This message was deleted Pulumi Community #general

Join Slack

This message was deleted.

# general

sparse-intern-71089

11/14/2023, 9:05 PM

This message was deleted.

freezing-electrician-6256

11/14/2023, 9:06 PM

i guess one potential approach might be to synchronously query for the role and loop until it gets a value, but this also seems fraught with peril

freezing-electrician-6256

11/14/2023, 9:10 PM

as a side note, i'm new to Pulumi and have several years experience with Terraform. in Terraform, i'm used to seeing some values with "(known after apply)", not sure if Pulumi has an equivalent. to me it's weird that the "preview" diff shows

[null]

right away, which makes me think that it's not waiting to compute the value until it's needed

dry-keyboard-94795

11/14/2023, 9:34 PM

As you suggested, the role is created asynchronously on the aws side, so will be unreliable in general. Something you can do is use the promise form of

getRole

, and keep retrying until you end up with a non-null response. Let me setup an environment so I can provide an example quickly

dry-keyboard-94795

11/14/2023, 9:37 PM

@freezing-electrician-6256 can you provide an example of your current

getRolesOutput

usage, which will help with doing an example here

dry-keyboard-94795

11/14/2023, 10:08 PM

This is a generic example, there's likely cleaner ways to do it; such as wrapping the promise with this library: https://www.npmjs.com/package/ts-retry-promise

Copy code

async function getRoleAsync(nameRegex: string): Promise<aws.iam.GetRoleResult> {
    let roleName: string | null = null;
    const maxRetries = 10;
    let attempts = 0;
    const sleepTime = 1000;
    do {
        attempts++;
        let rolesResult = await aws.iam.getRoles({
            nameRegex: nameRegex,
        });
        if (rolesResult.names.length > 0) {
            roleName = rolesResult.names[0];
        }
        if (roleName == null) {
            console.log("retrying!", rolesResult);
            await new Promise(r => setTimeout(r, sleepTime));
        }
    } while (roleName == null && attempts < maxRetries);
    if (roleName == null) {
        throw new Error("Failed to find role");
    }

    return aws.iam.getRole({
        name: roleName,
    });
}

// These are for demo purposes to show how to unrole a promise in Pulumi
const roleDependingOnResource = stubResource.id.apply(_ => getRoleAsync("NEVER_EXISTS"));
const roleNonDependent = pulumi.output(getRoleAsync("NEVER_EXISTS"));

🚀 1

👍 1

meow party 1

dry-keyboard-94795

11/14/2023, 10:16 PM

alternate using that library:

Copy code

import { retryDecorator } from "ts-retry-promise";

const getRole = (nameRegex: string) => aws.iam.getRoles({
    nameRegex: nameRegex,
}).then(roles => {
    if (roles.names.length <= 0) {
        throw new Error("Failed to find role");
    }
    return aws.iam.getRole({
        name: roles.names[0],
    });
});
const retryGetRole = retryDecorator(getRole, { retries: 10, delay: 1000 });


// These are for demo purposes to show how to unrole a promise in Pulumi
const roleDependingOnResource = stubResource.id.apply(_ => retryGetRole("NEVER_EXISTS"));
const roleNonDependent = pulumi.output(retryGetRole("NEVER_EXISTS"));

freezing-electrician-6256

11/14/2023, 11:07 PM

the usage is going into a big jsonstringify policy, looks something like:

Copy code

policy: pulumi.jsonStringify({
        Version: "2012-10-17",
        Statement: [
            {
                Sid: "Foo",
                Effect: "Allow",
                Principal: {
                    AWS: [
                        aws.iam.getRoleOutput(params),
                    ]
                },

(the getRoleOutput is technically wrapped in a function but effectively ends up like that)

freezing-electrician-6256

11/14/2023, 11:08 PM

hm okay, yeah i guess we can just wait for the role to become valid

5 Views

Open in Slack

Previous Next