pulumi: Previews do not reflect the resulting update

When running up, the preview is vastly different than the resulting update. For example, making a change to an annotation in a namespace is causing all resources that use that namespace to be previewed as needing a replacement.

In my particular example here we’re using the Kubernetes provider, but I’ve experienced this with GCP’s Cloud SQL and other resources as well.

About this issue

  • State: closed
  • Created 5 years ago
  • Comments: 17 (15 by maintainers)

Most upvoted comments

Just to include a few more details here - here’s a short repro:

import * as k8s from "@pulumi/kubernetes";

const myns = new k8s.core.v1.Namespace("myns", {
    metadata: {
        // annotations: {
        //     "something": "else",
        // }
    }
});

const mypod = new k8s.core.v1.Pod("mypod", {
    metadata: {
        namespace: myns.metadata.name,
    },
    spec: {
        containers: [{
            name: "nginx",
            image: "nginx",
        }]
    }
})

If the above is deployed, and then the annotation is commented back in, a pulumi preview --diff will show:

$ pulumi preview --diff
Previewing update (foo):
  pulumi:pulumi:Stack: (same)
    [urn=urn:pulumi:foo::kube537::pulumi:pulumi:Stack::kube537-foo]
    ~ kubernetes:core/v1:Namespace: (update)
        [id=myns-xwi3qjfl]
        [urn=urn:pulumi:foo::kube537::kubernetes:core/v1:Namespace::myns]
        [provider=urn:pulumi:foo::kube537::pulumi:providers:kubernetes::default_0_25_2::34243091-0311-4e09-82b1-dcaf5567049f]
      ~ metadata: {
          ~ annotations: {
              + something: "else"
            }
        }
    +-kubernetes:core/v1:Pod: (replace)
        [id=myns-xwi3qjfl/mypod-dz9cs62z]
        [urn=urn:pulumi:foo::kube537::kubernetes:core/v1:Pod::mypod]
        [provider=urn:pulumi:foo::kube537::pulumi:providers:kubernetes::default_0_25_2::34243091-0311-4e09-82b1-dcaf5567049f]
      ~ metadata: {
          - namespace: "myns-xwi3qjfl"
        }

This suggested “replace” of the Pod is clearly very bad. It’s conservative, but makes the preview something you can’t trust anymore. The formatting of the diff on the Pod is also confusing (it says the namespace is being removed - which it isn’t).

As noted above - one current workaround is to use PULUMI_ENABLE_LEGACY_APPLY which will produce:

$ PULUMI_ENABLE_LEGACY_APPLY=true pulumi preview --diff
Previewing update (foo):
  pulumi:pulumi:Stack: (same)
    [urn=urn:pulumi:foo::kube537::pulumi:pulumi:Stack::kube537-foo]

But we also need to ensure that the default experience is not overly conservative here and that preview remains useful in these cases.

The core to this is in passing back the information that namespace.metadata.name is “stable” - that is, immutable for a given namespace. I was sure we had an issue tracking this already - but for now we can use this issue to track this improvement that we want to make soon to improve the default experience here (without regressing the fundamental safety of previews).
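
A simplified model of the behaviour discussed in the comment above, added here as an illustration; it is not part of the original thread and is not Pulumi engine or provider code. All type and function names are hypothetical, and the model assumes that dependents see an updated resource's outputs as unknown during preview unless the provider marks them stable.

```typescript
// Simplified model of preview planning. All names are hypothetical;
// this is not Pulumi engine or provider code.
type Value = string | { unknown: true };
const UNKNOWN: Value = { unknown: true }; // not known until the update runs
type Op = "same" | "update" | "replace";
type Props = Record<string, Value>;

interface Spec {
  forcesReplace: Record<string, boolean>; // inputs whose change needs a replace
  stableOutputs: string[];                // outputs immutable for the resource's life
}
interface State { inputs: Props; outputs: Props; }

// Decide the operation by comparing old and new inputs.
function planOp(spec: Spec, old: State, next: Props): Op {
  let op: Op = "same";
  for (const key of Object.keys(old.inputs).concat(Object.keys(next))) {
    if (old.inputs[key] === next[key]) continue;
    // UNKNOWN never equals the old value, so the planner must assume a change.
    if (spec.forcesReplace[key]) return "replace";
    op = "update";
  }
  return op;
}

// Outputs that dependents see during preview.
function previewOutputs(spec: Spec, old: State, op: Op, honorStables: boolean): Props {
  const out: Props = {};
  for (const key of Object.keys(old.outputs)) {
    const keep = op === "same" || (honorStables && spec.stableOutputs.indexOf(key) !== -1);
    out[key] = keep ? old.outputs[key] : UNKNOWN;
  }
  return out;
}

// The repro: add an annotation to the Namespace, then plan the Pod.
function previewRepro(honorStables: boolean): { namespace: Op; pod: Op } {
  const nsSpec: Spec = { forcesReplace: {}, stableOutputs: ["metadata.name"] };
  const podSpec: Spec = { forcesReplace: { "metadata.namespace": true }, stableOutputs: [] };
  const nsOld: State = { inputs: {}, outputs: { "metadata.name": "myns-xwi3qjfl" } };
  const podOld: State = { inputs: { "metadata.namespace": "myns-xwi3qjfl" }, outputs: {} };

  const namespace = planOp(nsSpec, nsOld, { "metadata.annotations.something": "else" });
  const nsOut = previewOutputs(nsSpec, nsOld, namespace, honorStables);
  const pod = planOp(podSpec, podOld, { "metadata.namespace": nsOut["metadata.name"] });
  return { namespace, pod };
}
```

In this model `previewRepro(false)` plans the Pod as `replace`, as in the preview shown above, while `previewRepro(true)` plans it as `same` and still reports the Namespace as `update`.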

@pgavlin That would be my preference. I would expect preview to be a dry run, thus returning exactly the values that it would create. In fact, my personal opinion would be that the update should execute exactly what is done via the preview. Thus it shouldn’t recalculate twice. It already knows what it needs to do, and should execute those changes. But that’s just my opinion as a user.