alert-raincoat-81485
09/13/2021, 8:49 PM
pulumi up
for the upgrades or refresh.
Previewing update (d2):
Type Name Plan Info
pulumi:pulumi:Stack roletest-d2 1 message
- ├─ aws:iam:RolePolicyAttachment <pulumi_aws.iam.get_policy.AwaitableGetPolicyResult object at 0x106fa1f70> delete
- ├─ aws:iam:RolePolicyAttachment <pulumi_aws.iam.get_policy.AwaitableGetPolicyResult object at 0x106fa1d00> delete
- ├─ aws:iam:RolePolicyAttachment <pulumi_aws.iam.policy.Policy object at 0x106fb7130> delete
- ├─ aws:iam:RolePolicyAttachment <pulumi_aws.iam.get_policy.AwaitableGetPolicyResult object at 0x106fb7040> delete
- ├─ aws:iam:Policy policy-as14 delete
- └─ aws:iam:Role roleas14 delete
Any suggestions?
billowy-army-68599
alert-raincoat-81485
09/13/2021, 9:00 PM
try..except
options, when we run pulumi up, it detaches all policies attached with the iam role, so that we have to run 2nd time again to attach policies.
billowy-army-68599
try
block, you're checking if the role exists:
try:
    example = aws.iam.get_role(name="role-as1")
    print(example.name)
in the first run, it won't exist, so it catches the exception and creates all the roles
on the next run, the role does exist - however, the resources have been added to the Pulumi state in the last run, so now it wants to remove them
alert-raincoat-81485
09/13/2021, 11:14 PM
try...except
block and ran a part underneath except
standalone.
It creates the resources but at the second run it doesn’t remove the role but detaches all policies. @billowy-army-68599
billowy-army-68599
for attach_policy in policy_arns:
    test_attach = aws.iam.RolePolicyAttachment(
        str(attach_policy), role=role.name, policy_arn=attach_policy.arn
    )

for i, attach_policy in enumerate(policy_arns):
    test_attach = aws.iam.RolePolicyAttachment(
        f"policy_attachment-{i}", role=role.name, policy_arn=attach_policy.arn
    )
alert-raincoat-81485
09/14/2021, 12:02 AM
billowy-army-68599
able-honey-93860
12/27/2021, 4:09 AM
for attach_policy in policy_arns:
    test_attach = aws.iam.RolePolicyAttachment(
        attach_policy.name,
        name=attach_policy.name,
        role=role.name, policy_arn=attach_policy.arn
    )
This logic works in my runs, but curious if it's an appropriate approach? Yours seems to be a little different and I'd love to hear if that's best practice or doesn't matter? Thanks!