rapid-raincoat-36492
10/03/2021, 9:09 PM
bored-oyster-3147
10/03/2021, 9:19 PM
billowy-army-68599
.apply will wait until the IAM role is finished, so you can do something like this:
iamRole.arn.apply(async (arn) => {
  console.log("waiting for IAM role to be ready")
  await new Promise(resolve => setTimeout(resolve, 120000));
  return arn;
}),
rapid-raincoat-36492
10/03/2021, 9:55 PM
new aws.sns.TopicSubscription('firehose_sub', {
  topic: snsTopic.arn,
  protocol: 'firehose',
  endpoint: firehoseStream.arn,
  subscriptionRoleArn: snsRole.role.arn,
});
where snsRole is a module that creates an aws.iam.Role. I'll go with the promise route, thank you!
billowy-army-68599
snsRole.role.arn to the Topic, it should be done in a dependent chain
bored-oyster-3147
10/03/2021, 10:34 PM
rapid-raincoat-36492
10/04/2021, 12:55 AM
pulumi up right after creates it
subscriptionRoleArn has the correct permissions on SNS when the TopicSubscription is created. The TopicSubscription is created after the IAM Role, but before the managedPolicyArns are all attached to the IAM Role.
I could very well be wrong, but it's pretty consistent
bored-oyster-3147
10/04/2021, 12:11 PM
dependsOn: policyResource to the TopicSubscription resource? That way it doesn't get created until the policies are provisioned.
rapid-raincoat-36492
10/04/2021, 1:45 PM
managedPolicyArns
bored-oyster-3147
10/04/2021, 1:47 PM
managedPolicyArns in any code that you have shared.
rapid-raincoat-36492
10/04/2021, 2:14 PM
up immediately after:
bored-oyster-3147
10/04/2021, 2:24 PM
managedPolicyArns functions in the way that I interpreted, meaning that when AWS receives values in that property it is actually creating additional resources in the form of PolicyAttachments for each of those ARNs, and since pulumi is not managing those policy attachments it does not know to wait for them.
If you instead allow pulumi to manage that PolicyAttachment, then I suspect you would eliminate this race condition. Try something like this instead:
const snsPolicy = new aws.iam.Policy(`sns_policy`, {
  name: 'raceConditionPolicySns',
  path: '/',
  policy: {
    Version: '2012-10-17',
    Statement: [
      {
        Effect: 'Allow',
        Action: [
          'firehose:DescribeDeliveryStream',
          'firehose:ListDeliveryStreams',
          'firehose:ListTagsForDeliveryStream',
          'firehose:PutRecord',
          'firehose:PutRecordBatch',
        ],
        Resource: [firehoseStream.arn],
      },
    ],
  },
});
const snsRole = new aws.iam.Role(`sns_role`, {
  name: 'raceConditionRoleSns',
  assumeRolePolicy: {
    Version: '2012-10-17',
    Statement: [
      {
        Effect: 'Allow',
        Action: 'sts:AssumeRole',
        Principal: {
          Service: 'sns.amazonaws.com',
        },
      },
    ],
  },
});
const policyAttachment = new aws.iam.RolePolicyAttachment('sns_role_policy_attachment', {
  policyArn: snsPolicy.arn,
  role: snsRole.name,
});
new aws.sns.TopicSubscription('firehose_sub', {
  topic: snsTopic.arn,
  protocol: 'firehose',
  endpoint: firehoseStream.arn,
  subscriptionRoleArn: snsRole.arn,
}, {
  dependsOn: policyAttachment,
});
rapid-raincoat-36492
10/04/2021, 3:45 PM