# aws
Actually, my mistake, the details do show a difference in the key policy, however it's just a difference in the order of the JSON properties.
Actually never mind, I figured out the problem. It was two things. The first was I had parts like the following in my template:

```typescript
Effect: "Allow",
Principal: {
    AWS: accountId
},
Action: "kms:*",
Resource: "*"
```

which Pulumi then substitutes the relevant account ID into. However, when this gets sent to AWS, AWS will expand the ID into the full principal ARN (i.e. `arn:aws:iam::0123456789:root`), which means it'll always be different when Pulumi compares it to what it has locally.

The second issue was similar, but involved condition keys. I also had this in the same policy:
```typescript
Effect: "Allow",
Principal: {
    AWS: accountId
},
Action: [
    "kms:CreateGrant",
    "kms:ListGrants",
    "kms:RevokeGrant"
],
Resource: "*",
// unquoted boolean: AWS returns the condition value as the string "true"
Condition: { Bool: { "kms:GrantIsForAWSResource": true } }
```

Notice there's no quotes around `true` in the condition key? Pulumi treats this as a TypeScript boolean, which is obviously different to the string `"true"` that gets returned from AWS, another reason it was detecting a change.

Once I fixed those two things up, it's now correctly seeing that no change is required.