dry-journalist-60579
03/22/2023, 7:16 PM
pulumi up on a stack that includes an ECR Repository and a RepositoryPolicy, it thinks the policy is different every run:
# Allow app subaccounts to pull from image repository
repository_policy = aws.ecr.RepositoryPolicy(
    "repository-policy",
    repository=repository.name,
    policy={
        "Version": "2012-10-17",
        "Statement": [
            {
                "Sid": "AllowCrossAccountPull",
                "Effect": "Allow",
                "Principal": {
                    "AWS": [
                        f"arn:aws:iam::{account_id}:root"
                        for account_id in ALLOWED_ACCOUNT_IDS
                    ]
                },
                "Action": [
                    "ecr:BatchCheckLayerAvailability",
                    "ecr:BatchGetImage",
                    "ecr:GetDownloadUrlForLayer",
                ],
            }
        ],
    },
)
melodic-tomato-39005
03/22/2023, 10:31 PM
dry-journalist-60579
03/22/2023, 10:32 PM
melodic-tomato-39005
04/26/2023, 6:42 PM
dry-journalist-60579
04/26/2023, 6:43 PM
awsx raise any flags for you? aws:cloudformation:Stack?
melodic-tomato-39005
04/26/2023, 6:50 PM
awsx seems unrelated at first glance. We actually have a small number of similar issues open where Pulumi thinks unchanged resources have changed. That suggests an underlying bug. I’m compiling these at the moment so we can track this down. Sorry for the trouble!
dry-journalist-60579
04/26/2023, 7:25 PM
aws:cloudformation:Stack one as well?
melodic-tomato-39005
04/26/2023, 7:28 PM
dry-journalist-60579
04/26/2023, 7:38 PM