great-sunset-355
05/06/2022, 7:22 AM
rolePolicyAttachment:RolePolicyAttachment
I had a role assigned to 2 ECS tasks and it had 3 policy attachments
import pulumi_aws as aws

role = aws.iam.Role("role")  # dummy role (trust policy omitted in this snippet)

# The attachment resource names are built from the list index, so the position
# of each ARN in this list decides which named attachment resource it belongs to.
for idx, arn in enumerate(
    [
        "arn:aws:iam::aws:policy/AmazonSESFullAccess",
        "arn:aws:iam::aws:policy/AmazonSageMakerFullAccess",
        "arn:aws:iam::aws:policy/AmazonS3FullAccess",
    ]
):
    # self._config.name and self._opts come from the enclosing component (not shown)
    aws.iam.RolePolicyAttachment(
        f"{self._config.name}-{idx}-app-role-extension",
        args=aws.iam.RolePolicyAttachmentArgs(policy_arn=arn, role=role.id),
        opts=self._opts,
    )
    aws.iam.RolePolicyAttachment(
        f"{self._config.name}-{idx}-scheduler-role-extension",
        args=aws.iam.RolePolicyAttachmentArgs(policy_arn=arn, role=role.id),
        opts=self._opts,
    )
Later on I decided to add 1 more Policy attachment and limit some Full access policies to necessary permissions.
import pulumi_aws as aws

role = aws.iam.Role("role")  # dummy role (trust policy omitted in this snippet)

# Customer-managed policies; the scoped-down policy documents are omitted here
ses_policy = aws.iam.Policy("ses-pol")
s3_policy = aws.iam.Policy("s3-pol")
lambda_invoke_policy = aws.iam.Policy("lambda-pol")

# Same index-based naming as before: the list is now longer and in a different
# order, so the index -> ARN mapping of the named attachments has changed.
for idx, arn in enumerate(
    [
        ses_policy.arn,
        lambda_invoke_policy.arn,
        "arn:aws:iam::aws:policy/AmazonSageMakerFullAccess",
        s3_policy.arn,
    ]
):
    # self._config.name and self._opts come from the enclosing component (not shown)
    aws.iam.RolePolicyAttachment(
        f"{self._config.name}-{idx}-app-role-extension",
        args=aws.iam.RolePolicyAttachmentArgs(policy_arn=arn, role=role.id),
        opts=self._opts,
    )
    aws.iam.RolePolicyAttachment(
        f"{self._config.name}-{idx}-scheduler-role-extension",
        args=aws.iam.RolePolicyAttachmentArgs(policy_arn=arn, role=role.id),
        opts=self._opts,
    )
This has caused a weird state: the Pulumi state shows that the PolicyAttachment
of "arn:aws:iam::aws:policy/AmazonSageMakerFullAccess" exists, but the final IAM role did not have the policy.
After changing the order to cause an update, the IAM role gained the policy. And after deploying to another environment the problem was back.
What is going on here? Am I being tricked by some async anomaly?
Note: pulumi up is running in a CI pipeline; do I need to run pulumi refresh there as well?
billowy-army-68599
05/07/2022, 2:17 PM
great-sunset-355
05/07/2022, 4:35 PM