Non-zero refresh on aws_wafv2_web_acl #3361
Comments
An experiment to see if PlanResourceChange can substitute for CtyInstanceState while still handling wafv2_web_acl resource correctly. See #3361 --------- Co-authored-by: Ian Wahbe <[email protected]>
Do you have the corresponding Pulumi code handy?
In practice, this is a non-issue in Terraform. After the initial deployment of the resource - here's what each of the following shows:
Notably - after that 2nd terraform apply the refresh has run (implicitly) and the state is "good", so there is no more drift/diff. So in practice, any Terraform user will almost never see any issue here. In Pulumi though, since the refresh isn't run automatically, and the refresh shows a diff explicitly, users will "see" that diff when they first do an explicit preview. The one big "difference" in display between Pulumi and Terraform is that a
Sure @mikhailshilkov the Pulumi program is as follows:

```typescript
import * as pulumi from "@pulumi/pulumi";
import * as aws from "@pulumi/aws";

// Regional WAFv2 web ACL with one AWS managed rule group in count mode.
const example = new aws.wafv2.WebAcl("example", {
    name: "managed-rule-example",
    defaultAction: {block: {}},
    scope: "REGIONAL",
    rules: [
        {
            name: "test-aws-rules",
            overrideAction: {count: {}},
            priority: 1,
            statement: {
                managedRuleGroupStatement: {
                    name: "AWSManagedRulesCommonRuleSet",
                    vendorName: "AWS",
                    version: "Version_1.3",
                }
            },
            visibilityConfig: {
                cloudwatchMetricsEnabled: false,
                metricName: "test-aws-rules",
                sampledRequestsEnabled: true,
            }
        },
    ],
    visibilityConfig: {
        cloudwatchMetricsEnabled: false,
        metricName: "josh-test",
        sampledRequestsEnabled: true,
    }
});

export const exampleId = example.id;
```

It appears that pulumi refresh shows a plan that updates WebAcl but pulumi up --refresh doesn't, it shows WebAcl as unchanging but when pressed for details it shows the same diff:
After either pulumi refresh or pulumi up --refresh is accepted, the state gets in a good place and works as expected after that.
What happened?
This seems to be a representative issue with non-zero refresh with some trivial changes that is inherited from upstream but is highlighted more prominently for the Pulumi CLI. I am curious if our strategy would be to accept this behavior or try to suppress similar benign refresh diffs in some way.
Note that tags and token_domains changed from missing to an empty value, but the state was, in fact,
updated. In TF CLI this seems a low-ceremony operation.
In contrast, when using Pulumi CLI with the latest bridge, we do get the exact same behavior but
Pulumi CLI prompts the user to confirm the refresh update. It shows tags and tokenDomains changing.
Example
See above.
Output of pulumi about
Additional context
N/A
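The issue separates benign refresh diffs (tags and tokenDomains going from missing to empty) from changes that matter. As an added example, not code from this thread, pulumi-aws or the bridge, here is one way a review script could tell the two apart for a web ACL; the allowlist, function names and sample states are assumptions constructed for illustration.

```typescript
// Added example, not code from pulumi-aws or the Terraform bridge.
// Assumption: only these collection properties may flip between missing and
// empty on refresh without any real change (names taken from the issue).
const BENIGN_EMPTY_PATHS = ["tags", "tokenDomains"];

interface Drift { path: string; benign: boolean }

function isPlainObject(v: unknown): v is Record<string, unknown> {
  return typeof v === "object" && v !== null && !Array.isArray(v);
}

// True for undefined, null, [] and {}.
function isEmpty(v: unknown): boolean {
  if (v === undefined || v === null) return true;
  if (Array.isArray(v)) return v.length === 0;
  return isPlainObject(v) && Object.keys(v).length === 0;
}

// Compare recorded state with refreshed state; one entry per differing node.
function classifyDrift(before: unknown, after: unknown, path = ""): Drift[] {
  const out: Drift[] = [];
  if (isPlainObject(before) && isPlainObject(after)) {
    for (const k of Object.keys({ ...before, ...after })) {
      out.push(...classifyDrift(before[k], after[k], path ? `${path}.${k}` : k));
    }
    return out;
  }
  if (Array.isArray(before) && Array.isArray(after)) {
    const n = Math.max(before.length, after.length);
    for (let i = 0; i < n; i++) {
      out.push(...classifyDrift(before[i], after[i], `${path}.${i}`));
    }
    return out;
  }
  if (JSON.stringify(before) === JSON.stringify(after)) return out;
  // Missing <-> empty is benign only on allowlisted paths: `block: {}` in
  // defaultAction is an empty object that carries meaning.
  const benign =
    BENIGN_EMPTY_PATHS.indexOf(path) !== -1 && isEmpty(before) && isEmpty(after);
  return [{ path, benign }];
}

// Constructed sample states, trimmed from the program in this thread.
const recorded = { name: "managed-rule-example", defaultAction: { block: {} }, scope: "REGIONAL" };
const refreshedBenign = { ...recorded, tags: {}, tokenDomains: [] };
const refreshedChanged = { ...refreshedBenign, defaultAction: { allow: {} } };

// Paths whose drift is not explained by the missing-vs-empty rule.
function realDrift(before: unknown, after: unknown): string[] {
  return classifyDrift(before, after).filter(d => !d.benign).map(d => d.path);
}
```

A blanket "empty equals missing" rule would hide a default action flipping from block to allow, which is why the benign case is limited to named paths.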