This message was deleted Pulumi Community #aws

Join Slack

This message was deleted.

# aws

sparse-intern-71089

05/19/2021, 7:05 PM

This message was deleted.

billowy-army-68599

05/19/2021, 7:33 PM

looking at this now, you've added an explicit

dependsOn

here - any reason why? does it work without that?

careful-beard-19872

05/19/2021, 7:36 PM

nope, I only added that while trying to force the dependency to be recognized

careful-beard-19872

05/19/2021, 7:37 PM

a moment of desperation 🤣

😆 1

billowy-army-68599

05/19/2021, 7:38 PM

hmm I've never seen this before, i'm not really sure what to do 😞

billowy-army-68599

05/19/2021, 7:39 PM

wait, the name of the resource is changing:

Copy code

diff: ~name

billowy-army-68599

05/19/2021, 7:39 PM

did you change the name in the same op?

careful-beard-19872

05/19/2021, 7:39 PM

yes, thats the whole reason the role is being replaced

billowy-army-68599

05/19/2021, 7:40 PM

ah yes, I'm seeing the start of your comment now - i skim read 😓

careful-beard-19872

05/19/2021, 7:40 PM

which I know should not happen frequently when declaring the policies outside of the role itself, so I’m backed into a not-so-edge-edgecase

billowy-army-68599

05/19/2021, 7:41 PM

yeah this is why we have autonaming by default, i would do them in two operations in this case. yiu'll have to attach the new policies and then update the name

careful-beard-19872

05/19/2021, 7:42 PM

I totally get why this issue was deprioritized, I was hoping my added color might get it a bump/someone had figured a good workaround

careful-beard-19872

05/19/2021, 7:42 PM

oh totally, and that would make my life SO much easier, but unfortunately I have worked for clients where autonaming is a no go based on their approach to regulatory requirements (not saying its the best approach), just a corner I’ve found myself stuck in many times

careful-beard-19872

05/19/2021, 7:45 PM

sorry, I just reread your comment about two ops: the policies arent recreated in this case, theyre exactly the same

careful-beard-19872

05/19/2021, 7:47 PM

in this case I would expect pulumi to recognize that the attachment obj is dependent on the role obj, so it’s order of operations should be to 1. destroy the policy attachments 2. destroy/recreate the role 3. recreate the policy attachments on the newly created role

careful-beard-19872

05/21/2021, 4:47 PM

@billowy-army-68599 I accidentally stumbled on my fix this morning!

careful-beard-19872

05/21/2021, 4:48 PM

So I started breaking down the individual roles and policies for my service, and decided that it would be best to loop through the policy attachments, which required a

pulumi.all().apply()

to pull off. Of course, forcing the apply told the engine that those policy attachments need to be destroyed while the parent role is replaced, and everything worked itself out.

Copy code

const taskPolicies: aws.iam.Policy[] = [
    new aws.iam.Policy("iam-task-ssm-read-policy", { ... }, defaultResourceOptions),
    new aws.iam.Policy("iam-task-kms-use-policy", { ... }, defaultResourceOptions),
    // SQS,
    // S3,
    // SNS,
    // SSM
]

this.roles = {
    ecsExecution: new aws.iam.Role("iam-execution-role", { ... }, defaultResourceOptions),
    task: new aws.iam.Role("iam-task-role", { ... }, defaultResourceOptions)
};

const taskPolicyAttachments = pulumi.all(taskPolicies).apply((policies) => {
    policies.map((policy,index) => 
        new aws.iam.RolePolicyAttachment(`iam-task-role-policy-attachment-${index}`, {
            role: this.roles.task.name,
            policyArn: policy.arn
        }, { 
            parent: this.roles.task,
            dependsOn: [ this.roles.task ]
        })
    )
})

careful-beard-19872

05/21/2021, 4:49 PM

Copy code

Type                                   Name                               Status       Info
     pulumi:pulumi:Stack                    aberrant-io-poc                                 
     ├─ aberrant:aws:ecs                    poc-ecs                                         
 +-  │  ├─ aws:ecs:TaskDefinition           ecs-queue-task-definition          replaced     [diff: ~taskRoleArn]
 ~   │  │  └─ aws:ecs:Service               ecs-queue-service                  updated      [diff: ~taskDefinition]
 +-  │  ├─ aws:ecs:TaskDefinition           ecs-dbMigration-task-definition    replaced     [diff: ~taskRoleArn]
 ~   │  │  └─ aws:ecs:Service               ecs-db-migration-service           updated      [diff: ~taskDefinition]
 +-  │  ├─ aws:ecs:TaskDefinition           ecs-web-task-definition            replaced     [diff: ~taskRoleArn]
 ~   │  │  └─ aws:ecs:Service               ecs-web-service                    updated      [diff: ~taskDefinition]
 +-  │  ├─ aws:ecs:TaskDefinition           ecs-jobs-task-definition           replaced     [diff: ~taskRoleArn]
 ~   │  │  └─ aws:ecs:Service               ecs-jobs-service                   updated      [diff: ~taskDefinition]
 +-  │  └─ aws:ecs:TaskDefinition           ecs-es-task-definition             replaced     [diff: ~taskRoleArn]
 ~   │     └─ aws:ecs:Service               ecs-es-service                     updated      [diff: ~taskDefinition]
     └─ aberrant:aws:iam                    poc-iam                                         
 +-     └─ aws:iam:Role                     iam-task-role                      replaced     [diff: ~name]
 +-        ├─ aws:iam:RolePolicyAttachment  iam-task-role-policy-attachment-1  replaced     [diff: ~role]
 +-        └─ aws:iam:RolePolicyAttachment  iam-task-role-policy-attachment-0  replaced     [diff: ~role]

2 Views

Open in Slack

Previous Next