I had a AWS Role resource that I imported into a stack that I left as “protected” — it’s the AWSControlTowerAdmin role that control tower creates out the box. I want to use Pulumi to lock down this role a bit more as per AWS documentation. I successfully ran the stack and brought the role under Pulumi management. I now want to refactor the code and I moved the resource into a

ComponentResource

. When I rerun the stack, it doesn’t recognize it as an update and instead tries to recreate the resource. It fails because `creating IAM Role (AWSControlTowerAdmin): EntityAlreadyExists: Role with name AWSControlTowerAdmin already exists`… any thoughts on the correct approach to this?

You can add a Pulumi alias, or you can export the stack, fix the URN and parent links, and re-import. The alias option is easier 🙂 https://www.pulumi.com/docs/intro/concepts/resources/options/aliases/

ahh

Our you could remove the resource from the state and import it in the new location (which is essentially the export/edit/import option, but safer).

Is there a way I can find the old urn? It seems to have disappeared from the stack’s list of resources even though it never deleted it

Export the stack and search for it

Our you could remove the resource from the state and import it in the new location

^ how would this look?

ahh ok

Yes, certainly. And you can import it in the right place. Since it's in a ComponentResource, I wouldn't use

pulumi import

(unless it can handle that? Not sure...). You can write the code yourself and use the

import

opt.

https://www.pulumi.com/docs/intro/concepts/resources/options/import/ what would the resource id be for this IAM role?

Have a look at the doc page for the resource, the info is near the bottom of the page.

from the stack where it’s living, it seems like it’s the role name

That's the Pulumi id. You need to use the AWS ID, which might be anthing. Sometime they're weird composite string.

Why isn’t it the… ARN?

You'll have to ask the AWS API developers 🙂

haha

They can but they shouldn't, because of drift. However, you can use the

.get()

class method (https://www.pulumi.com/registry/packages/aws/api-docs/iam/role/#look-up) to get a read-only version of the resource in the project you don't want to manage it.

ah so they’ll just compete with each other to manage that resource?

Yes.

kk I was going to import as we talked about but realized I hadn’t deleted it from the other stack and it got me wondering…

It's

pulumi state delete

? Yes, that does not affect AWS, only the Pulumi state file.

kk the message from

protect

still applies to the state

Yes. You can remove the

protect

via an up (which will also do nothing to AWS), then remove the resource from state.

thank you again!!