# general
f
Hi, I ran into a problem with AWS IAM resources. Sometimes a resource (Role or Policy) may be recreated on AWS with the same name (ARN). Pulumi update won't detect any changes in this case. However, in the AWS console, Pulumi-created resources that reference this ARN now show an internal AWS ID instead of the ARN. A scenario - a role is created by one stack (kiam). Another stack (an app) creates another role with a trusted policy to give the first role permission to assume the app role. If the first stack is destroyed and deployed again, updating the second stack does not do any update; however, the policy does not reference the correct ARN anymore.
I think Pulumi needs to consider IAM unique IDs when calculating diffs, otherwise it gets out of hand https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_identifiers.html#identifiers-unique-ids
c
@faint-vegetable-61837 I don’t fully understand. How are you propagating the ARN to the second stack?
f
Through output with ARN
I guess I can pass the unique ID of the role, I did not think about this
c
It seems like that is what you’d want, right?
f
thank you, I need to try this to see if IAM policy documents accept unique IDs instead of ARNs, the Amazon doc is not clear on this
c
not an expert on this, but you might have to export both from the stack.