https://pulumi.com logo
Powered by
Title
g

great-sunset-355

05/06/2022, 7:22 AM
Hi I think I hit some weird bug with 
rolePolicyAttachment:RolePolicyAttachment
I had a role assigned to 2 ECS tasks and it had 3 policy attachments 
import pulumi_aws as aws

role = iam.Role("role")  # dummy role

for idx, arn in enumerate(
        [
            "arn:aws:iam::aws:policy/AmazonSESFullAccess",
            "arn:aws:iam::aws:policy/AmazonSageMakerFullAccess",
            "arn:aws:iam::aws:policy/AmazonS3FullAccess",
        ]
    ):
        aws.iam.RolePolicyAttachment(
            f"{self._config.name}-{idx}-app-role-extension",
            args=aws.iam.RolePolicyAttachmentArgs(policy_arn=arn, role=role.id),
            opts=self._opts,
        )
        aws.iam.RolePolicyAttachment(
            f"{self._config.name}-{idx}-scheduler-role-extension",
            args=aws.iam.RolePolicyAttachmentArgs(
                policy_arn=arn, role=role.id
            ),
            opts=self._opts,
        )
Later on I decided to add 1 more Policy attachment and limit some Full access policies to necessary permissions. 
import pulumi_aws as aws

role = iam.Role("role")  # dummy role
ses_policy = aws.iam.Policy("ses-pol")
s3_policy = aws.iam.Policy("s3-pol")
lambda_invoke_policy = aws.iam.Policy("lambda-pol")

for idx, arn in enumerate(
        [
            ses_policy.arn,
            lambda_invoke_policy.arn,
            "arn:aws:iam::aws:policy/AmazonSageMakerFullAccess",
            s3_policy.arn,
        ]
    ):
        aws.iam.RolePolicyAttachment(
            f"{self._config.name}-{idx}-app-role-extension",
            args=aws.iam.RolePolicyAttachmentArgs(policy_arn=arn, role=role.id),
            opts=self._opts,
        )
        aws.iam.RolePolicyAttachment(
            f"{self._config.name}-{idx}-scheduler-role-extension",
            args=aws.iam.RolePolicyAttachmentArgs(
                policy_arn=arn, role=role.id
            ),
            opts=self._opts,
        )
This has caused a weird state, that Pulumi state shows that the 
PolicyAttachment
of 
"arn:aws:iam::aws:policy/AmazonSageMakerFullAccess",
exists but the final IAM role did not have the policy. After changing the order to cause an update, IAM role gained the policy. And after deploying to another environment the problem was back. What is going on here? Am I being tricked by some async anomaly? Note: 
pulumi up
is running in a CI pipeline, do I need to run 
pulumi refresh
there as well?
Can our hero @billowy-army-68599 chip in please?
b

billowy-army-68599

05/07/2022, 2:17 PM
Please file a bug, this chat is best effort support
g

great-sunset-355

05/07/2022, 4:35 PM
Okay, will do. I always ask here before creating issues :)
#pythonJoin Slack
Powered by