond-70147

01/17/2020, 11:29 PM
Hmm, maybe a token or cookie expiring after 24 hours.

busy-dusk-74339

01/17/2020, 11:38 PM
perhaps, it’s certainly a problem i hope not to have every day

gentle-diamond-70147

01/17/2020, 11:39 PM
I see some errors in our logs, chatting with one of our engineers.
I’ll dm you.