pulumi-aws icon indicating copy to clipboard operation
pulumi-aws copied to clipboard

Published 20 hours ago verified publisher icon pulumi

EKS Cluster Subnet - Invalid Preview

Open stefan01 opened this issue 1 year ago • 3 comments
trafficstars

What happened?

We are creating an EKS Cluster using the pulumi-aws provider with python 3.12. The EKS Cluster already exists and we imported it using pulumi import .... That cluster is associated to 6 subnets and we are changing it to just 3 inside of our pulumi program.

When we run pulumi preview --diff, the output of the subnet_ids inside of vpc_config changes with every run and it often does not match with the desired ids. The output seems like it is random.

Examples:

Run 1:

Image

Run 2:

Image

Run 3:

Image

Property Test

We implemented a property test to check the resulting subnets and we noticed that they are correct. When checking the values inside of a debugger, they are also matching as expected. Only the preview seems to be invalid.

We are assuming that this is an issue inside of the preview rendering of the pulumi cli (?),

Example

cluster.py

# Create EKS Cluster
self.cluster = aws.eks.Cluster(
    resource_name=config.name,
    name=config.name,
    role_arn=role.role.arn,
    vpc_config={
        "subnet_ids": ["subnet-1234567", "subnet-4532456", "subnet-436425145",],   # Example ids, in my case I used real existing subnet ids
        "endpoint_private_access": config.enable_private_access,
        "endpoint_public_access": config.enable_public_access,
    },
    enabled_cluster_log_types=[
        "api",
        "audit",
        "authenticator",
        "controllerManager",
        "scheduler",
    ],
    bootstrap_self_managed_addons=False,
    tags=config.tags,
    opts=child_opts.merge(pulumi.ResourceOptions(
        ignore_changes=["vpcConfig.securityGroupIds"])),
)

property-test.py

def eks_subnet_validator(
    args: StackValidationArgs, report_violation: ReportViolation,
):
    eks: PolicyResource = next(
        filter(
            lambda r: r.resource_type == "aws:eks/cluster:Cluster",
            args.resources,
        ),
    )

    # Check VPC Config
    eks_subnet_ids = list(eks.props["vpcConfig"]["subnetIds"])
    expected_subnet_ids = ["subnet-1234567", "subnet-4532456", "subnet-436425145"]   # Example ids, in my case I used real existing subnet ids
    
    if set(expected_subnet_ids) != set(eks_subnet_ids):
        report_violation(
            f"""The subnets used for the EKS Cluster are not the correct subnets!
            Excepted: {expected_subnet_ids}, Actual: {eks_subnet_ids}""",
            eks.urn,
        )

Output of pulumi about

CLI
Version 3.129.0 Go Version go1.22.6 Go Compiler gc

Plugins KIND NAME VERSION resource aws 6.48.0 language python 3.12 resource random 4.16.3 resource std 1.7.3 resource tls 5.0.4

Host
OS ubuntu Version 22.04 Arch x86_64

Pulumi locates its logs in /tmp by default

Additional context

As we can not publish the real code, we modified it to create a close approximation. The provided code was tested in our condition and resulted in the same issues.

Contributing

Vote on this issue by adding a 👍 reaction. To contribute a fix for this issue, leave a comment (and link to your pull request, if you've opened one already).

stefan01 avatar Aug 14 '24 11:08 stefan01

I suspect this is a problem with lists vs sets. Probably the aws provider diff method that's not handling this quite right. Moving repos.

Frassle avatar Aug 14 '24 11:08 Frassle

Thanks for sending it here. This is a manifestation of a known issue with confusing Set Previews, some combination of:

  • https://github.com/pulumi/pulumi-terraform-bridge/issues/2239
  • https://github.com/pulumi/pulumi-terraform-bridge/issues/186

I will add this item to the workstream and we will follow up here once the fix is available!

t0yv0 avatar Aug 14 '24 16:08 t0yv0

Added to epic https://github.com/pulumi/home/issues/3558

cleverguy25 avatar Sep 27 '24 18:09 cleverguy25