Hey y'all. Is it possible to try to see if a stack...
# typescript
Hey y'all. Is it possible to try to see if a stack exists when using the S3 backend, prior to attempting to reference it or some way to allow referencing a non-existent stack to fail gracefully? This is what I'm trying currently and it's failing in preview.
Copy code
let kmsPolicy: aws.iam.Policy;
try {
  const vaultStack = new pulumi.StackReference(`vault-${env}`);
  const vaultKey = vaultStack.getOutput(
  ) as pulumi.Output<aws.kms.Key>;

  if (vaultKey != undefined && vaultKey != null) {
    kmsPolicy = new aws.iam.Policy("vaultKMSUnsealPolicy", {
      name: `VaultKMSUnsealKeyAccess-${env}`,
      description: "Allow access to Vault Unseal Key",
      policy: vaultKey.apply((key) =>
          Version: "2012-10-17",
          Statement: [
              Sid: "VaultKMSUnseal",
              Effect: "Allow",
              Action: ["kms:Encrypt", "kms:Decrypt", "kms:DescribeKey"],
              Resource: key.arn,
} catch (e) {
The problem here is (I think) that vaultKey is an Output which contains undefined, and you're not checking for that. You don't need the current guard, you need one inside an apply.
Unfortunately, that means you'd be conditionally creating resources based on unknown values. The contract for getOutput says that it should return undefined, but it's not; I don't know if that's a bug in the docs or in the code, though.
You might be better off using
and aborting that way?
It might even throw a catchable exception, I'm not sure.
There error is about the non-existent stack
Copy code
pulumi:pulumi:Stack (iam-iam.dev):
    error: preview failed
  pulumi:pulumi:StackReference (vault-dev):
    error: Preview failed: unknown stack "vault-dev"
Until now, I've been keeping all of my IAM roles/instance profiles in one project and reference those in other projects. The issue I'm running into is with this project for a Vault stack. Originally, I defined the policy and attached the policy in the Vault project, but it's led to a situation where things get weird with a policy defined in the Vault stack being attached to a role defined in the IAM stack.
There's nothing stopping me from moving the Vault server role and whatnot to the Vault project besides my own desire for consistency
But to be clear, if the referenced stack doesn't exist, I want pulumi to ignore the code related to it
I found there is a
option for
That solves the issue I was trying to work around