Closed mark-bixler closed 1 month ago
What property does the update say has changed, and from what to what? Can you share the preview --diff output?
For sure!...some names have been replaced with generic.
```
╰─❯ pulumi preview --diff
Previewing update (dev)
View Live: https://app.pulumi.com/mark-bixler/example.io/dev/previews/88331707-f555-441f-860a-aa709eb8cf20
  pulumi:pulumi:Stack: (same)
    [urn=urn:pulumi:dev::example.io::pulumi:pulumi:Stack::example.io-dev]
    +-aws:acm/certificate:Certificate: (replace)
        [id=arn:aws:acm:us-east-1:208123456789:certificate/678536c4-2b68-4dc4-a74c-5239ef541758]
        [urn=urn:pulumi:dev::example.io::aws:acm/certificate:Certificate::example.io-cert]
        [provider=urn:pulumi:dev::example.io::pulumi:providers:aws::secondary::9ce33a40-5ee3-4c1c-afa4-36bcec07fe0e]
      ~ subjectAlternativeNames: [
          + [0]: "example.io"
        ]
    --outputs:--
      ~ certArn : "arn:aws:acm:us-east-1:208123456789:certificate/678536c4-2b68-4dc4-a74c-5239ef541758" => output<string>
    + aws:s3/bucketPolicy:BucketPolicy: (create)
        [urn=urn:pulumi:dev::example.io::aws:s3/bucketPolicy:BucketPolicy::bucketPolicy]
        [provider=urn:pulumi:dev::example.io::pulumi:providers:aws::default_3_32_0::948060e5-ede3-4862-bf87-e2bfbc26d127]
        bucket : "example.io"
        policy : "{\"Version\":\"2012-10-17\",\"Statement\":[{\"Effect\":\"Allow\",\"Principal\":\"*\",\"Action\":[\"s3:GetObject\"],\"Resource\":[\"arn:aws:s3:::example.io/*\"]}]}"
    ~ aws:cloudfront/distribution:Distribution: (update)
        [id=EBBYHAD0APXL8]
        [urn=urn:pulumi:dev::example.io::aws:cloudfront/distribution:Distribution::example.io-cf-distro]
        [provider=urn:pulumi:dev::example.io::pulumi:providers:aws::primary::ac20fd92-9f83-422c-8c3c-c947763de93b]
      ~ viewerCertificate: {
          ~ acmCertificateArn : "arn:aws:acm:us-east-1:208123456789:certificate/678536c4-2b68-4dc4-a74c-5239ef541758" => output<string>
          ~ cloudfrontDefaultCertificate: false => true
        }
    - aws:acm/certificateValidation:CertificateValidation: (delete)
        [id=2021-03-09 00:33:06 +0000 UTC]
        [urn=urn:pulumi:dev::example.io::aws:acm/certificateValidation:CertificateValidation::example.io-cert-validation]
        [provider=urn:pulumi:dev::example.io::pulumi:providers:aws::secondary::9ce33a40-5ee3-4c1c-afa4-36bcec07fe0e]
        certificateArn : "arn:aws:acm:us-east-1:208123456789:certificate/678536c4-2b68-4dc4-a74c-5239ef541758"
        validationRecordFqdns: [
            [0]: "_9ca52926eee1c50c11627e3f8f6a2746.example.io"
        ]
    - aws:route53/record:Record: (delete)
        [id=Z065202617WF6N3Z5GA22__9ca52926eee1c50c11627e3f8f6a2746.example.io._CNAME]
        [urn=urn:pulumi:dev::example.io::aws:route53/record:Record::example.io-validation-record]
        [provider=urn:pulumi:dev::example.io::pulumi:providers:aws::secondary::9ce33a40-5ee3-4c1c-afa4-36bcec07fe0e]
        name : "_9ca52926eee1c50c11627e3f8f6a2746.example.io."
        records : [
            [0]: "_8b6c64a336a9f5a2b9770f3b007f0a0c.nfyddsqlcy.acm-validations.aws."
        ]
        ttl : 60
        type : "CNAME"
        zoneId : "Z065202617WF6N3Z5GA22"
Resources:
    + 1 to create
    ~ 1 to update
    - 2 to delete
    +-1 to replace
    5 changes. 6 unchanged
```
The code block for cert (did not change..was just adding a new bucket policy)..
```typescript
const cert = new aws.acm.Certificate(
  `${bucketName}-cert`,
  {
    domainName: bucketName,
    subjectAlternativeNames: [
      bucketName, `*.${bucketName}`
    ],
    tags,
    validationMethod: 'DNS',
  },
  {
    provider: secondary,
  },
);
```
Experiencing the same. The issue still seems to exist on Pulumi version v3.36.0. Any updates on a solution / workaround?
```
     Type                              Name                                     Plan       Info
     pulumi:pulumi:Stack               whatever                                            2 messages
 +-  ├─ aws:acm:Certificate            myservice-certificate                    replace    [diff: ~subjectAlternativeNames]
 +-  ├─ aws:acm:CertificateValidation  myservice-certificate-validation         replace    [diff: ~certificateArn]
 +-  └─ aws:route53:Record             myservice-certificate-validation-record  replace    [diff: ~name,records]
```
Even get it when just feeding in one value into the `subjectAlternativeNames` array.
If anyone has an example program here to reproduce, that would make it much easier. Thank you!
Not 100% sure anymore. Would have a hard time to repro the scenario again today. But don't want to leave it unanswered:
It must have been in the broader context of providing certs to pulumi-helm (very vague, I know). As said not sure but hope that it helps, must have been something similar to this that produced the issue:
```typescript
const cert = new aws.acm.Certificate(`myservice-certificate`, {
  domainName: `myService.myDomainName`,
  validationMethod: "DNS",
  subjectAlternativeNames: [`${config.targetDomain}`]
});

const validationRecord = new aws.route53.Record(
  `myservice-certificate-validation-record`,
  {
    type: aws.route53.RecordType.CNAME,
    name: recordName,
    records: [recordValue],
    zoneId,
    ttl: 1800,
  });

const configCertValidation = new aws.acm.CertificateValidation(
  `myservice-certificate-validation`,
  {
    certificateArn: cert.arn,
  }
);
```
Closing this as stale as we still couldn't quite reproduce. If you're experiencing something similar, opening a new issue with a self-contained repro would be very helpful!
Running a new `pulumi preview` against my 2 SANs results in Pulumi wanting to replace my Certificate. I've noticed a past issue https://github.com/pulumi/pulumi-aws/issues/1022 but that was closed and resolved.
I'm on the latest versions:
v2.22.0
@pulumi/aws@3.32.0
Expected behavior
Expected behavior is to not detect any changes. List has stayed static. No changes between up / preview
Current behavior
Pulumi tries to replace resource.
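
In the preview output earlier in this thread, the only certificate change is `+ [0]: "example.io"`, the same value the posted snippet passes as `domainName`. The following is an added example, not code from the issue or from Pulumi: a hypothetical `normalizeSans` helper that removes the primary domain and duplicates from the SAN list before it is handed to `aws.acm.Certificate`. It assumes the refreshed state stores SANs without the primary domain, which the thread does not confirm.

```typescript
// Added example (hypothetical helper, not from the issue or the provider).
// Assumption: the provider's stored state lists SANs without the primary
// domain, so repeating domainName in subjectAlternativeNames appears as a
// "+" entry on every preview and forces a replace.

interface NormalizedSans {
  subjectAlternativeNames: string[]; // value to pass to aws.acm.Certificate
  dropped: string[];                 // entries removed, kept for review/logging
}

// DNS names compare case-insensitively and may carry a trailing root dot.
function canonical(name: string): string {
  return name.trim().toLowerCase().replace(/\.$/, "");
}

function normalizeSans(domainName: string, sans: string[]): NormalizedSans {
  const primary = canonical(domainName);
  const kept: string[] = [];
  const dropped: string[] = [];
  for (const raw of sans) {
    const name = canonical(raw);
    // Drop empty entries, the primary domain itself, and duplicates.
    if (name === "" || name === primary || kept.indexOf(name) !== -1) {
      dropped.push(raw);
    } else {
      kept.push(name);
    }
  }
  kept.sort(); // stable order so the declared input is identical on every run
  return { subjectAlternativeNames: kept, dropped };
}

// Constructed input mirroring the snippet in the thread (bucketName = "example.io").
const bucketName = "example.io";
const result = normalizeSans(bucketName, [bucketName, `*.${bucketName}`]);
console.log("SANs to declare:", result.subjectAlternativeNames);
console.log("Dropped entries:", result.dropped);
```

Because a certificate replace in this stack also flips `cloudfrontDefaultCertificate` to `true` and deletes the validation record, it is worth logging `dropped` so a changed SAN list is reviewed before `pulumi up`.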