
cool-dress-96114

03/07/2023, 5:31 PM
I’m having issues with reconciling `up` and `refresh` states on resources that have additional configuration as separate resources, and was wondering if anyone had any advice. Pulumi code snippet:
// Security group with one ingress rule defined inline.
secGroup, err := ec2.NewSecurityGroup(ctx, "secgroup", &ec2.SecurityGroupArgs{
   NamePrefix: namePrefix,
   Ingress: &ec2.SecurityGroupIngressArray{
      &ec2.SecurityGroupIngressArgs{
         CidrBlocks:  pulumi.StringArray{pulumi.String("10.0.0.0/8")},
         Description: pulumi.String("description"),
         FromPort:    pulumi.Int(0),
         Protocol:    pulumi.String("-1"),
         ToPort:      pulumi.Int(0),
      },
   },
   VpcId: vpcId,
}, []pulumi.ResourceOption{awsPulumiProvider}...)
if err != nil {
   return err
}

// A second ingress rule attached to the same group as a separate resource.
_, err = ec2.NewSecurityGroupRule(ctx, "rule", &ec2.SecurityGroupRuleArgs{
   CidrBlocks:      pulumi.StringArray{pulumi.String("11.0.0.0/8")},
   Description:     pulumi.String("description"),
   FromPort:        pulumi.Int(0),
   Protocol:        pulumi.String("-1"),
   SecurityGroupId: secGroup.ID(),
   ToPort:          pulumi.Int(0),
   Type:            pulumi.String("ingress"),
}, awsPulumiProvider)
if err != nil {
   return err
}
So what we’ve done is create a security group with an ingress rule defined inline, and then later on add another ingress rule.
• When running `refresh`, the security group resource notices it has an extra rule, and updates.
• Then after running `up`, the security group resource diffs the state with the expected state, and notices it needs to delete the rule (from the inline state, not the separate rule).
• Then after running `refresh` again, the security group rule is deleted because it doesn’t exist.
• Then after running `up` again, the separate security group rule is recreated, and we do it all over again.
This happens with a lot of different types of resources, anything where we’re defining additional configuration out of line (another example being defining an AWS VPC Route Table, and adding a routing rule later), and basically means that we cannot use `refresh`… ever, which obviously is not desirable.

salmon-account-74572

03/07/2023, 5:53 PM
In general, you don’t want to mix inline and separate definitions. This is because the separate definition changes the security group in a way that causes the inline definition to want to “fix” the perceived drift. I think this should go away if you switch to all inline or all separate.

cool-dress-96114

03/07/2023, 5:56 PM
Interesting… let me experiment with that. Obviously we can’t go to all inline, but we could go all separate definitions…

salmon-account-74572

03/07/2023, 6:03 PM
Let me know how you get on, and if you have further questions!

cool-dress-96114

03/07/2023, 6:07 PM
Thanks @salmon-account-74572, worked exactly as we want it to.
Going into our codebase guidelines, “never use inline” 😄

salmon-account-74572

03/07/2023, 6:24 PM
Awesome, glad to hear it! Thanks for using Pulumi!