This message was deleted.
# awss
sparse-intern-71089
06/02/2022, 12:36 PMThis message was deleted.
l
little-cartoon-10569
06/02/2022, 8:47 PMDoes it actually change the SSM parameter when running up? Or does it just report that it will, during a preview / before the up runs?
Pulumi will report potential changes if it cannot guarantee that there won't be a change. In this case, the value of the appSettingsKeyArn might not be known during preview, or it might change between preview and up, so it can't be certain that it won't have to update the keyId. So to be safe, it reports that it will change it. However, when running the actual up, it won't change it if it turns out that the "new" value is the same as the old value.
c
clean-rose-47860
06/04/2022, 4:58 PMYeah it actually doesn’t change anything, that’s correct.
But it’s quite alarming as pulumi reports the key of the parameter is being changed updated, which could have implications on data integrity (being able to decrypt).
clean-rose-47860
06/04/2022, 4:59 PMIf a bug in the code got in and caused the key to change, but I was conditioned to just think that the key always gets “updated”, I could inadvertently change the key without intending to do it
clean-rose-47860
06/04/2022, 4:59 PMDo you know why pulumi doesn’t track the key ARN?
clean-rose-47860
06/04/2022, 5:00 PMIs it a security thing?
l
little-cartoon-10569
06/05/2022, 11:32 PMI think it does track it. I'm guessing that your parameter is being created inside an apply. Can you confirm this? If this is the case, then that's the reason you're seeing this behaviour. Move the code outside the apply and everything will work as expected.
2 Views