#general

faint-vegetable-61837

03/14/2019, 3:54 PM
Hi, I ran into a problem with AWS IAM resources. Sometimes a resource (Role or Policy) may be recreated on AWS with the same name (ARN). Pulumi update won't detect any changes in this case. However, on the AWS console, the Pulumi-created resources that reference this ARN now show an internal AWS ID instead of the ARN. A scenario: a role is created by one stack (kiam). Another stack (an app) creates another role with a trust policy to give the first role permission to assume the app role. If the first stack is destroyed and deployed again, updating the second stack does not do any update; however, the policy does not reference the correct ARN anymore.
I think Pulumi needs to consider IAM unique IDs when calculating diffs, otherwise it gets out of hand https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_identifiers.html#identifiers-unique-ids

creamy-potato-29402

03/14/2019, 6:42 PM
@faint-vegetable-61837 I don’t fully understand. How are you propagating the ARN to the second stack?

faint-vegetable-61837

03/14/2019, 7:52 PM
Through an output with the ARN.
I guess I can pass the unique ID of the role; I did not think about this.

creamy-potato-29402

03/14/2019, 8:17 PM
It seems like that is what you’d want, right?

faint-vegetable-61837

03/14/2019, 8:48 PM
Thank you, I need to try this to see if IAM policy documents accept unique IDs instead of ARNs; the Amazon doc is not clear on this.

creamy-potato-29402

03/14/2019, 8:50 PM
Not an expert on this, but you might have to export both from the stack.