great-sunset-355
12/08/2022, 10:24 AM
{
"Statement": [
{
"Action": "ssm:DescribeParameters",
"Effect": "Allow",
"Resource": "*"
},
{
"Action": [
"*"
],
"Condition": {
"StringEquals": {
"aws:ResourceTag/pulumi_project": "sandbox",
"aws:ResourceTag/pulumi_stack": "dev",
"aws:ResourceTag/tier": "dev"
}
},
"Effect": "Allow",
"Resource": "*"
},
{
"Action": [
"*"
],
"Condition": {
"StringEquals": {
"aws:RequestTag/pulumi_project": "sandbox",
"aws:RequestTag/pulumi_stack": "dev",
"aws:RequestTag/tier": "dev"
}
},
"Effect": "Allow",
"Resource": "*"
},
],
"Version": "2012-10-17"
}
and my pulumi code is deploying SSM parameters
// Creates one set of SSM connection parameters per database role (ro / rw / mig).
// The "ro" entry points at args.masterHostReadOnly; "rw" and "mig" both use args.masterHost.
// NOTE(review): this excerpt is truncated. The outer .map callback opened below is
// never closed, and no return for it is visible in the lines shown.
const dbParams = [
{ role: ro, type: "ro", endpoint: args.masterHostReadOnly },
{ role: rw, type: "rw", endpoint: args.masterHost },
{ role: mig, type: "mig", endpoint: args.masterHost },
].map(({ role, type, endpoint }) => {
// Path prefix shared by all parameters of this role type.
const ssmPrefix = `ecs/${namespace}/db/${clusterName}/${type}`;
return [
{ name: "pguser", value: role.name },
// Credential material. Presumably role.password is a Pulumi secret output, so that
// it stays encrypted in state after the apply() below; verify at its definition.
{ name: "pgpassword", value: role.password },
{ name: "pghost", value: endpoint },
{ name: "pgdatabase", value: db.name },
{ name: "pgport", value: DefaultPort.toString() },
{ name: "pgssl", value: "true" },
].map((p) => {
const param = new aws.ssm.Parameter(
// replace() with a string pattern rewrites only the first "/"; none of the
// names listed above contains one.
rcName(`${type}-${p.name.replace("/", "-")}`),
{
// The parameter name gets a "<databaseName>_" prefix unless databaseName is "service".
name: `/${ssmPrefix}/${databaseName === "service" ? "" : `${databaseName}_`}${p.name}`,
// Every value, not only pgpassword, is stored as a SecureString.
type: "SecureString",
value: pulumi.output(p.value).apply(
(v) => {
// Rejects any falsy resolved value (undefined, null, "", 0), not just a missing one.
// The "Missing value ... pghost" error quoted after this snippet is raised here, so
// the endpoint resolved to a falsy value; the reason is not visible in this excerpt.
if (!v)
throw Error(`Missing value for RdsClusterDatabase parameter: ${p.name}`);
return `${v}`;
}
),
// `tags` is defined outside this excerpt. Under the policy shown with this post, both
// the create (aws:RequestTag) and any later read (aws:ResourceTag) are authorized only
// when pulumi_project, pulumi_stack and tier carry the expected values. Confirm this
// object supplies all three.
// NOTE(review): the intermittent AccessDenied on ssm:GetParameter is consistent with the
// read-back happening before the new parameter's tags are visible to authorization; to
// be confirmed. An explicit Allow for the needed ssm actions scoped to the parameter
// path would not depend on tag timing.
tags,
},
{ parent: role }
)
// Expose the upper-cased parameter name together with the parameter's ARN.
return {name: p.name.toUpperCase(), arn:param.arn}
});
However sometimes during the initial deployment one or more parameters fail with error
error reading SSM Parameter (/ecs/main/db/sandbox/ro/pguser): AccessDeniedException: User: arn:aws:sts::<accountId>:assumed-role/pulumi-ci-sandbox-role/dev-jan-Session is not authorized to perform: ssm:GetParameter on resource: arn:aws:ssm:eu-central-1:<accountId>:parameter/ecs/main/db/sandbox/ro/pguser because no identity-based policy allows the ssm:GetParameter action
status code: 400, request id: 30c9a9dd-23af-4bb5-b4e7-a6801667db51
then the second run of `pulumi up` just works
Other times the error is triggered inside apply
Error: Missing value for RdsClusterDatabase parameter: pghost
Can anyone tell me how to debug this?