# aws

quaint-electrician-41503

10/14/2020, 5:25 AM
I've been using iam.RolePolicyAttachment since yesterday to attach an iam.Policy to a role. https://pulumi-community.slack.com/archives/CRH5ENVDX/p1602563075111100 . It seemed to work. Today I am again trying to use the same iam.RolePolicyAttachment. I see Pulumi tell me the role attachment is created. But I look into the AWS console and look at the role or the policy itself and it's not attached. I am able to attach an AWS managed policy today but not the custom policy I added yesterday. What should I be looking for as the breaking change? Why does Pulumi tell me the attachment is created but I don't see it attached?

gentle-diamond-70147

10/14/2020, 5:33 AM
Can you share your full code that reproduces this?

quaint-electrician-41503

10/14/2020, 5:50 AM
I can't but I can try to summarize.
kmsKeyPolicy = aws.iam.Policy(... policy=kms_key.arn.apply(lambda arn: arn)....)
kms_attached_policy = aws.iam.RolePolicyAttachment(..., policy_arn=kmsKeyPolicy.arn, role=node_instance_role_arn.apply(lambda arn: aws.get_arn(arn).resource[5:]),)
I can export kms_attached_policy and I see id, policy_arn, role, urn output in terminal
If I look in the AWS console I do not see the policy attached for the same role listed in the output that was exported
Finally it seemed to work yesterday so I am feeling nutty
About to roll my git back to that commit.
But using the RolePolicyAttachment is working for a managed arn
Yesterday's code shares the same methods
I rolled back git to see if I made myself believe something didn't happen
I rolled back. It did not work. But it really seemed like I made this work yesterday. I am able to attach aws managed policies, just not my own policy.
After getting it to work as above I copied links to the attached policies and the git commit
Finally, why does Pulumi export the values and show it as created if it's not being attached?
Is there any policy that could have been applied that will not allow me to add my custom policy to a role?
Can I use the output to trace the supposedly attached event that's not showing up in my console?
I deleted the stack and reapplied and policy attached to the role. I don't understand what is going on.
Rolled back to my other stack. Now I see two of 3 attempted policies attached. Seems like a bug or a limitation I don't understand.

cool-fireman-90027

10/14/2020, 1:22 PM
If you run this:
pulumi up --logtostderr -v9 --debug
you might be able to see what is happening in the logs. https://www.pulumi.com/docs/reference/cli/pulumi_up/

quaint-electrician-41503

10/14/2020, 4:14 PM
That's a good idea. I am trying to create a few role policy attachments. Then is it possible that the future didn't complete before trying to attach the role to the node?
Can we manually mark dependencies in the job graph to ensure it's rendered properly?