I have an aws / ts stack that I last updated a month ago and now it wants to do delete a bunch of my role attachments. Was anything changed that might've caused this? I have a decent amount of .apply / .then programming going on so I'm wondering if something changed in a way which makes that invalid...

Did you update any dependencies in particular? I am not aware of anything that would cause this - though there are many potential changes you might have made that could lead to this. Unless you are creating resources inside

.apply

calls, I ould not expect the preview results to be misleading.

I'm having a similar problem, most likely related to my flubbing of the outputs but confusing nevertheless. The preview/up details show the instance recreated because of a security group change, i.e, ++awsec2/instanceInstance: (create-replacement) [id=i-06f95703bc4a27bf2] [urn=urnpulumistage:houdini license serverawsec2/instanceInstance:houdini-license-server-stage] [provider=urnpulumistage:houdini license serverpulumiprovidersawsdefault 1 23 0:2a501aeb-bced-4003-8379-c1113d368079] ~ securityGroups: [ + [0]: "sg-0f0edc067620a7763" ] +-awsec2/instanceInstance: (replace) [id=i-06f95703bc4a27bf2] [urn=urnpulumistage:houdini license serverawsec2/instanceInstance:houdini-license-server-stage] [provider=urnpulumistage:houdini license serverpulumiprovidersawsdefault 1 23 0:2a501aeb-bced-4003-8379-c1113d368079] ~ securityGroups: [ + [0]: "sg-0f0edc067620a7763" ]

Does the underlying instance actually have these security groups applied? Note that I believe that

vpcSecurityGroupIds

is safer to use for VPC-based instances (i.e. if you are not in the default VPC). But not clear from context so far exactly what you instance is actually configured to do - and what change you are in practice making to its configuration.

yeah, not in the default vpc, i'll try using that. I'm not changing its configuration at all 😞