pulumi / pulumi-azure-native

Azure Native Provider
Apache License 2.0

Can't use inline and standalone security group rules in network security group #3359

Closed pierskarsenbarg closed 1 week ago

pierskarsenbarg commented 1 week ago

What happened?

When creating a NetworkSecurityGroup there are two options on how to define the security rules:

  1. Use the inline SecurityRules input
  2. Use a standalone SecurityRule resource

It looks like you can use the two options side by side (so create an NSG resource with inline rules and then add on other rules later). But if you do, then the standalone gets deleted and added repeatedly.

Example

Example repo here: https://github.com/pierskarsenbarg/azure-nsg-sec-rules

Steps:

  1. Clone repo
  2. Run pulumi up
  3. Run pulumi refresh and view details. You'll see that the security group rule has been added inline to the NSG
  4. Run pulumi up again and the inline security group that was moved from the standalone is deleted
  5. Run pulumi stack and see that both the NSG and the standalone rule exist in the state
  6. Run pulumi refresh and see that the standalone security rule is deleted from the state
  7. Run pulumi up and the standalone rule is created and the cycle starts again

You can also just run pulumi up -r instead of alternating between up and refresh for it to be deleted and re-created again.

Output of pulumi about

CLI
Version      3.120.0
Go Version   go1.22.4
Go Compiler  gc

Plugins
KIND      NAME          VERSION
resource  azure-native  2.8.0
language  dotnet        unknown

Host
OS       darwin
Version  14.5
Arch     arm64

This project is written in dotnet: executable='/usr/local/share/dotnet/dotnet' version='8.0.201'

Current Stack: pierskarsenbarg/azure-nsg-sec-rules/dev

TYPE                                       URN
pulumi:pulumi:Stack                        urn:pulumi:dev::azure-nsg-sec-rules::pulumi:pulumi:Stack::azure-nsg-sec-rules-dev
pulumi:providers:azure-native              urn:pulumi:dev::azure-nsg-sec-rules::pulumi:providers:azure-native::default_2_8_0
azure-native:resources:ResourceGroup       urn:pulumi:dev::azure-nsg-sec-rules::azure-native:resources:ResourceGroup::pk-nsg-rg
azure-native:network:NetworkSecurityGroup  urn:pulumi:dev::azure-nsg-sec-rules::azure-native:network:NetworkSecurityGroup::NSG2

Found no pending operations associated with dev

Backend
Name           pulumi.com
URL            https://app.pulumi.com/pierskarsenbarg
User           pierskarsenbarg
Organizations  pierskarsenbarg, karsenbarg, team-ce, gitlab-test-piers, demo
Token type     personal

Dependencies:
NAME                VERSION
Pulumi              3.64.0
Pulumi.AzureNative  2.8.0

Pulumi locates its logs in /var/folders/x8/cdd9j87s607fwpy0q62mfmmw0000gn/T/ by default

Additional context

This seems similar to #1087 but the difference here is that in this issue the standalone rule keeps getting deleted and recreated whereas in #1087 the inline rule was being deleted and recreated. Also, it only happens when you have at least one inline security rule.

The workaround for now is to choose to use either standalone security rules or inline ones.

Contributing

Vote on this issue by adding a 👍 reaction. To contribute a fix for this issue, leave a comment (and link to your pull request, if you've opened one already).

danielrbradley commented 1 week ago

Yes, it's not currently supported. The documentation of the inline property includes:

Do not mix inline and standalone resource as they will conflict with each other, leading to resources deletion.

The issue tracking this is:

I'll close this as a duplicate of https://github.com/pulumi/pulumi-azure-native/issues/2794 and add a reference back from that issue.
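A state check for the pattern described in the issue and in the quoted documentation, added here as an example (not code from the issue, the reporter's repo, or the provider): it reads a pulumi stack export JSON and flags any NetworkSecurityGroup that carries inline securityRules while a standalone SecurityRule also targets it, which is the mix that leads to the delete/recreate cycle. The resource type strings and the input/output field names are assumed from the azure-native provider schema, and the embedded state is constructed, not a real deployment.

```python
"""Flag Azure NSGs in a Pulumi stack export that mix inline and standalone rules."""
import json
from collections import defaultdict

NSG_TYPE = "azure-native:network:NetworkSecurityGroup"
RULE_TYPE = "azure-native:network:SecurityRule"

# Constructed stack export in the shape of `pulumi stack export` (assumption:
# field names follow the azure-native schema). NSG2 mixes both styles; NSG3
# uses standalone rules only and must not be flagged.
SAMPLE_STATE = json.dumps({"deployment": {"resources": [
    {"urn": "urn:pulumi:dev::demo::" + NSG_TYPE + "::NSG2", "type": NSG_TYPE,
     "inputs": {"resourceGroupName": "pk-nsg-rg",
                "securityRules": [{"name": "allow-ssh", "priority": 100}]},
     "outputs": {"name": "NSG2abc123"}},
    {"urn": "urn:pulumi:dev::demo::" + RULE_TYPE + "::extra-rule", "type": RULE_TYPE,
     "inputs": {"resourceGroupName": "pk-nsg-rg", "networkSecurityGroupName": "NSG2abc123",
                "securityRuleName": "allow-https", "priority": 110}},
    {"urn": "urn:pulumi:dev::demo::" + NSG_TYPE + "::NSG3", "type": NSG_TYPE,
     "inputs": {"resourceGroupName": "pk-nsg-rg"}, "outputs": {"name": "NSG3def456"}},
    {"urn": "urn:pulumi:dev::demo::" + RULE_TYPE + "::nsg3-rule", "type": RULE_TYPE,
     "inputs": {"resourceGroupName": "pk-nsg-rg", "networkSecurityGroupName": "NSG3def456",
                "securityRuleName": "allow-rdp", "priority": 100}},
]}})


def find_mixed_nsgs(state_json):
    """Return {nsg_urn: [standalone rule URNs]} for NSGs that also have inline rules."""
    resources = json.loads(state_json)["deployment"]["resources"]
    # Key each NSG by (resource group, resolved Azure name): the standalone rule's
    # networkSecurityGroupName input holds that resolved name, so it matches here.
    nsgs = {}
    for r in resources:
        if r.get("type") == NSG_TYPE:
            inputs, outputs = r.get("inputs", {}), r.get("outputs", {})
            name = outputs.get("name") or inputs.get("networkSecurityGroupName")
            nsgs[(inputs.get("resourceGroupName"), name)] = r
    standalone = defaultdict(list)
    for r in resources:
        if r.get("type") == RULE_TYPE:
            i = r.get("inputs", {})
            standalone[(i.get("resourceGroupName"), i.get("networkSecurityGroupName"))].append(r["urn"])
    return {nsg["urn"]: sorted(standalone[key]) for key, nsg in nsgs.items()
            if nsg.get("inputs", {}).get("securityRules") and standalone.get(key)}


if __name__ == "__main__":
    for nsg, rules in find_mixed_nsgs(SAMPLE_STATE).items():
        print(f"{nsg} mixes inline securityRules with standalone: {', '.join(rules)}")
```

Run it against the output of pulumi stack export on a real stack to find NSGs that should be migrated to one style before the next up/refresh cycle removes a rule.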