pulumi-aws 5.22.0 and above keep updating aws:route53/resolverEndpoint:ResolverEndpoint even when there's nothing to update

[aureq]

What happened?

As reported by a customer in Zendesk #2189

Running the Python program below, the provider always update the aws:route53/resolverEndpoint:ResolverEndpoint resources even when there's no code changes.

During the preview, the diff taken from from the Pulumi service is like this

When applying the update, which takes 6m30s, the diff from the Pulumi service is this

But downgrading to 5.21.1 and applying the update, everything is then fine and the diff is a lot cleaner.

After trying with different versions, here are the versions affected:

• 5.20.0: ok, no updates
• 5.21.0: ok, no updates
• 5.21.1: ok, no updates
• 5.22.0: NOT ok, performing unnecessary update
• 5.23.0: NOT ok, performing unnecessary update
• 5.25.0: NOT ok, performing unnecessary update

Steps to reproduce

Follow the steps below to easily reproduce this issue:

1. Create a new Pulumi application (aws-python)
2. Paste the code provided below
3. In a terminal, source your venv with source venv/bin/activate.fish or whatever works for your shell.
4. Install a working provider version with pip install pulumi-aws==5.21.1
5. Run pulumi up and deploy all the changes.
6. Run pulumi up a 2nd time, there shouldn't be any changes ✅
7. Up to this point, everything should be fine ✅
8. Install a newer provider version with pip install pulumi-aws==5.25.0
9. Run pulumi up and now some changes are pending ❌
10. Apply the changes from the step above
11. Revert to an older provider version pip install pulumi-aws==5.20.0
12. Run pulumi up, only the provider version is to be updated. ✅

Expected Behavior

Version 5.22.0 and above should behave the same way as 5.21.1 and earlier version, as in, not update/recreate resources when no code changes have occurred.

Actual Behavior

In version 5.22.0 and above, despite no changes, the stack is being updated and new resources are created/destroyed.

Output of pulumi about

CLI          
Version      3.50.2
Go Version   go1.19.4
Go Compiler  gc

Plugins
NAME    VERSION
aws     5.20.0
python  unknown

Host     
OS       debian
Version  11.6
Arch     x86_64

This project is written in python: executable='/home/aureq/work/customers/zendesk/2189/venv/bin/python3' version='3.9.15
'

Current Stack: menfin/zendesk/case-2189

TYPE                                           URN
pulumi:pulumi:Stack                            urn:pulumi:case-2189::zendesk::pulumi:pulumi:Stack::zendesk-case-2189
pulumi:providers:aws                           urn:pulumi:case-2189::zendesk::pulumi:providers:aws::apsoutheast2
aws:ec2/vpc:Vpc                                urn:pulumi:case-2189::zendesk::pulumi:providers:aws$aws:ec2/vpc:Vpc::aureq_case-2189_ap-southeast-2
aws:ec2/subnet:Subnet                          urn:pulumi:case-2189::zendesk::pulumi:providers:aws$aws:ec2/vpc:Vpc$aws:ec2/subnet:Subnet::aureq_0_ap-southeast-2_subnet
aws:ec2/subnet:Subnet                          urn:pulumi:case-2189::zendesk::pulumi:providers:aws$aws:ec2/vpc:Vpc$aws:ec2/subnet:Subnet::aureq_1_ap-southeast-2_subnet
aws:ec2/internetGateway:InternetGateway        urn:pulumi:case-2189::zendesk::pulumi:providers:aws$aws:ec2/vpc:Vpc$aws:ec2/internetGateway:InternetGateway::aureq-case-2189-ap-southeast-2_igw
pulumi:providers:aws                           urn:pulumi:case-2189::zendesk::pulumi:providers:aws::default_5_20_0
aws:ec2/managedPrefixList:ManagedPrefixList    urn:pulumi:case-2189::zendesk::aws:ec2/managedPrefixList:ManagedPrefixList::aureq-case-2189-ap-southeast-2_prefixlist
aws:ec2/vpcEndpoint:VpcEndpoint                urn:pulumi:case-2189::zendesk::aws:ec2/vpcEndpoint:VpcEndpoint::aureq-case-2189-ap-southeast-2_endpoint
aws:ec2/securityGroup:SecurityGroup            urn:pulumi:case-2189::zendesk::pulumi:providers:aws$aws:ec2/vpc:Vpc$aws:ec2/securityGroup:SecurityGroup::aureq-ap-southeast-2-resolver_sg
aws:route53/resolverEndpoint:ResolverEndpoint  urn:pulumi:case-2189::zendesk::pulumi:providers:aws$aws:ec2/vpc:Vpc$aws:route53/resolverEndpoint:ResolverEndpoint::aureq-ap-southeast-2-resolver-inbound
aws:route53/resolverEndpoint:ResolverEndpoint  urn:pulumi:case-2189::zendesk::pulumi:providers:aws$aws:ec2/vpc:Vpc$aws:route53/resolverEndpoint:ResolverEndpoint::aureq-ap-southeast-2-resolver-outbound


Found no pending operations associated with case-2189

Backend        
Name           pulumi.com
URL            https://app.pulumi.com/aureq
User           aureq
Organizations  aureq, team-ce, menfin, menfin-team, demo, pulumi

Dependencies:
NAME        VERSION
pip         22.3.1
pulumi-aws  5.20.0
setuptools  65.6.3
wheel       0.38.4

Pulumi locates its logs in /tmp by default

Additional context

Here is the code I crafted to reproduce the issue.

"""An AWS Python Pulumi program"""

import pulumi
import pulumi_aws as aws

account_name = "aureq"
environment = "dev"
region = "ap-southeast-2"
zona_a = "ap-southeast-2a"
provider = aws.Provider("apsoutheast2", region=region)
vpc_name = "case-2189"

vpc_cidr_block = "10.42.0.0/16"


vpc = aws.ec2.Vpc(
        f"{account_name}_{vpc_name}_{region}",
        cidr_block=vpc_cidr_block,
        enable_dns_hostnames=True,
        opts=pulumi.ResourceOptions(
            parent=provider,
            provider=provider
        ),
    )


subnet_cidr_block_a = "10.42.0.0/24"
public_subnet_a = aws.ec2.Subnet(
    f"{account_name}_0_{region}_subnet",
    vpc_id=vpc.id,
    cidr_block=subnet_cidr_block_a,
    availability_zone=zona_a,
    opts=pulumi.ResourceOptions(
        parent=vpc,
    delete_before_replace=True),
)

subnet_cidr_block_b = "10.42.1.0/24"
public_subnet_b = aws.ec2.Subnet(
    f"{account_name}_1_{region}_subnet",
    vpc_id=vpc.id,
    cidr_block=subnet_cidr_block_b,
    availability_zone=zona_a,
    opts=pulumi.ResourceOptions(
        parent=vpc,
    delete_before_replace=True),
)

igw = aws.ec2.InternetGateway(f"{account_name}-{vpc_name}-{region}_igw",
    vpc_id=vpc.id,
    opts=pulumi.ResourceOptions(
        parent=vpc,
        provider=provider,
        delete_before_replace=True)
)

prefix_list = aws.ec2.ManagedPrefixList(
    f"{account_name}-{vpc_name}-{region}_prefixlist",
    address_family="IPv4",
    max_entries=5,
    entries=[
        aws.ec2.ManagedPrefixListEntryArgs(
            cidr=vpc.cidr_block,
            description="Primary",
        ),
    ],
)

vpc_endpoint = aws.ec2.VpcEndpoint(f"{account_name}-{vpc_name}-{region}_endpoint",
    service_name=f"com.amazonaws.{region}.ec2",
    vpc_id=vpc.id,
    vpc_endpoint_type="Interface",
    private_dns_enabled=True
)

resolver_sg = aws.ec2.SecurityGroup(f"{account_name}-{region}-resolver_sg",
    vpc_id=vpc.id,
    name="resolver_sg",
    ingress=[
        aws.ec2.SecurityGroupIngressArgs(from_port=53, to_port=53, protocol="tcp", prefix_list_ids=[prefix_list.id]),
        aws.ec2.SecurityGroupIngressArgs(from_port=53, to_port=53, protocol="udp", prefix_list_ids=[prefix_list.id])
    ],
    egress=[
        aws.ec2.SecurityGroupEgressArgs( from_port=0, to_port=0, protocol="-1", cidr_blocks=["0.0.0.0/0"])
    ],
    opts=pulumi.ResourceOptions(
        parent=vpc,
        provider=provider,
    ),
)

inbound_resolver = aws.route53.ResolverEndpoint(
    f"{account_name}-{region}-resolver-inbound",
    direction="INBOUND",
    security_group_ids=[
        resolver_sg.id
    ],
    # name="",
    ip_addresses=[
        aws.route53.ResolverEndpointIpAddressArgs(subnet_id=public_subnet_a.id),
        aws.route53.ResolverEndpointIpAddressArgs(subnet_id=public_subnet_b.id),
    ],
    opts=pulumi.ResourceOptions(
        parent=vpc
    ),
)

outbound_resolver = aws.route53.ResolverEndpoint(
    f"{account_name}-{region}-resolver-outbound",
    direction="OUTBOUND",
    security_group_ids=[
        resolver_sg.id
    ],
    # name="",
    ip_addresses=[
        aws.route53.ResolverEndpointIpAddressArgs(subnet_id=public_subnet_a.id),
        aws.route53.ResolverEndpointIpAddressArgs(subnet_id=public_subnet_b.id),
    ],
    opts=pulumi.ResourceOptions(
        parent=vpc
    ),
)

Contributing

Vote on this issue by adding a 👍 reaction.
To contribute a fix for this issue, leave a comment (and link to your pull request, if you've opened one already).

[thomas11]

Unfortunately, this is due to a backwards-incompatible change (a valid bug fix) in the upstream Terraform provider. It would probably be hard to work around this on the Pulumi side.

The unnecessary update should only occur once, though.

[aureq]

Hi @thomas11

I'm reopening this issue since it feels the experience isn't great.

If I create a brand new stack with 5.26.0, all completes as expected ✅. However, any subsequent pulumi up with no code changes lead to the cloud resources being destroyed and recreated. And for the simple code shared above, that takes over 5 minutes, not to mentioned the resource id are changing each time which wouldn't be great at all when using stack references.

My own outputs here...

❯ pulumi up
Previewing update (case-2189)

View Live: https://app.pulumi.com/menfin/zendesk/case-2189/previews/46047807-b074-4a01-b96b-b128c2f493f3

     Type                                   Name                                       Plan       
 +   pulumi:pulumi:Stack                    zendesk-case-2189                          create     
 +   ├─ pulumi:providers:aws                apsoutheast2                               create     
 +   │  └─ aws:ec2:Vpc                      aureq_case-2189_ap-southeast-2             create     
 +   │     ├─ aws:ec2:Subnet                aureq_1_ap-southeast-2_subnet              create     
 +   │     ├─ aws:ec2:InternetGateway       aureq-case-2189-ap-southeast-2_igw         create     
 +   │     ├─ aws:ec2:Subnet                aureq_0_ap-southeast-2_subnet              create     
 +   │     ├─ aws:ec2:SecurityGroup         aureq-ap-southeast-2-resolver_sg           create     
 +   │     ├─ aws:route53:ResolverEndpoint  aureq-ap-southeast-2-resolver-inbound      create     
 +   │     └─ aws:route53:ResolverEndpoint  aureq-ap-southeast-2-resolver-outbound     create     
 +   ├─ aws:ec2:ManagedPrefixList           aureq-case-2189-ap-southeast-2_prefixlist  create     
 +   └─ aws:ec2:VpcEndpoint                 aureq-case-2189-ap-southeast-2_endpoint    create     


Resources:
    + 11 to create

Do you want to perform this update? yes
Updating (case-2189)

View Live: https://app.pulumi.com/menfin/zendesk/case-2189/updates/1

     Type                                   Name                                       Status              
 +   pulumi:pulumi:Stack                    zendesk-case-2189                          created (0.52s)     
 +   ├─ pulumi:providers:aws                apsoutheast2                               created (0.24s)     
 +   │  └─ aws:ec2:Vpc                      aureq_case-2189_ap-southeast-2             created (11s)       
 +   │     ├─ aws:ec2:Subnet                aureq_1_ap-southeast-2_subnet              created (0.95s)     
 +   │     ├─ aws:ec2:Subnet                aureq_0_ap-southeast-2_subnet              created (1s)        
 +   │     ├─ aws:ec2:InternetGateway       aureq-case-2189-ap-southeast-2_igw         created (1s)        
 +   │     ├─ aws:ec2:SecurityGroup         aureq-ap-southeast-2-resolver_sg           created (2s)        
 +   │     ├─ aws:route53:ResolverEndpoint  aureq-ap-southeast-2-resolver-inbound      created (46s)       
 +   │     └─ aws:route53:ResolverEndpoint  aureq-ap-southeast-2-resolver-outbound     created (117s)      
 +   ├─ aws:ec2:ManagedPrefixList           aureq-case-2189-ap-southeast-2_prefixlist  created (1s)        
 +   └─ aws:ec2:VpcEndpoint                 aureq-case-2189-ap-southeast-2_endpoint    created (32s)       


Resources:
    + 11 created

Duration: 2m22s

❯ pulumi up
Previewing update (case-2189)

View Live: https://app.pulumi.com/menfin/zendesk/case-2189/previews/23941013-9fe3-4a90-a8d4-8d235c0c275b

     Type                                   Name                                    Plan       Info
     pulumi:pulumi:Stack                    zendesk-case-2189                                  
     └─ pulumi:providers:aws                apsoutheast2                                       
        └─ aws:ec2:Vpc                      aureq_case-2189_ap-southeast-2                     
 ~         ├─ aws:route53:ResolverEndpoint  aureq-ap-southeast-2-resolver-inbound   update     [diff: ~ipAddresses]
 ~         └─ aws:route53:ResolverEndpoint  aureq-ap-southeast-2-resolver-outbound  update     [diff: ~ipAddresses]


Resources:
    ~ 2 to update
    9 unchanged

Do you want to perform this update? yes
Updating (case-2189)

View Live: https://app.pulumi.com/menfin/zendesk/case-2189/updates/2

     Type                                   Name                                    Status             Info
     pulumi:pulumi:Stack                    zendesk-case-2189                                          
     └─ pulumi:providers:aws                apsoutheast2                                               
        └─ aws:ec2:Vpc                      aureq_case-2189_ap-southeast-2                             
 ~         ├─ aws:route53:ResolverEndpoint  aureq-ap-southeast-2-resolver-outbound  updated (333s)     [diff: ~ipAddresses]
 ~         └─ aws:route53:ResolverEndpoint  aureq-ap-southeast-2-resolver-inbound   updated (82s)      [diff: ~ipAddresses]


Resources:
    ~ 2 updated
    9 unchanged

Duration: 5m38s

[thomas11]

Unfortunately, no fix yet but here is some debugging information.

The hypothesis is that the issue is caused by this upstream change. Possibly because in the schema, ip is both optional and computed which can cause issues, see here for instance.

Stepping through in the debugger shows that in pulumi-terraform-bridge/pkg/tfshim/sdk-v2/provider.go we call schema.Resource.SimpleDiff which returns a diff where each subnet_id occurs twice, once with Old empty and once with New empty.

[rdanno]

I'm having the same issue. It was suddenly introduced into my project when upgrading to the latest pulumi_aws pip module. It took a bit of debugging because i'd made changes to this same resource and didn't expect it to be an upstream unrelated bug.

Changes are being made even when there are no actual code changes were made:

    ~ aws:route53/resolverEndpoint:ResolverEndpoint: (update)
        [id=rslvr-out-92d9c]
        [urn=urn:pulumi:ResolverEndpoint]
        [provider=urn:pulumi:cfa6a9e04]
      ~ ipAddresses: [
          ~ [0]: {
                  ~ subnetId: "subnet-1725d" => "subnet-1725d"
                }
          ~ [1]: {
                  ~ subnetId: "subnet-98b2b" => "subnet-98b2b"
                }
        ]

I understand this is actually an upstream Terraform issue/bug but this is a version-stopper anyone using this resource

[t0yv0]

Hi folks just noting that we've been trying to have a look at this as a possible bridge issue.

This PR reproduces in the unit test #788

I'm still investigating a bit to get a better hold of how these diffs are processed.

Confirming that reverting 2197a6c2c7a0ff306cec3432acb9f5680866f034 change to endpointHashIPAddress does make this work. If there's any indication that it's truly an upstream issue, like an upstream ticket or indication that this same program when run with Terraform CLI works correctly, that'd be wonderful.

[t0yv0]

So it appears that the bridged provider is calling endpointHashIPAddress with an empty IP. I could find that by injecting a panic in #788 . The context of the Diff call is in https://github.com/pulumi/pulumi-terraform-bridge/pull/788/files#diff-9beaea70a21888f25241e976278eec4d4b9019bd189b40ca5d2337bf19cd84b9R1841

So in fact the bridge is calling into TF SimpleDiff method which does down to a endpointHashIPAddress call with an empty "ip" sometimes.

github.com/pulumi/pulumi-terraform-bridge/v3/internal/testprovider.endpointHashIPAddress({0x20e6a40?, 0xc0007
        /Users/t0yv0/code/pulumi-terraform-bridge/internal/testprovider/schema_regress_aws_2352.go:119 +0x3e7
github.com/hashicorp/terraform-plugin-sdk/v2/helper/schema.(*Set).hash(0x1054929?, {0x20e6a40?, 0xc0007e35f0?
        /Users/t0yv0/go/pkg/mod/github.com/pulumi/terraform-plugin-sdk/[email protected]/
github.com/hashicorp/terraform-plugin-sdk/v2/helper/schema.(*Set).add(0xc0002dd8c0, {0x20e6a40?, 0xc0007e35f0
        /Users/t0yv0/go/pkg/mod/github.com/pulumi/terraform-plugin-sdk/[email protected]/
github.com/hashicorp/terraform-plugin-sdk/v2/helper/schema.(*ConfigFieldReader).readSet(0xc0007e3260, {0xc000
        /Users/t0yv0/go/pkg/mod/github.com/pulumi/terraform-plugin-sdk/[email protected]/
....
github.com/hashicorp/terraform-plugin-sdk/v2/helper/schema.schemaMap.diffSet(0x22e6624?, {0x26fbd10, 0xc00012
        /Users/t0yv0/go/pkg/mod/github.com/pulumi/terraform-plugin-sdk/[email protected]/
github.com/hashicorp/terraform-plugin-sdk/v2/helper/schema.schemaMap.diff(0x6?, {0x26fbd10, 0xc000124010}, {0
        /Users/t0yv0/go/pkg/mod/github.com/pulumi/terraform-plugin-sdk/[email protected]/
github.com/hashicorp/terraform-plugin-sdk/v2/helper/schema.schemaMap.Diff(0xc0002a2db0, {0x26fbd10, 0xc000124
        /Users/t0yv0/go/pkg/mod/github.com/pulumi/terraform-plugin-sdk/[email protected]/
github.com/hashicorp/terraform-plugin-sdk/v2/helper/schema.(*Resource).SimpleDiff(0x26f13a0?, {0x26fbd10?, 0x
        /Users/t0yv0/go/pkg/mod/github.com/pulumi/terraform-plugin-sdk/[email protected]/
github.com/pulumi/pulumi-terraform-bridge/v3/pkg/tfshim/sdk-v2.v2Provider.Diff({0xc00026b400?}, {0x230418d, 0
        /Users/t0yv0/code/pulumi-terraform-bridge/pkg/tfshim/sdk-v2/provider.go:107 +0x27f
github.com/pulumi/pulumi-terraform-bridge/v3/pkg/tfbridge.(*Provider).Diff(0xc00026b400, {0x26fbd10?, 0xc0001

Now, that's a little suspicious. The IP is available in the state. Unfortunately I'm a bit more familiar with Plugin Framework than the sdk-v2 methods. IN the PF world, for Computed+Optional attributes, the PlannedState structure is resolved by recursively merging the data from State ant Config, and I'd expect the IP data from State flow in and be made use of before a diff attempt is made.

How does it work with sdk-v2 methods? I'm not entirely sure yet SimpleDiff is supposed to be called differently, and TF CLI calls it differently in this case, in which case it's a TF bug, or it's an issue inside SImpleDiff.

More on this next week.

[t0yv0]

I have some new information indicating this is a bridge bug. Here are the versions of Pulumi provider with which I can reproduce the issue and the corresponding versions of the TF provider:

| pulumi |     tf | fork                                  |
|--------+--------+---------------------------------------|
| 5.21.1 | 4.39.0 | v1.38.1-0.20221117095546-4f71b6571c4a |
| 5.22.0 | 4.42.0 | v1.38.1-0.20221201222409-5f2f39c9c899 |

However if I use terraform CLI to try to reproduce the issue with these TF versions, I cannot reproduce:

terraform apply # with v=4.39.0
terraform plan  # with v=4.42.0 or v=4.53.0 - produces "No changes" as expected.

The TF definition I'm using to repro:

terraform {
  required_providers {
    aws = {
      source = "hashicorp/aws"
      version = "4.39.0"
      # version = "4.42.0"
      # version = "4.53.0"
    }
  }
}

provider "aws" {
  profile = "devsandbox"
  region  = "us-east-1"
}

resource "aws_vpc" "repro_2294_vpc_us_east_1" {
  cidr_block = "10.42.0.0/16"
  enable_dns_hostnames = true
}

resource "aws_subnet" "repro_2294_subnet0_us_east_1" {
  vpc_id = aws_vpc.repro_2294_vpc_us_east_1.id
  cidr_block = "10.42.0.0/24"
  availability_zone = "us-east-1a"
}

resource "aws_subnet" "repro_2294_subnet1_us_east_1" {
  vpc_id = aws_vpc.repro_2294_vpc_us_east_1.id
  cidr_block = "10.42.1.0/24"
  availability_zone = "us-east-1a"
}

resource "aws_internet_gateway" "repro_2294_inet_gateway_us_east_1" {
  vpc_id = aws_vpc.repro_2294_vpc_us_east_1.id
}

resource "aws_ec2_managed_prefix_list" "repro_2294_prefix_list_us_east_1" {
  name = "prefixlist"
  address_family = "IPv4"
  max_entries = 5
  entry {
    cidr        = aws_vpc.repro_2294_vpc_us_east_1.cidr_block
    description = "Primary"
  }
}

resource "aws_security_group" "repro_2294_sec_group_us_east_1" {
  vpc_id = aws_vpc.repro_2294_vpc_us_east_1.id
  name = "sg1"

  ingress {
    description      = "INGRESS-TCP"
    from_port        = 53
    to_port          = 53
    protocol         = "tcp"
    prefix_list_ids  = [aws_ec2_managed_prefix_list.repro_2294_prefix_list_us_east_1.id]
  }

  ingress {
    description      = "INGRESS-UDP"
    from_port        = 53
    to_port          = 53
    protocol         = "udp"
    prefix_list_ids  = [aws_ec2_managed_prefix_list.repro_2294_prefix_list_us_east_1.id]
  }

  egress {
    from_port        = 0
    to_port          = 0
    protocol         = "-1"
    cidr_blocks      = ["0.0.0.0/0"]
  }
}

resource "aws_route53_resolver_endpoint" "repro_2294_resolver_endpoint_us_east_1" {
  name = "rendpoint"
  direction = "INBOUND"
  security_group_ids = [aws_security_group.repro_2294_sec_group_us_east_1.id]

  ip_address {
    subnet_id = aws_subnet.repro_2294_subnet0_us_east_1.id
  }

  ip_address {
    subnet_id = aws_subnet.repro_2294_subnet1_us_east_1.id
  }
}

[t0yv0]

For users tracking this as pulumi-aws issue: please use v5.29.1 or higher that currently works around the specific problem with ResolverEndpoint, this issue is tracking fixing the root cause to future-proof other resources.

[t0yv0]

The root cause is now fixed in pulumi-terraform-bridge #844 under a feature flag. Feature-flags de-risk the rollout since the change involves Diff method and has a potential of unintentional consequences such as unexpected replace plans on provider upgrades. The tentative plan for gradual rollout is in #866

[pulumi-bot]

Cannot close issue without required labels: resolution/