dry-journalist-60579

03/21/2023, 9:47 PM
I had an AWS Role resource that I imported into a stack that I left as “protected” — it’s the AWSControlTowerAdmin role that control tower creates out the box. I want to use Pulumi to lock down this role a bit more as per AWS documentation. I successfully ran the stack and brought the role under Pulumi management. I now want to refactor the code and I moved the resource into a `ComponentResource`. When I rerun the stack, it doesn’t recognize it as an update and instead tries to recreate the resource. It fails because `creating IAM Role (AWSControlTowerAdmin): EntityAlreadyExists: Role with name AWSControlTowerAdmin already exists`… any thoughts on the correct approach to this?

little-cartoon-10569

03/21/2023, 9:50 PM
You can add a Pulumi alias, or you can export the stack, fix the URN and parent links, and re-import. The alias option is easier 🙂 https://www.pulumi.com/docs/intro/concepts/resources/options/aliases/

dry-journalist-60579

03/21/2023, 9:51 PM
ahh

little-cartoon-10569

03/21/2023, 9:51 PM
Or you could remove the resource from the state and import it in the new location (which is essentially the export/edit/import option, but safer).

dry-journalist-60579

03/21/2023, 9:51 PM
Is there a way I can find the old urn? It seems to have disappeared from the stack’s list of resources even though it never deleted it

little-cartoon-10569

03/21/2023, 9:52 PM
Export the stack and search for it
It'll probably have a `delete: "true"` option.
Which is why you can't see it in the normal output.

dry-journalist-60579

03/21/2023, 9:53 PM
Or you could remove the resource from the state and import it in the new location
^ how would this look?

little-cartoon-10569

03/21/2023, 9:53 PM
`pulumi state delete resourceUrn`
Then either `pulumi import` or write the code yourself, and add the `import:` opt.

dry-journalist-60579

03/21/2023, 9:55 PM
ahh ok
Hmm weird, I’m not seeing the resource
in the exported stack
Maybe it did get deleted from the pulumi state…
ohh crap, it was in a different stack! 🤦‍♂️🏽
sorry!
So now that I’ve found it, I could do what you said and delete it from the state of that stack and import it into the new one?

little-cartoon-10569

03/21/2023, 10:00 PM
Yes, certainly. And you can import it in the right place. Since it's in a ComponentResource, I wouldn't use `pulumi import` (unless it can handle that? Not sure...). You can write the code yourself and use the `import` opt.

dry-journalist-60579

03/21/2023, 10:01 PM
https://www.pulumi.com/docs/intro/concepts/resources/options/import/ what would the resource id be for this IAM role?

little-cartoon-10569

03/21/2023, 10:01 PM
Have a look at the doc page for the resource, the info is near the bottom of the page.

dry-journalist-60579

03/21/2023, 10:02 PM
from the stack where it’s living, it seems like it’s the role name
yup, right?

little-cartoon-10569

03/21/2023, 10:02 PM
That's the Pulumi id. You need to use the AWS ID, which might be anything. Sometimes they're weird composite strings.
Ah yes, it is the name then. It always pays to check.

dry-journalist-60579

03/21/2023, 10:03 PM
Why isn’t it the… ARN?

little-cartoon-10569

03/21/2023, 10:03 PM
You'll have to ask the AWS API developers 🙂
It's not a Pulumi thing.

dry-journalist-60579

03/21/2023, 10:04 PM
haha
cool cool, thank you so much
actually one question: can two distinct pulumi stacks manage the same resource? If not, will Pulumi stop you from trying?

little-cartoon-10569

03/21/2023, 10:13 PM
They can but they shouldn't, because of drift. However, you can use the `.get()` class method (https://www.pulumi.com/registry/packages/aws/api-docs/iam/role/#look-up) to get a read-only version of the resource in the project you don't want to manage it.
(This wouldn't generally apply to two different stacks in the same project; it's almost always an inter-project thing.)

dry-journalist-60579

03/21/2023, 10:13 PM
ah so they’ll just compete with each other to manage that resource?

little-cartoon-10569

03/21/2023, 10:13 PM
Yes.

dry-journalist-60579

03/21/2023, 10:14 PM
kk I was going to import as we talked about but realized I hadn’t deleted it from the other stack and it got me wondering…
just confirming… this just deletes the pulumi state and it does not affect the underlying AWS resource, right?

little-cartoon-10569

03/21/2023, 10:17 PM
It's `pulumi state delete`? Yes, that does not affect AWS, only the Pulumi state file.

dry-journalist-60579

03/21/2023, 10:18 PM
kk the message from `protect` still applies to the state

little-cartoon-10569

03/21/2023, 10:20 PM
Yes. You can remove the `protect` via an up (which will also do nothing to AWS), then remove the resource from state.

dry-journalist-60579

03/21/2023, 10:30 PM
thank you again!!