Hi i m having an issue with a stack where every time i run `

Question

Hi i m having an issue with a stack where every time i run `pulumi up` it appears to want to update a KMS key even though there s been no changes to that resource When I view the details of the change the resource is listed but without any changes when i apply the change theres a `PutKeyPolicy` action performed i can see it in cloudtrail but theres no change Any ideas the main reason this is an issue is because our CI CD tool doesn t have write permission to KMS keys only read by design so the initial deployment is done elsewhere with the relevant credentials However that assumes that whenever any other changes go through CI CD it doesnt need to update any keys

breezy-butcher-78604 · Answer

Actually my mistake the details do show a difference in the key policy however it s just a difference in the order of the json properties

breezy-butcher-78604 · Answer

actually nevermind i figured out the problem it was two things The first was I had parts like the following in my template ``` Effect Allow Principal AWS accountId Action kms Resource ``` which Pulumi then substitutes the relevant account ID in However when this gets sent to AWS AWS will expand the ID into the full principle arn ie `arn aws iam 0123456789 root` which means it ll always be different when pulumi compares it to what it has locally the second issue was similar but involved context keys I also had this in the same policy ``` Effect Allow Principal AWS accountId Action kms CreateGrant kms ListGrants kms RevokeGrant Resource Condition Bool kms GrantIsForAWSResource true ``` notice there s no quotes around `true` in the condition key Pulumi treats this as a typescript boolean which is obviously different to the string ` true ` that gets returned from AWS another reason it was detecting a change

breezy-butcher-78604 · Answer

once i fixed those two things up its now correctly seeing that no change is required