Missing Keys on update for DataZone-DataSource #1866

Open
MeTimesThree opened this issue Nov 27, 2024 · 2 comments
Labels
awaiting-upstream The issue cannot be resolved without action in another repository (may be owned by Pulumi). blocked The issue cannot be resolved without 3rd party action. kind/bug Some behavior is incorrect or out of spec

Comments


What happened?

The update of a Datazone-DataSource (in this case the enableBusinessNameGeneration-property) fails with the following error:

error: operation error CloudControl: UpdateResource, https response error StatusCode: 400, RequestID: 12dd0157-c9e6-46ba-b168-f2146b452bd1, api error ValidationException: Model validation failed (#: required key [DomainIdentifier] not found #: required key [ProjectIdentifier] not found #: required key [EnvironmentIdentifier] not found)

In CloudTrail we see the following request-parameters:
"requestParameters": { "typeName": "AWS::DataZone::DataSource", "clientToken": "<redacted>", "identifier": "<domain>|49ngwew1svuydn", "patchDocument": "HIDDEN_DUE_TO_SECURITY_REASONS" },

This is the patchDocument from the pulumi-debug:
pulumi:pulumi:Stack datenkatalog-datenkatalog running {"ClientToken":"<redacted>","Identifier":"<domain>|49ngwew1svuydn","PatchDocument":"[{\"op\":\"add\",\"path\":\"/Configuration\",\"value\":{\"GlueRunConfiguration\":{\"AutoImportDataQualityResult\":false,\"DataAccessRole\":\"arn:aws:iam::381492292231:role/datazone-glue-manage-access-role-poc-dpServRole\",\"RelationalFilterConfigurations\":[{\"DatabaseName\":\"glue-poc-db\",\"FilterExpressions\":[{\"Expression\":\"kooperationspartner\",\"Type\":\"INCLUDE\"}]}]}}},{\"op\":\"replace\",\"path\":\"/Recommendation\",\"value\":{\"EnableBusinessNameGeneration\":false}}]","TypeName":"AWS::DataZone::DataSource"}

Sadly I have no further ideas on how to debug this, but I will happily assist in further debugging!

Example

This is the Pulumi-main that fails:
It needs the following dependency: SftSecurityGroup

You should just be able to "Pulumi up" without issues and can then change enable_business_name_generation to true in line 459. The next "Pulumi up" should produce the error.

Output of pulumi about

CLI
Version 3.141.0
Go Version go1.23.3
Go Compiler gc

Plugins
KIND NAME VERSION
resource aws 6.61.0
resource aws-native 1.10.0
language python unknown
resource std 1.6.2
resource str 1.0.0

Host
OS fedora
Version 40
Arch x86_64

This project is written in python: executable='/home/u000451/repos/sft-bi-poc/pulumi/datenkatalog/venv/bin/python' version='3.12.7'

Current Stack: organization/datenkatalog/datenkatalog

TYPE URN
pulumi:pulumi:Stack urn:pulumi:datenkatalog::datenkatalog::pulumi:pulumi:Stack::datenkatalog-datenkatalog
pulumi:providers:aws urn:pulumi:datenkatalog::datenkatalog::pulumi:providers:aws::default_6_61_0
aws:ec2/vpc:Vpc urn:pulumi:datenkatalog::datenkatalog::aws:ec2/vpc:Vpc::vpc-poc-dp
aws:iam/role:Role urn:pulumi:datenkatalog::datenkatalog::aws:iam/role:Role::Redshift-poc-dpServRole
aws:ec2/subnet:Subnet urn:pulumi:datenkatalog::datenkatalog::aws:ec2/subnet:Subnet::subnet_private_1-poc-dp
components:index:SftSecurityGroup urn:pulumi:datenkatalog::datenkatalog::components:index:SftSecurityGroup::sftSecurityGroupRedshift
aws:ec2/subnet:Subnet urn:pulumi:datenkatalog::datenkatalog::aws:ec2/subnet:Subnet::subnet_public-poc-dp
aws:ec2/securityGroup:SecurityGroup urn:pulumi:datenkatalog::datenkatalog::aws:ec2/securityGroup:SecurityGroup::sftSecurityGroupRedshift-sft_security_group
aws:ec2/subnet:Subnet urn:pulumi:datenkatalog::datenkatalog::aws:ec2/subnet:Subnet::subnet_private_2-poc-dp
aws:ec2/subnet:Subnet urn:pulumi:datenkatalog::datenkatalog::aws:ec2/subnet:Subnet::subnet_public_2-poc-dp
aws:vpc/securityGroupEgressRule:SecurityGroupEgressRule urn:pulumi:datenkatalog::datenkatalog::aws:vpc/securityGroupEgressRule:SecurityGroupEgressRule::sftSecurityGroupRedshift-sft_security_group_all_outgoing
aws:vpc/securityGroupIngressRule:SecurityGroupIngressRule urn:pulumi:datenkatalog::datenkatalog::aws:vpc/securityGroupIngressRule:SecurityGroupIngressRule::sftSecurityGroupRedshift-sft_security_group_self_referincing
aws:redshift/subnetGroup:SubnetGroup urn:pulumi:datenkatalog::datenkatalog::aws:redshift/subnetGroup:SubnetGroup::sub_group_redshift-poc-dp
aws:redshift/cluster:Cluster urn:pulumi:datenkatalog::datenkatalog::aws:redshift/cluster:Cluster::redshift_kernbank-poc-dp
aws:iam/role:Role urn:pulumi:datenkatalog::datenkatalog::aws:iam/role:Role::datazone-domain-execution-role-poc-dpServRole
pulumi:providers:aws-native urn:pulumi:datenkatalog::datenkatalog::pulumi:providers:aws-native::default_1_10_0
aws-native:datazone:Domain urn:pulumi:datenkatalog::datenkatalog::aws-native:datazone:Domain::datazone_domain_bank-poc-dp
aws:iam/role:Role urn:pulumi:datenkatalog::datenkatalog::aws:iam/role:Role::datazone-redshift-manage-access-role-poc-dpServRole
aws:iam/role:Role urn:pulumi:datenkatalog::datenkatalog::aws:iam/role:Role::datazone-provisioning-role-poc-dpServRole
aws-native:datazone:Project urn:pulumi:datenkatalog::datenkatalog::aws-native:datazone:Project::datazone_project_kk-poc-dp
aws-native:datazone:EnvironmentBlueprintConfiguration urn:pulumi:datenkatalog::datenkatalog::aws-native:datazone:EnvironmentBlueprintConfiguration::datazone_bank_blup_config_redshift-poc-dp
aws:secretsmanager/secret:Secret urn:pulumi:datenkatalog::datenkatalog::aws:secretsmanager/secret:Secret::kk_redshift_credentials
aws-native:datazone:EnvironmentProfile urn:pulumi:datenkatalog::datenkatalog::aws-native:datazone:EnvironmentProfile::kk_datazone_bank_env_profile_redshift-poc-dp
aws:secretsmanager/secretVersion:SecretVersion urn:pulumi:datenkatalog::datenkatalog::aws:secretsmanager/secretVersion:SecretVersion::kk_redshift_credentials_version
aws-native:datazone:Environment urn:pulumi:datenkatalog::datenkatalog::aws-native:datazone:Environment::kk_datazone_bank_env_redshift-poc-dp
aws-native:datazone:DataSource urn:pulumi:datenkatalog::datenkatalog::aws-native:datazone:DataSource::kk_source_redshift-poc-dp

Found no pending operations associated with datenkatalog

Backend
Name fedora.fritz.box
URL s3://pulumi-state-bic-poc
User u000451
Organizations
Token type personal

Dependencies:
NAME VERSION
pandas 2.2.3
pip 24.3.1
pulumi_aws 6.61.0
pulumi_aws_native 1.10.0
pulumi_std 1.6.2
pulumi_str 1.0.0
setuptools 75.2.0
wheel 0.44.0

Pulumi locates its logs in /tmp by default

Additional context

We were able to circumvent the error by adding the following to the datasource (to delete and recreate it):
opts = pulumi.ResourceOptions(replace_on_changes=["*"], delete_before_replace=True),
However, if you add Subscriptions in Datazone, you cannot delete the DataSource anymore, so sadly that is not a workaround if the DataSource is used.

Contributing

Vote on this issue by adding a 👍 reaction.
To contribute a fix for this issue, leave a comment (and link to your pull request, if you've opened one already).

@MeTimesThree MeTimesThree added kind/bug Some behavior is incorrect or out of spec needs-triage Needs attention from the triage team labels Nov 27, 2024

So sorry you're running into this issue @MeTimesThree!
Both the ProjectIdentifier and EnvironmentIdentifier are createOnly properties in AWS CloudControl (which aws-native uses under the hood).

Our assumption is that those mustn't be sent as part of update requests:

// Write-only properties can't even be read internally within the CloudControl service so they must be included in
// patch requests as adds to ensure the updated model validates.
// If a property is both write-only and create-only, we should not include it in the patch request
// because create-only properties can't be updated and even doing an add of the same value is rejected.

I'll try to replicate this with both pulumi and AWS CloudControl directly to find the root cause.

@flostadler flostadler self-assigned this Nov 27, 2024
@flostadler flostadler removed the needs-triage Needs attention from the triage team label Nov 27, 2024

flostadler commented Dec 2, 2024

@MeTimesThree I was able to verify that this is an AWS CloudControl bug.

When executing the same update using the aws cli we get a similar error:

An error occurred (ValidationException) when calling the UpdateResource operation: Model validation failed (#: required key [DomainIdentifier] not found
#: required key [ProjectIdentifier] not found
#: required key [EnvironmentIdentifier] not found)

But including those required keys in the patch document yields:

An error occurred (NotUpdatableException) when calling the UpdateResource operation: Invalid patch update: createOnlyProperties [/properties/EnvironmentIdentifier, /properties/DomainIdentifier, /properties/ProjectIdentifier] cannot be updated

I'll open an issue about this on the AWS side: aws-cloudformation/cloudformation-coverage-roadmap#2205
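To make the patch-building rule quoted in the first comment and the two contradictory CloudControl errors in the second concrete, here is an added Python example (not code from pulumi-aws-native or AWS). The schema fragment, the desired state and the `<domain>`/`<project>`/`<env>` identifiers are constructed assumptions; the real schema comes from `aws cloudformation describe-type`.

```python
import json

# Constructed stand-in for the AWS::DataZone::DataSource schema fragments the thread
# refers to (assumption; property names are taken from the error messages above).
CREATE_ONLY = ["/properties/DomainIdentifier", "/properties/ProjectIdentifier", "/properties/EnvironmentIdentifier"]
SCHEMA = {"createOnlyProperties": CREATE_ONLY, "writeOnlyProperties": CREATE_ONLY + ["/properties/Configuration"],
          "required": ["DomainIdentifier", "ProjectIdentifier", "EnvironmentIdentifier", "Name"]}

def _names(schema, key):
    return {p.rsplit("/", 1)[-1] for p in schema[key]}

def build_patch(old, new, schema, send_create_only=False):
    """JSON Patch for UpdateResource per the rule quoted in this issue: write-only props are
    re-sent as 'add', changed readable props as 'replace', create-only props are omitted
    (send_create_only=True deliberately breaks the rule to reproduce the second error)."""
    create_only, write_only = _names(schema, "createOnlyProperties"), _names(schema, "writeOnlyProperties")
    ops = []
    for name, value in new.items():
        if name in create_only and not send_create_only:
            continue
        if name in write_only:
            ops.append({"op": "add", "path": f"/{name}", "value": value})
        elif old.get(name) != value:
            ops.append({"op": "replace", "path": f"/{name}", "value": value})
    return ops

def simulate_update(readable_model, patch, schema):
    """Approximate the two CloudControl checks in the order they surfaced in the thread:
    required-key validation of the patched model, then createOnly rejection (constructed
    approximation, not AWS's implementation)."""
    model = dict(readable_model)
    for op in patch:
        model[op["path"].lstrip("/")] = op["value"]
    missing = [k for k in schema["required"] if k not in model]
    if missing:
        return "ValidationException", missing
    touched = {op["path"].lstrip("/") for op in patch}
    rejected = sorted(_names(schema, "createOnlyProperties") & touched)
    return ("NotUpdatableException", rejected) if rejected else ("OK", [])

# Constructed desired state for this issue's update; identifiers are placeholders.
DESIRED = {"Name": "kk_source", "DomainIdentifier": "<domain>", "ProjectIdentifier": "<project>",
           "EnvironmentIdentifier": "<env>", "Configuration": {"GlueRunConfiguration": {}},
           "Recommendation": {"EnableBusinessNameGeneration": True}}
# What CloudControl can read back: write-only properties are absent.
READABLE = {"Name": "kk_source", "Recommendation": {"EnableBusinessNameGeneration": False}}

if __name__ == "__main__":  # first variant fails validation, second is NotUpdatable
    for flag in (False, True):
        patch = build_patch(READABLE, DESIRED, SCHEMA, send_create_only=flag)
        print(json.dumps(patch), "->", simulate_update(READABLE, patch, SCHEMA))
```

Under these assumptions no patch document satisfies both checks, which is the contradiction the upstream issue describes; the only Pulumi-side mitigation on this page is the replace-on-change workaround, with the deletion caveat the reporter notes.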

@flostadler flostadler added the awaiting-upstream The issue cannot be resolved without action in another repository (may be owned by Pulumi). label Dec 2, 2024
@flostadler flostadler removed their assignment Dec 2, 2024
@mjeffryes mjeffryes added the blocked The issue cannot be resolved without 3rd party action. label Dec 4, 2024