upgrade Azure-Native Api Version to latest forces resources recreation

[rexebin]

What happened?

First of all, thanks for the awesome product.

I upgraded to Pulumi Azure Native package 1.103.0 and a few API versions are marked as obsolete. So I upgraded them to the recommended version, for example:

1. azure-native:documentdb/v20221115 => azure-native:documentdb/v20230315
2. azure-native:keyvault/v20211001 => azure-native:keyvault/v20230201

On redeployment, resources are being created:

1. created a new keyvault with a different random suffix
2. failed to create the cosmos db because the name is fixed, complaining resource already exists.

Expected Behavior

Changing API version should not require resource recreations as the document indicates: https://www.pulumi.com/registry/packages/azure-native/version-guide/#switching-between-api-versions

Steps to reproduce

1. upgrade to Pulumi.AzureNative to 1.103
2. upgrade document db api versions
3. upgrade key vault api versions
4. redeploy

Output of pulumi about

azure-native:documentdb/v20230315:DatabaseAccount (f3a5e968b6de4b2380a76afd187cadf3-exa-ees):
error: cannot create already existing subresource '/subscriptions/***/resourceGroups/xxxxx/providers/Microsoft.DocumentDB/databaseAccounts/xxxxx'

names are replaced with xxxx.

Additional context

No response

Contributing

Vote on this issue by adding a 👍 reaction.
To contribute a fix for this issue, leave a comment (and link to your pull request, if you've opened one already).

[dixler]

First of all, thanks for the awesome product.

Thanks! I joined because I thought it was cool too!

I'm under the impression that this is an azure-native provider issue so I'm going to transfer it there and they might be better able to assist.

[thomas11]

Hi @rexebin, sorry you're running into this issue. Would you be able to show us the diff that Pulumi prints on pulumi up? It should show which properties it wants to add or update.

[rexebin]

@thomas11 It doesn't try to update existing ones, it ignores them and tries to create new resources, no relationship with the resource created with the old API version. For example,

1. when we let Pulumi create the resource name with a random suffix, it simply creates another resource with another random suffix.
2. when we specify the resource name, i.e. no random suffix, it complains resource already exists.

[thomas11]

Hi @rexebin, I just tried to reproduce the issue with a minimal Key Vault program but wasn't able to. Changing the imported version from v20211001 to v20230201, pulumi up says there are no changes.

package main

import (
	keyvault "github.com/pulumi/pulumi-azure-native-sdk/keyvault/v20211001"
	"github.com/pulumi/pulumi-azure-native-sdk/resources"
	"github.com/pulumi/pulumi/sdk/v3/go/pulumi"
)

func main() {
	pulumi.Run(func(ctx *pulumi.Context) error {
		resourceGroup, err := resources.NewResourceGroup(ctx, "tkapplerrg", nil)
		if err != nil {
			return err
		}

		keyvault.NewVault(ctx, "tkapplervault", &keyvault.VaultArgs{
			ResourceGroupName: resourceGroup.Name,
			Properties: &keyvault.VaultPropertiesArgs{
				Sku: &keyvault.SkuArgs{
					Family: pulumi.String(keyvault.SkuFamilyA),
					Name:   keyvault.SkuNameStandard,
				},
				TenantId: pulumi.String("72f988bf-86f1-41af-91ab-2d7cd011db47"),
				AccessPolicies: &keyvault.AccessPolicyEntryArray{
					&keyvault.AccessPolicyEntryArgs{
						ObjectId: pulumi.String("f4d7f4a0-3f9c-4f4e-8f5c-5b1f1e1b9f5e"),
						TenantId: pulumi.String("72f988bf-86f1-41af-91ab-2d7cd011db47"),
						Permissions: &keyvault.PermissionsArgs{
							Certificates: pulumi.StringArray{
								pulumi.String("list"),
							},
						},
					},
				},
			},
		})

		return nil
	})
}

Are you able to share a sample program that shows the issue?

[rexebin]

Hi @thomas11, thanks for taking time to try to reproduce.

Did you deploy v20211001 with Pulumi.AzureNative v1.102.0, then upgrade to v1.103.0 and V20230201?

[zlepper]

I'm getting something that looks like the same issue. I have changed a managed cluster from the default api version to V20230102Preview, which is now causing pulumi to want to tear down the entire cluster, which would be bad.

I have quite a few resources in the stack, so apologize for the rather long output:
https://gist.github.com/zlepper/0279b25b3f411b7b3b0380d8340dc088

[zlepper]

So i have been digging a bit more into this and trying to create a more minimal example. I have concluded 2 things:

1. This only seems to happen when the azure resource is parented in a component resource. If the azure resource is declared directly in the main stack function, then the issue does not seem to occur.
2. Explicitly adding an alias to the CustomResourceOptions for the old name seems to allow Pulumi to keep the link, and avoids Pulumi wanting to delete stuff.

Do note: I have only tested with the ManagedCluster here, since that is what I had my issue on.

Test code:
Program.cs:

using Pulumi.AzureNative.Resources.V20220901;
using PulumiAzureReplacement;
using Deployment = Pulumi.Deployment;

await Deployment.RunAsync(() =>
{
    var rg = new ResourceGroup("rg", new()
    {
        Location = "westeurope",
        ResourceGroupName = "azreptest"
    });

    var c = new ClusterComponentResource("cluster", new()
    {
        ResourceGroup = rg.Name,
    });
});

ClusterComponentResource.cs:

using Pulumi;
using Pulumi.AzureNative.ContainerService.V20230102Preview;
using Pulumi.AzureNative.ContainerService.V20230102Preview.Inputs;

namespace PulumiAzureReplacement;

public class ClusterComponentResource : ComponentResource
{
    public ClusterComponentResource(string name, ClusterComponentResourceArgs args) : base("dgz:index:cluster", name, args)
    {
    
        var managedCluster = new ManagedCluster("managedCluster", new()
        {
            AgentPoolProfiles = new[]
            {
                new ManagedClusterAgentPoolProfileArgs
                {
                    AvailabilityZones = new[]
                    {
                        "1",
                    },
                    Count = 1,
                    EnableNodePublicIP = true,
                    Mode = "System",
                    Name = "nodepool1",
                    OsType = "Linux",
                    Type = "VirtualMachineScaleSets",
                    VmSize = "Standard_B4ms",
                },
            },
            Identity = new ManagedClusterIdentityArgs
            {
                Type = ResourceIdentityType.SystemAssigned,
            },
            DnsPrefix = "azreptest",
            ResourceGroupName = args.ResourceGroup,
            ResourceName = "clustername1",
        }, new()
        {
            Parent = this,
            Aliases =
            {
                new Alias()
                {
                    Parent = this,
                    Name = "managedCluster",
                    Type = "azure-native:containerservice:ManagedCluster",
                }
            }
        });
        
        RegisterOutputs();
    }
}

public class ClusterComponentResourceArgs : ResourceArgs
{
    public required Input<string> ResourceGroup { get; init; }
}

.csproj:

<Project Sdk="Microsoft.NET.Sdk">

    <PropertyGroup>
        <OutputType>Exe</OutputType>
        <TargetFramework>net7.0</TargetFramework>
        <ImplicitUsings>enable</ImplicitUsings>
        <Nullable>enable</Nullable>
    </PropertyGroup>

    <ItemGroup>
        <PackageReference Include="Pulumi" Version="3.54.1" />
        <PackageReference Include="Pulumi.AzureNative" Version="1.99.2" />
    </ItemGroup>

</Project>

[rexebin]

Cool, good to know.

To be clear, we have been upgrading the api versions and pulumi azure native packages a lot of times before, never encountered this issue, until the version 103.

My bet is that some changes in release 103 caused issue.

[zlepper]

Cool, good to know.

To be clear, we have been upgrading the api versions and pulumi azure native packages a lot of times before, never encountered this issue, until the version 103.

My bet is that some changes in release 103 caused issue.

Just out of curiosity: are the resource you have issues with also declared in a component resource like in the code I made, or are they at the "root" of the stack like the resource group in my example?

[rexebin]

All of our resources are encapsulated into custom classes and have their container as their parents.

…

On Thu, 22 Jun 2023 at 19:44, Rasmus Hansen ***@***.***> wrote: Cool, good to know. To be clear, we have been upgrading the api versions and pulumi azure native packages a lot of times before, never encountered this issue, until the version 103. My bet is that some changes in release 103 caused issue. Just out of curiosity: are the resource you have issues with also declared in a component resource like in the code I made, or are they at the "root" of the stack like the resource group in my example? — Reply to this email directly, view it on GitHub <#2505 (comment)>, or unsubscribe <https://github.com/notifications/unsubscribe-auth/ACTDVB4LP3HAW5WPRWDLHGDXMSHBXANCNFSM6AAAAAAY7Q3QMM> . You are receiving this because you were mentioned.Message ID: ***@***.***>

[mikhailshilkov]

@rexebin Which language are you using? It sounds like @zlepper has issues with .NET, are you also using it?

@justinvp This sounds similar to pulumi/pulumi#12662. Do we know if C# works correctly?

[justinvp]

@rexebin what version of the Pulumi CLI are you using?
@zlepper same, what version of the Pulumi CLI are you using?

The issue sounds like it could be pulumi/pulumi#12848, which was fixed in v3.72.0 on 6/15. Are you still hitting this using the latest version of the CLI (as of today v3.75.0)?

[rexebin]

I was using 3.71.0, but the cli is doing fine until I upgrade the azure native package to 1.103.

…

On Fri, 14 Jul 2023 at 01:15, Justin Van Patten ***@***.***> wrote: @rexebin <https://github.com/rexebin> what version of the Pulumi CLI are you using? @zlepper <https://github.com/zlepper> same, what version of the Pulumi CLI are you using? The issue sounds like it could be pulumi/pulumi#12848 <pulumi/pulumi#12848>, which was fixed in v3.72.0 on 6/15. Are you still hitting this using the latest version of the CLI (as of today v3.75.0)? — Reply to this email directly, view it on GitHub <#2505 (comment)>, or unsubscribe <https://github.com/notifications/unsubscribe-auth/ACTDVB73K7VTQBCBOWKSBRTXQCFQPANCNFSM6AAAAAAY7Q3QMM> . You are receiving this because you were mentioned.Message ID: ***@***.***>

[teto]

I see something similar since using native for resource groups, which is quite annoying since it contains all the other resources xD

The typescript code:

// 'location' is set in azure stack
export const deploy = () => {
  const config = new pulumi.Config();
  const environment = config.require("environment");

  // must be unique globally
  const storageAccountName = `storageaccount${environment}`

  // to ease right management with principal, resource group is already created
  const resourceGroupName= `gitlab-ci-${environment}`;

  // pulumi.log.info(`Creating resource group ${resourceGroupName}`)
  const resourceGroup = new azure_native.resources.ResourceGroup(resourceGroupName, {
      resourceGroupName: resourceGroupName
  });
  ...

the output of pulumi up

    pulumi:pulumi:Stack                      ci-azure-infra-dev                  5 warnings
 +   ├─ azure-native:resources:ResourceGroup  gitlab-ci-dev            create     1 message
 +   ├─ azure-native:storage:StorageAccount   storageaccountdev  create     
 +   └─ azure-native:storage:BlobContainer    blobcontainer            create     

Diagnostics:
  azure-native:resources:ResourceGroup (gitlab-ci-dev):
    Created resource group 

  pulumi:pulumi:Stack (ci-azure-infra-dev):
    warning: using pulumi-language-nodejs from $PATH at /nix/store/b1009spvm0bafh8bx2v4zarsqih1acjw-pulumi-language-nodejs-3.90.1/bin/pulumi-language-nodejs
    warning: using pulumi-language-nodejs from $PATH at /nix/store/b1009spvm0bafh8bx2v4zarsqih1acjw-pulumi-language-nodejs-3.90.1/bin/pulumi-language-nodejs
    warning: using pulumi-resource-azure-native from $PATH at /nix/store/7vkmbki011kmv02rikqprdmvxsvqpv4c-pulumi-azure-native-2.13.0/bin/pulumi-resource-azure-native
    warning: using pulumi-resource-azure-native from $PATH at /nix/store/7vkmbki011kmv02rikqprdmvxsvqpv4c-pulumi-azure-native-2.13.0/bin/pulumi-resource-azure-native
    warning: resource plugin azure-native is expected to have version >=2.16.0, but has 2.13.0; the wrong version may be on your path, or this may be a bug in the plugin

Outputs:
  + bucketName       : output<string>
  + containerName    : output<string>
  + resourceGroupName: "gitlab-ci-dev"

Resources:
    + 3 to create
    1 unchanged

Do you want to perform this update? details
  pulumi:pulumi:Stack: (same)
    [urn=urn:pulumi:infra-dev::ci-azure::pulumi:pulumi:Stack::ci-azure-infra-dev]
    + azure-native:resources:ResourceGroup: (create)
        [urn=urn:pulumi:infra-dev::ci-azure::azure-native:resources:ResourceGroup::gitlab-ci-dev]
        [provider=urn:pulumi:infra-dev::ci-azure::pulumi:providers:azure-native::default_2_16_0::50fa100f-a8d0-409c-a141-5ac6248a4088]
        location         : "francecentral"
        resourceGroupName: "gitlab-ci-dev"
    + azure-native:storage:StorageAccount: (create)
        [urn=urn:pulumi:infra-dev::ci-azure::azure-native:storage:StorageAccount::storageaccountdev]
        [provider=urn:pulumi:infra-dev::ci-azure::pulumi:providers:azure-native::default_2_16_0::50fa100f-a8d0-409c-a141-5ac6248a4088]
        accountName          : "storageaccountdev"
        allowBlobPublicAccess: false
        allowSharedKeyAccess : true
        kind                 : "StorageV2"
        location             : "francecentral"
        resourceGroupName    : output<string>
        sku                  : {
            name: "Standard_LRS"
        }
    + azure-native:storage:BlobContainer: (create)
        [urn=urn:pulumi:infra-dev::ci-azure::azure-native:storage:BlobContainer::blobcontainer]
        [provider=urn:pulumi:infra-dev::ci-azure::pulumi:providers:azure-native::default_2_16_0::50fa100f-a8d0-409c-a141-5ac6248a4088]
        accountName      : output<string>
        containerName    : "blobcontainer"
        publicAccess     : "None"
        resourceGroupName: output<string>

    --outputs:--
  + bucketName       : output<string>
  + containerName    : output<string>
  + resourceGroupName: "gitlab-ci-dev"

The output of pulumi about

CLI          
Version      3.90.1
Go Version   go1.21.3
Go Compiler  gc

Host     
OS       nixos
Version  23.11 (Tapir)
Arch     x86_64