EKS Cluster does not refresh cleanly #2720

Closed
t0yv0 opened this issue Aug 25, 2023 · 3 comments
Labels
area/refresh bug/diff kind/bug related to Pulumi generating wrong diffs on preview or up. kind/bug Some behavior is incorrect or out of spec resolution/fixed This issue was fixed

Comments

@t0yv0
Member

t0yv0 commented Aug 25, 2023

What happened?

Unexpected update plan for a refresh right after pulumi up:

View in Browser (Ctrl+O): https://app.pulumi.com/t0yv0/resources/eksdebug/updates/2

     Type                             Name                    Status           Info
     pulumi:pulumi:Stack              resources-eksdebug                       
     ├─ pulumi:providers:aws          provider                                 
 ~   ├─ aws:iam:Role                  ekscluster1role         updated (1s)     [diff: ~managedPolicyArns]
     ├─ aws:iam:RolePolicyAttachment  ekscluster1roleattach1                   
     ├─ aws:iam:RolePolicyAttachment  ekscluster1roleattach2                   
     ├─ aws:ec2:Vpc                   vpc1                                     
     ├─ aws:ec2:Subnet                subnet1                                  
     ├─ aws:ec2:Subnet                subnet2                                  
 ~   └─ aws:eks:Cluster               ekscluster1             updated (1s)     [diff: +defaultAddonsToRemoves]


Resources:
    ~ 2 updated
    7 unchanged

Duration: 3s

Expected Behavior

Refreshing eks.Cluster that was just provisioned does not generate update plans.

Steps to reproduce

name: resources

runtime:
  name: yaml

resources:

  provider:
    type: pulumi:providers:aws
    options:
      version: 5.42.0

  "ekscluster1":
    type: aws:eks:Cluster
    properties:
      roleArn: ${ekscluster1role.arn}
      vpcConfig:
        subnetIds:
          - ${subnet1.id}
          - ${subnet2.id}
    options:
      provider: ${provider}

  "ekscluster1role":
    type: aws:iam:Role
    properties:
      assumeRolePolicy:
        fn::invoke:
           return: json
           function: aws:iam:getPolicyDocument
           arguments:
             statements:
               - effect: Allow
                 principals:
                   - type: Service
                     identifiers:
                       - eks.amazonaws.com
                 actions:
                   - sts:AssumeRole
    options:
      provider: ${provider}

  "ekscluster1roleattach1":
    type: aws:iam:RolePolicyAttachment
    properties:
      policyArn: arn:aws:iam::aws:policy/AmazonEKSClusterPolicy
      role: ${ekscluster1role.name}
    options:
      provider: ${provider}

  "ekscluster1roleattach2":
    type: aws:iam:RolePolicyAttachment
    properties:
      policyArn: arn:aws:iam::aws:policy/AmazonEKSVPCResourceController
      role: ${ekscluster1role.name}
    options:
      provider: ${provider}

  "vpc1":
    type: aws:ec2/vpc:Vpc
    properties:
      cidrBlock: "10.192.0.0/16"
    options:
      provider: ${provider}

  "subnet1":
    type: aws:ec2/subnet:Subnet
    properties:
      cidrBlock: 10.192.20.0/24
      vpcId: ${vpc1.id}
      mapPublicIpOnLaunch: false
      availabilityZone: us-west-2a
    options:
      provider: ${provider}

  "subnet2":
    type: aws:ec2/subnet:Subnet
    properties:
      cidrBlock: 10.192.21.0/24
      vpcId: ${vpc1.id}
      mapPublicIpOnLaunch: false
      availabilityZone: us-west-2b
    options:
      provider: ${provider}

Steps:

$ pulumi up --yes
$ pulumi refresh

Output of pulumi about

CLI          
Version      3.74.0
Go Version   go1.20.5
Go Compiler  gc

Plugins
NAME  VERSION
aws   5.42.0
yaml  unknown

Host     
OS       darwin
Version  13.4.1
Arch     x86_64

This project is written in yaml

Current Stack: t0yv0/resources/eksdebug

TYPE                                               URN
pulumi:pulumi:Stack                                urn:pulumi:eksdebug::resources::pulumi:pulumi:Stack::resources-eksdebug
pulumi:providers:aws                               urn:pulumi:eksdebug::resources::pulumi:providers:aws::provider
pulumi:providers:aws                               urn:pulumi:eksdebug::resources::pulumi:providers:aws::default
aws:iam/role:Role                                  urn:pulumi:eksdebug::resources::aws:iam/role:Role::ekscluster1role
aws:iam/rolePolicyAttachment:RolePolicyAttachment  urn:pulumi:eksdebug::resources::aws:iam/rolePolicyAttachment:RolePolicyAttachment::ekscluster1roleattach2
aws:iam/rolePolicyAttachment:RolePolicyAttachment  urn:pulumi:eksdebug::resources::aws:iam/rolePolicyAttachment:RolePolicyAttachment::ekscluster1roleattach1
aws:ec2/vpc:Vpc                                    urn:pulumi:eksdebug::resources::aws:ec2/vpc:Vpc::vpc1
aws:ec2/subnet:Subnet                              urn:pulumi:eksdebug::resources::aws:ec2/subnet:Subnet::subnet1
aws:ec2/subnet:Subnet                              urn:pulumi:eksdebug::resources::aws:ec2/subnet:Subnet::subnet2
aws:eks/cluster:Cluster                            urn:pulumi:eksdebug::resources::aws:eks/cluster:Cluster::ekscluster1


Found no pending operations associated with eksdebug

Backend        
Name           pulumi.com
URL            https://app.pulumi.com/t0yv0
User           t0yv0
Organizations  t0yv0, pulumi

No dependencies found

Pulumi locates its logs in /var/folders/gk/cchgxh512m72f_dmkcc3d09h0000gp/T/ by default

Additional context

This issue was discovered as part of building out provider upgrade tests and surfaced when recording baseline provider behavior for the eks.Cluster resource.

Contributing

Vote on this issue by adding a 👍 reaction.
To contribute a fix for this issue, leave a comment (and link to your pull request, if you've opened one already).

@t0yv0 t0yv0 added kind/bug Some behavior is incorrect or out of spec needs-triage Needs attention from the triage team labels Aug 25, 2023
@t0yv0
Member Author

t0yv0 commented Aug 25, 2023

On V6 this stack has a similar but different problem:


Do you want to perform this refresh?
No resources will be modified as part of this refresh; just your stack's state will be.
 details
  pulumi:pulumi:Stack: (same)
    [urn=urn:pulumi:eksdebug::resources::pulumi:pulumi:Stack::resources-eksdebug]
    ~ aws:iam/role:Role: (update)
        [id=ekscluster1role-3d947ce]
        [urn=urn:pulumi:eksdebug::resources::aws:iam/role:Role::ekscluster1role]
        [provider=urn:pulumi:eksdebug::resources::pulumi:providers:aws::provider::72b09d72-d11c-41e8-9c98-b0557ce66591]
        --outputs:--
      - roleLastUseds      : [
      -     [0]: {
              - lastUsedDate: ""
              - region      : ""
            }
        ]
    ~ aws:ec2/vpc:Vpc: (update)
        [id=vpc-0d04740861cf1d0f6]
        [urn=urn:pulumi:eksdebug::resources::aws:ec2/vpc:Vpc::vpc1]
        [provider=urn:pulumi:eksdebug::resources::pulumi:providers:aws::provider::72b09d72-d11c-41e8-9c98-b0557ce66591]
        --outputs:--
      - enableClassiclink               : false
      - enableClassiclinkDnsSupport     : false

Do you want to perform this refresh?
No resources will be modified as part of this refresh; just your stack's state will be.
  [Use arrows to move, type to filter]
  yes

Using

  provider:
    type: pulumi:providers:aws
    options:
      version: 6.0.2-alpha.2+9b14ba69

@iwahbe iwahbe added bug/diff kind/bug related to Pulumi generating wrong diffs on preview or up. and removed needs-triage Needs attention from the triage team labels Aug 28, 2023
@t0yv0
Member Author

t0yv0 commented Apr 25, 2024

Still a problem:

Previewing refresh (repro2)

View in Browser (Ctrl+O): https://app.pulumi.com/anton-pulumi-corp/resources/repro2/previews/22ff7902-cbf3-4dbd-916d-cd889bc19484

     Type                             Name                    Plan       Info
     pulumi:pulumi:Stack              resources-repro2                   
     ├─ pulumi:providers:aws          provider                           
 ~   ├─ aws:iam:Role                  ekscluster1role         update     [diff: ~managedPolicyArns]
     ├─ aws:iam:RolePolicyAttachment  ekscluster1roleattach2             
     ├─ aws:ec2:Subnet                subnet1                            
     ├─ aws:iam:RolePolicyAttachment  ekscluster1roleattach1             
     ├─ aws:ec2:Subnet                subnet2                            
     ├─ aws:ec2:Vpc                   vpc1                               
 ~   └─ aws:eks:Cluster               ekscluster1             update     [diff: +defaultAddonsToRemoves]

Resources:
    ~ 2 to update
    7 unchanged

Do you want to perform this refresh?
No resources will be modified as part of this refresh; just your stack's state will be.
 details
  pulumi:pulumi:Stack: (same)
    [urn=urn:pulumi:repro2::resources::pulumi:pulumi:Stack::resources-repro2]
    ~ aws:iam/role:Role: (update)
        [id=ekscluster1role-1c24246]
        [urn=urn:pulumi:repro2::resources::aws:iam/role:Role::ekscluster1role]
        [provider=urn:pulumi:repro2::resources::pulumi:providers:aws::provider::9ac84da1-b67e-4670-856e-1ad436474fac]
        --outputs:--
      ~ managedPolicyArns  : [
          + [0]: "arn:aws:iam::aws:policy/AmazonEKSClusterPolicy"
          + [1]: "arn:aws:iam::aws:policy/AmazonEKSVPCResourceController"
        ]
    ~ aws:eks/cluster:Cluster: (update)
        [id=ekscluster1-421a7c7]
        [urn=urn:pulumi:repro2::resources::aws:eks/cluster:Cluster::ekscluster1]
        [provider=urn:pulumi:repro2::resources::pulumi:providers:aws::provider::9ac84da1-b67e-4670-856e-1ad436474fac]
        --outputs:--
      + defaultAddonsToRemoves : []

The problem is self-correcting after refresh. Looks like Read is normalizing defaultAddonsToRemoves from missing to [].

"default_addons_to_remove": {
    Type:     schema.TypeList,
    Optional: true,
    Elem: &schema.Schema{
        Type: schema.TypeString,
    },
}

managedPolicyArns is exactly the same as in #2246
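
The missing-versus-`[]` normalization described in the comment above, as an added Go example that is not part of the issue or the provider's code. `isEmpty`, `ChangedKeys` and the sample maps are hypothetical and constructed from the refresh details quoted above; the comparison drops the empty-list noise on `defaultAddonsToRemoves` while still reporting the populated `managedPolicyArns` change on the IAM role.

```go
package main

import (
	"fmt"
	"reflect"
	"sort"
)

// isEmpty reports whether v is missing (nil) or a zero-length list.
func isEmpty(v any) bool {
	rv := reflect.ValueOf(v)
	return v == nil || (rv.Kind() == reflect.Slice && rv.Len() == 0)
}

// ChangedKeys (hypothetical) lists differing properties; lenient treats missing and [] as equal.
func ChangedKeys(recorded, refreshed map[string]any, lenient bool) []string {
	keys := map[string]bool{}
	for _, m := range []map[string]any{recorded, refreshed} {
		for k := range m {
			keys[k] = true
		}
	}
	out := []string{}
	for k := range keys {
		a, b := recorded[k], refreshed[k]
		if (lenient && isEmpty(a) && isEmpty(b)) || reflect.DeepEqual(a, b) {
			continue
		}
		out = append(out, k)
	}
	sort.Strings(out)
	return out
}

// Constructed samples shaped like the refresh details quoted in the issue.
var (
	clusterOld = map[string]any{"id": "ekscluster1-421a7c7"}
	clusterNew = map[string]any{"id": "ekscluster1-421a7c7", "defaultAddonsToRemoves": []string{}}
	roleOld    = map[string]any{"id": "ekscluster1role-1c24246"}
	roleNew    = map[string]any{"id": "ekscluster1role-1c24246", "managedPolicyArns": []string{
		"arn:aws:iam::aws:policy/AmazonEKSClusterPolicy",
		"arn:aws:iam::aws:policy/AmazonEKSVPCResourceController"}}
)

func main() {
	fmt.Println(ChangedKeys(clusterOld, clusterNew, false), ChangedKeys(clusterOld, clusterNew, true))
	fmt.Println(ChangedKeys(roleOld, roleNew, true))
}
```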

@corymhall
Contributor

I just tried to reproduce this and I get a clean refresh. It looks like the refresh issues have not been fixed. I used the below program

const role = new aws.iam.Role(`role`, {
  assumeRolePolicy: aws.iam.assumeRolePolicyForPrincipal(
    aws.iam.Principals.EksPrincipal,
  ),
});

new aws.iam.RolePolicyAttachment(`cluster-policy`, {
  policyArn: 'arn:aws:iam::aws:policy/AmazonEKSClusterPolicy',
  role: role.name,
});

new aws.iam.RolePolicyAttachment(`eks-vpc-policy`, {
  policyArn: 'arn:aws:iam::aws:policy/AmazonEKSVPCResourceController',
  role: role.name,
});

const vpc = new aws.ec2.Vpc('Vpc', {
  cidrBlock: '10.0.0.0/16',
});

const subnet1 = new aws.ec2.Subnet('Subnet1', {
  vpcId: vpc.id,
  cidrBlock: '10.0.160.0/20',
  availabilityZone: 'us-east-2a',
});
const subnet2 = new aws.ec2.Subnet('Subnet2', {
  vpcId: vpc.id,
  cidrBlock: '10.0.96.0/20',
  availabilityZone: 'us-east-2b',
});

new aws.eks.Cluster(`cluster`, {
  roleArn: role.arn,
  vpcConfig: {
    subnetIds: [subnet1.id, subnet2.id],
  },
});
