Pulumi tries to delete the existing resouces iam role amp po

Question

Pulumi tries to delete the existing resouces iam role amp policies when we run `pulumi up` for the upgrades or refresh ```Previewing update d2 Type Name Plan Info pulumi pulumi Stack roletest d2 1 message aws iam RolePolicyAttachment lt pulumi aws iam get policy AwaitableGetPolicyResult object at 0x106fa1f70 gt delete aws iam RolePolicyAttachment lt pulumi aws iam get policy AwaitableGetPolicyResult object at 0x106fa1d00 gt delete aws iam RolePolicyAttachment lt pulumi aws iam policy Policy object at 0x106fb7130 gt delete aws iam RolePolicyAttachment lt pulumi aws iam get policy AwaitableGetPolicyResult object at 0x106fb7040 gt delete aws iam Policy policy as14 delete aws iam Role roleas14 delete``` Any suggestions

billowy-army-68599 · Answer

can you share your code it looks like you re defining your policy attachments with undefined names so they ll delete on each run

alert-raincoat-81485 · Answer

In this it deletes all the iam resources

alert-raincoat-81485 · Answer

and without `try except` options when we run pulumi up it detaches all policies attached with the iam role so that we have to run 2nd time again to attach policies

alert-raincoat-81485 · Answer

< billowy army 68599> any reviews suggestions

billowy-army-68599 · Answer

< alert raincoat 81485> the logic here is flawed it s using an imperative method in your `try` block you re checking if the role exists ```try example = aws iam get role name= role as1 print example name ``` in the first run it won t exist so it catches the exception and creates all the roles on the next run the role does exist however the resources have been added to the Pulumi state in the last run so now it wants to remove them

billowy-army-68599 · Answer

you need to write in a declarative manner don t check if the role exists just define the role and let Pulumi create it

alert-raincoat-81485 · Answer

Yes i tried that too i removed the `try except` block and ran a part underneath `except` standalone It creates the resources but at the second run it doesn t remove the role but detaches all policies < billowy army 68599>

billowy-army-68599 · Answer

< alert raincoat 81485> can you show me the first run and the second

billowy-army-68599 · Answer

it s more than likely because of this ```for attach policy in policy arns test attach = aws iam RolePolicyAttachment str attach policy role=role name policy arn=attach policy arn ```

billowy-army-68599 · Answer

resource names need to be static and computable

billowy-army-68599 · Answer

something like this ```for i attach policy in enumerate policy arns test attach = aws iam RolePolicyAttachment f policy attachment i role=role name policy arn=attach policy arn ```

alert-raincoat-81485 · Answer

Sure let me try that way if works

alert-raincoat-81485 · Answer

That worked well Thank you Lee < billowy army 68599>

billowy-army-68599 · Answer

if you need help understanding why please let me know

able-honey-93860 · Answer

Hi < billowy army 68599> reading through other peoples issues here just to soak in as much as I can and quickly learning you re a beast on here haha One thing I ve been doing is declaring the name for mostly everything I create since my environment requires specific naming conventions thus I cannot leverage pulumi s auto naming That being said I typically set the resource name to the specific assignment along with the name In the context of the above my approach would look something like this ```for attach policy in policy arns test attach = aws iam RolePolicyAttachment attach policy name name=attach policy name role=role name policy arn=attach policy arn ``` This logic works in my runs but curious if it s an appropriate approach Yours seems to be a little different and I d love to hear if that s best practice or doesn t matter Thanks