Hey y'all. Is it possible to try to see if a stack...
# typescript
a
Hey y'all. Is it possible to try to see if a stack exists when using the S3 backend, prior to attempting to reference it or some way to allow referencing a non-existent stack to fail gracefully? This is what I'm trying currently and it's failing in preview.
```typescript
let kmsPolicy: aws.iam.Policy;
try {
  const vaultStack = new pulumi.StackReference(`vault-${env}`);
  const vaultKey = vaultStack.getOutput(
    "vaultKey"
  ) as pulumi.Output<aws.kms.Key>;

  if (vaultKey != undefined && vaultKey != null) {
    kmsPolicy = new aws.iam.Policy("vaultKMSUnsealPolicy", {
      name: `VaultKMSUnsealKeyAccess-${env}`,
      description: "Allow access to Vault Unseal Key",
      policy: vaultKey.apply((key) =>
        JSON.stringify({
          Version: "2012-10-17",
          Statement: [
            {
              Sid: "VaultKMSUnseal",
              Effect: "Allow",
              Action: ["kms:Encrypt", "kms:Decrypt", "kms:DescribeKey"],
              Resource: key.arn,
            },
          ],
        })
      ),
    });
  }
} catch (e) {
  console.log(e);
}
```
l
The problem here is (I think) that vaultKey is an Output which contains undefined, and you're not checking for that. You don't need the current guard, you need one inside an apply.
Unfortunately, that means you'd be conditionally creating resources based on unknown values. The contract for getOutput says that it should return undefined, but it's not; I don't know if that's a bug in the docs or in the code, though.
You might be better off using `requireOutput()` and aborting that way?
It might even throw a catchable exception, I'm not sure.
a
The error is about the non-existent stack
```
pulumi:pulumi:Stack (iam-iam.dev):
    error: preview failed

  pulumi:pulumi:StackReference (vault-dev):
    error: Preview failed: unknown stack "vault-dev"
```
Until now, I've been keeping all of my IAM roles/instance profiles in one project and reference those in other projects. The issue I'm running into is with this project for a Vault stack. Originally, I defined the policy and attached the policy in the Vault project, but it's led to a situation where things get weird with a policy defined in the Vault stack being attached to a role defined in the IAM stack.
There's nothing stopping me from moving the Vault server role and whatnot to the Vault project besides my own desire for consistency
But to be clear, if the referenced stack doesn't exist, I want pulumi to ignore the code related to it
I found there is a `forceDetachPolicies` option for `aws.iam.Role`
That solves the issue I was trying to work around