# general
f
bump ☝️
b
you keep using the word `Stack` - do you mean the pulumi concept of a Stack? Like is all of this occurring in one pulumi stack? Do you need to `get_role`? Is the role created further up in the stack with like:
```
var role = new Aws.Iam.Role("role", ...);
```
And if it is, is the name you want a pulumi output on that object, like `role.RoleName`? And if it isn't can you provide the role ARN on the new policy instead of the name? Since that is definitely an output.
You should (in my experience) only need to use the `get_x` methods for things that are created outside of the stack
I've always used Role ARNs without issue - so I think that would work in your case
f
One of the resources in my Pulumi stack is a Cloudformation stack, the definition of which I am consuming from a 3rd party. One of the things that Cloudformation stack creates is an IAM Role. One of the Cloudformation stack outputs is the name of that role. Cloudformation outputs are exposed in Pulumi as outputs of the Cloudformation stack resource. To do additional infrastructure setup with additional Pulumi resources, I need to refer to that IAM role name. In everything else I do in Pulumi, the fact that the information is a Pulumi Output handles the necessary dependency ordering just fine. Here, that does not appear to be the case. My questions are: "_why_ is this not the case?" and "is there another way of formulating my Pulumi code to deal with this scenario?"
b
I still don't think you should be doing `get_role`. That is why the ordering is broken. Can you link me a reference for the 3rd party Cloudformation stack definition?
If not `get_role`, then what? Do I need to create a separate Pulumi stack that only brings up that Cloudformation stack, and then have the rest of my code in another Pulumi stack and make references? That could also get complicated because I actually have several instances of the Cloudformation stack that I need to work with.
b
ok now I'm even more confused that you linked me a big yaml file. I thought you said you were using pulumi python? Is the "Cloudformation stack" part of the same pulumi stack? From your description I thought it was a ComponentResource provided by a 3rd party.
f
That's the 3rd party Cloudformation stack
b
Right - but it's YAML. So how is it part of the same pulumi stack as your python stack? can you share your python code?
b
ok that makes sense thank you. and `cloudformation.stack.outputs` has a role name that you are using?
f
Yes:
```python
queue_instance_role = aws.iam.get_role(
    name=self.cf_stack.outputs["InstanceRoleName"],
)
```
b
my question is - why do you need to get role?
when you already have the name?
f
the name is generated in the stack execution, and I'd rather not have to rely on internal knowledge of how that stack executes in order to get the name elsewhere.
b
I'm confused by that statement. Can you share the code where you are creating the S3 policy?
f
Yes, I need the name of the role. I can just look into the Cloudformation stack definition and figure out how it pieces the name of that role together (as it turns out, it's not terribly complicated). While that is workable, it's only because the name (in this particular case) doesn't (currently!) include any randomly-generated content (like Pulumi does by default, with e.g. "foo-Role-abc123"). More broadly, I'm pretty sure that the role must exist in order for a RolePolicy to be attached to it, and the only way I can be sure it exists is to create the Pulumi resources that depend on that Role after that Role has been created. I was under the impression that because that name is exposed by the Cloudformation Stack as a Pulumi Output, this ordering would be taken care of by Pulumi. But it does not appear to be the case.
b
I really need to see your code in order to help you any further man, I'm sorry. I must really be missing something because I don't understand why you cannot use the name that you have.
What is the problem with doing:
```
var policy = new Aws.S3.BucketPolicy("name", {
   role_name: self.cf_stack.outputs["InstanceRoleName"],
});
```
f
I guess the answer is that `get_role` expects a `str` and not an `Output[str]`... presumably if the latter were true, this would work.
My mistake; sorry for the trouble. Thanks for the assistance 🙇
b
well that's my question, you don't need to get the role first if you already have the information you need, right?
I thought this `self.cf_stack.outputs["InstanceRoleName"]` was an `Output[str]`
f
b
so what property do you need from the `Aws.Iam.Role` that is returned by `get_role`?
f
Since it is only the name I need, I'm just going to restructure the code of the policy document to use the Cloudformation stack output directly. I had been trying to be more object-oriented in how I was writing this code, but that doesn't look like it's going to work in this case.
b
I mean, you're not being less object-oriented by not using `get_role` I don't think.
`get_role` is just meant to be used to retrieve resources that don't belong to your stack, which is why it wasn't waiting for the role to be created.. because it assumes it exists outside your stack
Like you said this is why it doesn't take in an `Output[str]` but rather a `str`, since it isn't supposed to depend on anything in the stack