sparse-intern-71089
04/22/2020, 6:29 AM
breezy-butcher-78604
04/22/2020, 6:38 AM
breezy-butcher-78604
04/22/2020, 7:04 AM
Effect: "Allow",
Principal: {
AWS: accountId
},
Action: "kms:*",
Resource: "*"
which Pulumi then substitutes the relevant account ID in. However, when this gets sent to AWS, AWS will expand the ID into the full principal ARN (i.e. arn:aws:iam::0123456789:root), which means it'll always be different when Pulumi compares it to what it has locally
the second issue was similar, but involved context keys. I also had this in the same policy:
Effect: "Allow",
Principal: {
AWS: accountId
},
Action: [
"kms:CreateGrant",
"kms:ListGrants",
"kms:RevokeGrant"
],
Resource: "*",
Condition: { Bool: { "kms:GrantIsForAWSResource": true }}
notice there's no quotes around true in the condition key? Pulumi treats this as a TypeScript boolean, which is obviously different to the string "true" that gets returned from AWS, another reason it was detecting a change
breezy-butcher-78604
04/22/2020, 7:05 AM