# general
b
While importing aws resources that were originally created with ansible, I ran into a weird case where I can import a RoleAttachment fine, but subsequent pulumi ups want to do a replace/import-replacement. `pulumi refresh` shows no changes. If I remove the `import:` from the resource, `pulumi up` shows no changes. Is this normal behaviour? Will this cause infrastructure changes? Can I get to a point where `pulumi up` doesn't return changes without removing the import?
w
> but subsequent pulumi ups want to do a replace/import-replacement.
Can you share the detailed diff you see that leads to this?
b
you mean the output of `pulumi up --diff`?
w
Yep.
b
$ pulumi up --diff
Previewing update (prd-vms-permissions):
  pulumi:pulumi:Stack: (same)
    [urn=urn:pulumi:prd-vms-permissions::vms-permissions::pulumi:pulumi:Stack::vms-permissions-prd-vms-permissions]
    +-aws:iam/rolePolicyAttachment:RolePolicyAttachment: (replace)
        [id=prd-mediaconvert-execution-role-arn:aws:iam::1234567890:policy/prd-vms-inbox-readonly-access-policy]
        [urn=urn:pulumi:prd-vms-permissions::vms-permissions::aws:iam/rolePolicyAttachment:RolePolicyAttachment::prd-mc-prd-vms-inbox-readonly-access-policy]
        [provider=urn:pulumi:prd-vms-permissions::vms-permissions::pulumi:providers:aws::vmsprd::84585519-9f50-4f3a-b33a-f3e2b0047db3]
        id       : "prd-mediaconvert-execution-role-arn:aws:iam::1234567890:policy/prd-vms-inbox-readonly-access-policy"
        policyArn: "arn:aws:iam::1234567890:policy/prd-vms-inbox-readonly-access-policy"
        role     : "prd-mediaconvert-execution-role"
Resources:             
    +-1 to replace
    23 unchanged
w
Huh - it is very surprising that there is no diff shown here. Are you on a recent version of all components? You could get more details by running with `--logtostderr -v=9 2> out.txt` and looking for lines including `replaces=`, which should indicate what is causing Pulumi to believe it needs to replace this.
b
my pulumi cli version is 1.4.0, how do I ensure I'm using up to date components?
w
You can look at `package-lock.json` and see what versions of the `@pulumi/*` packages you are using.
b
ok those components... `yarn outdated` says I am... 1.7.0 for pulumi/aws
here is a sample line:
I1031 16:32:38.165583    3150 provider_plugin.go:572] Provider[aws, 0xc00159a720].Diff(urn:pulumi:prd-vms-permissions::vms-permissions::aws:iam/policy:Policy::dev-content-policy,arn:aws:iam::1234567890:policy/dev-content-policy) success: changes=1 #replaces=[] #stables=[namePrefix description path name] delbefrepl=false, diffs=#[], detaileddiff=map[]
what am I looking for?
w
That line looks like it's for the `Policy`, is there a similar line for the `PolicyAttachment`? It should show a non-empty list of `replaces=`.
b
This is basically what I'm trying to do. I have lots of ansible code similar to this which I would like to import and use pulumi to manage.
- iam_managed_policy:
    policy_name: 'policya'
    # policy document elided in the original
    policy: |
      ...
  register: policya
- iam_role:
    name: myrole
    purge_policies: true
    # trust policy elided in the original
    assume_role_policy_document: |
      ...
    managed_policy:
    - '{{ policya.arn }}'
  register: myrole
I thought I would create a function similar to ansible's iam_role which allows just passing a list of managed_policies since pulumi/terraform require more resources to do the same thing as in ansible above:
import * as aws from "@pulumi/aws";
import * as pulumi from "@pulumi/pulumi";

// Role arguments plus a plain list of managed policy ARNs, mirroring ansible's iam_role managed_policy.
export interface RoleArgs extends aws.iam.RoleArgs {
    managedPolicies: pulumi.Input<string>[],
}
export function createRole(name: string, roleArgs: RoleArgs, opts: pulumi.CustomResourceOptions) {
    const role = new aws.iam.Role(name, roleArgs as aws.iam.RoleArgs, opts);
    const managedPolicies = roleArgs.managedPolicies == null ? [] : roleArgs.managedPolicies;
    // One RolePolicyAttachment per ARN, each imported under the existing "role/arn" id.
    const roleAttachments = role.name.apply(
        roleName =>
            pulumi
                .all(managedPolicies)
                .apply(
                    arns =>
                        arns.map(
                            (arn, i) => {
                                const policyName = arn.split('/').pop();
                                return new aws.iam.RolePolicyAttachment(`${name}/${policyName}`, {
                                    policyArn: arn,
                                    role: roleName,
                                }, { provider: opts.provider, import: `${roleName}/${arn}` });
                            }))
    );
    return role;
}
Then I can convert the ansible into the following pulumi which imports fine the first time:
import * as aws from "@pulumi/aws";

// createRole is the helper above; provider and accountId are set elsewhere in the program.
const policya = new aws.iam.Policy(
    `policya`,
    {name: `policya`, policy: `...`},
    { provider: provider, import: `arn:aws:iam::${accountId}:policy/policya` });

const myrole = createRole(
    'myrole',
    {assumeRolePolicy: `...`, managedPolicies: [policya.arn]},
    { provider: provider, import: `myrole` });
but then wants to replace afterwards.
Is this not a reasonable approach that won't work?
Should I create an issue in pulumi/aws github for this? I could put a small ansible playbook of 2 tasks and a pulumi index.ts with the 3 resources.