Channels
#general
Title
r
rapid-raincoat-36492
10/03/2021, 9:09 PMIn typescript, how can I say "Don't create resource X until 15 seconds after the IAM Role it depends on finishes provisioning?"
b
bored-oyster-3147
10/03/2021, 9:19 PMAre you getting an error because the role isn't ready yet? How are you passing the role to resource X?
b
billowy-army-68599
10/03/2021, 9:21 PM
doing something in an
.apply Copy code
iamRole.arn.apply(async (arn) => {
console.log("waiting for IAM role to be ready")
await new Promise(resolve => setTimeout(resolve, 120000));
return arn;
}),Josh's question is important though, you might not need this...
r
rapid-raincoat-36492
10/03/2021, 9:55 PMIt's an implicit dependency, like:
Copy code
new aws.sns.TopicSubscription('firehose_sub', {
topic: snsTopic.arn,
protocol: 'firehose',
endpoint: firehoseStream.arn,
subscriptionRoleArn: snsRole.role.arn,
});snsRoleaws.iam.Roleb
billowy-army-68599
10/03/2021, 9:57 PM
why is the role implicit? if you're passing an output from
snsRole.role.arnb
bored-oyster-3147
10/03/2021, 10:34 PMYea I'm surprised, I would expect that to just work without any funny business. That's not your experience, though?
r
rapid-raincoat-36492
10/04/2021, 12:55 AMIt is done in a dependent chain, but sometimes IAM Roles aren't immediately usable after their creation. This is pretty common in Terraform: https://github.com/terraform-aws-modules/terraform-aws-autoscaling/blob/d4b7da041ef781604726953234b5bcd494cc5908/examples/complete/main.tf#L100-L103
When I delete and then recreate this module over and over, the IAM Role is not ready yet about 2/3rds of the time. And then a
pulumi upMy guess:
Pulumi/or tries to ensure that the
subscriptionRoleArnTopicSubscriptionTopicSubscriptionmanagedPolicyArnsb
bored-oyster-3147
10/04/2021, 12:11 PMSo what if you pass something like
dependsOn: policyResourcer
rapid-raincoat-36492
10/04/2021, 1:45 PMThe Role should already be dependent on the policy because the policy arn is in the Role
managedPolicyArnsb
bored-oyster-3147
10/04/2021, 1:47 PMOk, I'm confused about the order of operations. Your last message gave me the impression that you were:
1. Creating a role
2. Adding a policy to it (maybe via policy attachment)
3. Passing the role to TopicSubscription
And there was a race condition between 2 & 3, because since TopicSubscription is not explicitly dependent on the policy attachment in 2, it doesn't wait for it. I haven't seen
managedPolicyArnsr
rapid-raincoat-36492
10/04/2021, 2:14 PMrepro package: https://gist.github.com/dmattia/7ac415f36ead6599aa7b39096f4037f8
Error on my first time trying to run it:
Re-running an
upb
bored-oyster-3147
10/04/2021, 2:24 PMOk so I was half correct.
In your code, the order of operations is not as I interpreted - because you are creating the policy first. But
managedPolicyArns Copy code
const snsPolicy = new aws.iam.Policy(`sns_policy`, {
name: 'raceConditionPolicySns',
path: '/',
policy: {
Version: '2012-10-17',
Statement: [
{
Effect: 'Allow',
Action: [
'firehose:DescribeDeliveryStream',
'firehose:ListDeliveryStreams',
'firehose:ListTagsForDeliveryStream',
'firehose:PutRecord',
'firehose:PutRecordBatch',
],
Resource: [firehoseStream.arn],
},
],
},
});
const snsRole = new aws.iam.Role(`sns_role`, {
name: 'raceConditionRoleSns',
assumeRolePolicy: {
Version: '2012-10-17',
Statement: [
{
Effect: 'Allow',
Action: 'sts:AssumeRole',
Principal: {
Service: '<http://sns.amazonaws.com|sns.amazonaws.com>',
},
},
],
},
});
var policyAttachment = new aws.iam.RolePolicyAttachment('sns_role_policy_attachment', {
policyArn: snsPolicy.arn,
role: snsRole.name,
});
new aws.sns.TopicSubscription('firehose_sub', {
topic: snsTopic.arn,
protocol: 'firehose',
endpoint: firehoseStream.arn,
subscriptionRoleArn: snsRole.arn,
}, {
dependsOn: policyAttachment,
});r
rapid-raincoat-36492
10/04/2021, 3:45 PMI can do that, thank you!