Imported S3 Bucket marked for replacement upon refresh #1847

Open
ixti opened this issue Nov 23, 2024 · 1 comment
Labels
area/refresh kind/bug Some behavior is incorrect or out of spec

ixti commented Nov 23, 2024

What happened?

An imported S3 Bucket resource can't be refreshed. An attempt to refresh causes it to be marked for replacement.

Example

You can reproduce this with a simple script:

BUCKET_NAME="$(date +pulumi-import-test-%Y%m%d)-$(tr -dc a-z0-9 </dev/urandom | head -c 13; echo)"
echo "$BUCKET_NAME"

# Create bucket
aws s3api create-bucket \
  --bucket "$BUCKET_NAME" \
  --create-bucket-configuration 'LocationConstraint=us-west-2'
aws s3api put-bucket-ownership-controls \
  --bucket "$BUCKET_NAME" \
  --ownership-controls '{"Rules":[{"ObjectOwnership":"BucketOwnerEnforced"}]}'
aws s3api put-bucket-encryption \
  --bucket "$BUCKET_NAME" \
  --server-side-encryption-configuration '{"Rules":[{"ApplyServerSideEncryptionByDefault":{"SSEAlgorithm":"AES256"},"BucketKeyEnabled":true}]}'


# Setup Pulumi project
pulumi login --local
pulumi new typescript --name pulumi-test-s3-import --description "s3 bucket import bug demo" --stack demo --secrets-provider passphrase --yes
npm install @pulumi/aws-native

# Create Pulumi program
rm -f index.ts
cat <<EOF > index.ts
import * as awsNative from "@pulumi/aws-native";

const bucketName = "$BUCKET_NAME";
const bucket     = new awsNative.s3.Bucket("demo", {
  bucketName,
  bucketEncryption: {
    serverSideEncryptionConfiguration: [{
      serverSideEncryptionByDefault: { sseAlgorithm: "AES256" },
      bucketKeyEnabled: true
    }]
  },
  ownershipControls: {
    rules: [{ objectOwnership: "BucketOwnerEnforced" }]
  },
  publicAccessBlockConfiguration: {
    blockPublicAcls: true,
    blockPublicPolicy: true,
    ignorePublicAcls: true,
    restrictPublicBuckets: true
  }
}, {
  import: bucketName
});

export const arn = bucket.arn;
EOF

# Run initial update that will import the resource
pulumi update --yes

# Refresh or update with refresh causing resource replacement
pulumi update --refresh

Output of pulumi about

CLI          
Version      3.141.0
Go Version   go1.23.3
Go Compiler  gc

Plugins
KIND      NAME        VERSION
resource  aws-native  1.9.0
language  nodejs      unknown

Host     
OS       gentoo
Version  2.17
Arch     x86_64

This project is written in nodejs: executable='/run/user/1000/fnm_multishells/31012_1732329528924/bin/node' version='v20.7.0'

Current Stack: organization/pulumi-test-s3-import/demo

TYPE                         URN
pulumi:pulumi:Stack          urn:pulumi:demo::pulumi-test-s3-import::pulumi:pulumi:Stack::pulumi-test-s3-import-demo
pulumi:providers:aws-native  urn:pulumi:demo::pulumi-test-s3-import::pulumi:providers:aws-native::default_1_9_0
aws-native:s3:Bucket         urn:pulumi:demo::pulumi-test-s3-import::aws-native:s3:Bucket::demo


Found no pending operations associated with demo

Backend        
Name           evil-eurasier
URL            file://~
User           ixti
Organizations  
Token type     personal

Dependencies:
NAME                VERSION
typescript          5.7.2
@pulumi/aws-native  1.9.0
@pulumi/pulumi      3.141.0
@types/node         18.19.64

Pulumi locates its logs in /tmp by default

Additional context

AWS classic provider does not suffer from this, though:

import * as aws from "@pulumi/aws";

const bucketName = "<same bucket name as in previous example>";
const bucket     = new aws.s3.Bucket("demo", {
  bucket: bucketName,
  serverSideEncryptionConfiguration: {
    rule: {
      applyServerSideEncryptionByDefault: { sseAlgorithm: "AES256" },
      bucketKeyEnabled: true
    }
  }
}, {
  import: bucketName
});

export const arn = bucket.arn;

Contributing

Vote on this issue by adding a 👍 reaction.
To contribute a fix for this issue, leave a comment (and link to your pull request, if you've opened one already).

@ixti ixti added kind/bug Some behavior is incorrect or out of spec needs-triage Needs attention from the triage team labels Nov 23, 2024
Member

t0yv0 commented Nov 25, 2024

Thank you for a detailed repro, I can confirm the problem on my end.

In addition I observed the following warnings on the first pulumi up that imported the resource:

Diagnostics:
  aws-native:s3:Bucket (demo):
    warning: Can't import write-only properties:
        accessControl,
            lifecycleConfiguration/Rules/*/ExpiredObjectDeleteMarker,
            lifecycleConfiguration/Rules/*/NoncurrentVersionExpirationInDays,
            lifecycleConfiguration/Rules/*/NoncurrentVersionTransition, 
            lifecycleConfiguration/Rules/*/Transition, 
            replicationConfiguration/Rules/*/Prefix

After the resource is imported, refresh also emits warnings:

    warning: Can't refresh write-only properties: accessControl, lifecycleConfiguration/Rules/*/ExpiredObjectDeleteMarker, lifecycleConfiguration/Rules/*/NoncurrentVersionExpirationInDays, lifecycleConfiguration/Rules/*/NoncurrentVersionTransition, lifecycleConfiguration/Rules/*/Transition, replicationConfiguration/Rules/*/Prefix

This must be related to #1373

@t0yv0 t0yv0 added area/refresh and removed needs-triage Needs attention from the triage team labels Nov 25, 2024
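
Until the refresh behaviour reported above is fixed, a pipeline can refuse to apply a plan that would replace a bucket. The following is an added example, not code from the issue or from the Pulumi project: it filters a preview for destructive steps on guarded resource types. It assumes the JSON printed by `pulumi preview --refresh --json` has a `steps` array whose entries carry `op` and `urn`; the sample input is constructed, and `destructiveSteps` and `resourceType` are hypothetical helper names.

```typescript
// Constructed sample shaped like `pulumi preview --refresh --json` output.
// Assumption: each entry in `steps` carries an `op` and a `urn` field.
const samplePreview = JSON.stringify({
  steps: [
    { op: "same", urn: "urn:pulumi:demo::pulumi-test-s3-import::pulumi:pulumi:Stack::pulumi-test-s3-import-demo" },
    { op: "replace", urn: "urn:pulumi:demo::pulumi-test-s3-import::aws-native:s3:Bucket::demo" },
  ],
});

interface PreviewStep {
  op: string;
  urn: string;
}

// Step operations that destroy or recreate the underlying cloud resource.
const DESTRUCTIVE_OPS = new Set(["replace", "create-replacement", "delete-replaced", "delete"]);

// A URN is urn:pulumi:<stack>::<project>::<type>::<name>. For child resources,
// <type> is a "$"-joined chain of parent types ending in the resource's own type.
function resourceType(urn: string): string {
  const parts = urn.split("::");
  if (parts.length < 4) return "";
  const chain = (parts[2] ?? "").split("$");
  return chain[chain.length - 1] ?? "";
}

// Return every step that would replace or delete a resource of a guarded type.
// A preview without a `steps` array yields an empty list.
function destructiveSteps(previewJson: string, guardedTypes: string[]): PreviewStep[] {
  const parsed = JSON.parse(previewJson) as { steps?: PreviewStep[] };
  const steps = Array.isArray(parsed.steps) ? parsed.steps : [];
  return steps.filter(
    (s) => DESTRUCTIVE_OPS.has(s.op) && guardedTypes.includes(resourceType(s.urn)),
  );
}

// Guard the bucket type from the reproduction and report what would be hit.
const blocked = destructiveSteps(samplePreview, ["aws-native:s3:Bucket"]);
for (const step of blocked) {
  console.log(`refusing to apply: ${step.op} ${step.urn}`);
}
```

In a pipeline, feed the function the captured preview output and stop before `pulumi update --refresh` whenever the returned list is non-empty.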