breezy-butcher-78604
04/22/2020, 6:29 AM
Running `pulumi up`, it appears to want to update a KMS key even though there have been no changes to that resource. When I view the details of the change, the resource is listed but without any changes. When I apply the change, there's a `PutKeyPolicy` action performed (I can see it in CloudTrail) but there's no change. Any ideas?
The main reason this is an issue is because our CI/CD tool doesn't have write permission to KMS keys, only read (by design), so the initial deployment is done elsewhere with the relevant credentials. However, that assumes that whenever any other changes go through CI/CD, it doesn't need to update any keys.

```typescript
{
  Effect: "Allow",
  Principal: {
    AWS: accountId // Pulumi substitutes the account ID here
  },
  Action: "kms:*",
  Resource: "*"
}
```
which Pulumi then substitutes the relevant account ID into. However, when this gets sent to AWS, AWS will expand the ID into the full principal ARN (i.e. `arn:aws:iam::0123456789:root`), which means it'll always be different when Pulumi compares it to what it has locally.
The second issue was similar, but involved context keys. I also had this in the same policy:

```typescript
{
  Effect: "Allow",
  Principal: {
    AWS: accountId
  },
  Action: [
    "kms:CreateGrant",
    "kms:ListGrants",
    "kms:RevokeGrant"
  ],
  Resource: "*",
  // unquoted true: a TypeScript boolean, not the string "true" that AWS returns
  Condition: { Bool: { "kms:GrantIsForAWSResource": true } }
}
```
Notice there are no quotes around `true` in the condition key? Pulumi treats this as a TypeScript boolean, which is obviously different to the string `"true"` that gets returned from AWS; another reason it was detecting a change.