Hello, I’m struggling to import an aws IAM role cr...
# general
s
Hello, I’m struggling to import an AWS IAM role created externally into my Pulumi stack; I ran the pulumi import command and added the code snippet it gave me to my script, but Pulumi still keeps trying to delete and replace the role. Pointers would be appreciated.
b
Can you share the example and the Pulumi output?
e
That would be helpful, I'm working on imports at the moment so examples of where it's not working are really useful
s
Thanks for the replies. Here’s some source code, terminal output, and versions of mine. It’s manually whittled down from a bigger stack I’d rather not share here. I think I got the whittling right, but also working on a more minimal example
Hmm, I created a small 1-resource stack with just the role, then imported, then ran pulumi up, and that worked fine. Maybe some action I took between the import and the pulumi up in the big stack messed up the state there somehow. I’m not sure what that action would have been, though, unfortunately (there were many). I’ll retry with the big stack…
b
Does your big stack use a special provider (implicitly or explicitly)?
I’ve had that happen before
https://www.pulumi.com/docs/intro/concepts/resources/options/import/ - I’d look to see if you can possibly use this rather than pulumi import …
s
I was using stack provider config (Pulumi.myenv.yaml aws:assumeRole) to assume a certain role in another account where the IAM role and other resources are. Not clear to me what explicit/implicit non-default provider. I have no provider=* overrides in my Pulumi Python code, just AWS provider config settings in my stack config. And that did access the different account/role correctly.
After retrying with my big stack, it did work this time. Not sure what happened before.
And thanks for the pointer to the import resource option. I’m not quite clear on the advantages after reading the doc - I guess it can make the history of the import having been done more clear, and can maybe avoid doubling the code required for multiple stacks where a resource may or may not be required? In my case the existing IAM role I want to use doesn’t exactly match the role that my Pulumi code will otherwise create. And I just want . Maybe if I could somehow combine the import together with ignore_changes=['root'] (I think 'root' means all properties?), and only apply that to cases where the resource was imported and not created by Pulumi - I think that’s what I’d want. But I have a decent way forward now using the CLI import.
e
ignore_changes=['root'] (I think 'root' means all properties?)
ignore_changes=['*'] should be all properties