pulumi-aws
Security Group: Egress rule with incorrect to_port takes 3 pulumi ups to correct.
What happened?
- Using the code below, start with the egress rule set with `from_port=0` and `to_port=65535`.
- Run `pulumi up`.
- See error message about how to and from port both need to be 0.
- Take a look at Pulumi console and note that the state shows the egress property set with the 0 and 65535 values.
- Take a look at AWS console for the security group and note that no outbound rule is defined. Not too surprising given the error.
- Change the egress rule so both `from_port` and `to_port` are set to 0.
- Run `pulumi up`.
- See same error message about how both values must be 0 even though they are now set correctly.
- Take a look at Pulumi console and note that the state shows the egress is now correctly set to 0 for both `from_port` and `to_port`.
- Take a look at AWS console and note that there is still no outbound rule defined for the security group.
- Run `pulumi up` again (without any changes to the code) and note that it still shows a diff for the `to_port` from 65535 to 0. And the update completes successfully.
- Take a look at Pulumi console and see that the security group egress rule property is missing.
- Take a look at the AWS console and see that there is still no outbound rule shown.
- Run `pulumi up` again and note the diff shows it is adding a complete egress rule and that the update completes successfully.
- Take a look at the Pulumi console and see the egress rule is now shown.
- Take a look at the AWS console and see that the outbound rule is now there.
- Subsequent `pulumi up` shows no changes.
Example
```python
from pulumi_aws import ec2

security_group = ec2.SecurityGroup(
    "egress-test",
    egress=[
        ec2.SecurityGroupEgressArgs(
            # Step 1: to_port=65535 with protocol "-1" triggers the error.
            from_port=0, to_port=65535, protocol="-1", cidr_blocks=["0.0.0.0/0"],
            # Step 2: the corrected rule, both ports set to 0.
            # from_port=0, to_port=0, protocol="-1", cidr_blocks=["0.0.0.0/0"],
        )
    ],
)
```
Output of pulumi about
```
CLI
Version      3.101.1
Go Version   go1.21.5
Go Compiler  gc

Plugins
NAME    VERSION
aws     6.18.0
python  unknown

Host
OS       darwin
Version  13.5
Arch     x86_64

This project is written in python: executable='/Users/mitch/Downloads/wmg-sg/venv/bin/python3' version='3.11.3'

Current Stack: MitchGerdisch/xxxx/dev

TYPE                                 URN
pulumi:pulumi:Stack                  urn:pulumi:dev::xxxx::pulumi:pulumi:Stack::wmg-sg-dev
pulumi:providers:aws                 urn:pulumi:dev::xxxx::pulumi:providers:aws::default_6_18_0
aws:ec2/securityGroup:SecurityGroup  urn:pulumi:dev::xxxx::aws:ec2/securityGroup:SecurityGroup::egress-test

Found no pending operations associated with dev

Backend
Name  pulumi.com

Dependencies:
NAME        VERSION
pip         23.3.2
pulumi_aws  6.18.0
setuptools  69.0.3
wheel       0.42.0
```
Additional context
I tested this with Terraform using the latest version of the aws provider and version 5.31.0, which is what the Pulumi AWS provider is based on. Terraform does not exhibit this behavior. You get an error about the to_port=65535 like with Pulumi. But after changing it to the correct value of 0 and doing a terraform apply, it updates correctly with no errors.
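As an added example (not code from the issue or from pulumi-aws), the following pre-flight check encodes the constraint behind the error in the steps above: with protocol "-1" both `from_port` and `to_port` must be 0. Since a failed validation still leaves the Pulumi state and the cloud objects in an odd shape, catching the mistake before `pulumi up` is cheaper than unwinding it afterwards. The check also flags egress to 0.0.0.0/0 or ::/0 so a reviewer sees unrestricted outbound access explicitly. Rules are plain dicts whose keys mirror the keyword arguments of `ec2.SecurityGroupEgressArgs`; the finding codes and the sample rules are constructed for this example and the script runs without pulumi installed.

```python
"""Pre-flight check for AWS security-group egress rules (added example)."""
from dataclasses import dataclass
from typing import Any, Iterable, List, Mapping

ALL_PROTOCOLS = "-1"                          # AWS wildcard protocol
ANYWHERE = frozenset({"0.0.0.0/0", "::/0"})   # unrestricted destinations


@dataclass(frozen=True)
class Finding:
    index: int      # position of the rule in the egress list
    code: str       # constructed finding code for this example
    message: str


def lint_egress_rule(index: int, rule: Mapping[str, Any]) -> List[Finding]:
    """Return findings for one egress rule; an empty list means no findings."""
    findings: List[Finding] = []
    protocol = str(rule.get("protocol", ""))
    from_port = rule.get("from_port")
    to_port = rule.get("to_port")

    if protocol == ALL_PROTOCOLS:
        # The condition from the issue: protocol "-1" needs both ports set to 0.
        if (from_port, to_port) != (0, 0):
            findings.append(Finding(
                index, "PORTS_NOT_ZERO",
                f"protocol '-1' requires from_port=0 and to_port=0, "
                f"got from_port={from_port} to_port={to_port}"))
    elif isinstance(from_port, int) and isinstance(to_port, int) and from_port > to_port:
        # A reversed port range is a configuration mistake worth flagging before apply.
        findings.append(Finding(
            index, "INVERTED_RANGE",
            f"from_port={from_port} is greater than to_port={to_port}"))

    cidrs = set(rule.get("cidr_blocks", [])) | set(rule.get("ipv6_cidr_blocks", []))
    open_cidrs = sorted(cidrs & ANYWHERE)
    if open_cidrs:
        # Legal, but unrestricted egress deserves an explicit review decision.
        findings.append(Finding(
            index, "OPEN_EGRESS",
            f"egress to {', '.join(open_cidrs)} allows outbound traffic anywhere"))
    return findings


def lint_egress_rules(rules: Iterable[Mapping[str, Any]]) -> List[Finding]:
    """Lint every rule in an egress list, preserving rule order."""
    findings: List[Finding] = []
    for index, rule in enumerate(rules):
        findings.extend(lint_egress_rule(index, rule))
    return findings


# Constructed sample rules: the one that triggered the error in the issue,
# the corrected one, and a narrowly scoped HTTPS rule for contrast.
ISSUE_RULE = {"from_port": 0, "to_port": 65535, "protocol": "-1",
              "cidr_blocks": ["0.0.0.0/0"]}
FIXED_RULE = {"from_port": 0, "to_port": 0, "protocol": "-1",
              "cidr_blocks": ["0.0.0.0/0"]}
PRIVATE_HTTPS_RULE = {"from_port": 443, "to_port": 443, "protocol": "tcp",
                      "cidr_blocks": ["10.0.0.0/8"]}


if __name__ == "__main__":
    for name, rule in [("issue", ISSUE_RULE), ("fixed", FIXED_RULE),
                       ("private https", PRIVATE_HTTPS_RULE)]:
        print(f"{name}:")
        for finding in lint_egress_rules([rule]):
            print(f"  [{finding.code}] rule {finding.index}: {finding.message}")
```

Run it in the Pulumi program before constructing `ec2.SecurityGroup` and fail fast on any `PORTS_NOT_ZERO` finding; the `OPEN_EGRESS` finding is informational and is expected for the rule in this issue, which deliberately allows all outbound traffic.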
Thanks for letting us know @MitchellGerdisch. This looks like a combination of an upstream issue (https://github.com/hashicorp/terraform-provider-aws/issues/34640) and a diff bug (that provides a partial work-around?).
I'm not sure it is the same issue.
I did test the same scenario with TF and although it (correctly) complained about using to_port=65535 after updating to_port=0, a subsequent terraform apply worked as expected. Whereas with Pulumi multiple pulumi ups are needed after fixing the to_port property.
I've gone through the steps and it seems to go better but is not entirely satisfactory now.
- errors as before, but pulumi state has no SG. However, AWS console has a SG without egress rules.
- after I edit the program and do a pulumi up, I get OK and a new SG created in the console with the expected egress rules
- subsequent pulumi up shows no changes
So this is almost entirely what we want except the sequence created 2 Security Groups instead of one. That is, validation failure here created an actual AWS security group and then didn't clean it up after it realized there is a problem:
```python
import pulumi
from pulumi_aws import ec2

security_group = ec2.SecurityGroup(
    "egress-test",
    egress=[
        ec2.SecurityGroupEgressArgs(
            from_port=0, to_port=0, protocol="-1", cidr_blocks=["0.0.0.0/0"],
        )
    ],
)
```
Leaving this in the tracker for now, suspect this aspect reproduces upstream.
```
CLI
Version      3.130.0
Go Version   go1.22.6
Go Compiler  gc

Plugins
KIND      NAME    VERSION
resource  aws     6.52.0
language  python  unknown

Host
OS       darwin
Version  14.6.1
Arch     arm64

This project is written in python: executable='/Users/anton/Library/Mobile Documents/com~apple~CloudDocs/pulumi-bugs/pulumi-aws-3257/venv/bin/python' version='3.10.13'

Current Stack: anton-pulumi-corp/pulumi-aws-3257/dev

TYPE                                 URN
pulumi:pulumi:Stack                  urn:pulumi:dev::pulumi-aws-3257::pulumi:pulumi:Stack::pulumi-aws-3257-dev
pulumi:providers:aws                 urn:pulumi:dev::pulumi-aws-3257::pulumi:providers:aws::default_6_52_0
aws:ec2/securityGroup:SecurityGroup  urn:pulumi:dev::pulumi-aws-3257::aws:ec2/securityGroup:SecurityGroup::egress-test

Found no pending operations associated with dev

Backend
Name           pulumi.com
URL            https://app.pulumi.com/anton-pulumi-corp
User           anton-pulumi-corp
Organizations  anton-pulumi-corp, moolumi, demo, pulumi
Token type     personal

Dependencies:
NAME        VERSION
pip         24.2
pulumi_aws  6.52.0
setuptools  75.1.0
wheel       0.44.0

Pulumi locates its logs in /var/folders/gd/3ncjb1lj5ljgk8xl5ssn_gvc0000gn/T/com.apple.shortcuts.mac-helper// by default
```