Azure DB for PostgreSQL flexible server resource being replaced after pulumi import #3139

Open
mpftesta0 opened this issue Mar 7, 2024 · 2 comments
Labels
area/import kind/bug Some behavior is incorrect or out of spec

@mpftesta0

What happened?

I am importing an existing postgres database Azure resource into pulumi. After copying and pasting the code as-is, I get an error:

error: unable to replace resource "urn:pulumi:production::project-name::azure-native:dbforpostgresql:Server::resource-name"
as it is currently marked for protection. To unprotect the resource, remove the protect flag from the resource in your Pulumi program and run pulumi up

There are no changes to the config that pulumi output. To experiment, I turned the protect flag into false. And I got a diff (see example).

As a follow-up question, will a diff like this actually delete and replace my postgres instance in Azure?

Example

  1. Manually create a postgres server in azure portal. Below is the resource json:
{
    "sku": {
        "name": "Standard_D4ads_v5",
        "tier": "GeneralPurpose"
    },
    "systemData": {
        "createdAt": "2024-03-03T02:46:49.2360793Z"
    },
    "properties": {
        "authConfig": {
            "activeDirectoryAuth": "Disabled",
            "passwordAuth": "Enabled"
        },
        "dataEncryption": {
            "type": "SystemManaged"
        },
        "fullyQualifiedDomainName": "resource-name.postgres.database.azure.com",
        "version": "16",
        "minorVersion": "0",
        "administratorLogin": "postgres",
        "state": "Ready",
        "storage": {
            "storageSizeGB": 128
        },
        "backup": {
            "backupRetentionDays": 7,
            "geoRedundantBackup": "Disabled",
            "earliestRestoreDate": "2024-03-03T02:51:26.1585511+00:00"
        },
        "network": {
            "publicNetworkAccess": "Disabled",
            "delegatedSubnetResourceId": "/subscriptions/24435b08-1dbe-4a8e-8cb0-f9508a89bbda/resourceGroups/resource-group/providers/Microsoft.Network/virtualNetworks/resource-vnet/subnets/default",
            "privateDnsZoneArmResourceId": "/subscriptions/24435b08-1dbe-4a8e-8cb0-f9508a89bbda/resourceGroups/resource-group/providers/Microsoft.Network/privateDnsZones/resource-name.private.postgres.database.azure.com"
        },
        "highAvailability": {
            "mode": "Disabled",
            "state": "NotEnabled"
        },
        "maintenanceWindow": {
            "customWindow": "Disabled",
            "dayOfWeek": 0,
            "startHour": 0,
            "startMinute": 0
        },
        "replicationRole": "Primary",
        "replicaCapacity": 5
    },
    "location": "West US",
    "tags": {
        "creation-mechanism": "manual",
        "environment": "production"
    },
    "id": "/subscriptions/24435b08-1dbe-4a8e-8cb0-f9508a89bbda/resourceGroups/resource-group/providers/Microsoft.DBforPostgreSQL/flexibleServers/resource-name",
    "name": "resource-name",
    "type": "Microsoft.DBforPostgreSQL/flexibleServers"
}
  2. Run pulumi import
pulumi import azure-native:dbforpostgresql:Server justvent-postgres-production /subscriptions/24435b08-1dbe-4a8e-8cb0-f9508a89bbda/resourceGroups/resource-group/providers/Microsoft.DBforPostgreSQL/flexibleServers/resource-name
  3. Copy and paste generated code
import * as pulumi from "@pulumi/pulumi";
import * as azure_native from "@pulumi/azure-native";

const resource_name = new azure_native.dbforpostgresql.Server("resource-name", {
    administratorLogin: "postgres",
    authConfig: {
        activeDirectoryAuth: "Disabled",
        passwordAuth: "Enabled",
    },
    backup: {
        backupRetentionDays: 7,
        geoRedundantBackup: "Disabled",
    },
    dataEncryption: {
        type: "SystemManaged",
    },
    highAvailability: {
        mode: "Disabled",
    },
    location: "West US",
    maintenanceWindow: {
        customWindow: "Disabled",
        dayOfWeek: 0,
        startHour: 0,
        startMinute: 0,
    },
    network: {
        delegatedSubnetResourceId: "/subscriptions/24435b08-1dbe-4a8e-8cb0-f9508a89bbda/resourceGroups/resource-group/providers/Microsoft.Network/virtualNetworks/resource-vnet/subnets/default",
        privateDnsZoneArmResourceId: "/subscriptions/24435b08-1dbe-4a8e-8cb0-f9508a89bbda/resourceGroups/resource-group/providers/Microsoft.Network/privateDnsZones/resource-name.private.postgres.database.azure.com",
    },
    replicationRole: "Primary",
    resourceGroupName: "resource-group",
    serverName: "resource-name",
    sku: {
        name: "Standard_D4ads_v5",
        tier: "GeneralPurpose",
    },
    storage: {
        storageSizeGB: 128,
    },
    tags: {
        "creation-mechanism": "manual",
        environment: "production",
    },
    version: "16",
}, {
    protect: true,
});
  4. Run pulumi preview. This gets the following error:
error: unable to replace resource "urn:pulumi:production::project-name::azure-native:dbforpostgresql:Server::resource-name"
    as it is currently marked for protection. To unprotect the resource, remove the `protect` flag from the resource in your Pulumi program and run `pulumi up`
  5. Set the protect flag to false.
  6. Rerun pulumi preview. There is a diff that shows:
 pulumi:pulumi:Stack: (same)
    [urn=urn:pulumi:production::justvent-infrastructure::pulumi:pulumi:Stack::stack-name]
    --azure-native:dbforpostgresql:Server: (delete-replaced) 🔒
        [id=/subscriptions/24435b08-1dbe-4a8e-8cb0-f9508a89bbda/resourceGroups/resource-group/providers/Microsoft.DBforPostgreSQL/flexibleServers/resource-name]
        [urn=urn:pulumi:production::project-name::azure-native:dbforpostgresql:Server::resource-name]
        [provider=urn:pulumi:production::project-name::pulumi:providers:azure-native::default_2_30_0::61d6825f-dd99-477e-86de-b2120bb7693f]
    +-azure-native:dbforpostgresql:Server: (replace) 🔓
        [id=/subscriptions/24435b08-1dbe-4a8e-8cb0-f9508a89bbda/resourceGroups/resource-group/providers/Microsoft.DBforPostgreSQL/flexibleServers/resource-name]
        [urn=urn:pulumi:production::project-name::azure-native:dbforpostgresql:Server::resource-name]
        [provider=urn:pulumi:production::project-name::pulumi:providers:azure-native::default_2_30_0::61d6825f-dd99-477e-86de-b2120bb7693f]
      ~ authConfig      : {
          + tenantId: ""
        }
      + availabilityZone: ""
      ~ highAvailability: {
          + standbyAvailabilityZone: ""
        }
    ++azure-native:dbforpostgresql:Server: (create-replacement) 🔓
        [id=/subscriptions/9d118ba2-2e76-4959-88d1-ed0859747dff/resourceGroups/resource-group/providers/Microsoft.DBforPostgreSQL/flexibleServers/resource-name]
        [urn=urn:pulumi:production::project-name::azure-native:dbforpostgresql:Server::resource-name]
        [provider=urn:pulumi:production::project-name::pulumi:providers:azure-native::default_2_30_0::61d6825f-dd99-477e-86de-b2120bb7693f]
      ~ authConfig      : {
          + tenantId: ""
        }
      + availabilityZone: ""
      ~ highAvailability: {
          + standbyAvailabilityZone: ""
        }

Output of pulumi about

CLI
Version 3.108.1
Go Version go1.22.0
Go Compiler gc

Plugins
NAME VERSION
nodejs unknown

Host
OS darwin
Version 14.3.1
Arch arm64

Additional context

No response

Contributing

Vote on this issue by adding a 👍 reaction.
To contribute a fix for this issue, leave a comment (and link to your pull request, if you've opened one already).

@mpftesta0 mpftesta0 added kind/bug Some behavior is incorrect or out of spec needs-triage Needs attention from the triage team labels Mar 7, 2024
@mpftesta0
Author

Current workaround: ignore authConfig, availabilityZone and highAvailability in changes:

const postgres = new azure_native.dbforpostgresql.Server(
  "resource-name",
  {
    // ...resource config
  },
  {
    protect: true,
    ignoreChanges: ["authConfig", "availabilityZone", "highAvailability"],
  }
);

Workaround inspired by comments in pulumi/pulumi-aws#2426
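
The preview in this report lists only keys added with an empty string (tenantId, availabilityZone, standbyAvailabilityZone) as the differences behind the replace. The following is an added example, not code from the issue or from Pulumi: a TypeScript check that separates such empty-string additions from real changes between two input objects. The function names and the two sample objects are constructed for illustration.

```typescript
// Added example: classify differences between imported and planned inputs.
type Json = string | number | boolean | null | Json[] | { [key: string]: Json };

interface DiffReport {
  emptyAdds: string[];   // paths present only in the new inputs, with value ""
  realChanges: string[]; // every other difference
}

function isObject(v: Json | undefined): v is { [key: string]: Json } {
  return typeof v === "object" && v !== null && !Array.isArray(v);
}

function classifyDiff(
  oldIn: Json | undefined,
  newIn: Json | undefined,
  path: string = "",
  report: DiffReport = { emptyAdds: [], realChanges: [] }
): DiffReport {
  if (isObject(oldIn) && isObject(newIn)) {
    const o = oldIn;
    const n = newIn;
    const added = Object.keys(n).filter((k) => !(k in o));
    for (const key of Object.keys(o).concat(added).sort()) {
      classifyDiff(o[key], n[key], path ? `${path}.${key}` : key, report);
    }
  } else if (oldIn === undefined && newIn === "") {
    report.emptyAdds.push(path);
  } else if (JSON.stringify(oldIn) !== JSON.stringify(newIn)) {
    report.realChanges.push(path);
  }
  return report;
}

// True only when every difference is an empty-string addition.
function isDefaultOnlyDiff(report: DiffReport): boolean {
  return report.emptyAdds.length > 0 && report.realChanges.length === 0;
}

// Constructed sample, trimmed from the inputs and preview shown in the issue.
const imported: Json = {
  authConfig: { activeDirectoryAuth: "Disabled", passwordAuth: "Enabled" },
  highAvailability: { mode: "Disabled" },
  version: "16",
};
const planned: Json = {
  authConfig: { activeDirectoryAuth: "Disabled", passwordAuth: "Enabled", tenantId: "" },
  availabilityZone: "",
  highAvailability: { mode: "Disabled", standbyAvailabilityZone: "" },
  version: "16",
};
const report = classifyDiff(imported, planned);
console.log(report.emptyAdds, isDefaultOnlyDiff(report));
```

Any path that lands in `realChanges` means the planned replace reflects an actual configuration difference and should be reviewed before `protect` is relaxed.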

@justinvp
Member

justinvp commented Mar 9, 2024

Glad you found a workaround. Since this looks specific to Azure Native, I'll move the issue to that repo.

@justinvp justinvp transferred this issue from pulumi/pulumi Mar 9, 2024
@mjeffryes mjeffryes added area/import and removed needs-triage Needs attention from the triage team labels Mar 12, 2024