Channels
announcements
automation-api
aws
azure
blog-posts
built-with-pulumi
cloudengineering
cloudengineering-support
content-share
contribex
contribute
docs
dotnet
finops
general
getting-started
gitlab
golang
google-cloud
hackathon-03-19-2020
hacktoberfest
install
java
jobs
kubernetes
learn-pulumi-events
linen
localstack
multi-language-hackathon
office-hours
oracle-cloud-infrastructure
package-authoring
pulumi-ai
pulumi-cdk
pulumi-cloud
pulumi-crosscode
pulumi-deployments
pulumi-kubernetes-operator
pulumiverse
python
registry
status
testingtesting123
testingtesting321
typescript
welcome
workshops
yaml
Title
p
purple-plumber-90981
04/28/2021, 10:52 PMin aws.iam for RolePolicyAttachment, every time i “pulumi up” the existing attachments are removed and new ones added. Is this expected behaviour ? I would think that as my attachments are unchanged, nothing should be removed/recreated
sample’ish code in thread
l
little-cartoon-10569
04/28/2021, 10:52 PMNo, that doesn't usually happen.
p
purple-plumber-90981
04/28/2021, 10:53 PMthat is an example of what i see every time
the only real changes were to cluster and nodegroup
here is my role and attachment code
l
little-cartoon-10569
04/28/2021, 10:54 PMAre you changing the name every time? Can't see in that screenshot. The code would probably be more useful?
p
purple-plumber-90981
04/28/2021, 10:54 PMlol im getting to it
👍 1
role
eks_admin_role = aws.iam.Role(
"itplat_eks_clusteradmin_role",
assume_role_policy=eks_assume_role_policy,
name="itplat_eks_clusteradmin_role",
tags={
"clusterAccess": "itplat_eks_admin",
},
opts=pulumi.ResourceOptions(provider=providers['us-east-1']),attachment
# attach AmazonEC2FullAccess policy to the eks_admin_role
eksworker_policy_attachment_admin_role = aws.iam.RolePolicyAttachment(
"eksworker_attach_ec2Policy_to_" + str(eks_admin_role.name),
policy_arn="arn:aws:iam::aws:policy/AmazonEKSWorkerNodePolicy",
role=eks_admin_role.name,
opts=pulumi.ResourceOptions(provider=providers['us-east-1']),
)the same code is duplicated for other roles and attachments but the structure is the same
l
little-cartoon-10569
04/28/2021, 10:56 PMThat looks like the problem.
eks_admin_role.nameUse the same value as you pass in to the role, rather than the name from the role, even though they have the same value.
p
purple-plumber-90981
04/28/2021, 10:57 PMerm . . . i would prefer not to as i want to have them generated later
are you saying eks_admin_role.name is not a string ?
l
little-cartoon-10569
04/28/2021, 10:57 PMYou can use the same variable and pass it to both constructors
Yes, it's not a string, it's an Output<string>.
p
purple-plumber-90981
04/28/2021, 10:58 PMcould i just str() it
l
little-cartoon-10569
04/28/2021, 10:58 PMNo, it's not available at construction time.
It comes back from the provisioning of the resource asynchronously, potentially long after construction time.
p
purple-plumber-90981
04/28/2021, 10:59 PMright because this is all decoupled
sigh, i should have realised that
ok that is enough to get me past my current issue… i will redesign as per your suggestion
👍 1
thank you for the learning
🙇 1