pulumi / pulumi-aws

An Amazon Web Services (AWS) Pulumi resource package, providing multi-language access to AWS
Apache License 2.0

aws.amplify.DomainAssociation always wants to update despite no changes #4223

Open james-tindal opened 4 months ago

james-tindal commented 4 months ago

Describe what happened

Pulumi always thinks my code has had a certificateSettings key removed from the DomainAssociation arguments. The problem is fixed by adding certificateSettings: { type: 'AMPLIFY_MANAGED' } to the DomainAssociation arguments.

Sample program

The code:

```ts
import * as pulumi from '@pulumi/pulumi'
import * as aws from '@pulumi/aws'

const config = new pulumi.Config()
const githubRepo = 'james-tindal/game-of-life'
const githubToken = config.requireSecret('github-access-token')

const amplifyApp = new aws.amplify.App('amplify-game-of-life', {
  name: `game-of-life.jamestindal.co.uk`,
  repository: `https://github.com/${githubRepo}`,
  accessToken: githubToken,
  buildSpec: `
    version: 1
    frontend:
      artifacts:
        baseDirectory: src
        files:
          - '**/*'
  `
})

const mainBranch = new aws.amplify.Branch('amplify main branch', {
  appId: amplifyApp.id,
  branchName: 'main'
})

const domainAssociation = new aws.amplify.DomainAssociation('domain association', {
  appId: amplifyApp.id,
  domainName: 'jamestindal.co.uk',
  subDomains: [{
    branchName: mainBranch.branchName,
    prefix: 'game-of-life',
  }],
  waitForVerification: true
})
```

Log output

pulumi preview:

image

pulumi preview --diff:

image

Affected Resource(s)

aws.amplify.DomainAssociation

Output of pulumi about

```
CLI
Version      3.123.0
Go Version   go1.22.5
Go Compiler  gc

Plugins
KIND      NAME    VERSION
resource  aws     6.44.0
resource  aws     6.44.0
resource  awsx    2.13.0
resource  awsx    2.13.0
resource  docker  4.5.4
resource  docker  4.5.4
resource  docker  3.6.1
resource  docker  3.6.1
language  nodejs  unknown

Host
OS       darwin
Version  14.5
Arch     x86_64

This project is written in nodejs: executable='/usr/local/bin/node' version='v22.4.1'

Backend
Name           pulumi.com
URL            https://app.pulumi.com/uJEmLiaoJzSIsPRHtHQynpXoYqP5b4sMeLmhJywZ
User           uJEmLiaoJzSIsPRHtHQynpXoYqP5b4sMeLmhJywZ
Organizations  uJEmLiaoJzSIsPRHtHQynpXoYqP5b4sMeLmhJywZ
Token type     personal

Pulumi locates its logs in /var/folders/_8/k71zvsq96fz4rvtrdyygkhx00000gp/T/ by default
warning: Failed to get information about the Pulumi program's dependencies: could not find either /Users/user/code/james-tindal.co.uk/yarn.lock or /Users/user/code/james-tindal.co.uk/package-lock.json
warning: Failed to get information about the current stack: No current stack
```

Additional context

No response

Contributing

Vote on this issue by adding a 👍 reaction. To contribute a fix for this issue, leave a comment (and link to your pull request, if you've opened one already).

corymhall commented 4 months ago

@james-tindal thanks for bringing this to our attention. I've been able to repro this and confirm that this is only an issue with Pulumi (Terraform does not have this issue).

I also tried this with PlanResourceChange which did not fix the issue.

Note: If you want to try and reproduce this you will need a real domain (domain_name) and will have to manually add the CNAME records while the domain association is creating.

https://github.com/hashicorp/terraform-provider-aws/blob/c1277a5b4f3c4c9d6e04b83805809dcd26e7d1e5/internal/service/amplify/domain_association.go#L52-L74

Terraform code:

```hcl
locals {
  github_repo  = ""
  github_token = ""
  domain_name  = ""
}

resource "aws_amplify_app" "example" {
  name         = "game-of-life.${local.domain_name}"
  repository   = "https://github.com/${local.github_repo}"
  access_token = local.github_token
  build_spec   = <<-EOT
    version: 1
    frontend:
      artifacts:
        baseDirectory: src
        files:
          - '**/*'
  EOT
}

resource "aws_amplify_branch" "example" {
  app_id      = aws_amplify_app.example.id
  branch_name = "main"
}

resource "aws_amplify_domain_association" "example" {
  app_id      = aws_amplify_app.example.id
  domain_name = local.domain_name

  sub_domain {
    branch_name = aws_amplify_branch.example.branch_name
    prefix      = "game-of-life"
  }

  wait_for_verification = true
}
```

grpc logs:

```console
{
  "method": "/pulumirpc.ResourceProvider/Diff",
  "request": {
    "id": "dwe82rhfivmh8/corymhall.com",
    "urn": "urn:pulumi:dev::pulumi-typescript-app::aws:amplify/domainAssociation:DomainAssociation::domain association",
    "olds": {
      "appId": "dwe82rhfivmh8",
      "arn": "arn:aws:amplify:us-east-2:616138583583:apps/dwe82rhfivmh8/domains/corymhall.com",
      "certificateSettings": {
        "certificateVerificationDnsRecord": "_38981cc15793fe1fa9d171106734e757.corymhall.com. CNAME _d7b11b54b4354db45e28cb990e01cdc2.sdgjtdhdhz.acm-validations.aws.",
        "customCertificateArn": "",
        "type": "AMPLIFY_MANAGED"
      },
      "certificateVerificationDnsRecord": "_38981cc15793fe1fa9d171106734e757.corymhall.com. CNAME _d7b11b54b4354db45e28cb990e01cdc2.sdgjtdhdhz.acm-validations.aws.",
      "domainName": "corymhall.com",
      "enableAutoSubDomain": false,
      "id": "dwe82rhfivmh8/corymhall.com",
      "subDomains": [
        {
          "branchName": "main",
          "dnsRecord": "game-of-life CNAME d1vk7opjtvrijc.cloudfront.net",
          "prefix": "game-of-life",
          "verified": true
        }
      ],
      "waitForVerification": true
    },
    "news": {
      "__defaults": [
        "enableAutoSubDomain"
      ],
      "appId": "dwe82rhfivmh8",
      "domainName": "corymhall.com",
      "enableAutoSubDomain": false,
      "subDomains": [
        {
          "__defaults": [],
          "branchName": "main",
          "prefix": "game-of-life"
        }
      ],
      "waitForVerification": true
    },
    "oldInputs": {
      "__defaults": [
        "enableAutoSubDomain"
      ],
      "appId": "dwe82rhfivmh8",
      "domainName": "corymhall.com",
      "enableAutoSubDomain": false,
      "subDomains": [
        {
          "__defaults": [],
          "branchName": "main",
          "prefix": "game-of-life"
        }
      ],
      "waitForVerification": true
    }
  },
  "response": {
    "stables": [
      "appId",
      "domainName"
    ],
    "changes": "DIFF_SOME",
    "diffs": [
      "certificateSettings"
    ],
    "detailedDiff": {
      "certificateSettings": {
        "kind": "UPDATE"
      },
      "certificateSettings.type": {
        "kind": "DELETE"
      }
    },
    "hasDetailedDiff": true
  },
  "metadata": {
    "kind": "resource",
    "mode": "client",
    "name": "aws"
  }
}
```

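
An added example (not part of the issue thread or of Pulumi's code): one way to triage a Diff entry like the one in the gRPC log above is to list the `detailedDiff` paths whose root input is identical in `news` and `oldInputs`, since no edit to the program explains those. The function names and the sample entries are constructed for illustration, with placeholder values.

```typescript
type Json = Record<string, unknown>;
interface DiffLogEntry {
  request: { olds: Json; news: Json; oldInputs: Json };
  response: { detailedDiff?: Record<string, { kind: string }> };
}

// Strip the "__defaults" bookkeeping keys and sort keys so input bags compare by value.
function normalize(value: unknown): unknown {
  if (Array.isArray(value)) return value.map(normalize);
  if (value === null || typeof value !== "object") return value;
  const out: Json = {};
  for (const key of Object.keys(value as Json).sort()) {
    if (key !== "__defaults") out[key] = normalize((value as Json)[key]);
  }
  return out;
}

// "certificateSettings.type" -> "certificateSettings"; "subDomains[0].prefix" -> "subDomains"
function rootOf(path: string): string {
  return path.split(/[.\[]/)[0] ?? path;
}

// detailedDiff paths whose root input is the same in news and oldInputs (hypothetical helper).
function unexplainedDiffPaths(entry: DiffLogEntry): string[] {
  const news = normalize(entry.request.news) as Json;
  const oldInputs = normalize(entry.request.oldInputs) as Json;
  const same = (k: string) => JSON.stringify(news[k]) === JSON.stringify(oldInputs[k]);
  return Object.keys(entry.response.detailedDiff ?? {}).filter((p) => same(rootOf(p))).sort();
}

// Constructed samples (placeholder values), shaped like the Diff entry in the log above.
const inputs: Json = {
  __defaults: ["enableAutoSubDomain"], appId: "app-placeholder", domainName: "example.com",
  enableAutoSubDomain: false, subDomains: [{ __defaults: [], branchName: "main", prefix: "game-of-life" }],
};
const olds: Json = { ...inputs, certificateSettings: { type: "AMPLIFY_MANAGED", customCertificateArn: "" } };
const perpetual: DiffLogEntry = {
  request: { olds, news: inputs, oldInputs: inputs },
  response: { detailedDiff: { certificateSettings: { kind: "UPDATE" }, "certificateSettings.type": { kind: "DELETE" } } },
};
const edited: DiffLogEntry = {
  request: { olds, news: { ...inputs, subDomains: [{ branchName: "main", prefix: "www" }] }, oldInputs: inputs },
  response: { detailedDiff: { "subDomains[0].prefix": { kind: "UPDATE" } } },
};

console.log(unexplainedDiffPaths(perpetual), unexplainedDiffPaths(edited));
```

A non-empty result means the reported change did not come from the program's inputs, so the remaining candidates are drift in the stored state or the provider's diff logic.
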
t0yv0 commented 1 month ago

I was curious and looked a bit further into the field definition:

```go
"certificate_settings": {
    Type:     schema.TypeList,
    Optional: true,
    MaxItems: 1,
    Elem: &schema.Resource{
        Schema: map[string]*schema.Schema{
            "certificate_verification_dns_record": {
                Type:     schema.TypeString,
                Computed: true,
            },
            names.AttrType: {
                Type:             schema.TypeString,
                Required:         true,
                ValidateDiagFunc: enum.Validate[types.CertificateType](),
            },
            "custom_certificate_arn": {
                Type:         schema.TypeString,
                Optional:     true,
                ValidateFunc: verify.ValidARN,
            },
        },
    },
},
```

Indeed appears to be an issue in pulumi-terraform-bridge.