pulumi / pulumi-aws-native

AWS Native Provider for Pulumi
Apache License 2.0

Imported S3 Bucket marked for replacement upon refresh #1847

Open ixti opened 3 days ago

ixti commented 3 days ago

What happened?

When an S3 Bucket resource is imported, it can't be refreshed. An attempt to refresh causes it to be marked for replacement.

Example

You can reproduce this with a simple script:

BUCKET_NAME="$(date +pulumi-import-test-%Y%m%d)-$(tr -dc a-z0-9 </dev/urandom | head -c 13; echo)"
echo "$BUCKET_NAME"

# Create bucket
aws s3api create-bucket \
  --bucket "$BUCKET_NAME" \
  --create-bucket-configuration 'LocationConstraint=us-west-2'
aws s3api put-bucket-ownership-controls \
  --bucket "$BUCKET_NAME" \
  --ownership-controls '{"Rules":[{"ObjectOwnership":"BucketOwnerEnforced"}]}'
aws s3api put-bucket-encryption \
  --bucket "$BUCKET_NAME" \
  --server-side-encryption-configuration '{"Rules":[{"ApplyServerSideEncryptionByDefault":{"SSEAlgorithm":"AES256"},"BucketKeyEnabled":true}]}'

# Setup Pulumi project
pulumi login --local
pulumi new typescript --name pulumi-test-s3-import --description "s3 bucket import bug demo" --stack demo --secrets-provider passphrase --yes
npm install @pulumi/aws-native

# Create Pulumi program
rm -f index.ts
cat <<EOF > index.ts
import * as awsNative from "@pulumi/aws-native";

const bucketName = "$BUCKET_NAME";
const bucket     = new awsNative.s3.Bucket("demo", {
  bucketName,
  bucketEncryption: {
    serverSideEncryptionConfiguration: [{
      serverSideEncryptionByDefault: { sseAlgorithm: "AES256" },
      bucketKeyEnabled: true
    }]
  },
  ownershipControls: {
    rules: [{ objectOwnership: "BucketOwnerEnforced" }]
  },
  publicAccessBlockConfiguration: {
    blockPublicAcls: true,
    blockPublicPolicy: true,
    ignorePublicAcls: true,
    restrictPublicBuckets: true
  }
}, {
  import: bucketName
});

export const arn = bucket.arn;
EOF

# Run initial update that will import the resource
pulumi update --yes

# Refresh or update with refresh causing resource replacement
pulumi update --refresh

Output of pulumi about

CLI          
Version      3.141.0
Go Version   go1.23.3
Go Compiler  gc

Plugins
KIND      NAME        VERSION
resource  aws-native  1.9.0
language  nodejs      unknown

Host     
OS       gentoo
Version  2.17
Arch     x86_64

This project is written in nodejs: executable='/run/user/1000/fnm_multishells/31012_1732329528924/bin/node' version='v20.7.0'

Current Stack: organization/pulumi-test-s3-import/demo

TYPE                         URN
pulumi:pulumi:Stack          urn:pulumi:demo::pulumi-test-s3-import::pulumi:pulumi:Stack::pulumi-test-s3-import-demo
pulumi:providers:aws-native  urn:pulumi:demo::pulumi-test-s3-import::pulumi:providers:aws-native::default_1_9_0
aws-native:s3:Bucket         urn:pulumi:demo::pulumi-test-s3-import::aws-native:s3:Bucket::demo

Found no pending operations associated with demo

Backend        
Name           evil-eurasier
URL            file://~
User           ixti
Organizations  
Token type     personal

Dependencies:
NAME                VERSION
typescript          5.7.2
@pulumi/aws-native  1.9.0
@pulumi/pulumi      3.141.0
@types/node         18.19.64

Pulumi locates its logs in /tmp by default

Additional context

AWS classic provider does not suffer from this, though:

import * as aws from "@pulumi/aws";

const bucketName = "<same bucket name as in previous example>";
const bucket     = new aws.s3.Bucket("demo", {
  bucket: bucketName,
  serverSideEncryptionConfiguration: {
    rule: {
      applyServerSideEncryptionByDefault: { sseAlgorithm: "AES256" },
      bucketKeyEnabled: true
    }
  }
}, {
  import: bucketName
});

export const arn = bucket.arn;

Contributing

Vote on this issue by adding a 👍 reaction. To contribute a fix for this issue, leave a comment (and link to your pull request, if you've opened one already).
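A replacement of an imported bucket would delete the real bucket, so a practical safeguard while this is unresolved is to gate `pulumi update --refresh` behind a preview check that refuses any plan replacing or deleting a bucket. The script below is an added example, not code from the issue or from the pulumi-aws-native project; it assumes the shape of `pulumi preview --json` output (a `steps` array whose entries carry `op`, `urn`, and optional `replaceReasons`/`diffReasons` fields), the sample plan embedded in it is constructed for the example, and the `bucketEncryption` reason in that sample is made up rather than taken from the engine.

```python
"""Pre-flight gate for Pulumi plans: exit non-zero if `pulumi preview --json`
would replace or delete a resource we cannot afford to recreate.

Usage (assumed script name):  pulumi preview --refresh --json | python3 preview_gate.py
"""
import json
import sys

# Values of `steps[].op` that remove an existing resource. A replacement shows
# up as "replace" plus a "create-replacement"/"delete-replaced" pair for the
# same URN, so all three are caught here.
DESTRUCTIVE_OPS = {"replace", "create-replacement", "delete-replaced", "delete"}

# Resource types whose replacement must never go through unreviewed
# (AWS Native and AWS classic bucket types from the issue).
PROTECTED_TYPES = {"aws-native:s3:Bucket", "aws:s3/bucket:Bucket"}


def resource_type(urn: str) -> str:
    """Extract the resource type from a Pulumi URN.

    URN layout: urn:pulumi:<stack>::<project>::<qualified type>::<name>.
    The qualified type joins parent types with '$'; the resource's own type
    is the final segment.
    """
    parts = urn.split("::")
    if len(parts) != 4 or not parts[0].startswith("urn:pulumi:"):
        raise ValueError(f"not a Pulumi URN: {urn!r}")
    return parts[2].split("$")[-1]


def destructive_steps(preview_json: str) -> dict:
    """Return {urn: {"type", "ops", "reasons"}} for every protected resource
    the plan would delete or replace. Steps are grouped by URN so the
    replace/create-replacement/delete-replaced trio is reported once."""
    preview = json.loads(preview_json)
    findings: dict = {}
    for step in preview.get("steps", []):
        op = step.get("op")
        if op not in DESTRUCTIVE_OPS:
            continue
        urn = step.get("urn", "")
        rtype = resource_type(urn)
        if rtype not in PROTECTED_TYPES:
            continue
        entry = findings.setdefault(urn, {"type": rtype, "ops": [], "reasons": []})
        entry["ops"].append(op)
        # replaceReasons names the inputs forcing the replacement; a step that
        # only carries diffReasons is reported with those instead.
        for reason in step.get("replaceReasons") or step.get("diffReasons") or []:
            if reason not in entry["reasons"]:
                entry["reasons"].append(reason)
    return findings


def gate(preview_json: str) -> int:
    """CI exit status: 0 when the plan is safe, 1 when it would destroy a
    protected resource. One line per offending resource goes to stderr."""
    findings = destructive_steps(preview_json)
    for urn, entry in findings.items():
        ops = ", ".join(entry["ops"])
        reasons = ", ".join(entry["reasons"]) or "no reason reported"
        print(f"REFUSING PLAN: {entry['type']} {urn} -> {ops} (because of: {reasons})",
              file=sys.stderr)
    return 1 if findings else 0


# Constructed sample resembling the plan from the issue: stack and provider
# unchanged, the imported bucket scheduled for replacement. The replaceReasons
# value is invented for the example.
BUCKET_URN = "urn:pulumi:demo::pulumi-test-s3-import::aws-native:s3:Bucket::demo"
SAMPLE_PREVIEW = json.dumps({
    "steps": [
        {"op": "same",
         "urn": "urn:pulumi:demo::pulumi-test-s3-import::pulumi:pulumi:Stack::pulumi-test-s3-import-demo"},
        {"op": "same",
         "urn": "urn:pulumi:demo::pulumi-test-s3-import::pulumi:providers:aws-native::default_1_9_0"},
        {"op": "replace", "urn": BUCKET_URN, "replaceReasons": ["bucketEncryption"]},
        {"op": "create-replacement", "urn": BUCKET_URN},
        {"op": "delete-replaced", "urn": BUCKET_URN},
    ],
    "changeSummary": {"same": 2, "replace": 1},
})

if __name__ == "__main__":
    # Read a real plan from a pipe; fall back to the constructed sample when
    # run interactively so the script can be tried without an AWS account.
    data = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE_PREVIEW
    sys.exit(gate(data))
```

Running `pulumi preview --refresh --json | python3 preview_gate.py` before the real `pulumi update --refresh` turns the surprise replacement into a failed pipeline step; setting `protect: true` on the imported bucket in the program is a complementary guard, since the engine then refuses to delete it at all.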

t0yv0 commented 1 day ago

Thank you for a detailed repro, I can confirm the problem on my end.

In addition I observed the following warnings on the first pulumi up that imported the resource:

Diagnostics:
  aws-native:s3:Bucket (demo):
    warning: Can't import write-only properties:
        accessControl,
            lifecycleConfiguration/Rules/*/ExpiredObjectDeleteMarker,
            lifecycleConfiguration/Rules/*/NoncurrentVersionExpirationInDays,
            lifecycleConfiguration/Rules/*/NoncurrentVersionTransition, 
            lifecycleConfiguration/Rules/*/Transition, 
            replicationConfiguration/Rules/*/Prefix

After the resource is imported, refresh also emits warnings:

    warning: Can't refresh write-only properties: accessControl, lifecycleConfiguration/Rules/*/ExpiredObjectDeleteMarker, lifecycleConfiguration/Rules/*/NoncurrentVersionExpirationInDays, lifecycleConfiguration/Rules/*/NoncurrentVersionTransition, lifecycleConfiguration/Rules/*/Transition, replicationConfiguration/Rules/*/Prefix

This must be related to https://github.com/pulumi/pulumi-aws-native/issues/1373