How do I import an AWS Active Directory without it replacing it?
# aws
s
How do I import an AWS Active Directory without it replacing it? I've done all sorts of verification on the password. I've logged into the network and tested the credentials. It is definitely the right value. I've also been verifying Pulumi's knowledge of the password with the preview command.
```
pulumi preview --show-sames=false --show-secrets=true --diff
```
But the output always indicates it's replacing because of the password.
```
     Type                               Name                  Plan        Info
 +   pulumi:pulumi:Stack                directory_import-dev  create
 +   ├─ pulumi:providers:aws            provider              create
 +-  └─ aws:directoryservice:Directory  directory             replace     [diff: +password]; 1 warning
```
m
What's the sequence of steps you took to get to this situation? Did you import the Directory using `pulumi import`? And how are you specifying your password?
s
```python
"""An AWS Python Pulumi program"""

import pulumi
import pulumi_aws as aws


# Explicit provider so the stack targets a specific AWS profile and region.
provider = aws.Provider(
    "provider",
    profile="ocor-services-cloudplay",
    region="us-east-2",
)


directory = aws.directoryservice.Directory(
    "directory",
    name="d1.local",
    short_name="d1",
    # Directory admin password. AWS accepts it on create but never returns it,
    # so Pulumi has nothing to diff it against after an import. Keeping it in
    # source is also a secret-hygiene risk; pulumi.Config().require_secret() is safer.
    password="77xasdfsf!sdfdD5",
    edition="Enterprise",
    type="MicrosoftAD",
    desired_number_of_domain_controllers=2,
    vpc_settings={
        "vpc_id": "vpc-0e432c6301bfb44d4",
        "subnet_ids": ["subnet-0d188846ea46a1bc5", "subnet-0a6592cf9f2f75ce1"],
    },
    tags={
        "Project": "foo",
    },
    opts=pulumi.ResourceOptions(
        provider=provider,
        # Adopt the existing directory by its ID rather than creating a new one.
        import_="d-9a6767287b",
        ignore_changes=["tags"],
    ),
)
```
I'm doing a ResourceOptions import.
m
Have you tried importing via the CLI? I'm wondering whether the password is something that can be retrieved at all. However, https://www.pulumi.com/registry/packages/aws/api-docs/directoryservice/directory/#look-up seems to have the password as an output.
Perhaps that's something you could try: Can you get() the Directory and output the password?
s
The password definitely can't be retrieved from AWS. It's nowhere in their API.
m
Or even just compare it with your string: `Directory.get(...).password.apply(lambda p: p == "77x...")`
s
Where do you see it having .password as an output?
I think I would do two things: Try to get() your directory and compare/inspect what it returns as the password, and try to import via the CLI to see what code it generates for you.
s
It's under "The following state arguments are supported" as an argument to the get method.
m
Ah, sorry, but the password should still be part of the outputs, because all inputs are also outputs implicitly.
s
Wouldn't it just be a string input then? It wouldn't be an actual value from an existing resource.
It would accept the string, and then spit out the same string.
But then the existing directory may still be different.
Overall I doubt a directory will really change, so another option would be to just have a reference_directory_id variable that gets passed in, and have it call the get method normally within the code with that scenario.
m
When you look up the resource, it will populate everything. E.g., if you look up a bucket by name, you will get all the other parameters as well.
s
If I use the get function, I can't use .apply to get the output properties throughout the rest of the code. Thus I'd need to add lots of conditions in other locations.
m
I'm trying to think of ways to figure out whether Pulumi has a chance to determine that the password has, in fact, not changed. When AWS never reveals the current password, Pulumi can only send a new one.
s
Is there any clean way to get outputs from either the actual deployment of the resource or the get method output without lots of conditions?
m
> If I use the get function, I can't use .apply to get the output properties throughout the rest of the code. Thus I'd need to add lots of conditions in other locations.

I'm not suggesting you use this as the permanent solution 🙂 Just as an experiment.
The AWS API docs don't output the password.
I think it's really making an assumption that the password would be different.
m
> Is there any clean way to get outputs from either the actual deployment of the resource or the get method output without lots of conditions?

You want everything as Pulumi Outputs, right? In that case, have a look at `get_directory_output` at https://github.com/pulumi/pulumi-aws/blob/6800a7473ac4c2c2803787b7f414821db921c924/sdk/python/pulumi_aws/directoryservice/get_directory.py#L289
s
That looks useful.
Thanks! I think that will at least help work around this for now.
m
There is one rather hacky/adventurous way you could try, which comes to mind because I've just been doing something similar an hour ago: Import the Directory resource into your state using the CLI (it has to be in your state file for the next step to work) and then edit the state file (`pulumi state edit`) and add the password to the resource's outputs. You'll have to place the encrypted ciphertext there, but I believe you can come up with a way to obtain this, e.g., store it as a secret value in your config and copy the encrypted value. (The entire operation is probably easiest to pull off if you have another Directory to compare to, and you definitely want to have a backup or first try this in a stack that contains nothing but your Directory.) Then Pulumi has something to compare your new input to, and will be able to determine that the password has not changed.
s
OK, that's interesting.