https://pulumi.com logo
#aws
Title
# aws
b

breezy-butcher-78604

04/22/2020, 6:29 AM
Hi, i’m having an issue with a stack where every time i run
pulumi up
it appears to want to update a KMS key even though there’s been no changes to that resource. When I view the details of the change, the resource is listed but without any changes. when i apply the change, theres a
PutKeyPolicy
action performed (i can see it in cloudtrail) but theres no change. Any ideas? the main reason this is an issue is because our CI/CD tool doesn’t have write permission to KMS keys, only read (by design) so the initial deployment is done elsewhere with the relevant credentials. However that assumes that whenever any other changes go through CI/CD, it doesnt need to update any keys.
Actually, my mistake, the details do show a difference in the key policy, however it’s just a difference in the order of the json properties
actually nevermind, i figured out the problem. it was two things. The first was I had parts like the following in my template:
Copy code
Effect: "Allow",
            Principal: {
                AWS: accountId
            },
            Action: "kms:*",
            Resource: "*"
which Pulumi then substitutes the relevant account ID in. However when this gets sent to AWS, AWS will expand the ID into the full principle arn (ie
arn:aws:iam::0123456789:root
) which means it'll always be different when pulumi compares it to what it has locally the second issue was similar, but involved context keys. I also had this in the same policy:
Copy code
Effect: "Allow",
            Principal: {
                AWS: accountId
            },
            Action: [
                "kms:CreateGrant",
                "kms:ListGrants",
                "kms:RevokeGrant"
            ],
            Resource: "*",
            Condition: { Bool: { "kms:GrantIsForAWSResource": true }}
notice there's no quotes around
true
in the condition key? Pulumi treats this as a typescript boolean which is obviously different to the string
"true"
that gets returned from AWS, another reason it was detecting a change
once i fixed those two things up, its now correctly seeing that no change is required.
👍 2