# python
g
Hi, I think I hit some weird bug with `rolePolicyAttachment:RolePolicyAttachment`.
I had a role assigned to 2 ECS tasks and it had 3 policy attachments
```python
import pulumi_aws as aws

role = aws.iam.Role("role")  # dummy role (assume_role_policy omitted here)

# This runs inside a component class, so self._config.name and self._opts
# are the component's config name and resource options.
for idx, arn in enumerate(
    [
        "arn:aws:iam::aws:policy/AmazonSESFullAccess",
        "arn:aws:iam::aws:policy/AmazonSageMakerFullAccess",
        "arn:aws:iam::aws:policy/AmazonS3FullAccess",
    ]
):
    # The resource name embeds the list index, so each ARN's attachment
    # is named by its position in the list.
    aws.iam.RolePolicyAttachment(
        f"{self._config.name}-{idx}-app-role-extension",
        args=aws.iam.RolePolicyAttachmentArgs(policy_arn=arn, role=role.id),
        opts=self._opts,
    )
    aws.iam.RolePolicyAttachment(
        f"{self._config.name}-{idx}-scheduler-role-extension",
        args=aws.iam.RolePolicyAttachmentArgs(policy_arn=arn, role=role.id),
        opts=self._opts,
    )
```
Later on I decided to add 1 more Policy attachment and limit some Full access policies to necessary permissions.
```python
import pulumi_aws as aws

role = aws.iam.Role("role")  # dummy role (assume_role_policy omitted here)
# dummy customer-managed policies (policy documents omitted here)
ses_policy = aws.iam.Policy("ses-pol")
s3_policy = aws.iam.Policy("s3-pol")
lambda_invoke_policy = aws.iam.Policy("lambda-pol")

# Same component context as before: self._config.name and self._opts
# come from the enclosing class.
for idx, arn in enumerate(
    [
        ses_policy.arn,
        lambda_invoke_policy.arn,
        "arn:aws:iam::aws:policy/AmazonSageMakerFullAccess",  # now idx 2, was idx 1
        s3_policy.arn,
    ]
):
    aws.iam.RolePolicyAttachment(
        f"{self._config.name}-{idx}-app-role-extension",
        args=aws.iam.RolePolicyAttachmentArgs(policy_arn=arn, role=role.id),
        opts=self._opts,
    )
    aws.iam.RolePolicyAttachment(
        f"{self._config.name}-{idx}-scheduler-role-extension",
        args=aws.iam.RolePolicyAttachmentArgs(policy_arn=arn, role=role.id),
        opts=self._opts,
    )
```
This has caused a weird state: Pulumi state shows that the `PolicyAttachment` of `"arn:aws:iam::aws:policy/AmazonSageMakerFullAccess"` exists, but the final IAM role did not have the policy. After changing the order to cause an update, the IAM role gained the policy. And after deploying to another environment the problem was back. What is going on here? Am I being tricked by some async anomaly? Note: `pulumi up` is running in a CI pipeline, do I need to run `pulumi refresh` there as well?
Can our hero @billowy-army-68599 chip in please?
b
Please file a bug, this chat is best effort support
g
Okay, will do. I always ask here before creating issues :)