04/22/2020, 6:29 AM
Hi, i’m having an issue with a stack where every time i run
pulumi up
it appears to want to update a KMS key even though there’s been no changes to that resource. When I view the details of the change, the resource is listed but without any changes. when i apply the change, theres a
action performed (i can see it in cloudtrail) but theres no change. Any ideas? the main reason this is an issue is because our CI/CD tool doesn’t have write permission to KMS keys, only read (by design) so the initial deployment is done elsewhere with the relevant credentials. However that assumes that whenever any other changes go through CI/CD, it doesnt need to update any keys.
Actually, my mistake, the details do show a difference in the key policy, however it’s just a difference in the order of the json properties
actually nevermind, i figured out the problem. it was two things. The first was I had parts like the following in my template:
Effect: "Allow",
            Principal: {
                AWS: accountId
            Action: "kms:*",
            Resource: "*"
which Pulumi then substitutes the relevant account ID in. However when this gets sent to AWS, AWS will expand the ID into the full principle arn (ie
) which means it'll always be different when pulumi compares it to what it has locally the second issue was similar, but involved context keys. I also had this in the same policy:
Effect: "Allow",
            Principal: {
                AWS: accountId
            Action: [
            Resource: "*",
            Condition: { Bool: { "kms:GrantIsForAWSResource": true }}
notice there's no quotes around
in the condition key? Pulumi treats this as a typescript boolean which is obviously different to the string
that gets returned from AWS, another reason it was detecting a change
once i fixed those two things up, its now correctly seeing that no change is required.
👍 2