great-sunset-355
12/08/2022, 10:24 AM
{
"Statement": [
{
"Action": "ssm:DescribeParameters",
"Effect": "Allow",
"Resource": "*"
},
{
"Action": [
"*"
],
"Condition": {
"StringEquals": {
"aws:ResourceTag/pulumi_project": "sandbox",
"aws:ResourceTag/pulumi_stack": "dev",
"aws:ResourceTag/tier": "dev"
}
},
"Effect": "Allow",
"Resource": "*"
},
{
"Action": [
"*"
],
"Condition": {
"StringEquals": {
"aws:RequestTag/pulumi_project": "sandbox",
"aws:RequestTag/pulumi_stack": "dev",
"aws:RequestTag/tier": "dev"
}
},
"Effect": "Allow",
"Resource": "*"
},
],
"Version": "2012-10-17"
}
and my pulumi code is deploying SSM parameters
// Creates one SSM parameter per connection setting for each of the three role
// entries (ro, rw, mig) and collects { name, arn } pairs for them.
// NOTE(review): the snippet is truncated in the post; the outer .map() callback
// is not closed within the visible lines.
const dbParams = [
{ role: ro, type: "ro", endpoint: args.masterHostReadOnly },
{ role: rw, type: "rw", endpoint: args.masterHost },
{ role: mig, type: "mig", endpoint: args.masterHost },
].map(({ role, type, endpoint }) => {
// Path prefix shared by every parameter created for this role type.
const ssmPrefix = `ecs/${namespace}/db/${clusterName}/${type}`;
return [
{ name: "pguser", value: role.name },
{ name: "pgpassword", value: role.password },
{ name: "pghost", value: endpoint },
{ name: "pgdatabase", value: db.name },
{ name: "pgport", value: DefaultPort.toString() },
{ name: "pgssl", value: "true" },
].map((p) => {
// One aws.ssm.Parameter per setting, parented to the role resource.
const param = new aws.ssm.Parameter(
// replace() with a string pattern only swaps the first "/"; none of the
// names listed above contain one.
rcName(`${type}-${p.name.replace("/", "-")}`),
{
// Parameter path; the databaseName prefix is left out when databaseName is "service".
name: `/${ssmPrefix}/${databaseName === "service" ? "" : `${databaseName}_`}${p.name}`,
// Every setting, including non-secret ones such as pgport, is stored as a SecureString.
type: "SecureString",
// Resolve the (possibly Output) value and abort if it is falsy, so an empty
// host or password is never written. This is the check that raises
// "Missing value ... pghost" when `endpoint` resolves to an empty value.
value: pulumi.output(p.value).apply(
(v) => {
if (!v)
throw Error(`Missing value for RdsClusterDatabase parameter: ${p.name}`);
return `${v}`;
}
),
// NOTE(review): under the tag-conditioned IAM policy shown on this page, these
// tags are the only thing authorizing the create call (aws:RequestTag) and the
// read-back via ssm:GetParameter (aws:ResourceTag). `tags` is defined outside
// this snippet; confirm it carries pulumi_project, pulumi_stack and tier with
// the values the policy expects. An AccessDenied on the read that disappears
// on the next run is consistent with the tag condition being evaluated before
// the new parameter's tags are visible; treat that as an assumption and check
// the denied call in CloudTrail. Granting ssm:GetParameter by parameter ARN
// path instead of by tag alone would remove that dependency.
tags,
},
{ parent: role }
)
// Expose the upper-cased setting name together with the parameter's ARN.
return {name: p.name.toUpperCase(), arn:param.arn}
});
However sometimes during the initial deployment one or more parameters fail with error
error reading SSM Parameter (/ecs/main/db/sandbox/ro/pguser): AccessDeniedException: User: arn:aws:sts::<accountId>:assumed-role/pulumi-ci-sandbox-role/dev-jan-Session is not authorized to perform: ssm:GetParameter on resource: arn:aws:ssm:eu-central-1:<accountId>:parameter/ecs/main/db/sandbox/ro/pguser because no identity-based policy allows the ssm:GetParameter action
status code: 400, request id: 30c9a9dd-23af-4bb5-b4e7-a6801667db51
then the second run of pulumi up
just works
Other times the error is triggered inside apply
Error: Missing value for RdsClusterDatabase parameter: pghost
Can anyone tell me how to debug this?