While importing aws resources that were originally...
# general
While importing aws resources that were originally created with ansible, I ran into a weird case where I can import a RoleAttachment fine, but subsequent pulumi ups what to do a replace/import-replacement.
pulumi refresh
shows no changes. If I remove the import: from the resource
pulumi up
shows no changes. Is this normal behaviour? Will this cause infrastructure changes? Can I get to a point where
pulumi up
doesn't return changes without removing the import?
but subsequent pulumi ups what to do a replace/import-replacement.
Can you share the detailed diff you see that leads to this?
you mean the output of
pulumi up --diff
Copy code
$ pulumi up --diff
Previewing update (prd-vms-permissions):
  pulumi:pulumi:Stack: (same)
    +-aws:iam/rolePolicyAttachment:RolePolicyAttachment: (replace)
        id       : "prd-mediaconvert-execution-role-arn:aws:iam::1234567890:policy/prd-vms-inbox-readonly-access-policy"
        policyArn: "arn:aws:iam::1234567890:policy/prd-vms-inbox-readonly-access-policy"
        role     : "prd-mediaconvert-execution-role"
    +-1 to replace
    23 unchanged
Huh - it is very surprising that there is no diff shown here. Are you on recent version of all components? You could get more details by running with
--logtostderr -v=9 2> out.txt
and looking for lines including
which should indicate what is causing Pulumi to believe it needs to replace this.
my pulumi cli version is 1.4.0, how do I ensure I'm using up to date components?
You can look at
and see what versions of the
packages you are using.
ok those components...
yarn outdated
says I am... 1.7.0 for pulumi/aws
here is a sample line:
I1031 16:32:38.165583    3150 provider_plugin.go:572] Provider[aws, 0xc00159a720].Diff(urn:pulumi:prd-vms-permissions::vms-permissions::aws:iam/policy:Policy::dev-content-policy,arn:aws:iam::1234567890:policy/dev-content-policy) success: changes=1 #replaces=[] #stables=[namePrefix description path name] delbefrepl=false, diffs=#[], detaileddiff=map[]
what am I looking for?
That line looks like it's for the
, is there a similar line for the
? It should show a non-empty list of
This is basically what I'm trying to do. I have lots of ansible code similar to this which I would like to import and use pulumi to manage.
Copy code
- iam_managed_policy:
    policy_name: 'policya'
    policy: |
  register: policya
- iam_role:
    name: myrole
    purge_policies: true
    assume_role_policy_document: |
    - '{{ policya.arn }}'
  register: myrole
I thought I would create a function similar to ansible's iam_role which allows just passing a list of managed_policies since pulumi/terraform require more resources to do the same thing as in ansible above:
Copy code
export interface RoleArgs extends aws.iam.RoleArgs {
    managedPolicies: pulumi.Input<string>[],
export function createRole(name: string, roleArgs: RoleArgs, opts: pulumi.CustomResourceOptions) {
    const role = new aws.iam.Role(name, roleArgs as aws.iam.RoleArgs, opts);
    const managedPolicies = roleArgs.managedPolicies == null ? [] : roleArgs.managedPolicies
    const roleAttachments = role.name.apply(
        roleName =>
                    arns =>
                            (arn, i) => {
                                const policyName = arn.split('/').pop()
                                return new aws.iam.RolePolicyAttachment(`${name}/${policyName}`, {
                                    policyArn: arn,
                                    role: roleName,
                                }, { provider: opts.provider, import: `${roleName}/${arn}` });
    return role;
Then I can convert the ansible into the following pulumi which imports fine the first time:
Copy code
const policya = new aws.iam.Policy(
    {name: `policya`, policy: `...`},
    { provider: provider, import: `arn:aws:iam::${accountId}:policy/policya` })

const myrole = createRole(
    {assumeRolePolicy: `...`, managedPolicies: [policya.arn]},
    { provider: provider, import: `myrole` })
but then wants to replace afterwards.
Is this not a reasonable approach that won't work?
should I create an issue in pulumi/aws github for this? I could put a small ansible playbook of 2 tasks and a pulumi index.ts with the 3 resources.