i am creating an resources in a pulumi component r...
# generalh
hundreds-printer-10986
09/16/2025, 7:51 PMi am creating an resources in a pulumi component resource, if I run
pulumi uppulumi upe
echoing-dinner-19531
09/16/2025, 8:02 PMAs in the whole program hangs?
Is this just a local component, i.e. a class in your code?
h
hundreds-printer-10986
09/16/2025, 8:02 PMyes the whole program hangs, yes its a class in my code
hundreds-printer-10986
09/16/2025, 8:02 PMit has gotten up to 900s in creating, when created alone its 2s
e
echoing-dinner-19531
09/16/2025, 8:18 PMwonder if your somehow constructing a circular loop in the resource dependencies? Maybe via dependsOn/parent options?
h
hundreds-printer-10986
09/16/2025, 8:19 PMi have tried both depends_on being specified and empty, I also just moved the dependent resources into the same component resource, and I am still getting hanging
hundreds-printer-10986
09/16/2025, 8:22 PM Copy code
class DmsSecretsmanagerRole(ComponentResource):
def __init__(
self,
name: str,
region: str,
replication_task_config: Dict[str, str],
role_name: str,
stack_reference: StackReference,
opts: ResourceOptions,
):
super().__init__("myproject:DmsSecretsmanagerRole", name, {}, opts)
secret_arns = {}
kms_key_arns = {}
source_secret = secretsmanager.get_secret(
name=replication_task_config["source_secret_name"]
)
source_secret_arn = source_secret.arn
source_secret_kms_key_id = source_secret.kms_key_id
source_secret_kms_key_arn = kms.get_key(key_id=source_secret_kms_key_id).arn
role_arn_output = stack_reference.require_output("cross_account_role_arn")
cross_account_provider = role_arn_output.apply(
lambda arn: Provider(
f"{name}-cross-account-provider",
assume_roles=[ProviderAssumeRoleArgs(role_arn=arn)],
)
)
def get_target_secret_info(provider):
target_secret = secretsmanager.get_secret(
name=replication_task_config["target_secret_name"],
opts=pulumi.InvokeOptions(provider=provider)
)
target_secret_kms_key = kms.get_key(
key_id=target_secret.kms_key_id,
opts=pulumi.InvokeOptions(provider=provider)
)
return {
"secret_arn": target_secret.arn,
"kms_key_arn": target_secret_kms_key.arn
}
target_info = cross_account_provider.apply(get_target_secret_info)
secret_arns["source"] = source_secret_arn
secret_arns["target"] = target_info.apply(lambda x: x["secret_arn"])
print(f"Target Secret ARN set")
kms_key_arns["source"] = source_secret_kms_key_arn
kms_key_arns["target"] = target_info.apply(lambda x: x["kms_key_arn"])
print(f"Target Key ARN set")
secrets_manager_access_role = iam.Role(
f"{name}-secrets-manager-access-role",
name=f"{name}-{role_name}",
assume_role_policy=iam.get_policy_document(
statements=[
iam.GetPolicyDocumentStatementArgs(
effect="Allow",
actions=["sts:AssumeRole"],
principals=[
iam.GetPolicyDocumentStatementPrincipalArgs(
type="Service",
identifiers=[f"dms.{region}.<http://amazonaws.com|amazonaws.com>"],
)
],
)
]
).json,
opts=opts
)
secretsmanager_access_policy_document = secrets_manager_access_role.arn.apply(
lambda arn: iam.get_policy_document(
statements=[
iam.GetPolicyDocumentStatementArgs(
effect="Allow",
actions=[
"secretsmanager:GetSecretValue",
"secretsmanager:DescribeSecret",
"secretsmanager:ListSecretVersionIds",
"secretsmanager:ListSecrets",
],
resources=list(secret_arns.values()),
),
iam.GetPolicyDocumentStatementArgs(
effect="Allow",
actions=[
"kms:Decrypt",
],
resources=list(kms_key_arns.values()),
),
iam.GetPolicyDocumentStatementArgs(
effect="Allow",
actions=["iam:PassRole"],
resources=[arn],
conditions=[
iam.GetPolicyDocumentStatementConditionArgs(
test="StringEquals",
variable="iam:PassedToService",
values=[f"dms.{region}.<http://amazonaws.com|amazonaws.com>"],
)
],
),
]
)
)
iam.RolePolicy(
f"{name}-secrets-manager-access-policy",
role=secrets_manager_access_role.name,
policy=secretsmanager_access_policy_document.json,
opts=opts
)
cross_account_assume_policy = role_arn_output.apply(
lambda cross_account_role_arn: iam.Policy(
f"{name}-dms-assume-cross-account-policy",
policy=json.dumps({
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Action": "sts:AssumeRole",
"Resource": cross_account_role_arn
}
]
})
)
)
iam.RolePolicyAttachment(
f"{name}-dms-cross-account-attachment",
role=secrets_manager_access_role.name,
policy_arn=cross_account_assume_policy.arn,
opts=opts
)
self.secrets = secret_arns
self.keys = kms_key_arns
self.dms_role = secrets_manager_access_role
pulumi.export(f"{name}-dms-secret-arns", self.secrets)
pulumi.export(f"{name}-dms-kms-key-arns", self.keys)
pulumi.export(f"{name}-dms_role_arn", self.dms_role.arn)hundreds-printer-10986
09/16/2025, 8:23 PMall of my print statement appear and all of my exports appear (except the role arn, thats
[unknown]e
echoing-dinner-19531
09/16/2025, 8:31 PMand this works by itself? But if you use the component in a larger program it hangs? How are you using the compoent, what options are being passed, what attributes are being read?
h
hundreds-printer-10986
09/16/2025, 8:35 PMno, this is the combined one, it hangs
hundreds-printer-10986
09/16/2025, 8:35 PMso if this is the only thing that runs, it hangs
hundreds-printer-10986
09/16/2025, 8:36 PMi used to have a separate component to get the secret and key arns, that runs by itself, but if I run this together, or if i run the secret and key compnent and this (with the key and secret stuff removed), it hangs
e
echoing-dinner-19531
09/16/2025, 8:46 PMDoes the secrets_manager_access_role get created?
h
hundreds-printer-10986
09/16/2025, 8:54 PMyes it gets created
hundreds-printer-10986
09/16/2025, 8:56 PMthe policy attachment for cross account access is created, but the
secretsmanager_access_policy_documenthundreds-printer-10986
09/16/2025, 9:26 PMthis is the problem
Copy code
secret_arns["target"] = target_secret.arn Copy code
secret_arns["target"] = target_secret.apply(lambda x: x.arn)e
echoing-dinner-19531
09/16/2025, 9:31 PMMight be worth grabbing verbose logs (-v10 --logtostderr --logflow) and raising an issue about the data fetches not resolving on the pulumi-aws repo. I can't see anything standing out from the code as to why it wouldn't work.
h
hundreds-printer-10986
09/16/2025, 9:46 PM2 Views