aws.cloudwatch.onSchedule does not refresh cleanly

[t0yv0]

What happened?

There are a few self-correcting (through accepting refresh) dirty refresh issues affecting the underpinnings of the aws.cloudwatch.onSchedule backing component resource manifesting in this dirty refresh warning:

 //  pulumi:pulumi:Stack: (same)
 //    [urn=urn:pulumi:repro::CloudWatchOidcManual::pulumi:pulumi:Stack::CloudWatchOidcManual-repro]
 //        ~ aws:cloudwatch/eventTarget:EventTarget: (update)
 //            [id=everyMinute-9e9e214-everyMinute]
 //            [urn=urn:pulumi:repro::CloudWatchOidcManual::aws:cloudwatch:EventRuleEventSubscription$aws:cloudwatch/eventTarget:EventTarget::everyMinute]
 //            [provider=urn:pulumi:repro::CloudWatchOidcManual::pulumi:providers:aws::default_6_32_0::5a064f26-8475-4a99-b06d-8c9afcab0e1c]
 //            --outputs:--
 //          + runCommandTargets: []
 //        ~ aws:lambda/function:Function: (update)
 //            [id=everyMinute-abf24f8]
 //            [urn=urn:pulumi:repro::CloudWatchOidcManual::aws:cloudwatch:EventRuleEventSubscription$aws:lambda/function:Function::everyMinute]
 //            [provider=urn:pulumi:repro::CloudWatchOidcManual::pulumi:providers:aws::default_6_32_0::5a064f26-8475-4a99-b06d-8c9afcab0e1c]
 //            --outputs:--
 //          ~ lastModified                : "2024-04-25T20:32:46.914+0000" => "2024-04-25T20:32:53.260+0000"
 //          + replacementSecurityGroupIds : []
 //        ~ aws:iam/role:Role: (update)
 //            [id=everyMinute-c9b4761]
 //            [urn=urn:pulumi:repro::CloudWatchOidcManual::aws:cloudwatch:EventRuleEventSubscription$aws:iam/role:Role::everyMinute]
 //            [provider=urn:pulumi:repro::CloudWatchOidcManual::pulumi:providers:aws::default_6_32_0::5a064f26-8475-4a99-b06d-8c9afcab0e1c]
 //            --outputs:--
 //          ~ managedPolicyArns  : [
 //              + [0]: "arn:aws:iam::aws:policy/AWSLambda_FullAccess"
 //              + [1]: "arn:aws:iam::aws:policy/AmazonS3FullAccess"
 //              + [2]: "arn:aws:iam::aws:policy/AmazonDynamoDBFullAccess"
 //              + [3]: "arn:aws:iam::aws:policy/AmazonKinesisFullAccess"
 //              + [4]: "arn:aws:iam::aws:policy/AmazonCognitoPowerUser"
 //              + [5]: "arn:aws:iam::aws:policy/AWSXrayWriteOnlyAccess"
 //              + [6]: "arn:aws:iam::aws:policy/AmazonSQSFullAccess"
 //              + [7]: "arn:aws:iam::aws:policy/CloudWatchEventsFullAccess"
 //              + [8]: "arn:aws:iam::aws:policy/CloudWatchFullAccessV2"
 //            ]

Example

import * as aws from "@pulumi/aws";

const event = aws.cloudwatch.onSchedule("everyMinute", "rate(1 minute)", async (event) => {
    console.log("Received event: " + JSON.stringify(event, null, 2));
}, {});

pulumi up
pulumi refresh

Output of pulumi about

CLI          
Version      3.111.1
Go Version   go1.22.1
Go Compiler  gc

Plugins
NAME    VERSION
aws     6.32.0
nodejs  unknown

Host     
OS       darwin
Version  14.4.1
Arch     x86_64

This project is written in nodejs: executable='/Users/t0yv0/bin/node' version='v18.18.2'

Current Stack: anton-pulumi-corp/CloudWatchOidcManual/repro

TYPE                                               URN
pulumi:pulumi:Stack                                urn:pulumi:repro::CloudWatchOidcManual::pulumi:pulumi:Stack::CloudWatchOidcManual-repro
aws:cloudwatch:EventRuleEventSubscription          urn:pulumi:repro::CloudWatchOidcManual::aws:cloudwatch:EventRuleEventSubscription::everyMinute
pulumi:providers:aws                               urn:pulumi:repro::CloudWatchOidcManual::pulumi:providers:aws::default_6_32_0
aws:cloudwatch/eventRule:EventRule                 urn:pulumi:repro::CloudWatchOidcManual::aws:cloudwatch:EventRuleEventSubscription$aws:cloudwatch/eventRule:EventRule::everyMinute
aws:iam/role:Role                                  urn:pulumi:repro::CloudWatchOidcManual::aws:cloudwatch:EventRuleEventSubscription$aws:iam/role:Role::everyMinute
aws:iam/rolePolicyAttachment:RolePolicyAttachment  urn:pulumi:repro::CloudWatchOidcManual::aws:cloudwatch:EventRuleEventSubscription$aws:iam/rolePolicyAttachment:RolePolicyAttachment::everyMinute-d32a66fa
aws:iam/rolePolicyAttachment:RolePolicyAttachment  urn:pulumi:repro::CloudWatchOidcManual::aws:cloudwatch:EventRuleEventSubscription$aws:iam/rolePolicyAttachment:RolePolicyAttachment::everyMinute-019020e7
aws:iam/rolePolicyAttachment:RolePolicyAttachment  urn:pulumi:repro::CloudWatchOidcManual::aws:cloudwatch:EventRuleEventSubscription$aws:iam/rolePolicyAttachment:RolePolicyAttachment::everyMinute-e1a3786d
aws:iam/rolePolicyAttachment:RolePolicyAttachment  urn:pulumi:repro::CloudWatchOidcManual::aws:cloudwatch:EventRuleEventSubscription$aws:iam/rolePolicyAttachment:RolePolicyAttachment::everyMinute-4aaabb8e
aws:iam/rolePolicyAttachment:RolePolicyAttachment  urn:pulumi:repro::CloudWatchOidcManual::aws:cloudwatch:EventRuleEventSubscription$aws:iam/rolePolicyAttachment:RolePolicyAttachment::everyMinute-b5aeb6b6
aws:iam/rolePolicyAttachment:RolePolicyAttachment  urn:pulumi:repro::CloudWatchOidcManual::aws:cloudwatch:EventRuleEventSubscription$aws:iam/rolePolicyAttachment:RolePolicyAttachment::everyMinute-74d12784
aws:iam/rolePolicyAttachment:RolePolicyAttachment  urn:pulumi:repro::CloudWatchOidcManual::aws:cloudwatch:EventRuleEventSubscription$aws:iam/rolePolicyAttachment:RolePolicyAttachment::everyMinute-a1de8170
aws:iam/rolePolicyAttachment:RolePolicyAttachment  urn:pulumi:repro::CloudWatchOidcManual::aws:cloudwatch:EventRuleEventSubscription$aws:iam/rolePolicyAttachment:RolePolicyAttachment::everyMinute-7cd09230
aws:iam/rolePolicyAttachment:RolePolicyAttachment  urn:pulumi:repro::CloudWatchOidcManual::aws:cloudwatch:EventRuleEventSubscription$aws:iam/rolePolicyAttachment:RolePolicyAttachment::everyMinute-1b4caae3
aws:lambda/function:Function                       urn:pulumi:repro::CloudWatchOidcManual::aws:cloudwatch:EventRuleEventSubscription$aws:lambda/function:Function::everyMinute
aws:cloudwatch/eventTarget:EventTarget             urn:pulumi:repro::CloudWatchOidcManual::aws:cloudwatch:EventRuleEventSubscription$aws:cloudwatch/eventTarget:EventTarget::everyMinute
aws:lambda/permission:Permission                   urn:pulumi:repro::CloudWatchOidcManual::aws:cloudwatch:EventRuleEventSubscription$aws:lambda/permission:Permission::everyMinute


Found no pending operations associated with repro

Backend        
Name           pulumi.com
URL            https://app.pulumi.com/anton-pulumi-corp
User           anton-pulumi-corp
Organizations  anton-pulumi-corp, moolumi, pulumi
Token type     personal

Dependencies:
NAME            VERSION
@types/node     18.19.31
@actions/core   1.10.1
@pulumi/aws     6.32.0
@pulumi/pulumi  3.113.3

Pulumi locates its logs in /var/folders/gk/cchgxh512m72f_dmkcc3d09h0000gp/T/com.apple.shortcuts.mac-helper// by default

Additional context

N/A

Contributing

Vote on this issue by adding a 👍 reaction.
To contribute a fix for this issue, leave a comment (and link to your pull request, if you've opened one already).

[t0yv0]

Breaking this down, EventTarget does not refresh cleanly likely following TF where undefined runCommandTargets end up being replaced by an empty list. This is a very common self-correcting form of refresh also present in TF.

          ~ aws:cloudwatch/eventTarget:EventTarget: (update)
            [id=everyMinute-9e9e214-everyMinute]
            [urn=urn:pulumi:repro::CloudWatchOidcManual::aws:cloudwatch:EventRuleEventSubscription$aws:cloudwatch/eventTarget:EventTarget::everyMinute]
            [provider=urn:pulumi:repro::CloudWatchOidcManual::pulumi:providers:aws::default_6_32_0::5a064f26-8475-4a99-b06d-8c9afcab0e1c]
            --outputs:--
          + runCommandTargets: []

Lambda replacementSecurityGroupIds is in the similar category, but is also marked deprecated, while still affecting refresh. This is unfortunate.

Lambda lastModified shows as a diff even though it not an output property and reasonably is expected to change in the cloud.

[t0yv0]

managedPolicyArns is exactly as in #2246