Hey, I've got a question about resource chaining a...
# golangs
sticky-bear-14421
06/11/2021, 9:44 AMHey, I've got a question about resource chaining and dependencies.
My code is about base infrastructure setup of an aws account with all the usual suspects like vpc, subnets, routing. First special resource is an organizational transit gateway setup. For this I have to create an IAM role which I assume by creating a provider resource and using this I create a second provider which assumes a role in a second account and there some route table operations are configured.
So far, so good ..
Now I have the need to do some vpc peerings and like above I have the propagator acceptor pattern again. So, again two providers, over into the second account and accept the peering propagation .. but no, my second provider failes, that it cannot assume the role, and this is where my problems begin.
I forgot to allow my IAM role to assume the other accounts accepter role. No problem, attach more resource arns in the policy and another pulumi up and it fails again, as my addition to the roles policy isn't finished when the provider gets created.
Copy code
peeringProvider, err := aws.NewProvider(ctx, fmt.Sprintf("peeringProvider-%s", peer.Name), &aws.ProviderArgs{
AssumeRole: &aws.ProviderAssumeRoleArgs{
RoleArn: pulumi.String(fmt.Sprintf("arn:aws:iam::%s:role/%s", peer.AccountID, peer.RouteTables["peeringAccepterRole"])),
SessionName: pulumi.String("peeringAccepterSession"),
},
Region: pulumi.String(region.Name),
}, pulumi.Provider(provider), pulumi.DependsOn([]pulumi.Resource{provider, role}),
)
if err != nil {
return err
}sticky-bear-14421
06/11/2021, 10:38 AMOk, just a minor issue with this snippet. the role dependency isn't with this provider but with the one this is being created with
pulumi.Provider(provider)RoleArn: role.Arnsticky-bear-14421
06/11/2021, 10:39 AMBut the change in itself is happening within the policy of the role, so not the role is changing but the policy, this is a dependency one layer deeper.
3 Views