I'm trying to specify the name of my AWS role, but...
# aws
w
I'm trying to specify the name of my AWS role, but it keeps adding a - and a string to the end of it. I have the resource name and the "name" parameter the same, but it keeps adding this on. I've been nosing around the GitHub threads and I've seen others comment on this (going back years). Has this been put on the back burner or am I missing something?
m
This is a feature called pseudo-deterministic naming. Can you share your declaration?
w
Sure @millions-furniture-75402 (in Python)
def create_ssm_role():
    ec2_role = aws.iam.Role(
        "managed-instance-role",
        aws.iam.RoleArgs(
            assume_role_policy=json.dumps({
                "Version": "2012-10-17",
                "Statement": {
                    "Effect": "Allow",
                    "Principal": {
                        "Service": "ec2.amazonaws.com",
                    },
                    "Action": "sts:AssumeRole",
                },
            })
        ),
        name = "managed-instance-role",
        tags = {'Name': 'managed-instance-role'}
    )
m
The declaration looks correct. And in AWS it has the appended hash?
w
managed-instance-role-819d269
m
though, your last 2 kwargs look odd, I wouldn't expect the spaces
w
You think it's the spaces at issue? I can try it without them
m
I'm not sure if it is, but that's something that caught my eye. Have you destroyed it completely by refreshing, deploying without it, and then deploying again with it?
w
Without the spaces? No, but I can give that a go
m
I just meant the resource in general.
w
Oh, well I need that particular resource for the stack
But I can destroy the stack and then check the console to make sure nothing's lingering
You think there's something hanging around and creating a name conflict?
m
It's possible, it really depends on the changes you have made and whether or not deploys have failed and what state that left the stack's state in. The first step is worth trying, refreshing the stack.
If anything updates, that's indicating drift, and it could be related to a previously failed deployment or a change in the target environment.
w
It's the sandbox account so it gets a lot of create/destroy activity
m
If Pulumi's state has drifted, it cannot accurately calculate the difference in state that will inform it of the changes to apply to resources.
w
Aha!
Diagnostics:
  aws:iam:Role (managed-instance-role):
    error: deleting urn:pulumi:sandbox-vpc::aws-vpc::aws:iam/role:Role::managed-instance-role: 1 error occurred:
        * deleting IAM Role (managed-instance-role-819d269): DeleteConflict: Cannot delete entity, must delete policies first.
        status code: 409, request id: 48a0193c-c4b0-409e-bc4a-249e5ef9040d
m
It was hanging on the delete of an older resource?
w
Yeah, it did the other stuff but was ignoring it
Went in and manually removed, then re-ran my stack deletion
Hmmm no did it again
managed-instance-role-dddcc0c this time
I'm wondering if deleting the stack entirely would help
m
You might have a dependency issue too. I also noticed you had that in a function.
g
Can you try a different version?
ec2_role = aws.iam.Role(
    "managed-instance-role",
    assume_role_policy=json.dumps({
        "Version": "2012-10-17",
        "Statement": {
            "Effect": "Allow",
            "Principal": {
                "Service": "ec2.amazonaws.com",
            },
            "Action": "sts:AssumeRole",
        },
    }),
    name = "managed-instance-role",
    tags = {'Name': 'managed-instance-role'}
)
or
ec2_role = aws.iam.Role(
    "managed-instance-role",
    aws.iam.RoleArgs(
        assume_role_policy=json.dumps({
            "Version": "2012-10-17",
            "Statement": {
                "Effect": "Allow",
                "Principal": {
                    "Service": "ec2.amazonaws.com",
                },
                "Action": "sts:AssumeRole",
            },
        }),
        name = "managed-instance-role",
        tags = {'Name': 'managed-instance-role'}
    )
)
https://www.pulumi.com/registry/packages/aws/api-docs/iam/role/ there are 2 options how you can pass your parameters
w
Got it!
l
If you want to use a specific well-known name for a resource, you need to set the name argument. This is different from the name parameter. In the RoleArgs object, set the name there too.
w
So it was the "aws.iam.RoleArgs(" I removed it and now it's no longer appending the string to the resource name 🙂
l
Are you sure you need a specific name for the Role? Unless you have a good need for that, you should not remove the hash from the name. That hash allows Pulumi to gracefully replace the resource when necessary.
Sometimes it's necessary to have a well-known name (e.g. long-lived hard-to-change unmanaged resources need to use it), but usually it's not.
w
I have a cross account permissions setup with another account so keeping the name consistent is helpful
l
If you're setting them both up via Pulumi, that's not a problem. But if not, then you need a fixed name. Just use the name arg.