06/12/2019, 2:29 PM
Is there a way to poll for resource creation to reinforce a
relationship? We believe we are encountering an issue creating a resource that depends on an IAM RolePolicyAttachment that isn't quite ready when the dependent resource starts to create.


06/12/2019, 2:34 PM
If you have provided a dependsOn relationship in your code, the dependent resource will already wait. If you are seeing a case where a resource says it’s created but is still not usable (or can fail due to eventual consistency issues) then that is likely a bug in the provider. The more common issue with IAM is that you might not be depending on the policy attachments themselves, just the role, which would allow for creating other resources pointing at the role before the policies are attached.


06/12/2019, 2:34 PM
Thanks Luke, I am depending on the attachment here.
Copy code
const dmsRole = new aws.iam.Role("dms-vpc-role", {
    name: "dms-vpc-role",
    assumeRolePolicy: `{
          "Version": "2012-10-17",
          "Statement": [
                  "Effect": "Allow",
                  "Principal": {
                      "Service": "<|>"
                  "Action": "sts:AssumeRole"
    permissionsBoundary: config.require("iamPermissionsBoundaryArn"),

const dmsRolePolicy = new aws.iam.RolePolicyAttachment("dms-vpc-role-policy", {
    policyArn: "arn:aws:iam::aws:policy/service-role/AmazonDMSVPCManagementRole",
    role: dmsRole

const dmsSubnetGroup = new aws.dms.ReplicationSubnetGroup("dms", {
    replicationSubnetGroupDescription: "Test replication subnet group",
    replicationSubnetGroupId: "test-dms-replication-subnet-group",
    subnetIds: [
}, {
    dependsOn: dmsRolePolicy
the ReplicationSubnetGroup fails to create here in the initial run. when i
pulumi up
again, it succeeds — i am guessing this is because of the eventual consistency issue, but have not proven that
Does Pulumi have some kind of before/after create hook that I can use to write a custom poll before the resource is considered ready?


06/12/2019, 3:19 PM
In the case of AWS IAM there is also a delay between the API operation completing and the thing actually being done at the provider - we saw it a lot on Terraform too.


06/12/2019, 3:20 PM
right, I believe we are hitting this: are there any hooks in Pulumi we could leverage to write some workaround polling?