Accidentally ran refresh, now Accounts fail updating when no changes

[daveio]

trafficstars

Describe what happened

I ran a refresh on my stack. Afterward, the Accounts show pending for update. I have tried adding ignoreChanges with ["*"] and with ["name", "type"], no effect. Now I can't update unless I exclude them with

pulumi update --exclude "urn:pulumi:production::STACK::cloudflare:index/account:Account::ACCOUNT1" --exclude "urn:pulumi:production::STACK::cloudflare:index/account:Account::ACCOUNT2"

Sample program

import { Account } from "@pulumi/cloudflare"

const accountOne = new Account(
  "dave.io",
  {
    name: "ACCOUNT1",
    type: "standard"
  }
)

const accountTwo = new Account(
  "delirium.org.uk",
  {
    name: "ACCOUNT2",
    type: "standard"
  }
)

export default { accountOne, accountTwo }

Log output

Placeholders: STACKNAME, ACCOUNT1, ACCOUNT2, ACCOUNT1_ID, ACCOUNT2_ID

     Type                         Name             Status                  Info
     pulumi:pulumi:Stack          STACKNAME  **failed**              5 errors
 ~   ├─ cloudflare:index:Account  ACCOUNT1  **updating failed**     [diff: ]; 1 error
 ~   └─ cloudflare:index:Account  ACCOUNT2         **updating failed**     [diff: ]; 1 error

Diagnostics:
  cloudflare:index:Account (ACCOUNT1):
    error: failed to make http request: PUT "https://api.cloudflare.com/client/v4/accounts/ACCOUNT1_ID": 400 Bad Request {"success":false,"errors":[{"code":1001,"message":"Updating account type is not supported from client api"}],"messages":[],"result":null}

  cloudflare:index:Account (ACCOUNT2):
    error: failed to make http request: PUT "https://api.cloudflare.com/client/v4/accounts/ACCOUNT2_ID": 400 Bad Request {"success":false,"errors":[{"code":1001,"message":"Updating account type is not supported from client api"}],"messages":[],"result":null}

Affected Resource(s)

cloudflare:index/account:Account

Output of pulumi about

Placeholders: RESOURCES, STACK, USERNAME

CLI          
Version      3.167.0
Go Version   go1.24.2
Go Compiler  gc

Plugins
KIND      NAME          VERSION
resource  cloudflare    6.1.2
resource  digitalocean  4.43.0
resource  kubernetes    4.23.0
language  nodejs        3.167.0
resource  upcloud       0.2.0

Host     
OS       darwin
Version  15.4.1
Arch     arm64

This project is written in nodejs: executable='/Users/dave/.local/share/mise/installs/node/22.15.0/bin/node' version='v22.15.0'

Current Stack: USERNAME/STACK/production

RESOURCES

Found no pending operations associated with production

Backend        
Name           pulumi.com
URL            https://app.pulumi.com/USERNAME
User           USERNAME
Organizations  USERNAME
Token type     personal

Pulumi locates its logs in /var/folders/ny/9qhlpxxd775c3ctmhrqtbc780000gn/T/ by default

Additional context

No response

Contributing

Vote on this issue by adding a 👍 reaction. To contribute a fix for this issue, leave a comment (and link to your pull request, if you've opened one already).

[t0yv0]

I am sorry you are hitting this. Would it be possible to see which plan is generated by pulumi preview --diff? Also what is the state of the Account resources in the statefile (pulumi stack --export)?

I have tried reproducing directly but unfortunately our test environment needs some additional setup to work with Account resources {"code":1002,"message":"Forbidden. Account creation is not allowed"} on:

const accountOne = new cloudflare.Account(
    "dave.io",
    {
        name: "ACCOUNT1",
        type: "standard"
    }
)

Reading the error message it appears that Pulumi is under impression that the account "type" is changing.

There is a property here: https://github.com/cloudflare/terraform-provider-cloudflare/blob/72a74193561eaaf004a9aa21499c44ca729e8bd3/internal/services/account/schema.go#L30

Which can take values of "standard" or "enterprise".

It sounds like this property cannot be changed in place so the upstream provider should likely mark it as requiring replace with a plan modifier, which is not the case now.

The other problem is that you are not intending to change the "type", so I am wondering what happened here, perhaps the refresh call changed it to something unexpected.

I see no obvious issues in https://github.com/cloudflare/terraform-provider-cloudflare/blob/72a74193561eaaf004a9aa21499c44ca729e8bd3/internal/services/account/resource.go#L144 but there could be something mistreating "type" there.

[daveio]

@t0yv0 You need to create an account with Cloudflare first, then do an import. This worked fine, until I did a refresh, and it's now convinced it needs to update the type property even though it's not changing. The diff doesn't even list any changes to the object. It's unclear why it's trying to change it.

Could you give me a bit more specific detail of what you need? I'm happy to provide, but I don't want to dump my entire stack into this ticket.

[t0yv0]

pulumi stack export would show the state of the Account resource as Pulumi tracks it. That could be helpful (needs sanistizing though).

pulumi preview --diff output sometimes gives an indication of which property is triggering the change.

The maximal detail is in debug logs, PULUMI_DEBUG_GRPC=$PWD/logs.json pulumi preview could have the gory details on Pulumi gRPC interactions with the provider, which again need sanitization but could be somewhat useful here.

[daveio]

@t0yv0 Last question before I give you what you've asked for, promise!

Is there any way I can pass this to you privately? I'm happy for you as a Pulumi employee to see the full state of my stack and logs, but I don't want to post them publicly.

If not that's okay too - I can sanitise them. Just wanted to know if I can bypass that bit of effort is all :)

[t0yv0]

Absolutely - I've just updated my https://github.com/t0yv0 profile to have email and https://github.com/t0yv0.gpg has the GPG key if you need to go further and secure it. Also can connect on community Slack.

[t0yv0]

Perhaps SPAM filters got in the way but I've not heard from you.