-
Notifications
You must be signed in to change notification settings - Fork 53
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Upgrading provider causes replacement in router_nat resource #2673
Comments
The diff GRPC call is this: {
"method": "/pulumirpc.ResourceProvider/Diff",
"request": {
"id": "ID",
"urn": "urn:pulumi:*::gcp:compute/routerNat:RouterNat::vpc-nat",
"olds": {
"__meta": "{\"e2bfb730-ecaa-11e6-8f88-34363bc7c4c0\":{\"create\":1200000000000,\"delete\":1200000000000,\"update\":1200000000000}}",
"drainNatIps": [],
"enableDynamicPortAllocation": true,
"enableEndpointIndependentMapping": false,
"icmpIdleTimeoutSec": 30,
"id": "ID",
"logConfig": {
"enable": true,
"filter": "ALL"
},
"maxPortsPerVm": 0,
"minPortsPerVm": 256,
"name": "vpc-nat",
"natIpAllocateOption": "MANUAL_ONLY",
"natIps": [
"NAT_IP"
],
"project": "project",
"region": "us-west2",
"router": "vpc",
"rules": [],
"sourceSubnetworkIpRangesToNat": "ALL_SUBNETWORKS_ALL_IP_RANGES",
"subnetworks": [],
"tcpEstablishedIdleTimeoutSec": 1200,
"tcpTimeWaitTimeoutSec": 120,
"tcpTransitoryIdleTimeoutSec": 30,
"type": "PUBLIC",
"udpIdleTimeoutSec": 30
},
"news": {
"__defaults": [
"icmpIdleTimeoutSec",
"tcpEstablishedIdleTimeoutSec",
"tcpTimeWaitTimeoutSec",
"tcpTransitoryIdleTimeoutSec",
"udpIdleTimeoutSec"
],
"enableDynamicPortAllocation": true,
"enableEndpointIndependentMapping": false,
"icmpIdleTimeoutSec": 30,
"logConfig": {
"__defaults": [],
"enable": true,
"filter": "ALL"
},
"minPortsPerVm": 256,
"name": "vpc-nat",
"natIpAllocateOption": "MANUAL_ONLY",
"natIps": [
"NAT_IP"
],
"router": "vpc",
"sourceSubnetworkIpRangesToNat": "ALL_SUBNETWORKS_ALL_IP_RANGES",
"tcpEstablishedIdleTimeoutSec": 1200,
"tcpTimeWaitTimeoutSec": 120,
"tcpTransitoryIdleTimeoutSec": 30,
"type": "PUBLIC",
"udpIdleTimeoutSec": 30
},
"oldInputs": {
"__defaults": [
"icmpIdleTimeoutSec",
"tcpEstablishedIdleTimeoutSec",
"tcpTimeWaitTimeoutSec",
"tcpTransitoryIdleTimeoutSec",
"udpIdleTimeoutSec"
],
"enableDynamicPortAllocation": true,
"enableEndpointIndependentMapping": false,
"icmpIdleTimeoutSec": 30,
"logConfig": {
"__defaults": [],
"enable": true,
"filter": "ALL"
},
"minPortsPerVm": 256,
"name": "vpc-nat",
"natIpAllocateOption": "MANUAL_ONLY",
"natIps": [
"NAT_IP"
],
"router": "vpc",
"sourceSubnetworkIpRangesToNat": "ALL_SUBNETWORKS_ALL_IP_RANGES",
"tcpEstablishedIdleTimeoutSec": 1200,
"tcpTimeWaitTimeoutSec": 120,
"tcpTransitoryIdleTimeoutSec": 30,
"type": "PUBLIC",
"udpIdleTimeoutSec": 30
},
"name": "vpc-nat",
"type": "gcp:compute/routerNat:RouterNat"
},
"response": {
"replaces": [
"__meta"
],
"stables": [
"endpointTypes",
"initialNatIps",
"name",
"project",
"region",
"router",
"type"
],
"changes": "DIFF_SOME",
"hasDetailedDiff": true
},
"metadata": {
"kind": "resource",
"mode": "client",
"name": "gcp"
}
} Looks like we are hitting a workaround we have for when our current detailed diff implementation fails: pulumi/pulumi-aws#2971 Very relevant to the ongoing work on improving the previews in the bridge - whatever solution we come up with here we should make sure to revisit with accurate bridge previews enabled Repro for the original issue in 2971: pulumi/pulumi-aws#2971 (comment) |
I replicate the configuration from the GRPC in the following program but have been unable to reproduce the issue. I attempted to upgrade from 7.27.0 to 8.9.3 and 8.10.0 name: gcp-router-nat-setup
runtime: yaml
resources:
provider:
type: pulumi:providers:gcp
defaultProvider: true
options:
version: 7.27.0 # change to 8.10.0
myRouter:
type: gcp:compute:Router
properties:
name: my-router
network: default
bgp:
asn: 65001
manualNatIp:
type: gcp:compute:Address
properties:
name: my-manual-nat-ip
myRouterNat:
type: gcp:compute:RouterNat
properties:
name: my-router-nat
router: ${myRouter.name}
enableDynamicPortAllocation: true
enableEndpointIndependentMapping: false
logConfig:
enable: true
filter: ALL
minPortsPerVm: 256
natIpAllocateOption: MANUAL_ONLY
sourceSubnetworkIpRangesToNat: ALL_SUBNETWORKS_ALL_IP_RANGES
type: PUBLIC
natIps:
- ${manualNatIp.selfLink}
@yoejigu can you please help me with a program which reproduces the behaviour? EDIT: I saw the provider version used was 8.9.3 - same behaviour there for me |
Removing the P1 as the issue doesn't seem to affect the resource in general and the user has not got back to us with a repro, so they are likely not blocked by this. |
Describe what happened
A user attempted to upgrade their GCP provider which triggered a replacement in the
router_nat
resource even though they haven't made any changes to that resource.The reason for the upgrade was that the user was facing a similar issue as described here: hashicorp/terraform-provider-google#17443
They were using the GCP provider v7.27.0 and when they tried to create a database using only the
sslMode
attribute, the pulumi provider auto set therequireSsl
tofalse
which conflicted with their desiredsslMode
ofTRUSTED_CLIENT_CERTIFICATE_REQUIRED
which mandates that therequireSsl
attribute to either betrue
orcleared
.They attempted to upgrade the provider to the most recent version to avoid this conflict but the provider upgrade led to pulumi to try to delete and replace a routerNAT resource even though they haven't made any changes to that resource.
Sample program
N/A
Log output
No response
Affected Resource(s)
GCP Database
Router NAT
Output of
pulumi about
N/A
Additional context
No response
Contributing
Vote on this issue by adding a 👍 reaction.
To contribute a fix for this issue, leave a comment (and link to your pull request, if you've opened one already).
The text was updated successfully, but these errors were encountered: