Description
Opened on Feb 15, 2023
What happened?
I'm trying to import existing Az resources, such as StorageAccount.
They import fine but contain a lot of default properties values that I would like to remove.
No matter what I tried (removing from code, using pulumi refresh, editing state manually) I can't make Pulumi think there is no diff.
Even if the diff is harmless, Pulumi wants to drop and recreate the Resource Group, which is not an option.
Expected Behavior
I would like my imported resources to end up in the same "state" as a newly created one, with only the properties that are relevant to me.
Steps to reproduce
Here's how I'm creating a new StorageAccount (that works):
    var rg = ResourceGroup.Get("rg", "****");
    var storage1 = new StorageAccount("storage-new", new()
    {
        ResourceGroupName = rg.Name,
        AccountName = "test-new-storage",
        Kind = Kind.StorageV2,
        Sku = new SkuArgs { Name = SkuName.Standard_GRS },
    });
It's created ok. Moreover if I run pulumi refresh or pulumi up, there's no diff.
Aside: ARM has a different default than Azure Portal UI (this is documented in MSDN). Its minimum TLS version is 1.0 (Portal: 1.2), which isn't great security-wise. Terraform overrides this with a default of 1.2 and maybe Pulumi should do the same?
Now I would like to import an existing StorageAccount, ideally with a similar set of explicitly set properties.
    var storage = new StorageAccount("storage", new()
    {
        ResourceGroupName = rg.Name,
        AccountName = "****",
        Kind = Kind.StorageV2,
        Sku = new SkuArgs { Name = SkuName.Standard_GRS },
        MinimumTlsVersion = MinimumTlsVersion.TLS1_2,
    },
    new()
    {
        ImportId = "/subscriptions/****/resourceGroups/****/providers/Microsoft.Storage/storageAccounts/****"
    });
That import fails because inputs to import do not match the existing resource, although all inputs above match.
When I look at the diff, it tells me many properties are missing:
    - accessTier : "Hot"
    - allowBlobPublicAccess : false
    - allowSharedKeyAccess : true
    - enableHttpsTrafficOnly: true
    - enableNfsV3 : false
    - encryption : {
        - keySource: "Microsoft.Storage"
        - services : {
            - blob: {
                - enabled: true
                - keyType: "Account"
            - }
            - file: {
                - enabled: true
                - keyType: "Account"
            - }
        - }
    - }
    - identity : {
        - type: "None"
    - }
    - isHnsEnabled : false
    - networkRuleSet : {
        - bypass : "AzureServices"
        - defaultAction: "Allow"
    - }
If we focus on accessTier for example, this is the default value that is also set in the StorageAccount I created above.
Of course, I can do an import without code and it works. The generated code contains all properties above and everything is ok (pulumi up shows no diff).
Yet if I try to remove the properties from code, Pulumi wants to re-create the StorageAccount again. Even if I delete the inputs from the state file as well!
I've tried many things but for the life of me I can't reduce the set of properties in C# without re-creating the account.
For reference, here's the state:
{
"urn": "urn:pulumi:dev::****::azure-native:storage:StorageAccount::storage",
"custom": true,
"id": "/subscriptions/****/resourceGroups/****/providers/Microsoft.Storage/storageAccounts/****",
"type": "azure-native:storage:StorageAccount",
"inputs": {
"accessTier": "Hot",
"accountName": "****",
"allowBlobPublicAccess": false,
"allowSharedKeyAccess": true,
"enableHttpsTrafficOnly": true,
"enableNfsV3": false,
"encryption": {
"keySource": "Microsoft.Storage",
"services": {
"blob": {
"enabled": true,
"keyType": "Account"
},
"file": {
"enabled": true,
"keyType": "Account"
}
}
},
"identity": {
"type": "None"
},
"isHnsEnabled": false,
"kind": "StorageV2",
"location": "****",
"minimumTlsVersion": "TLS1_2",
"networkRuleSet": {
"bypass": "AzureServices",
"defaultAction": "Allow"
},
"resourceGroupName": "rg",
"sku": {
"name": "Standard_GRS"
}
},
"outputs": {
"__inputs": {
"4dabf18193072939515e22adb298388d": "1b47061264138c4ac30d75fd1eb44270",
"ciphertext": "v1:HJUGKBePF/lFyZBm:wDvKEnWFv46CX+5UImNJuVIXdiNJoVPwNVd7Wt1FdnukAzgmmI/+9W8c2IiZ1c/G5fZX211ZcKb9RTkAZw1nGV0CLAa5SprHyhAEHILUco+mihvEj5uthc/JOgwaZYVQRAVRqtJiGuOJ4rfN8EFdWm0AhRi8mQ36mRBL0lJ1HJtDkVfYOoizcxhTaILJ9W6ftrPgwQ5DEt+6FfOK0GiNGpabkYjruu7aTE4z8yZc/bDQsyBaSsRJz4kboaoppVscpHdHO5p3v8Jn3k4eNmrrPWidMpP3Ajf1Cl6UraS/yned3VMPmcMWT0r+KYZiv9AyqOTNHcodaSvvgCGmTCK93ApO5nLSw+QLs3ndD5w6wwayrInyeGx1uwaSPJNIkl/smnSrdtRiUbRk5g0utYpnw9SZ7p6NfhbTtVcH0mwb7Ek9TVFEQeVi+t0wVKgxqs/FrZGT1hQt+A/OidE5Fuyem4ajW3o2Pw0+eSLnmJ+HebfaUpN5+V6UIROMU6ymHobq1hb0RByTaHR5TzK3eUI+o7WgFrz+GqWqFJUDfCKcO7H8yU68uInTRXKqb2UWTbRuwaQrL1G03D2Zx7HplsNHRLxwNNYiXXP8/F7ebts9SBptmElH7IVkwtOe261tBt6Rv6yQHLpLtegraQJc+n+rOS3hyMndvVg0zxpEMWxzXVQXXt5/LfKTug8exvxrtrIq4h5LCyZsTBxUAFG/y1/JvszH8EHJe20SGvm+eO088BCTgMa/EOIbNxEdULbMb1pDvFFIkDd213OUflD3Vg533i76+v2GsasbLrNNZgRNbuuUt1vCCZryuv6pCBMjm9E="
},
"accessTier": "Hot",
"allowBlobPublicAccess": false,
"allowSharedKeyAccess": true,
"creationTime": "2022-11-24T09:21:06.2300695Z",
"enableHttpsTrafficOnly": true,
"enableNfsV3": false,
"encryption": {
"keySource": "Microsoft.Storage",
"services": {
"blob": {
"enabled": true,
"keyType": "Account",
"lastEnabledTime": "2022-11-24T09:21:06.4494551Z"
},
"file": {
"enabled": true,
"keyType": "Account",
"lastEnabledTime": "2022-11-24T09:21:06.4494551Z"
}
}
},
"id": "/subscriptions/****/resourceGroups/****/providers/Microsoft.Storage/storageAccounts/****",
"identity": {
"type": "None"
},
"isHnsEnabled": false,
"keyCreationTime": {
"key1": "2022-11-24T09:21:06.4332126Z",
"key2": "2022-11-24T09:21:06.4332126Z"
},
"kind": "StorageV2",
"location": "****",
"minimumTlsVersion": "TLS1_2",
"name": "****",
"networkRuleSet": {
"bypass": "AzureServices",
"defaultAction": "Allow",
"ipRules": [],
"virtualNetworkRules": []
},
"primaryEndpoints": {
"blob": "https://****.blob.core.windows.net/",
"dfs": "https://****.dfs.core.windows.net/",
"file": "https://****.file.core.windows.net/",
"queue": "https://****.queue.core.windows.net/",
"table": "https://****.table.core.windows.net/",
"web": "https://****.web.core.windows.net/"
},
"primaryLocation": "****",
"privateEndpointConnections": [
{
"id": "/subscriptions/****/resourceGroups/****/providers/Microsoft.Storage/storageAccounts/****/privateEndpointConnections/****",
"name": "****",
"privateEndpoint": {
"id": "/subscriptions/****/resourceGroups/****/providers/Microsoft.Network/privateEndpoints/****"
},
"privateLinkServiceConnectionState": {
"actionRequired": "None",
"description": "Auto-Approved",
"status": "Approved"
},
"provisioningState": "Succeeded",
"type": "Microsoft.Storage/storageAccounts/privateEndpointConnections"
}
],
"provisioningState": "Succeeded",
"secondaryLocation": "****",
"sku": {
"name": "Standard_GRS",
"tier": "Standard"
},
"statusOfPrimary": "available",
"statusOfSecondary": "available",
"type": "Microsoft.Storage/storageAccounts"
},
"parent": "urn:pulumi:dev::****::pulumi:pulumi:Stack::****",
"dependencies": [
"urn:pulumi:dev::****::azure-native:resources:ResourceGroup::rg"
],
"provider": "urn:pulumi:dev::****::pulumi:providers:azure-native::default_1_94_0::839072c1-6496-40f5-b66b-dab75e07611a",
"propertyDependencies": {
"accessTier": null,
"accountName": null,
"allowBlobPublicAccess": null,
"allowSharedKeyAccess": null,
"enableHttpsTrafficOnly": null,
"enableNfsV3": null,
"encryption": null,
"identity": null,
"isHnsEnabled": null,
"kind": null,
"minimumTlsVersion": null,
"networkRuleSet": null,
"resourceGroupName": [
"urn:pulumi:dev::****::azure-native:resources:ResourceGroup::rg"
],
"sku": null,
"tags": null
},
"importID": "/subscriptions/****/resourceGroups/****/providers/Microsoft.Storage/storageAccounts/****"
}
Even if I remove the extra inputs from the state (with export/import), the code still complains about differences, although it says I removed a null property, such as: -accessTier: null.
Output of pulumi about
CLI
Version 3.54.0
Go Version go1.20
Go Compiler gc
Plugins
NAME VERSION
azure-native 1.94.0
dotnet unknown
Host
OS Microsoft Windows 10 Enterprise
Version 10.0.19044 Build 19044
Arch x86_64
This project is written in dotnet: executable='C:\Program Files\dotnet\dotnet.exe' version='7.0.102'
Current Stack: ***
TYPE URN
pulumi:pulumi:Stack urn:pulumi:***::****::pulumi:pulumi:Stack::****
pulumi:providers:azure-native urn:pulumi:***::****::pulumi:providers:azure-native::default_1_94_0
azure-native:resources:ResourceGroup urn:pulumi:***::****::azure-native:resources:ResourceGroup::rg
azure-native:storage:StorageAccount urn:pulumi:***::****::azure-native:storage:StorageAccount::storage-new
azure-native:storage:StorageAccount urn:pulumi:***::****::azure-native:storage:StorageAccount::storage
Found no pending operations associated with ***
Backend
Name ****
URL file://.
User ****
Organizations
Dependencies:
NAME VERSION
Pulumi 3.53.0
Pulumi.AzureNative 1.94.0
Pulumi locates its logs in ***** by default
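Added example, not part of the original issue and not Pulumi's own code: a small audit over the `inputs` blocks of a stack export, reporting which security-relevant StorageAccount properties are not pinned in the inputs (and so are left to the provider or ARM default, which is what the aside about `minimumTlsVersion` is concerned with) and which are pinned to a weaker value. The `POLICY` values, the `deployment.resources` wrapper around the resource entry shown above, and the sample resources are assumptions constructed for illustration.

```python
# Assumed policy for this example: input property -> value it must be pinned to.
POLICY = {
    "minimumTlsVersion": "TLS1_2",
    "enableHttpsTrafficOnly": True,
    "allowBlobPublicAccess": False,
    "networkRuleSet.defaultAction": "Deny",
}
STORAGE_TYPE = "azure-native:storage:StorageAccount"
_MISSING = object()

def lookup(obj, dotted):
    """Walk a dotted path through nested dicts; _MISSING if any key is absent."""
    for key in dotted.split("."):
        if not isinstance(obj, dict) or key not in obj:
            return _MISSING
        obj = obj[key]
    return obj

def audit(export):
    """Return sorted (resource name, property, finding) tuples for storage accounts."""
    findings = []
    for res in export.get("deployment", {}).get("resources", []):
        if res.get("type") != STORAGE_TYPE:
            continue
        name = res["urn"].rsplit("::", 1)[-1]   # last URN segment is the logical name
        inputs = res.get("inputs", {})
        for prop, wanted in POLICY.items():
            value = lookup(inputs, prop)
            if value is _MISSING:
                findings.append((name, prop, "unpinned"))   # default applies
            elif value != wanted:
                findings.append((name, prop, f"weak: {value!r}"))
    return sorted(findings)

# Constructed sample modelled on the two accounts in the issue (names are placeholders).
URN = "urn:pulumi:dev::proj::"
SAMPLE = {"deployment": {"resources": [
    {"urn": URN + "azure-native:resources:ResourceGroup::rg",
     "type": "azure-native:resources:ResourceGroup", "inputs": {}},
    {"urn": URN + STORAGE_TYPE + "::storage-new", "type": STORAGE_TYPE,
     "inputs": {"accountName": "example-new", "kind": "StorageV2",
                "resourceGroupName": "rg", "sku": {"name": "Standard_GRS"}}},
    {"urn": URN + STORAGE_TYPE + "::storage", "type": STORAGE_TYPE,
     "inputs": {"minimumTlsVersion": "TLS1_2", "enableHttpsTrafficOnly": True,
                "allowBlobPublicAccess": False,
                "networkRuleSet": {"bypass": "AzureServices", "defaultAction": "Allow"}}},
]}}

if __name__ == "__main__":
    for finding in audit(SAMPLE):
        print(*finding, sep="\t")
```

To run it against a real stack, load the JSON written by `pulumi stack export` and pass the resulting dict to `audit`.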