azure.dns.NsRecord causes constant redeploys

[oliverholliday]

We have an on-going issue with Azure NS records in pulumi-controlled DNS zones where nearly every deployment (80%+) triggers re-creating records due to the order of NS records changing.

This is an issue for us as we'd like to begin using --expect-no-changes.

I filed #243 back in May and I think it might be related.

import * as azure from "@pulumi/azure";

var root = azure.dns.getZone({
    name: "mydomainname.website",
    resourceGroupName: "domains"
});

var resourceGroup = new azure.core.ResourceGroup("test", {
    location: "ukwest"
});

var child = new azure.dns.Zone("dns-child", {
    resourceGroupName: resourceGroup.name,
    name: `test.${root.name}`
});

var nsRecord = new azure.dns.NsRecord("root-ns", {
    resourceGroupName: root.resourceGroupName,
    zoneName: root.name,
    name: "test",
    record: child.nameServers.apply(x => x.map(y => ({ nsdname: y }))), // workaround for #243
    ttl: 300
});

var aRecord = new azure.dns.ARecord("child-a", {
    resourceGroupName: child.resourceGroupName,
    zoneName: child.name,
    name: "@",
    records: ["127.0.0.1"],
    ttl: 300
});

Everything works as expected on the first pass, except for warnings:

Diagnostics:
  azure:dns:NsRecord (root-ns):
    warning: urn:pulumi:dev::pulumi-test::azure:dns/nsRecord:NsRecord::root-ns verification warning: "record": [DEPRECATED] This field has been replaced by `records`
    warning: urn:pulumi:dev::pulumi-test::azure:dns/nsRecord:NsRecord::root-ns verification warning: "record": [DEPRECATED] This field has been replaced by `records`

On subsequent passes without code changes we almost always see a redeployment required where only the order of the NS records is changed:

  pulumi:pulumi:Stack: (same)
    [urn=urn:pulumi:dev::pulumi-test::pulumi:pulumi:Stack::pulumi-test-dev]
    ~ azure:dns/nsRecord:NsRecord: (update)
        [id=/subscriptions/xxx/resourceGroups/domains/providers/Microsoft.Network/dnszones/mydomainname.website/NS/test]
        [urn=urn:pulumi:dev::pulumi-test::azure:dns/nsRecord:NsRecord::root-ns]
        [provider=urn:pulumi:dev::pulumi-test::pulumi:providers:azure::default_1_0_0::32f49d58-d6d8-4280-8f12-92804d84aeb4]
      ~ record: [
          ~ [0]: {
                  ~ nsdname: "ns2-05.azure-dns.net." => "ns4-05.azure-dns.info."
                }
          ~ [1]: {
                  ~ nsdname: "ns1-05.azure-dns.com." => "ns3-05.azure-dns.org."
                }
          ~ [2]: {
                  ~ nsdname: "ns4-05.azure-dns.info." => "ns1-05.azure-dns.com."
                }
          ~ [3]: {
                  ~ nsdname: "ns3-05.azure-dns.org." => "ns2-05.azure-dns.net."
                }
        ]

I've tried various ways of sorting these records to try and prevent changes but none have worked. I'm not sure why that is, it seems the orders are being shuffled internally irrespective of the order in the definitions.

    record: child.nameServers.apply(x => x.sort().map(y => ({ nsdname: y}))),

[mikhailshilkov]

Thanks for reporting this @oliverholliday. I believe we should just fix #243, I'll try to prioritize that one.

[pgavlin]

Just out of curiosity, which version of the @pulumi/azure package are you using?

[oliverholliday]

Just out of curiosity, which version of the @pulumi/azure package are you using?

1.0.0 now but we've had this issue consistently since around May when I reported #243

[mikhailshilkov]

With #243 fixed, you should be able to migrate from record to records, which should fix the issue.