I created a resource outside the pulumi stack (man...
# general
f
I created a resource outside the pulumi stack (manually in the console). But I make a reference to it in the pulumi stack. However...when I try to take down my stack, it tries to take down my external resource. Any way I can prevent this?
aws:iam:SamlProvider (default):
    error: Preview failed: unable to delete resource "urn:pulumi:toli::xxx::aws:iam/samlProvider:SamlProvider::default"
    as it is currently marked for protection. To unprotect the resource, either remove the `protect` flag from the resource in your Pulumiprogram and run `pulumi up` or use the command:
    `pulumi state unprotect urn:pulumi:toli::xxx::aws:iam/samlProvider:SamlProvider::default`
p
How did you make a reference to it? If you didn’t import it, I’d say pulumi shouldn’t touch it.
Anyway, considering it wants to delete it, I guess it must exist in the state. Try to:
• export the stack state using `pulumi stack export`
• remove manually the resources from the exported JSON
• import it back
• remove reference from the source code
• run `pulumi up` so it syncs
f
I just give it the ARN:
new aws.ec2clientvpn.Endpoint(endpointName, {
      ..
      authenticationOptions: [
        {
          type: 'federated-authentication',
          samlProviderArn: 'ARN GOES HERE',
        },
      ],
    });
p
hah, that’s interesting 🤔
it’s gonna be a stupid question but are you sure that’s the resource pulumi wants to delete?
f
btw I'm not sure I get the concept of what happens in a `pulumi stack export`. I thought it generates this stuff on demand based on my code. But practically I've seen it tends to differ in some scenarios. Like I always run into this `pending operations` problem, where I have to manually go in and delete that part of the JSON. But I don't really follow why.
p
`pulumi stack export` dumps the current state of your stack
• your code is your desired state
• what you see as an output from `pulumi stack export` is how the current state according to pulumi looks like
required actions are computed based on the difference between those two
that’s why if you happen to have any inconsistencies or something went totally wrong during `pulumi up` command, you might be asked to manually adjust the state file (by doing export -> fix -> import)
f
well according to this error message...
aws:iam:SamlProvider (default):
    error: Preview failed: unable to delete resource "urn:pulumi:toli::xxx::aws:iam/samlProvider:SamlProvider::default"
    as it is currently marked for protection. To unprotect the resource, either remove the `protect` flag from the resource in your Pulumiprogram and run `pulumi up` or use the command:
    `pulumi state unprotect urn:pulumi:toli::xxx::aws:iam/samlProvider:SamlProvider::default`
I don't see a reference to it in my code. At some point I tried doing a `pulumi import aws:iam/samlProvider:SamlProvider ...` and it gave me the code necessary (which included a long XML file). I didn't want to deal with storing that XML file...so I decided to keep it custom. Could that `import` have somehow put that resource into my state, without putting it in the code?
p
yes!
I think that’s it 🙂
that’s why I asked you in the first place if you imported this resource
and you did
that’s why it was added to your state (you can confirm that by finding this resource in state JSON file)
f
ah...I didn't realize that's what import does. I thought you actually need to copy and paste the code it gives you
p
but because you didn’t add the proposed code, it looks like you would like to remove it
once again -> your code is a desired state
state -> this is what pulumi thinks is the current state of your cloud
f
is there a way I can import stuff without having it add to the state without me adding the proposed code?
i.e. I just want the proposed code
p
I think you’re still missing the point a little bit
let me try to rephrase this or write an extended example so we’re on the same page
1. In the beginning your state is empty.
2. When you add e.g. `new aws.ec2clientvpn.Endpoint` to your code it does… nothing. You just declared that you want it.
3. When you run `pulumi up` it compares the current state (nothing) with your desired state (one `aws.ec2clientvpn.Endpoint` resource). In result, it generates action to CREATE it.
after successful update, `aws.ec2clientvpn.Endpoint` with appropriate `urn` is added to the state
that’s why next time you run `pulumi up` it doesn’t do anything
if you remove it from the source code, there’s a diff and pulumi generates `DELETE` action as a result
if you want to manage something that was already created outside of pulumi stack you need to import it
you cannot just write the code for it because it will result in `CREATE` action (and it already exists)
if you import it, pulumi will modify the stack accordingly and give you a piece of code to match it (so there’s no diff between the code and state)
so if you import something, you have to add the code - otherwise it doesn’t make any sense
BUT if you want to use an already existing resource, just reference it without doing the actual import
you can either write the literal arn OR if you want to have a resource instance, you can use `get` (https://www.pulumi.com/registry/packages/aws/api-docs/iam/samlprovider/; part "Look up an Existing SamlProvider Resource")
f
Aaaah gotcha. Ok this makes a lot of sense. And yes, your theory worked. I deleted the saml provider resource from the state, and was able to tear down my `toli` stack, without it touching the provider or complaining 🙂 Thanks a bunch!
p
you’re welcome 🙂
to sum up: if you import something to pulumi stack state, pulumi will own/manage it
so if you don’t want some resource to be a part of the stack, don’t import it -> use get if necessary or just pass the arn