
Updating EKS.Cluster public_access_cidrs produces wrong preview #2247

@btuffreau


What happened?

Trying to update the public_access_cidrs for a Cluster produces a misleading preview that would lead to replacing an entire stack (assuming there but in fact does not.

Previewing update (dev):
     Type                              Name                 Plan        Info
     pulumi:pulumi:Stack               pulumi-dev
 ~   ├─ aws-native:eks:Cluster         eks-allowlist        update      [diff: ~resourcesVpcConfig]
 +-  ├─ aws-native:iam:OidcProvider    oidc-provider        replace     [diff: ~url]
 ~   ├─ aws-native:iam:Role            vpc-cni-role         update      [diff: ~assumeRolePolicyDocument]
 +-  ├─ pulumi:providers:kubernetes    kubernetes-provider  replace     [diff: ~kubeconfig]
 +-  └─ kubernetes:helm.sh/v3:Release  nginx-ingress        replace     [diff: +compat-allowNullValues,atomic,cleanupOnFail,dependencyUpdate,description,devel,disableCRDHooks,disableOpenapiValidation,disableWebhooks,forceUpdate,keyring,lint,name,postrender,recreatePods,renderSubchartNotes,replace,resetValues,reuseValues,skipAwait,skipCr

Resources:
    ~ 2 to update
    +-3 to replace
    5 changes. 39 unchanged

See the repro for details.

Example

Here's a simple repro https://github.com/btuffreau/pulumi-eks-allowlist-update

Output of pulumi about

Enter your passphrase to unlock config/secrets
    (set PULUMI_CONFIG_PASSPHRASE or PULUMI_CONFIG_PASSPHRASE_FILE to remember):
Enter your passphrase to unlock config/secrets
CLI
Version      3.171.0
Go Version   go1.24.3
Go Compiler  gc

Plugins
KIND      NAME          VERSION
resource  aws           6.67.0
resource  aws-native    1.28.0
resource  awsx          2.21.1
resource  docker        4.7.0
resource  docker-build  0.0.12
resource  kubernetes    4.21.1
language  python        3.171.0

Host
OS       darwin
Version  15.4.1
Arch     arm64

This project is written in python: executable='/Users/benjamin.tuffreau/Library/Caches/pypoetry/virtualenvs/pulumi-eks-allowlist-update-jQP7q1F8-py3.12/bin/python' version='3.12.7'

Current Stack: organization/pulumi/dev

TYPE                                                 URN
pulumi:pulumi:Stack                                  urn:pulumi:dev::pulumi::pulumi:pulumi:Stack::pulumi-dev
pulumi:providers:aws-native                          urn:pulumi:dev::pulumi::pulumi:providers:aws-native::awsn
pulumi:providers:awsx                                urn:pulumi:dev::pulumi::pulumi:providers:awsx::default_2_21_1
aws-native:iam:Role                                  urn:pulumi:dev::pulumi::aws-native:iam:Role::eks-role
aws-native:iam:Role                                  urn:pulumi:dev::pulumi::aws-native:iam:Role::nodes-role
awsx:ec2:Vpc                                         urn:pulumi:dev::pulumi::awsx:ec2:Vpc::vpc-repro-allowlist
pulumi:providers:aws                                 urn:pulumi:dev::pulumi::pulumi:providers:aws::default_6_66_3
aws:ec2/vpc:Vpc                                      urn:pulumi:dev::pulumi::awsx:ec2:Vpc$aws:ec2/vpc:Vpc::vpc-repro-allowlist
aws:ec2/subnet:Subnet                                urn:pulumi:dev::pulumi::awsx:ec2:Vpc$aws:ec2/vpc:Vpc$aws:ec2/subnet:Subnet::vpc-repro-allowlist-private-1
aws:ec2/subnet:Subnet                                urn:pulumi:dev::pulumi::awsx:ec2:Vpc$aws:ec2/vpc:Vpc$aws:ec2/subnet:Subnet::vpc-repro-allowlist-private-2
aws:ec2/subnet:Subnet                                urn:pulumi:dev::pulumi::awsx:ec2:Vpc$aws:ec2/vpc:Vpc$aws:ec2/subnet:Subnet::vpc-repro-allowlist-private-3
aws:ec2/subnet:Subnet                                urn:pulumi:dev::pulumi::awsx:ec2:Vpc$aws:ec2/vpc:Vpc$aws:ec2/subnet:Subnet::vpc-repro-allowlist-public-2
aws:ec2/internetGateway:InternetGateway              urn:pulumi:dev::pulumi::awsx:ec2:Vpc$aws:ec2/vpc:Vpc$aws:ec2/internetGateway:InternetGateway::vpc-repro-allowlist
aws:ec2/subnet:Subnet                                urn:pulumi:dev::pulumi::awsx:ec2:Vpc$aws:ec2/vpc:Vpc$aws:ec2/subnet:Subnet::vpc-repro-allowlist-public-1
aws:ec2/subnet:Subnet                                urn:pulumi:dev::pulumi::awsx:ec2:Vpc$aws:ec2/vpc:Vpc$aws:ec2/subnet:Subnet::vpc-repro-allowlist-public-3
aws:ec2/routeTable:RouteTable                        urn:pulumi:dev::pulumi::awsx:ec2:Vpc$aws:ec2/vpc:Vpc$aws:ec2/subnet:Subnet$aws:ec2/routeTable:RouteTable::vpc-repro-allowlist-private-1
aws:ec2/routeTable:RouteTable                        urn:pulumi:dev::pulumi::awsx:ec2:Vpc$aws:ec2/vpc:Vpc$aws:ec2/subnet:Subnet$aws:ec2/routeTable:RouteTable::vpc-repro-allowlist-private-2
aws:ec2/routeTable:RouteTable                        urn:pulumi:dev::pulumi::awsx:ec2:Vpc$aws:ec2/vpc:Vpc$aws:ec2/subnet:Subnet$aws:ec2/routeTable:RouteTable::vpc-repro-allowlist-private-3
aws:ec2/routeTable:RouteTable                        urn:pulumi:dev::pulumi::awsx:ec2:Vpc$aws:ec2/vpc:Vpc$aws:ec2/subnet:Subnet$aws:ec2/routeTable:RouteTable::vpc-repro-allowlist-public-2
aws:ec2/eip:Eip                                      urn:pulumi:dev::pulumi::awsx:ec2:Vpc$aws:ec2/vpc:Vpc$aws:ec2/subnet:Subnet$aws:ec2/eip:Eip::vpc-repro-allowlist-2
aws:ec2/routeTable:RouteTable                        urn:pulumi:dev::pulumi::awsx:ec2:Vpc$aws:ec2/vpc:Vpc$aws:ec2/subnet:Subnet$aws:ec2/routeTable:RouteTable::vpc-repro-allowlist-public-1
aws:ec2/eip:Eip                                      urn:pulumi:dev::pulumi::awsx:ec2:Vpc$aws:ec2/vpc:Vpc$aws:ec2/subnet:Subnet$aws:ec2/eip:Eip::vpc-repro-allowlist-1
aws:ec2/eip:Eip                                      urn:pulumi:dev::pulumi::awsx:ec2:Vpc$aws:ec2/vpc:Vpc$aws:ec2/subnet:Subnet$aws:ec2/eip:Eip::vpc-repro-allowlist-3
aws:ec2/routeTable:RouteTable                        urn:pulumi:dev::pulumi::awsx:ec2:Vpc$aws:ec2/vpc:Vpc$aws:ec2/subnet:Subnet$aws:ec2/routeTable:RouteTable::vpc-repro-allowlist-public-3
aws:ec2/natGateway:NatGateway                        urn:pulumi:dev::pulumi::awsx:ec2:Vpc$aws:ec2/vpc:Vpc$aws:ec2/subnet:Subnet$aws:ec2/natGateway:NatGateway::vpc-repro-allowlist-2
aws:ec2/routeTableAssociation:RouteTableAssociation  urn:pulumi:dev::pulumi::awsx:ec2:Vpc$aws:ec2/vpc:Vpc$aws:ec2/subnet:Subnet$aws:ec2/routeTable:RouteTable$aws:ec2/routeTableAssociation:RouteTableAssociation::vpc-repro-allowlist-private-2
aws:ec2/routeTableAssociation:RouteTableAssociation  urn:pulumi:dev::pulumi::awsx:ec2:Vpc$aws:ec2/vpc:Vpc$aws:ec2/subnet:Subnet$aws:ec2/routeTable:RouteTable$aws:ec2/routeTableAssociation:RouteTableAssociation::vpc-repro-allowlist-private-3
aws:ec2/routeTableAssociation:RouteTableAssociation  urn:pulumi:dev::pulumi::awsx:ec2:Vpc$aws:ec2/vpc:Vpc$aws:ec2/subnet:Subnet$aws:ec2/routeTable:RouteTable$aws:ec2/routeTableAssociation:RouteTableAssociation::vpc-repro-allowlist-public-2
aws:ec2/routeTableAssociation:RouteTableAssociation  urn:pulumi:dev::pulumi::awsx:ec2:Vpc$aws:ec2/vpc:Vpc$aws:ec2/subnet:Subnet$aws:ec2/routeTable:RouteTable$aws:ec2/routeTableAssociation:RouteTableAssociation::vpc-repro-allowlist-private-1
aws:ec2/route:Route                                  urn:pulumi:dev::pulumi::awsx:ec2:Vpc$aws:ec2/vpc:Vpc$aws:ec2/subnet:Subnet$aws:ec2/routeTable:RouteTable$aws:ec2/route:Route::vpc-repro-allowlist-public-2
aws:ec2/routeTableAssociation:RouteTableAssociation  urn:pulumi:dev::pulumi::awsx:ec2:Vpc$aws:ec2/vpc:Vpc$aws:ec2/subnet:Subnet$aws:ec2/routeTable:RouteTable$aws:ec2/routeTableAssociation:RouteTableAssociation::vpc-repro-allowlist-public-1
aws:ec2/natGateway:NatGateway                        urn:pulumi:dev::pulumi::awsx:ec2:Vpc$aws:ec2/vpc:Vpc$aws:ec2/subnet:Subnet$aws:ec2/natGateway:NatGateway::vpc-repro-allowlist-1
aws:ec2/route:Route                                  urn:pulumi:dev::pulumi::awsx:ec2:Vpc$aws:ec2/vpc:Vpc$aws:ec2/subnet:Subnet$aws:ec2/routeTable:RouteTable$aws:ec2/route:Route::vpc-repro-allowlist-public-1
aws:ec2/route:Route                                  urn:pulumi:dev::pulumi::awsx:ec2:Vpc$aws:ec2/vpc:Vpc$aws:ec2/subnet:Subnet$aws:ec2/routeTable:RouteTable$aws:ec2/route:Route::vpc-repro-allowlist-public-3
aws:ec2/routeTableAssociation:RouteTableAssociation  urn:pulumi:dev::pulumi::awsx:ec2:Vpc$aws:ec2/vpc:Vpc$aws:ec2/subnet:Subnet$aws:ec2/routeTable:RouteTable$aws:ec2/routeTableAssociation:RouteTableAssociation::vpc-repro-allowlist-public-3
aws:ec2/natGateway:NatGateway                        urn:pulumi:dev::pulumi::awsx:ec2:Vpc$aws:ec2/vpc:Vpc$aws:ec2/subnet:Subnet$aws:ec2/natGateway:NatGateway::vpc-repro-allowlist-3
aws:ec2/route:Route                                  urn:pulumi:dev::pulumi::awsx:ec2:Vpc$aws:ec2/vpc:Vpc$aws:ec2/subnet:Subnet$aws:ec2/routeTable:RouteTable$aws:ec2/route:Route::vpc-repro-allowlist-private-2
aws:ec2/route:Route                                  urn:pulumi:dev::pulumi::awsx:ec2:Vpc$aws:ec2/vpc:Vpc$aws:ec2/subnet:Subnet$aws:ec2/routeTable:RouteTable$aws:ec2/route:Route::vpc-repro-allowlist-private-1
aws:ec2/route:Route                                  urn:pulumi:dev::pulumi::awsx:ec2:Vpc$aws:ec2/vpc:Vpc$aws:ec2/subnet:Subnet$aws:ec2/routeTable:RouteTable$aws:ec2/route:Route::vpc-repro-allowlist-private-3
pulumi:providers:pulumi                              urn:pulumi:dev::pulumi::pulumi:providers:pulumi::default
aws-native:eks:Cluster                               urn:pulumi:dev::pulumi::aws-native:eks:Cluster::eks-allowlist
aws-native:iam:OidcProvider                          urn:pulumi:dev::pulumi::aws-native:iam:OidcProvider::oidc-provider
pulumi:providers:kubernetes                          urn:pulumi:dev::pulumi::pulumi:providers:kubernetes::kubernetes-provider
aws-native:eks:Nodegroup                             urn:pulumi:dev::pulumi::aws-native:eks:Nodegroup::eksNodegroup
aws-native:iam:Role                                  urn:pulumi:dev::pulumi::aws-native:iam:Role::vpc-cni-role
kubernetes:helm.sh/v3:Release                        urn:pulumi:dev::pulumi::kubernetes:helm.sh/v3:Release::nginx-ingress
aws-native:eks:Addon                                 urn:pulumi:dev::pulumi::aws-native:eks:Addon::vpc-cni-addon


Found no pending operations associated with dev

Backend
Name           PLARYX2WQG54H
URL            file://~
User           benjamin.tuffreau
Organizations
Token type     personal

Dependencies:
NAME               VERSION
mypy               1.15.0
pulumi_aws_native  1.28.0
pulumi_awsx        2.21.1
pulumi_kubernetes  4.21.1

Additional context

No response

Contributing

Vote on this issue by adding a 👍 reaction.
To contribute a fix for this issue, leave a comment (and link to your pull request, if you've opened one already).

Metadata


    Labels

    area/preview
    impact/usability: Something that impacts users' ability to use the product easily and intuitively
    kind/bug: Some behavior is incorrect or out of spec
