https://pulumi.com logo
Powered by
#typescript
Title
# typescript
a

acoustic-room-2113

01/17/2022, 9:35 PM
Hey y'all. Is it possible to try to see if a stack exists when using the S3 backend, prior to attempting to reference it or some way to allow referencing a non-existent stack to fail gracefully? This is what I'm trying currently and it's failing in preview.
Copy code
let kmsPolicy: aws.iam.Policy;
try {
  const vaultStack = new pulumi.StackReference(`vault-${env}`);
  const vaultKey = vaultStack.getOutput(
    "vaultKey"
  ) as pulumi.Output<aws.kms.Key>;

  if (vaultKey != undefined && vaultKey != null) {
    kmsPolicy = new aws.iam.Policy("vaultKMSUnsealPolicy", {
      name: `VaultKMSUnsealKeyAccess-${env}`,
      description: "Allow access to Vault Unseal Key",
      policy: vaultKey.apply((key) =>
        JSON.stringify({
          Version: "2012-10-17",
          Statement: [
            {
              Sid: "VaultKMSUnseal",
              Effect: "Allow",
              Action: ["kms:Encrypt", "kms:Decrypt", "kms:DescribeKey"],
              Resource: key.arn,
            },
          ],
        })
      ),
    });
  }
} catch (e) {
  console.log(e);
}
l

little-cartoon-10569

01/17/2022, 9:44 PM
The problem here is (I think) that vaultKey is an Output which contains undefined, and you're not checking for that. You don't need the current guard, you need one inside an apply.
Unfortunately, that means you'd be conditionally creating resources based on unknown values. The contract for getOutput says that it should return undefined, but it's not; I don't know if that's a bug in the docs or in the code, though.
You might be better off using 
requireOutput()
and aborting that way?
It might even throw a catchable exception, I'm not sure.
a

acoustic-room-2113

01/17/2022, 9:51 PM
There error is about the non-existent stack
Copy code
pulumi:pulumi:Stack (iam-iam.dev):
    error: preview failed
 
  pulumi:pulumi:StackReference (vault-dev):
    error: Preview failed: unknown stack "vault-dev"
Until now, I've been keeping all of my IAM roles/instance profiles in one project and reference those in other projects. The issue I'm running into is with this project for a Vault stack. Originally, I defined the policy and attached the policy in the Vault project, but it's led to a situation where things get weird with a policy defined in the Vault stack being attached to a role defined in the IAM stack.
There's nothing stopping me from moving the Vault server role and whatnot to the Vault project besides my own desire for consistency
But to be clear, if the referenced stack doesn't exist, I want pulumi to ignore the code related to it
I found there is a 
forceDetachPolicies
option for 
aws.iam.Role
That solves the issue I was trying to work around
2 Views
Powered by