https://pulumi.com logo
Powered by
s

sticky-bear-14421

06/20/2023, 9:08 AM
I am getting an error while importing an AWS S3 bucket policy into my state.
Copy code
Diagnostics:
  aws:s3:BucketPolicy (pulumi-infrastructure-bucket-policy):
    error: Preview failed: refreshing urn:pulumi:dev::bootstrap::aws:s3/bucketPolicy:BucketPolicy::pulumi-infrastructure-bucket-policy: 1 error occurred:
        * reading Amazon S3 (Simple Storage) Bucket Policy (arn:aws:s3:::infrastructure.pulumi.dev): InvalidARNError: invalid ARN
    caused by: invalid Amazon s3 ARN, unknown resource type, arn:aws:s3:::infrastructure.pulumi.dev
I created the policy in the policy editor and copied the (real) arn from the s3 console, so everything should be formally correct. I am working with the latest Pulumi release (3.72.2) with NodeJS Version v18.16.0. Any ideas why the simple import command fails?
Fun fact, setting the plain json document on the resource worked:
Copy code
new aws.s3.BucketPolicy("pulumi-infrastructure-bucket-policy", {
        bucket: bucket.bucket,
        policy: 
            `
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "Statement1",
            "Effect": "Deny",
            "Principal": "*",
            "Action": "s3:*",
            "Resource": [
                "arn:aws:s3:::infrastructure.pulumi.dev",
                "arn:aws:s3:::infrastructure.pulumi.dev"
            ],
            "Condition": {
                "Bool": {
                    "aws:SecureTransport": "false"
                }
            }
        }
    ]
}`,
    });
e

echoing-dinner-19531

06/20/2023, 9:28 AM
Importing with 
pulumi import
? Did you get the type token and id the right way round (pulumi import <type> <name> <id/arn>)
s

sticky-bear-14421

06/20/2023, 9:28 AM
Yes
Copied the command from the docs and replaced the parts with my values
e

echoing-dinner-19531

06/20/2023, 9:34 AM
Shouldn't the policy arn differ from the bucket arn?
s

sticky-bear-14421

06/20/2023, 9:35 AM
I guess not, as the policy is part of the bucket permissions.
Actually the policy editor in the web console mentions the bucket arn
Uhhhhhhh, wait
pulumi import aws:s3/bucketPolicy:BucketPolicy allow_access_from_another_account my-tf-test-bucket
I guess I was kind of over eager and replaced my-tf-test-bucket with the arn
Let me check
e

echoing-dinner-19531

06/20/2023, 9:39 AM
I think for the import command you probably just need the name part of the arn
s

sticky-bear-14421

06/20/2023, 9:43 AM
New error .. life hates me today 😆 
error: no name for resource urn:pulumi:dev::bootstrap::aws:s3/bucket:bucket::pulumi-infrastructure-bucket
what puzzles me, pulumi-infrastructure-bucket isn’t the name I used for the import.
That is the name of the bucket in the state
e

echoing-dinner-19531

06/20/2023, 9:53 AM
That is odd, import shouldn't care about any other resource except the one your importing
What exactly does your import command look like?
s

sticky-bear-14421

06/20/2023, 10:01 AM
Copy code
pulumi import aws:s3/bucketPolicy:BucketPolicy pulumi-infrastructure-bucket-policy infrastructure.pulumi.dev
The actual name of the bucket is longer, I have shortened it
e

echoing-dinner-19531

06/20/2023, 10:04 AM
that looks reasonable, this probably needs an issue raising at https://github.com/pulumi/pulumi-aws/issues
Might be somethings not quite lined up because bucket policies are kinda not really their own resources but just a property on the bucket itself
s

sticky-bear-14421

06/20/2023, 10:06 AM
Sound reasonable
Powered by