
careful-beard-19872

05/19/2021, 7:05 PM
hi all - I’ve just run into github issue 918 (policy attachments not detaching when role needs to be recreated) and left a comment in the thread with my example. In the meantime, has anyone found a good workaround for this?

billowy-army-68599

05/19/2021, 7:33 PM
looking at this now, you've added an explicit dependsOn here - any reason why? does it work without that?

careful-beard-19872

05/19/2021, 7:36 PM
nope, I only added that while trying to force the dependency to be recognized
a moment of desperation 🤣

billowy-army-68599

05/19/2021, 7:38 PM
hmm I've never seen this before, I'm not really sure what to do 😞
wait, the name of the resource is changing:
diff: ~name
did you change the name in the same op?

careful-beard-19872

05/19/2021, 7:39 PM
yes, that's the whole reason the role is being replaced

billowy-army-68599

05/19/2021, 7:40 PM
ah yes, I'm seeing the start of your comment now - I skim-read 😓

careful-beard-19872

05/19/2021, 7:40 PM
which I know should not happen frequently when declaring the policies outside of the role itself, so I’m backed into a not-so-edge-edgecase

billowy-army-68599

05/19/2021, 7:41 PM
yeah this is why we have autonaming by default, I would do them in two operations in this case. You'll have to attach the new policies and then update the name

careful-beard-19872

05/19/2021, 7:42 PM
I totally get why this issue was deprioritized, I was hoping my added color might get it a bump/someone had figured out a good workaround
oh totally, and that would make my life SO much easier, but unfortunately I have worked for clients where autonaming is a no-go based on their approach to regulatory requirements (not saying it's the best approach), just a corner I've found myself stuck in many times
sorry, I just reread your comment about two ops: the policies aren't recreated in this case, they're exactly the same
in this case I would expect pulumi to recognize that the attachment obj is dependent on the role obj, so its order of operations should be to 1. destroy the policy attachments 2. destroy/recreate the role 3. recreate the policy attachments on the newly created role
@billowy-army-68599 I accidentally stumbled on my fix this morning!
So I started breaking down the individual roles and policies for my service, and decided that it would be best to loop through the policy attachments, which required a pulumi.all().apply() to pull off. Of course, forcing the apply told the engine that those policy attachments need to be destroyed while the parent role is replaced, and everything worked itself out.
import * as aws from "@pulumi/aws";
import * as pulumi from "@pulumi/pulumi";

// Customer-managed policies declared on their own; the role and the
// attachments are separate resources, so the policies survive a role replacement
const taskPolicies: aws.iam.Policy[] = [
    new aws.iam.Policy("iam-task-ssm-read-policy", { ... }, defaultResourceOptions),
    new aws.iam.Policy("iam-task-kms-use-policy", { ... }, defaultResourceOptions),
    // SQS,
    // S3,
    // SNS,
    // SSM
];

this.roles = {
    ecsExecution: new aws.iam.Role("iam-execution-role", { ... }, defaultResourceOptions),
    task: new aws.iam.Role("iam-task-role", { ... }, defaultResourceOptions)
};

// Creating the attachments inside apply() is what makes the engine treat them as
// dependent on the task role, so they are torn down and recreated when the role
// is replaced (e.g. on a rename). The map result is returned so the Output is usable.
const taskPolicyAttachments = pulumi.all(taskPolicies).apply((policies) =>
    policies.map((policy, index) =>
        new aws.iam.RolePolicyAttachment(`iam-task-role-policy-attachment-${index}`, {
            role: this.roles.task.name,
            policyArn: policy.arn
        }, {
            parent: this.roles.task,
            dependsOn: [ this.roles.task ]
        })
    )
);
Type                                   Name                               Status       Info
     pulumi:pulumi:Stack                    aberrant-io-poc                                 
     ├─ aberrant:aws:ecs                    poc-ecs
 +-  │  ├─ aws:ecs:TaskDefinition           ecs-queue-task-definition          replaced     [diff: ~taskRoleArn]
 ~   │  │  └─ aws:ecs:Service               ecs-queue-service                  updated      [diff: ~taskDefinition]
 +-  │  ├─ aws:ecs:TaskDefinition           ecs-dbMigration-task-definition    replaced     [diff: ~taskRoleArn]
 ~   │  │  └─ aws:ecs:Service               ecs-db-migration-service           updated      [diff: ~taskDefinition]
 +-  │  ├─ aws:ecs:TaskDefinition           ecs-web-task-definition            replaced     [diff: ~taskRoleArn]
 ~   │  │  └─ aws:ecs:Service               ecs-web-service                    updated      [diff: ~taskDefinition]
 +-  │  ├─ aws:ecs:TaskDefinition           ecs-jobs-task-definition           replaced     [diff: ~taskRoleArn]
 ~   │  │  └─ aws:ecs:Service               ecs-jobs-service                   updated      [diff: ~taskDefinition]
 +-  │  └─ aws:ecs:TaskDefinition           ecs-es-task-definition             replaced     [diff: ~taskRoleArn]
 ~   │     └─ aws:ecs:Service               ecs-es-service                     updated      [diff: ~taskDefinition]
     └─ aberrant:aws:iam                    poc-iam
 +-     └─ aws:iam:Role                     iam-task-role                      replaced     [diff: ~name]
 +-        ├─ aws:iam:RolePolicyAttachment  iam-task-role-policy-attachment-1  replaced     [diff: ~role]
 +-        └─ aws:iam:RolePolicyAttachment  iam-task-role-policy-attachment-0  replaced     [diff: ~role]