# aws
b
looking at this now, you've added an explicit `dependsOn` here - any reason why? does it work without that?
c
nope, I only added that while trying to force the dependency to be recognized
a moment of desperation 🀣
b
hmm I've never seen this before, I'm not really sure what to do 😞
wait, the name of the resource is changing: `diff: ~name`
did you change the name in the same op?
c
yes, that's the whole reason the role is being replaced
b
ah yes, I'm seeing the start of your comment now - I skim-read 😓
c
which I know should not happen frequently when declaring the policies outside of the role itself, so I’m backed into a not-so-edge-edgecase
b
yeah this is why we have autonaming by default, I would do them in two operations in this case. you'll have to attach the new policies and then update the name
c
I totally get why this issue was deprioritized, I was hoping my added color might get it a bump/someone had figured a good workaround
oh totally, and that would make my life SO much easier, but unfortunately I have worked for clients where autonaming is a no go based on their approach to regulatory requirements (not saying it's the best approach), just a corner I've found myself stuck in many times
sorry, I just reread your comment about two ops: the policies aren't recreated in this case, they're exactly the same
in this case I would expect pulumi to recognize that the attachment obj is dependent on the role obj, so its order of operations should be to 1. destroy the policy attachments 2. destroy/recreate the role 3. recreate the policy attachments on the newly created role
@billowy-army-68599 I accidentally stumbled on my fix this morning!
So I started breaking down the individual roles and policies for my service, and decided that it would be best to loop through the policy attachments, which required a `pulumi.all().apply()` to pull off. Of course, forcing the apply told the engine that those policy attachments need to be destroyed while the parent role is replaced, and everything worked itself out.
```typescript
import * as aws from "@pulumi/aws";
import * as pulumi from "@pulumi/pulumi";

const taskPolicies: aws.iam.Policy[] = [
    new aws.iam.Policy("iam-task-ssm-read-policy", { ... }, defaultResourceOptions),
    new aws.iam.Policy("iam-task-kms-use-policy", { ... }, defaultResourceOptions),
    // SQS,
    // S3,
    // SNS,
    // SSM
];

this.roles = {
    ecsExecution: new aws.iam.Role("iam-execution-role", { ... }, defaultResourceOptions),
    task: new aws.iam.Role("iam-task-role", { ... }, defaultResourceOptions)
};

// Creating the attachments inside apply() makes the engine treat them as
// dependent on the role, so they are replaced along with it when the role
// itself is replaced. The map result is returned so that
// taskPolicyAttachments holds the created attachments.
const taskPolicyAttachments = pulumi.all(taskPolicies).apply((policies) =>
    policies.map((policy, index) =>
        new aws.iam.RolePolicyAttachment(`iam-task-role-policy-attachment-${index}`, {
            role: this.roles.task.name,
            policyArn: policy.arn
        }, {
            parent: this.roles.task,
            dependsOn: [ this.roles.task ]
        })
    )
);
```
```text
     Type                                   Name                               Status       Info
     pulumi:pulumi:Stack                    aberrant-io-poc
     ├─ aberrant:aws:ecs                    poc-ecs
 +-  │  ├─ aws:ecs:TaskDefinition           ecs-queue-task-definition          replaced     [diff: ~taskRoleArn]
 ~   │  │  └─ aws:ecs:Service               ecs-queue-service                  updated      [diff: ~taskDefinition]
 +-  │  ├─ aws:ecs:TaskDefinition           ecs-dbMigration-task-definition    replaced     [diff: ~taskRoleArn]
 ~   │  │  └─ aws:ecs:Service               ecs-db-migration-service           updated      [diff: ~taskDefinition]
 +-  │  ├─ aws:ecs:TaskDefinition           ecs-web-task-definition            replaced     [diff: ~taskRoleArn]
 ~   │  │  └─ aws:ecs:Service               ecs-web-service                    updated      [diff: ~taskDefinition]
 +-  │  ├─ aws:ecs:TaskDefinition           ecs-jobs-task-definition           replaced     [diff: ~taskRoleArn]
 ~   │  │  └─ aws:ecs:Service               ecs-jobs-service                   updated      [diff: ~taskDefinition]
 +-  │  └─ aws:ecs:TaskDefinition           ecs-es-task-definition             replaced     [diff: ~taskRoleArn]
 ~   │     └─ aws:ecs:Service               ecs-es-service                     updated      [diff: ~taskDefinition]
     └─ aberrant:aws:iam                    poc-iam
 +-     └─ aws:iam:Role                     iam-task-role                      replaced     [diff: ~name]
 +-        ├─ aws:iam:RolePolicyAttachment  iam-task-role-policy-attachment-1  replaced     [diff: ~role]
 +-        └─ aws:iam:RolePolicyAttachment  iam-task-role-policy-attachment-0  replaced     [diff: ~role]
```