Hi all, I’m using Pulumi to manage AWS IAM Identit...
# getting-started
m
Hi all, I’m using Pulumi to manage AWS IAM Identity Center. However, I’m stuck with a specific issue. Pulumi is trying to update a ManagedPolicyAttachment but this resource does not support update. When trying to find out what is being updated using `pulumi preview --diff`, I get nothing. Here is the diff I got. Does anyone have more insights on how I can debug this issue further?
```
~ aws:ssoadmin/managedPolicyAttachment:ManagedPolicyAttachment: (update)
        [id=arn:aws:iam::aws:policy/AdministratorAccess,arn:aws:sso:::permissionSet/ssoins-redacted/ps-redacted,arn:aws:sso:::instance/ssoins-redacted]
        [urn=urn:pulumi:sso::pulumi-project::aws:ssoadmin/managedPolicyAttachment:ManagedPolicyAttachment::ps-naman.gupta-AdministratorAccess]
        [provider=urn:pulumi:sso::pulumi-project::pulumi:providers:aws::default_6_47_0::4ebbbff7-f135-4f95-843f-dc99a5523f22]
        instanceArn     : "arn:aws:sso:::instance/ssoins-redacted"
        managedPolicyArn: "arn:aws:iam::aws:policy/AdministratorAccess"
        permissionSetArn: "arn:aws:sso:::permissionSet/ssoins-redacted/ps-redacted"
```
l
ManagedPolicyAttachments are just an implementation detail. They're the link in a many-to-many. You can't change one, you can only create or delete one.
If you remove a managed policy from a permission set, then the attachment goes away.
m
I understand that the resource doesn’t support update. My question is why is Pulumi trying to update this resource and what is it trying to update? I don’t see anything in the diff but pulumi seems to think something has changed, triggering the update.
l
I don't see a change there. Does anything change when you apply it? I think this is expected behaviour when there's a difference between your code and state, but not between the updated state and the cloud.
m
No, nothing changes. The program fails with `doesn't support update`. I fail to understand how this is expected behaviour? If pulumi determines there needs to be an update, shouldn’t it be able to also explain what is being changed? Isn’t that what the `~`, `-` and `+` signs are there for? To explain what resource is being updated and what’s changing in them. I can’t reproduce this issue every time but it seems to come up more often when I use different providers (i.e., I create the resources using `pulumi up` and I try to “update” them using the automation API).
l
`doesn't support update` is not something I've heard of before. Something is afoot.