pulumi / pulumi-gcp

A Google Cloud Platform (GCP) Pulumi resource package, providing multi-language access to GCP
Apache License 2.0

GCP Certificate recreates resources despite no changes #2402

Open kpolley opened 1 week ago

kpolley commented 1 week ago

Describe what happened

We use pulumi_tls to create a new certificate and add it to GCP via pulumi. Pulumi recreates the certificate every time we run pulumi up, despite no changes to the certificate or our stack. This causes the certificate to get deleted and recreated on every run, which is not ideal!

Sample program

import pulumi
import pulumi_gcp as gcp
import pulumi_tls as tls

cert_map = gcp.certificatemanager.CertificateMap(
    "pulumi-poc-cert-map",
    name=f"pulumi-poc-lb-cert-map",
)

# Create a certificate 
private_key = tls.PrivateKey(
    f"pulumi-poc-private-key",
    algorithm="RSA",
)
ca_cert = tls.SelfSignedCert(
    f"pulumi-poc-ca-cert",
    allowed_uses=["cert_signing", "crl_signing"],
    is_ca_certificate=True,
    private_key_pem=private_key.private_key_pem,
    validity_period_hours=24 * 365,
    subject={
        "common_name": "example.com",
    },
)

# Create the GCP Certificate
# Since the certificate is created in pulumi, the certificate will get
# recreated on every update. This is not ideal!
gcp_cert = gcp.certificatemanager.Certificate(
    f"pulumi-poc-gcp-cert",
    self_managed=gcp.certificatemanager.CertificateSelfManagedArgs(
        pem_certificate=ca_cert.cert_pem,
        pem_private_key=private_key.private_key_pem,
    )
)

# Add the certificate to the certificate map
# Since the certificate is updated in the previous step, the certificate map
# will get updated as well. This is not ideal!
gcp.certificatemanager.CertificateMapEntry(
    f"pulumi-poc-lb-cert-map-entry",
    map=cert_map.name,
    certificates=[gcp_cert.id],
    hostname="example.com",
)

Log output

The 'replace' operation happens on every run, despite no changes being made.

     Type                                           Name                          Plan        Info
     pulumi:pulumi:Stack                            poc-stack-dev                             6 warnings
 +-  ├─ gcp:certificatemanager:Certificate          pulumi-poc-gcp-cert           replace     [diff: ~selfManaged]
 ~   └─ gcp:certificatemanager:CertificateMapEntry  pulumi-poc-lb-cert-map-entry  update      [diff: ~certificates]

Affected Resource(s)

No response

Output of pulumi about

CLI          
Version      3.127.0
Go Version   go1.22.5
Go Compiler  gc

Plugins
KIND      NAME    VERSION
resource  gcp     8.2.0
resource  poc     0.1.0
language  python  unknown
resource  tls     5.0.6

Host     
OS       darwin
Version  14.6.1
Arch     arm64

This project is written in python: executable='/Users/kyle/Documents/pulumi-poc/pulumi-poc/poc-stack/venv/bin/python' version='3.12.4'

Current Stack: dev/poc-stack/dev

TYPE                                                            URN
pulumi:pulumi:Stack                                             urn:pulumi:dev::poc-stack::pulumi:pulumi:Stack::poc-stack-dev
pulumi:providers:gcp                                            urn:pulumi:dev::poc-stack::pulumi:providers:gcp::default_8_2_0
gcp:certificatemanager/certificateMap:CertificateMap            urn:pulumi:dev::poc-stack::gcp:certificatemanager/certificateMap:CertificateMap::pulumi-poc-cert-map
pulumi:providers:tls                                            urn:pulumi:dev::poc-stack::pulumi:providers:tls::default_5_0_6
tls:index/privateKey:PrivateKey                                 urn:pulumi:dev::poc-stack::tls:index/privateKey:PrivateKey::pulumi-poc-private-key
tls:index/selfSignedCert:SelfSignedCert                         urn:pulumi:dev::poc-stack::tls:index/selfSignedCert:SelfSignedCert::pulumi-poc-ca-cert
gcp:certificatemanager/certificate:Certificate                  urn:pulumi:dev::poc-stack::gcp:certificatemanager/certificate:Certificate::pulumi-poc-gcp-cert
gcp:certificatemanager/certificateMapEntry:CertificateMapEntry  urn:pulumi:dev::poc-stack::gcp:certificatemanager/certificateMapEntry:CertificateMapEntry::pulumi-poc-lb-cert-map-entry

Found no pending operations associated with dev

Backend        
Name           pulumi.com
Token type     personal

Dependencies:
NAME        VERSION
pip         24.2
pulumi-poc  0.1.0
setuptools  75.1.0
uv          0.2.27
wheel       0.44.0

Pulumi locates its logs in /tmp by default

Additional context

No response

Contributing

Vote on this issue by adding a 👍 reaction. To contribute a fix for this issue, leave a comment (and link to your pull request, if you've opened one already).

guineveresaenger commented 1 week ago

Hi @kpolley, thank you for filing this issue.

Can you clarify whether this is about the pulumi-tls resources being re-created every pulumi up, or GCP showing a constant diff on certificate?

kpolley commented 6 days ago

> Hi @kpolley, thank you for filing this issue.
>
> Can you clarify whether this is about the pulumi-tls resources being re-created every pulumi up, or GCP showing a constant diff on certificate?

Hi @guineveresaenger, sorry I may have made an incorrect assumption. It could be GCP showing a constant diff on certificate which causes the issue.

guineveresaenger commented 5 days ago

Hi @kpolley - thank you for your reply.

I think I may be missing some context.

I'm running your code as supplied - and there's no permadiff for me:

Command line output

guin gcp-2402/python🦉 pulumi up
Previewing update (dev)

View in Browser (Ctrl+O): https://app.pulumi.com/guinevere-pulumi-corp/python/dev/previews/33bd1a4c-96e4-46a3-879e-b19d7d57202b

     Type                                           Name                          Plan
 +   pulumi:pulumi:Stack                            python-dev                    create
 +   ├─ tls:index:PrivateKey                        pulumi-poc-private-key        create
 +   ├─ gcp:certificatemanager:CertificateMap       pulumi-poc-cert-map           create
 +   ├─ tls:index:SelfSignedCert                    pulumi-poc-ca-cert            create
 +   ├─ gcp:certificatemanager:Certificate          pulumi-poc-gcp-cert           create
 +   └─ gcp:certificatemanager:CertificateMapEntry  pulumi-poc-lb-cert-map-entry  create

Resources:
    + 6 to create

Do you want to perform this update? yes
Updating (dev)

View in Browser (Ctrl+O): https://app.pulumi.com/guinevere-pulumi-corp/python/dev/updates/1

     Type                                           Name                          Status
 +   pulumi:pulumi:Stack                            python-dev                    created (27s)
 +   ├─ gcp:certificatemanager:CertificateMap       pulumi-poc-cert-map           created (12s)
 +   ├─ tls:index:PrivateKey                        pulumi-poc-private-key        created (0.19s)
 +   ├─ tls:index:SelfSignedCert                    pulumi-poc-ca-cert            created (0.27s)
 +   ├─ gcp:certificatemanager:Certificate          pulumi-poc-gcp-cert           created (11s)
 +   └─ gcp:certificatemanager:CertificateMapEntry  pulumi-poc-lb-cert-map-entry  created (11s)

Resources:
    + 6 created

Duration: 28s

guin gcp-2402/python🦉 pulumi up
Previewing update (dev)

View in Browser (Ctrl+O): https://app.pulumi.com/guinevere-pulumi-corp/python/dev/previews/e74bc20e-b609-42a3-8c72-17c03f93e5b4

     Type                 Name        Plan
     pulumi:pulumi:Stack  python-dev

Resources:
    6 unchanged

Do you want to perform this update? yes
Updating (dev)

View in Browser (Ctrl+O): https://app.pulumi.com/guinevere-pulumi-corp/python/dev/updates/2

     Type                 Name        Status
     pulumi:pulumi:Stack  python-dev

Resources:
    6 unchanged

Duration: 1s

I'm probably missing a detail here, perhaps you can clarify what's different on your end? Thank you!

kpolley commented 1 day ago

> Hi @kpolley - thank you for your reply.
>
> I think I may be missing some context.
>
> I'm running your code as supplied - and there's no permadiff for me:
>
> Command line output
>
> I'm probably missing a detail here, perhaps you can clarify what's different on your end? Thank you!

That is very interesting! Perhaps it is our pulumi versions?

VenelinMartinov commented 18 hours ago

Hey @kpolley, I have also been unable to reproduce the issue. Can you please try upgrading your pulumi CLI and provider versions and see if the issue persists?

If it does, can you answer a few questions:

  1. Are you running with --refresh?
  2. Is it possible you've had changes to the resources outside of pulumi?
  3. Does the issue persist if you run pulumi refresh? If it does, you might be able to solve the issue by editing your pulumi state manually to match the cloud state: https://www.pulumi.com/docs/iac/concepts/state-and-backends/#editing-state-manually

Thanks!
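
A diagnostic for the checks listed above, added here as an example and not code from the thread or from Pulumi: it compares the `selfManaged` block of one Certificate resource across two state snapshots and reports, by SHA-256 fingerprint only, whether each PEM value is identical, differs only in whitespace or line endings, or really changed. The thread does not identify a cause; the camelCase field names and the snapshot shape (plain dicts with decrypted values) are assumptions, and the sample PEM strings are constructed.

```python
import hashlib

# Assumed state field names, derived from the "~selfManaged" diff and the
# program's pem_certificate / pem_private_key arguments.
PEM_FIELDS = ("pemCertificate", "pemPrivateKey")

def fingerprint(pem: str) -> str:
    """Short SHA-256 of the PEM text, so key material is never printed."""
    return hashlib.sha256(pem.encode()).hexdigest()[:16]

def normalize(pem: str) -> str:
    """Drop line-ending and surrounding-whitespace differences."""
    return "\n".join(line.strip() for line in pem.strip().splitlines())

def classify(old: str, new: str) -> str:
    """Say whether two PEM strings differ, and if so how."""
    if old == new:
        return "identical"
    if normalize(old) == normalize(new):
        return "whitespace-only"
    return "different"

def compare_self_managed(old_inputs: dict, new_inputs: dict) -> dict:
    """Compare the selfManaged block of two snapshots of one resource."""
    old_sm = old_inputs.get("selfManaged", {})
    new_sm = new_inputs.get("selfManaged", {})
    report = {}
    for field in PEM_FIELDS:
        old, new = old_sm.get(field, ""), new_sm.get(field, "")
        report[field] = {
            "verdict": classify(old, new),
            "old_sha256": fingerprint(old),
            "new_sha256": fingerprint(new),
        }
    return report

# Constructed sample snapshots (placeholder text, not real key material).
CERT = "-----BEGIN CERTIFICATE-----\nQ09OU1RSVUNURUQ=\n-----END CERTIFICATE-----\n"
KEY = "-----BEGIN RSA PRIVATE KEY-----\nU0FNUExF\n-----END RSA PRIVATE KEY-----\n"
OLD = {"selfManaged": {"pemCertificate": CERT, "pemPrivateKey": KEY}}
NEW_WS = {"selfManaged": {"pemCertificate": CERT.replace("\n", "\r\n"), "pemPrivateKey": KEY}}
NEW_ROTATED = {"selfManaged": {"pemCertificate": CERT.replace("Q09O", "Uk9U"), "pemPrivateKey": KEY}}

if __name__ == "__main__":
    for name, new in (("whitespace", NEW_WS), ("rotated", NEW_ROTATED)):
        for field, r in compare_self_managed(OLD, new).items():
            print(name, field, r["verdict"], r["old_sha256"], "->", r["new_sha256"])
```

A "different" verdict on `pemCertificate` between two runs with no program change points at the value being regenerated upstream; "whitespace-only" points at formatting of the same certificate.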