Numeric field in aws.ecr.LifecyclePolicy policy json prevents changes from being detected

[samyoung17]

What happened?

We were able to create an aws.ecr.LifecyclePolicy that caused docker images to be retired when there are more than 10 in the ECR, however when we tried to reduce the number of images to store to 5, this was not reflected in AWS or the pulumi console when a pulumi up was triggered.

The presence of a numeric field in the selection field of a policy rule (e.g. rule.selection.countNumber), seems to prevent any changes in that selection object from being detected (e.g. changes to the rule.selection.tagPrefixList field). When we made it a string rule.selection.countNumber: '5', the change was detected by pulumi up diffing tool, however type validation failed when we tried to continue with the pulumi up workflow and actually persist the changes to AWS.

Steps to reproduce

First policy example is created successfully by a pulumi up command:

    new aws.ecr.LifecyclePolicy(
      `lifecycle-policy-name`,
      {
        repository: dockerRepository.id,
        policy: JSON.stringify({
          rules: [
            {
              rulePriority: 1,
              description:
                'A lifecycle policy for docker images',
              selection: {
                tagStatus: 'tagged',
                tagPrefixList: ['mytag'],
                countType: 'imageCountMoreThan',
                countNumber: 10,      // ORIGINAL FIELD
              },
              action: {
                type: 'expire',
              },
            },
          ],
        }),
      },
    );

Modified policy is not reflected by the next call to pulumi up:

    new aws.ecr.LifecyclePolicy(
      `lifecycle-policy-name`,
      {
        repository: dockerRepository.id,
        policy: JSON.stringify({
          rules: [
            {
              rulePriority: 1,
              description:
                'A lifecycle policy for docker images',
              selection: {
                tagStatus: 'tagged',
                tagPrefixList: ['mytag'],
                countType: 'imageCountMoreThan',
                countNumber: 5,    // CHANGED FIELD
              },
              action: {
                type: 'expire',
              },
            },
          ],
        }),
      },
    );

Expected Behavior

The second pulumi up call recognises a change to the policy, and persists the changes to pulumi and AWS.

Actual Behavior

No change is registered by the second pulumi up call, resulting in a silent failure in our CI jobs, making at appear that the change had been made without it actually happening in AWS.

Output of pulumi about

CLI          
Version      3.44.3
Go Version   go1.19.2
Go Compiler  gc

Plugins
NAME    VERSION
aws     4.33.0
docker  3.1.0
github  4.9.1
nodejs  unknown

Host     
OS       darwin
Version  12.4
Arch     arm64

This project is written in nodejs: executable='/Users/samyoung/.nvm/versions/node/v16.17.1/bin/node' version='v16.17.1'

Current Stack: octohydrogen/development

** REDACTED **

Found no pending operations associated with octohydrogen/development

Backend        
Name           pulumi.com
URL            https://app.pulumi.com/samyoung17
User           samyoung17
Organizations  samyoung17, octohydrogen

Dependencies:
NAME                              VERSION
eslint-config-prettier            8.3.0
eslint                            8.6.0
@pulumi/aws                       4.33.0
@pulumi/awsx                      0.30.0
@pulumi/pulumi                    3.27.0
@types/node                       14.18.2
@typescript-eslint/eslint-plugin  5.9.1
@typescript-eslint/parser         5.9.1
husky                             7.0.4
lint-staged                       12.1.7
prettier                          2.5.1
@pulumi/github                    4.9.1

Pulumi locates its logs in /var/folders/71/yh1m79c56q7bhz_gx6t_p7h00000gn/T/ by default
warning: A new version of Pulumi is available. To upgrade from version '3.44.3' to '3.46.1', run 
   $ brew upgrade pulumi
or visit https://pulumi.com/docs/reference/install/ for manual instructions and release notes.

Additional context

No response

Contributing

Vote on this issue by adding a 👍 reaction.
To contribute a fix for this issue, leave a comment (and link to your pull request, if you've opened one already).

[lblackstone]

Thanks for the report, @samyoung17.

I checked the AWS docs, and the countNumber should indeed be an integer.

I'm not sure why you aren't seeing a diff from changing the value. A couple things that you could try:

1. Rather than passing the policy as a string, you can use the input type.
   https://github.com/pulumi/pulumi-aws/blob/v4.33.0/sdk/nodejs/ecr/lifecyclePolicy.ts#L167
   https://github.com/pulumi/pulumi-aws/blob/v4.33.0/sdk/nodejs/ecr/lifecyclePolicyDocument.ts

2. v4.33.0 of the provider is nearly a year old, so it's possible that you're hitting a bug that has been fixed since then. It would be worth trying with a more recent version.

[corymhall]

Looks like this no longer reproduces on the latest version.