pulumi-aws icon indicating copy to clipboard operation
pulumi-aws copied to clipboard

Published 20 hours ago verified publisher icon pulumi

SecretManger Secret has a persistent diff, when replicas is set!

Open dirien opened this issue 2 years ago • 3 comments

Hello!

Issue details

When adding a replica to a SecretManger.Secert in golang:

_, err := secretsmanager.NewSecret(ctx, "my-secret", &secretsmanager.SecretArgs{
	Name:                        pulumi.String("my-secret"),
	Description:                 pulumi.String("My secret"),
	ForceOverwriteReplicaSecret: pulumi.Bool(false),
	Replicas: secretsmanager.SecretReplicaArray{
		&secretsmanager.SecretReplicaArgs{
			Region: pulumi.String("us-east-1"),
		},
	},
})
if err != nil {
	return err
}

I get on all pulumi up call a difference displayed:

Resources:
    ~ 1 to update
    1 unchanged

Do you want to perform this update? details
  pulumi:pulumi:Stack: (same)
    [urn=urn:pulumi:dev::aws-classic-test::pulumi:pulumi:Stack::aws-classic-test-dev]
    ~ aws:secretsmanager/secret:Secret: (update)
        [id=arn:aws:secretsmanager:eu-central-1:052848974346:secret:my-secret-css8X3]
        [urn=urn:pulumi:dev::aws-classic-test::aws:secretsmanager/secret:Secret::my-secret]
      ~ replicas: [
          ~ [0]: {
                  ~ region: "us-east-1" => "us-east-1"
                }
        ]

But actually, I can't see any difference in the region field.

Affected area/feature

SecretManger.Secret

dirien avatar Dec 15 '22 17:12 dirien

Successfully reproduced this issue in TypeScript too:

new aws.secretsmanager.Secret(
  "my-secret",
  {
    name: "my-secret",
    description: "my-secret",
    replicas: [{ region: "us-east-1" }],
  });

Workaround

Applying an ignore to the region of the specific replica will hide this issue:

new aws.secretsmanager.Secret(
  "my-secret",
  {
    name: "my-secret",
    description: "my-secret",
    replicas: [{ region: "us-east-1" }],
  },
  {
    ignoreChanges: ["replicas[0].region"],
  }
);

Investigation Notes

There are additional fields (status, kmsKeyId and lastAccessedDate) which are automatically populated, but these don't appear to be causing the diff. It seems isolated to region field. Tested this by ignoring all fields except region and it still reported the diff.

This could likely be a bug within in the bridge on either the InstanceDiff result that comes back from tf.Diff(), or possibly something which should then get ignored by doIgnoreChanges but perhaps has something missing in the schema to trigger this correctly.

danielrbradley avatar Dec 19 '22 16:12 danielrbradley

Unfortunately this reproduces still. The root cause here is pulumi/pulumi-terraform-bridge#186

t0yv0 avatar May 06 '24 17:05 t0yv0

Added to epic https://github.com/pulumi/home/issues/3558

cleverguy25 avatar Sep 27 '24 18:09 cleverguy25