https://pulumi.com logo
#general
Title
# general
b

billowy-laptop-45963

10/31/2019, 3:31 PM
While importing aws resources that were originally created with ansible, I ran into a weird case where I can import a RoleAttachment fine, but subsequent pulumi ups what to do a replace/import-replacement.
pulumi refresh
shows no changes. If I remove the import: from the resource
pulumi up
shows no changes. Is this normal behaviour? Will this cause infrastructure changes? Can I get to a point where
pulumi up
doesn't return changes without removing the import?
w

white-balloon-205

10/31/2019, 3:59 PM
but subsequent pulumi ups what to do a replace/import-replacement.
Can you share the detailed diff you see that leads to this?
b

billowy-laptop-45963

10/31/2019, 4:42 PM
you mean the output of
pulumi up --diff
?
w

white-balloon-205

10/31/2019, 5:04 PM
Yep.
b

billowy-laptop-45963

10/31/2019, 5:34 PM
Copy code
$ pulumi up --diff
Previewing update (prd-vms-permissions):
  pulumi:pulumi:Stack: (same)
    [urn=urn:pulumi:prd-vms-permissions::vms-permissions::pulumi:pulumi:Stack::vms-permissions-prd-vms-permissions]
    +-aws:iam/rolePolicyAttachment:RolePolicyAttachment: (replace)
        [id=prd-mediaconvert-execution-role-arn:aws:iam::1234567890:policy/prd-vms-inbox-readonly-access-policy]
        [urn=urn:pulumi:prd-vms-permissions::vms-permissions::aws:iam/rolePolicyAttachment:RolePolicyAttachment::prd-mc-prd-vms-inbox-readonly-access-policy]
        [provider=urn:pulumi:prd-vms-permissions::vms-permissions::pulumi:providers:aws::vmsprd::84585519-9f50-4f3a-b33a-f3e2b0047db3]
        id       : "prd-mediaconvert-execution-role-arn:aws:iam::1234567890:policy/prd-vms-inbox-readonly-access-policy"
        policyArn: "arn:aws:iam::1234567890:policy/prd-vms-inbox-readonly-access-policy"
        role     : "prd-mediaconvert-execution-role"
Resources:             
    +-1 to replace
    23 unchanged
w

white-balloon-205

10/31/2019, 5:57 PM
Huh - it is very surprising that there is no diff shown here. Are you on recent version of all components? You could get more details by running with
--logtostderr -v=9 2> out.txt
and looking for lines including
replaces=
which should indicate what is causing Pulumi to believe it needs to replace this.
b

billowy-laptop-45963

10/31/2019, 5:59 PM
my pulumi cli version is 1.4.0, how do I ensure I'm using up to date components?
w

white-balloon-205

10/31/2019, 6:00 PM
You can look at
package-lock.json
and see what versions of the
@pulumi/*
packages you are using.
b

billowy-laptop-45963

10/31/2019, 6:05 PM
ok those components...
yarn outdated
says I am... 1.7.0 for pulumi/aws
here is a sample line:
I1031 16:32:38.165583    3150 provider_plugin.go:572] Provider[aws, 0xc00159a720].Diff(urn:pulumi:prd-vms-permissions::vms-permissions::aws:iam/policy:Policy::dev-content-policy,arn:aws:iam::1234567890:policy/dev-content-policy) success: changes=1 #replaces=[] #stables=[namePrefix description path name] delbefrepl=false, diffs=#[], detaileddiff=map[]
what am I looking for?
w

white-balloon-205

10/31/2019, 10:04 PM
That line looks like it's for the
Policy
, is there a similar line for the
PolicyAttachement
? It should show a non-empty list of
replaces=
.
b

billowy-laptop-45963

11/01/2019, 2:08 PM
This is basically what I'm trying to do. I have lots of ansible code similar to this which I would like to import and use pulumi to manage.
Copy code
- iam_managed_policy:
    policy_name: 'policya'
    policy: |
    ...
  register: policya
- iam_role:
    name: myrole
    purge_policies: true
    assume_role_policy_document: |
    ...
    managed_policy:
    - '{{ policya.arn }}'
  register: myrole
I thought I would create a function similar to ansible's iam_role which allows just passing a list of managed_policies since pulumi/terraform require more resources to do the same thing as in ansible above:
Copy code
export interface RoleArgs extends aws.iam.RoleArgs {
    managedPolicies: pulumi.Input<string>[],
}
export function createRole(name: string, roleArgs: RoleArgs, opts: pulumi.CustomResourceOptions) {
    const role = new aws.iam.Role(name, roleArgs as aws.iam.RoleArgs, opts);
    const managedPolicies = roleArgs.managedPolicies == null ? [] : roleArgs.managedPolicies
    const roleAttachments = role.name.apply(
        roleName =>
            pulumi
                .all(managedPolicies)
                .apply(
                    arns =>
                        arns.map(
                            (arn, i) => {
                                const policyName = arn.split('/').pop()
                                return new aws.iam.RolePolicyAttachment(`${name}/${policyName}`, {
                                    policyArn: arn,
                                    role: roleName,
                                }, { provider: opts.provider, import: `${roleName}/${arn}` });
                            }))
    )
    return role;
}
Then I can convert the ansible into the following pulumi which imports fine the first time:
Copy code
const policya = new aws.iam.Policy(
    `policya`,
    {name: `policya`, policy: `...`},
    { provider: provider, import: `arn:aws:iam::${accountId}:policy/policya` })

const myrole = createRole(
    'myrole',
    {assumeRolePolicy: `...`, managedPolicies: [policya.arn]},
    { provider: provider, import: `myrole` })
)
but then wants to replace afterwards.
Is this not a reasonable approach that won't work?
should I create an issue in pulumi/aws github for this? I could put a small ansible playbook of 2 tasks and a pulumi index.ts with the 3 resources.
3 Views