# general
Question: Is there a way of overriding the role assumption stored in state for a operation? Context: Suppose I create a stack with this snippet of provider configuration:
    externalId: some/value
    roleArn: arn:aws:iam::123456789012:role/my_deployment_role
This gets stored in the state file:
    "type": "pulumi:providers:aws",
    "inputs": {
        "assumeRole": "{\"externalId\":\"some\/value\",\"roleArn\":\"arn:aws:iam::123456789012:role/my_deployment_role\"}",
Let’s say that role has a limited set of permissions that doesn’t allow removing resources. At some point I want to destroy that stack. So I assume an role that can do anything and run pulumi destroy. The current behaviour is that Pulumi assumes the role stored in state (even if I’ve removed it from the stack configuration) and tries to delete the stack’s resources, which fails. I can work around this by removing the from the stack config, running pulumi up, which removes the role assumption from the state file. Then I can run pulumi destroy. It would be nice if had a option so that admins can destroy resources regardless of the role assumed to create them. Is there a reason for the current behaviour that I’m not thinking of? Should I raise a bug or feature request for this? NB: If I rely on environment variables for AWS authentication (which are picked up by the underlying Go AWS SDK), I don’t have this problem at all. It’s only when I define the role assumption in the stack configuration.
FWIW, I did a cursory search of the github issues for something like this, but didn’t find anything that quite matched my issue.
The usual (and Pulumi-supported) way of doing this would be to assume a role that does allow deleting everything, and adding the protect opt to all resources.
Then to destroy a stack, you need to remove all protect opts, pulumi up, pulumi destroy. The protection is there almost all the time, and "easily" removed when needed.
If you change the provider (which is what changing the assumeRole property does, kinda), then you have to expect things like removing all resources with the 1st (version of the) provider, and adding them all again with the 2nd (version of the) provider, in order to destroy the stack. Which is absolutely not what you want.
Paul's suggestion is a good one, but we should have a github issue tracking this too. @prehistoric-london-9917 would you mind opening one?
Sure @gentle-diamond-70147: I’ll open one.
the right repo? Or should it be since this (afaik) is provider specific?
I'd go with pulumi/aws.