Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Upgrading provider causes replacement in router_nat resource #2673

Open
yoejigu opened this issue Nov 21, 2024 · 3 comments
Open

Upgrading provider causes replacement in router_nat resource #2673

yoejigu opened this issue Nov 21, 2024 · 3 comments
Labels
awaiting-feedback Blocked on input from the author bug/diff kind/bug related to Pulumi generating wrong diffs on preview or up. kind/bug Some behavior is incorrect or out of spec needs-repro Needs repro steps before it can be triaged or fixed

Comments

@yoejigu
Copy link

yoejigu commented Nov 21, 2024

Describe what happened

A user attempted to upgrade their GCP provider which triggered a replacement in the router_nat resource even though they haven't made any changes to that resource.

The reason for the upgrade was that the user was facing a similar issue as described here: hashicorp/terraform-provider-google#17443

They were using the GCP provider v7.27.0 and when they tried to create a database using only the sslMode attribute, the pulumi provider auto set the requireSsl to false which conflicted with their desired sslMode of TRUSTED_CLIENT_CERTIFICATE_REQUIRED which mandates that the requireSsl attribute to either be true or cleared.

They attempted to upgrade the provider to the most recent version to avoid this conflict but the provider upgrade led to pulumi to try to delete and replace a routerNAT resource even though they haven't made any changes to that resource.

Sample program

N/A

Log output

No response

Affected Resource(s)

GCP Database
Router NAT

Output of pulumi about

N/A

Additional context

No response

Contributing

Vote on this issue by adding a 👍 reaction.
To contribute a fix for this issue, leave a comment (and link to your pull request, if you've opened one already).

@yoejigu yoejigu added area/providers bug/diff kind/bug related to Pulumi generating wrong diffs on preview or up. kind/bug Some behavior is incorrect or out of spec needs-triage Needs attention from the triage team labels Nov 21, 2024
@VenelinMartinov VenelinMartinov changed the title requireSsl deprecated in favor of sslMode but pulumi provider auto-applies require_ssl by default Upgrading provider causes replacement in router_nat resource Nov 22, 2024
@VenelinMartinov VenelinMartinov added the p1 A bug severe enough to be the next item assigned to an engineer label Nov 22, 2024
@VenelinMartinov
Copy link
Contributor

VenelinMartinov commented Nov 22, 2024

The diff GRPC call is this:

{
    "method": "/pulumirpc.ResourceProvider/Diff",
    "request": {
        "id": "ID",
        "urn": "urn:pulumi:*::gcp:compute/routerNat:RouterNat::vpc-nat",
        "olds": {
            "__meta": "{\"e2bfb730-ecaa-11e6-8f88-34363bc7c4c0\":{\"create\":1200000000000,\"delete\":1200000000000,\"update\":1200000000000}}",
            "drainNatIps": [],
            "enableDynamicPortAllocation": true,
            "enableEndpointIndependentMapping": false,
            "icmpIdleTimeoutSec": 30,
            "id": "ID",
            "logConfig": {
                "enable": true,
                "filter": "ALL"
            },
            "maxPortsPerVm": 0,
            "minPortsPerVm": 256,
            "name": "vpc-nat",
            "natIpAllocateOption": "MANUAL_ONLY",
            "natIps": [
                "NAT_IP"
            ],
            "project": "project",
            "region": "us-west2",
            "router": "vpc",
            "rules": [],
            "sourceSubnetworkIpRangesToNat": "ALL_SUBNETWORKS_ALL_IP_RANGES",
            "subnetworks": [],
            "tcpEstablishedIdleTimeoutSec": 1200,
            "tcpTimeWaitTimeoutSec": 120,
            "tcpTransitoryIdleTimeoutSec": 30,
            "type": "PUBLIC",
            "udpIdleTimeoutSec": 30
        },
        "news": {
            "__defaults": [
                "icmpIdleTimeoutSec",
                "tcpEstablishedIdleTimeoutSec",
                "tcpTimeWaitTimeoutSec",
                "tcpTransitoryIdleTimeoutSec",
                "udpIdleTimeoutSec"
            ],
            "enableDynamicPortAllocation": true,
            "enableEndpointIndependentMapping": false,
            "icmpIdleTimeoutSec": 30,
            "logConfig": {
                "__defaults": [],
                "enable": true,
                "filter": "ALL"
            },
            "minPortsPerVm": 256,
            "name": "vpc-nat",
            "natIpAllocateOption": "MANUAL_ONLY",
            "natIps": [
                "NAT_IP"
            ],
            "router": "vpc",
            "sourceSubnetworkIpRangesToNat": "ALL_SUBNETWORKS_ALL_IP_RANGES",
            "tcpEstablishedIdleTimeoutSec": 1200,
            "tcpTimeWaitTimeoutSec": 120,
            "tcpTransitoryIdleTimeoutSec": 30,
            "type": "PUBLIC",
            "udpIdleTimeoutSec": 30
        },
        "oldInputs": {
            "__defaults": [
                "icmpIdleTimeoutSec",
                "tcpEstablishedIdleTimeoutSec",
                "tcpTimeWaitTimeoutSec",
                "tcpTransitoryIdleTimeoutSec",
                "udpIdleTimeoutSec"
            ],
            "enableDynamicPortAllocation": true,
            "enableEndpointIndependentMapping": false,
            "icmpIdleTimeoutSec": 30,
            "logConfig": {
                "__defaults": [],
                "enable": true,
                "filter": "ALL"
            },
            "minPortsPerVm": 256,
            "name": "vpc-nat",
            "natIpAllocateOption": "MANUAL_ONLY",
            "natIps": [
                "NAT_IP"
            ],
            "router": "vpc",
            "sourceSubnetworkIpRangesToNat": "ALL_SUBNETWORKS_ALL_IP_RANGES",
            "tcpEstablishedIdleTimeoutSec": 1200,
            "tcpTimeWaitTimeoutSec": 120,
            "tcpTransitoryIdleTimeoutSec": 30,
            "type": "PUBLIC",
            "udpIdleTimeoutSec": 30
        },
        "name": "vpc-nat",
        "type": "gcp:compute/routerNat:RouterNat"
    },
    "response": {
        "replaces": [
            "__meta"
        ],
        "stables": [
            "endpointTypes",
            "initialNatIps",
            "name",
            "project",
            "region",
            "router",
            "type"
        ],
        "changes": "DIFF_SOME",
        "hasDetailedDiff": true
    },
    "metadata": {
        "kind": "resource",
        "mode": "client",
        "name": "gcp"
    }
}

Looks like we are hitting a workaround we have for when our current detailed diff implementation fails: pulumi/pulumi-aws#2971

https://github.com/pulumi/pulumi-terraform-bridge/blob/2a8b877dbe500f33980524c68855f0e732c3d6aa/pkg/tfbridge/provider.go#L1252

Very relevant to the ongoing work on improving the previews in the bridge - whatever solution we come up with here we should make sure to revisit with accurate bridge previews enabled

Repro for the original issue in 2971: pulumi/pulumi-aws#2971 (comment)

@VenelinMartinov VenelinMartinov removed the needs-triage Needs attention from the triage team label Nov 25, 2024
@VenelinMartinov VenelinMartinov self-assigned this Nov 25, 2024
@VenelinMartinov
Copy link
Contributor

VenelinMartinov commented Nov 25, 2024

I replicate the configuration from the GRPC in the following program but have been unable to reproduce the issue. I attempted to upgrade from 7.27.0 to 8.9.3 and 8.10.0

name: gcp-router-nat-setup
runtime: yaml

resources:
  provider:
    type: pulumi:providers:gcp
    defaultProvider: true
    options:
      version: 7.27.0 # change to 8.10.0
  myRouter:
    type: gcp:compute:Router
    properties:
      name: my-router
      network: default
      bgp:
        asn: 65001

  manualNatIp:
    type: gcp:compute:Address
    properties:
      name: my-manual-nat-ip

  myRouterNat:
    type: gcp:compute:RouterNat
    properties:
      name: my-router-nat
      router: ${myRouter.name}
      enableDynamicPortAllocation: true
      enableEndpointIndependentMapping: false
      logConfig:
        enable: true
        filter: ALL
      minPortsPerVm: 256
      natIpAllocateOption: MANUAL_ONLY
      sourceSubnetworkIpRangesToNat: ALL_SUBNETWORKS_ALL_IP_RANGES
      type: PUBLIC
      natIps:
        - ${manualNatIp.selfLink}

@yoejigu can you please help me with a program which reproduces the behaviour? Also can you please check which version you are upgrading to? Is it 8.10.0?

EDIT: I saw the provider version used was 8.9.3 - same behaviour there for me

@VenelinMartinov VenelinMartinov added needs-repro Needs repro steps before it can be triaged or fixed awaiting-feedback Blocked on input from the author labels Nov 25, 2024
@VenelinMartinov
Copy link
Contributor

Removing the P1 as the issue doesn't seem to affect the resource in general and the user has not got back to us with a repro, so they are likely not blocked by this.

@VenelinMartinov VenelinMartinov removed the p1 A bug severe enough to be the next item assigned to an engineer label Dec 5, 2024
@VenelinMartinov VenelinMartinov removed their assignment Dec 6, 2024
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
awaiting-feedback Blocked on input from the author bug/diff kind/bug related to Pulumi generating wrong diffs on preview or up. kind/bug Some behavior is incorrect or out of spec needs-repro Needs repro steps before it can be triaged or fixed
Projects
None yet
Development

No branches or pull requests

3 participants