#python
alert-raincoat-81485

09/13/2021, 8:49 PM
Pulumi tries to delete the existing resources (IAM role & policies) when we run `pulumi up` for the upgrades or refresh.
```
Previewing update (d2):
     Type                             Name                                                                        Plan       Info
     pulumi:pulumi:Stack              roletest-d2                                                                            1 message
 -   ├─ aws:iam:RolePolicyAttachment  <pulumi_aws.iam.get_policy.AwaitableGetPolicyResult object at 0x106fa1f70>  delete
 -   ├─ aws:iam:RolePolicyAttachment  <pulumi_aws.iam.get_policy.AwaitableGetPolicyResult object at 0x106fa1d00>  delete
 -   ├─ aws:iam:RolePolicyAttachment  <pulumi_aws.iam.policy.Policy object at 0x106fb7130>                        delete
 -   ├─ aws:iam:RolePolicyAttachment  <pulumi_aws.iam.get_policy.AwaitableGetPolicyResult object at 0x106fb7040>  delete
 -   ├─ aws:iam:Policy                policy-as14                                                                 delete
 -   └─ aws:iam:Role                  roleas14                                                                    delete
```
Any suggestions?
billowy-army-68599

09/13/2021, 8:54 PM
Can you share your code? It looks like you're defining your policy attachments with undefined names, so they'll delete on each run.
alert-raincoat-81485

09/13/2021, 9:00 PM
In this it deletes all the IAM resources, and without the try..except options, when we run `pulumi up`, it detaches all policies attached to the IAM role, so we have to run a second time to attach the policies again.
@billowy-army-68599 any reviews/suggestions?
billowy-army-68599

09/13/2021, 11:07 PM
@alert-raincoat-81485 The logic here is flawed; it's using an imperative method. In your `try` block, you're checking if the role exists:
```python
import pulumi_aws as aws
try:
    example = aws.iam.get_role(name="role-as1")
    print(example.name)
except Exception:
    pass  # role not found (first run): the role and its policies were created in this branch
```
In the first run, it won't exist, so it catches the exception and creates all the roles. On the next run, the role does exist; however, the resources have been added to the Pulumi state in the last run, so now it wants to remove them.
You need to write in a declarative manner: don't check if the role exists, just define the role and let Pulumi create it.
alert-raincoat-81485

09/13/2021, 11:14 PM
Yes, I tried that too. I removed the try...except block and ran the part underneath `except` standalone. It creates the resources, but at the second run it doesn't remove the role but detaches all policies. @billowy-army-68599
billowy-army-68599

09/13/2021, 11:23 PM
@alert-raincoat-81485 Can you show me the first run and the second?
It's more than likely because of this:
```python
for attach_policy in policy_arns:
    # str(attach_policy) is the object's repr, including its memory address,
    # so the resource name differs on every run and Pulumi replaces the attachment
    test_attach = aws.iam.RolePolicyAttachment(
        str(attach_policy), role=role.name, policy_arn=attach_policy.arn
    )
```
Resource names need to be static and computable, something like this:
```python
for i, attach_policy in enumerate(policy_arns):
    # index-based name is stable across runs, so the attachment is kept, not recreated
    test_attach = aws.iam.RolePolicyAttachment(
        f"policy_attachment-{i}", role=role.name, policy_arn=attach_policy.arn
    )
```
alert-raincoat-81485

09/14/2021, 12:02 AM
Sure, let me try that way and see if it works.
That worked well, thank you Lee @billowy-army-68599
billowy-army-68599

09/14/2021, 1:49 AM
If you need help understanding why, please let me know.
able-honey-93860

12/27/2021, 4:09 AM
Hi @billowy-army-68599, reading through other people's issues here just to soak in as much as I can, and quickly learning you're a beast on here haha! One thing I've been doing is declaring the name for mostly everything I create, since my environment requires specific naming conventions, thus I cannot leverage Pulumi's auto naming. That being said, I typically set the resource name to the specific assignment along with the name. In the context of the above, my approach would look something like this:
```python
for attach_policy in policy_arns:
    test_attach = aws.iam.RolePolicyAttachment(
        attach_policy.name,
        name=attach_policy.name,
        role=role.name,
        policy_arn=attach_policy.arn,
    )
```
This logic works in my runs, but I'm curious if it's an appropriate approach? Yours seems to be a little different, and I'd love to hear if that's best practice or doesn't matter. Thanks!