Hey, I have an edge case, AWS Workspaces (sometime...
# aws
g
Hey, I have an edge case, AWS Workspaces (sometimes) automatically create the role. But this role is then managed by AWS, so I need a fire and forget script. How can I create a role and then remove it from state, programmatically? I could use a command but the problem is the credentials: I need to jump through several hoops in the command code, same as Pulumi already does with the provider. Notes: https://docs.aws.amazon.com/workspaces/latest/adminguide/workspaces-access-control.html#create-default-role
This role is created by the Quick Setup or if you launch a WorkSpace using the AWS Management Console, and it grants Amazon WorkSpaces permission to access specific AWS resources on your behalf.
l
You probably shouldn't do this in deployment code, because you don't know when the resource would be created. It might be immediately, it might be 100ms later, it might be at 1am tonight, it might be when someone logs into the workspace for the first time... If you really want to try this, you could use a `pulumi.Command`, maybe inside an `apply` that waits for the workspace to be created. But that would be quite fragile. I recommend having a non-Pulumi script that runs afterwards, that is not dependent on the Pulumi program (except perhaps via program outputs). If credential management is tough, you could try Pulumi ESC? Or some similar tech that puts the creds in the environment, allowing your script to just rely on the right creds just being there.
g
The problem is that the role must exist before anything tries to register a directory. And you can only register a directory after any directory type has been deployed, which usually takes ~5 minutes at least.
registering WorkSpaces Directory (…): operation error WorkSpaces: RegisterWorkspaceDirectory, https response error StatusCode: 400, RequestID: …, WorkspacesDefaultRoleNotFoundException: The role workspaces_DefaultRole is missing. For more information, see <https://docs.aws.amazon.com/cli/latest/reference/workspaces/register-workspace-directory.html>.
l
You either need to split your projects then. Or create a role yourself and always use that one.
g
I’d create the role myself, but the role name is mandatory … everything with AWS Workspaces is an edge case 😞 For now I’ll just use the `command` with `try create role or assume it is correct`