This message was deleted Pulumi Community #aws

Join Slack

This message was deleted.

# aws

sparse-intern-71089

04/22/2020, 6:29 AM

This message was deleted.

breezy-butcher-78604

04/22/2020, 6:38 AM

Actually, my mistake, the details do show a difference in the key policy, however it’s just a difference in the order of the json properties

breezy-butcher-78604

04/22/2020, 7:04 AM

actually nevermind, i figured out the problem. it was two things. The first was I had parts like the following in my template:

Copy code

Effect: "Allow",
            Principal: {
                AWS: accountId
            },
            Action: "kms:*",
            Resource: "*"

which Pulumi then substitutes the relevant account ID in. However when this gets sent to AWS, AWS will expand the ID into the full principle arn (ie

arn:aws:iam::0123456789:root

) which means it'll always be different when pulumi compares it to what it has locally the second issue was similar, but involved context keys. I also had this in the same policy:

Copy code

Effect: "Allow",
            Principal: {
                AWS: accountId
            },
            Action: [
                "kms:CreateGrant",
                "kms:ListGrants",
                "kms:RevokeGrant"
            ],
            Resource: "*",
            Condition: { Bool: { "kms:GrantIsForAWSResource": true }}

notice there's no quotes around

true

in the condition key? Pulumi treats this as a typescript boolean which is obviously different to the string

"true"

that gets returned from AWS, another reason it was detecting a change

breezy-butcher-78604

04/22/2020, 7:05 AM

once i fixed those two things up, its now correctly seeing that no change is required.

👍 2

7 Views

Open in Slack

Previous Next