https://pulumi.com logo
#aws
Title
# aws
w

wonderful-toddler-75767

02/14/2024, 4:09 PM
I'm trying to specify the name of my AWS role, but it keeps adding a - and a string to the end of it. I have the resource name and the "name" parameter the same, but it keeps adding this on. I've been nosing around the github threads and I've seen others comment on this (going back years). Has this been put on the back burner or am I missing something?
m

millions-furniture-75402

02/14/2024, 4:38 PM
This is a feature called pseudo-deterministic naming. Can you share your declaration?
w

wonderful-toddler-75767

02/14/2024, 4:41 PM
Sure @millions-furniture-75402 (in Python)
Copy code
def create_ssm_role():
    ec2_role = aws.iam.Role(
        "managed-instance-role",
        aws.iam.RoleArgs(
            assume_role_policy=json.dumps({
                "Version": "2012-10-17",
                "Statement": {
                    "Effect": "Allow",
                    "Principal": {
                        "Service": "<http://ec2.amazonaws.com|ec2.amazonaws.com>",
                    },
                    "Action": "sts:AssumeRole",
                },
            })
        ),
        name = "managed-instance-role",
        tags = {'Name': 'managed-instance-role'}
    )
m

millions-furniture-75402

02/14/2024, 4:42 PM
The declaration looks correct. and in aws it has the appended hash?
w

wonderful-toddler-75767

02/14/2024, 4:43 PM
managed-instance-role-819d269
m

millions-furniture-75402

02/14/2024, 4:44 PM
though, your last 2 kwargs look odd, I wouldn't expect the spaces
w

wonderful-toddler-75767

02/14/2024, 4:44 PM
You think it's the spaces at issue? I can try it without them
m

millions-furniture-75402

02/14/2024, 4:44 PM
I'm not sure if it is, but that's something that caught my eye. Have you destroyed it completed by refreshing, deploying without it, and then deploying again with it?
w

wonderful-toddler-75767

02/14/2024, 4:45 PM
Without the spaces? No, but I can give that a go
m

millions-furniture-75402

02/14/2024, 4:46 PM
I just meant the resource in general.
w

wonderful-toddler-75767

02/14/2024, 4:46 PM
Oh, well I need that particular resource for the stack
But I can destroy the stack and then check the console to make sure nothing's lingering
You think there's something hanging around and creating a name conflict?
m

millions-furniture-75402

02/14/2024, 4:48 PM
It's possible, it really depends on the changes you have made and whether or not deploys have failed and what state that left the stack's state in. The first step is worth trying, refreshing the stack.
If anything updates, that's indicating drift, and it could be related to a previously failed deployment or a change in the target environment.
w

wonderful-toddler-75767

02/14/2024, 4:49 PM
It's the sandbox account so it gets a lot of create/destroy activity
m

millions-furniture-75402

02/14/2024, 4:49 PM
If Pulumi's state has drifted, it cannot accurately calculate the difference in state that will inform it of the changes to apply to resources.
w

wonderful-toddler-75767

02/14/2024, 4:57 PM
Aha!
Copy code
Diagnostics:
  aws:iam:Role (managed-instance-role):
    error: deleting urn:pulumi:sandbox-vpc::aws-vpc::aws:iam/role:Role::managed-instance-role: 1 error occurred:
        * deleting IAM Role (managed-instance-role-819d269): DeleteConflict: Cannot delete entity, must delete policies first.
        status code: 409, request id: 48a0193c-c4b0-409e-bc4a-249e5ef9040d
m

millions-furniture-75402

02/14/2024, 4:58 PM
It was hanging on the delete of an older resource?
w

wonderful-toddler-75767

02/14/2024, 5:00 PM
Yeah, it did the other stuff but was ignoring it
Went in and manually removed, then re-ran my stack deletion
Hmmm no did it again
managed-instance-role-dddcc0c this time
I'm wondering if deleting the stack entirely would help
m

millions-furniture-75402

02/14/2024, 5:12 PM
You might have a dependency issue too. I also noticed you had that in a function.
g

great-zebra-31498

02/14/2024, 5:54 PM
can you try different version?
Copy code
ec2_role = aws.iam.Role(
    "managed-instance-role",
    assume_role_policy=json.dumps({
        "Version": "2012-10-17",
        "Statement": {
            "Effect": "Allow",
            "Principal": {
                "Service": "<http://ec2.amazonaws.com|ec2.amazonaws.com>",
            },
            "Action": "sts:AssumeRole",
        },
    }),
    name = "managed-instance-role",
    tags = {'Name': 'managed-instance-role'}
)
or
Copy code
ec2_role = aws.iam.Role(
    "managed-instance-role",
    aws.iam.RoleArgs(
        assume_role_policy=json.dumps({
            "Version": "2012-10-17",
            "Statement": {
                "Effect": "Allow",
                "Principal": {
                    "Service": "<http://ec2.amazonaws.com|ec2.amazonaws.com>",
                },
                "Action": "sts:AssumeRole",
            },
        }),
        name = "managed-instance-role",
        tags = {'Name': 'managed-instance-role'}
    )
)
https://www.pulumi.com/registry/packages/aws/api-docs/iam/role/ there are 2 options how you can pass your parameters
w

wonderful-toddler-75767

02/14/2024, 7:28 PM
Got it!
l

little-cartoon-10569

02/14/2024, 7:28 PM
If you want to use a specific well-known name for a resource, you need to set the name argument. This is different from the name parameter. In the RoleArgs object, set the name there too.
w

wonderful-toddler-75767

02/14/2024, 7:28 PM
So it was the "aws.iam.RoleArgs(" I removed it and now it's no longer appending the string to the resource name 🙂
l

little-cartoon-10569

02/14/2024, 7:30 PM
Are you sure you need a specific name for the Role? Unless you have a good need for that, you should not remove the hash from the name. That hash allows Pulumi to gracefully replace the resource when necessary.
Sometimes it's necessary to have a well-known name (e.g. long-lived hard-to-change unmanaged resources need to use it), but usually it's not.
w

wonderful-toddler-75767

02/14/2024, 7:38 PM
I have a cross account permissions setup with another account so keeping the name consistent is helpful
l

little-cartoon-10569

02/14/2024, 9:33 PM
If you're setting them both up via Pulumi, that's not a problem. But if not, then you need a fixed name. Just use the name arg.