This message was deleted.
# general
s
This message was deleted.
f
i guess one potential approach might be to synchronously query for the role and loop until it gets a value, but this also seems fraught with peril
as a side note, i'm new to Pulumi and have several years experience with Terraform. in Terraform, i'm used to seeing some values with "(known after apply)", not sure if Pulumi has an equivalent. to me it's weird that the "preview" diff shows
[null]
right away, which makes me think that it's not waiting to compute the value until it's needed
d
As you suggested, the role is created asynchronously on the aws side, so will be unreliable in general. Something you can do is use the promise form of
getRole
, and keep retrying until you end up with a non-null response. Let me setup an environment so I can provide an example quickly
@freezing-electrician-6256 can you provide an example of your current
getRolesOutput
usage, which will help with doing an example here
This is a generic example, there's likely cleaner ways to do it; such as wrapping the promise with this library: https://www.npmjs.com/package/ts-retry-promise
Copy code
async function getRoleAsync(nameRegex: string): Promise<aws.iam.GetRoleResult> {
    let roleName: string | null = null;
    const maxRetries = 10;
    let attempts = 0;
    const sleepTime = 1000;
    do {
        attempts++;
        let rolesResult = await aws.iam.getRoles({
            nameRegex: nameRegex,
        });
        if (rolesResult.names.length > 0) {
            roleName = rolesResult.names[0];
        }
        if (roleName == null) {
            console.log("retrying!", rolesResult);
            await new Promise(r => setTimeout(r, sleepTime));
        }
    } while (roleName == null && attempts < maxRetries);
    if (roleName == null) {
        throw new Error("Failed to find role");
    }

    return aws.iam.getRole({
        name: roleName,
    });
}

// These are for demo purposes to show how to unrole a promise in Pulumi
const roleDependingOnResource = stubResource.id.apply(_ => getRoleAsync("NEVER_EXISTS"));
const roleNonDependent = pulumi.output(getRoleAsync("NEVER_EXISTS"));
🚀 1
👍 1
meow party 1
alternate using that library:
Copy code
import { retryDecorator } from "ts-retry-promise";

const getRole = (nameRegex: string) => aws.iam.getRoles({
    nameRegex: nameRegex,
}).then(roles => {
    if (roles.names.length <= 0) {
        throw new Error("Failed to find role");
    }
    return aws.iam.getRole({
        name: roles.names[0],
    });
});
const retryGetRole = retryDecorator(getRole, { retries: 10, delay: 1000 });


// These are for demo purposes to show how to unrole a promise in Pulumi
const roleDependingOnResource = stubResource.id.apply(_ => retryGetRole("NEVER_EXISTS"));
const roleNonDependent = pulumi.output(retryGetRole("NEVER_EXISTS"));
f
the usage is going into a big jsonstringify policy, looks something like:
Copy code
policy: pulumi.jsonStringify({
        Version: "2012-10-17",
        Statement: [
            {
                Sid: "Foo",
                Effect: "Allow",
                Principal: {
                    AWS: [
                        aws.iam.getRoleOutput(params),
                    ]
                },
(the getRoleOutput is technically wrapped in a function but effectively ends up like that)
hm okay, yeah i guess we can just wait for the role to become valid