https://pulumi.com logo
Powered by
w

worried-engineer-33884

06/12/2019, 2:29 PM
Is there a way to poll for resource creation to reinforce a 
dependsOn
relationship? We believe we are encountering an issue creating a resource that depends on an IAM RolePolicyAttachment that isn't quite ready when the dependent resource starts to create. https://docs.aws.amazon.com/IAM/latest/UserGuide/troubleshoot_general.html#troubleshoot_general_eventual-consistency
w

white-balloon-205

06/12/2019, 2:34 PM
If you have provided a dependsOn relationship in your code, the dependent resource will already wait. If you are seeing a case where a resource says it’s created but is still not usable (or can fail due to eventual consistency issues) then that is likely a bug in the provider. The more common issue with IAM is that you might not be depending on the policy attachments themselves, just the role, which would allow for creating other resources pointing at the role before the policies are attached.
w

worried-engineer-33884

06/12/2019, 2:34 PM
Thanks Luke, I am depending on the attachment here.
Copy code
const dmsRole = new aws.iam.Role("dms-vpc-role", {
    name: "dms-vpc-role",
    assumeRolePolicy: `{
          "Version": "2012-10-17",
          "Statement": [
              {
                  "Effect": "Allow",
                  "Principal": {
                      "Service": "<http://dms.amazonaws.com|dms.amazonaws.com>"
                  },
                  "Action": "sts:AssumeRole"
              }
          ]
}`,
    permissionsBoundary: config.require("iamPermissionsBoundaryArn"),
});

const dmsRolePolicy = new aws.iam.RolePolicyAttachment("dms-vpc-role-policy", {
    policyArn: "arn:aws:iam::aws:policy/service-role/AmazonDMSVPCManagementRole",
    role: dmsRole
})

const dmsSubnetGroup = new aws.dms.ReplicationSubnetGroup("dms", {
    replicationSubnetGroupDescription: "Test replication subnet group",
    replicationSubnetGroupId: "test-dms-replication-subnet-group",
    subnetIds: [
        config.require("az0SubnetPrivateId"),
        config.require("az1SubnetPrivateId"),
    ],
}, {
    dependsOn: dmsRolePolicy
});
the ReplicationSubnetGroup fails to create here in the initial run. when i 
pulumi up
again, it succeeds — i am guessing this is because of the eventual consistency issue, but have not proven that
Does Pulumi have some kind of before/after create hook that I can use to write a custom poll before the resource is considered ready?
s

stocky-spoon-28903

06/12/2019, 3:19 PM
In the case of AWS IAM there is also a delay between the API operation completing and the thing actually being done at the provider - we saw it a lot on Terraform too.
w

worried-engineer-33884

06/12/2019, 3:20 PM
right, I believe we are hitting this: https://github.com/terraform-providers/terraform-provider-aws/issues/7748 are there any hooks in Pulumi we could leverage to write some workaround polling?
Powered by