Hi I am experiencing weird behaviour I have an IAM policy like this ```{ "Statement": [ ...

great-sunset-355

12/08/2022, 10:24 AM

Hi I am experiencing weird behaviour I have an IAM policy like this

Copy code

{
    "Statement": [
        {
            "Action": "ssm:DescribeParameters",
            "Effect": "Allow",
            "Resource": "*"
        },
        {
            "Action": [
                "*"
            ],
            "Condition": {
                "StringEquals": {
                    "aws:ResourceTag/pulumi_project": "sandbox",
                    "aws:ResourceTag/pulumi_stack": "dev",
                    "aws:ResourceTag/tier": "dev"
                }
            },
            "Effect": "Allow",
            "Resource": "*"
        },
        {
            "Action": [
                "*"
            ],
            "Condition": {
                "StringEquals": {
                    "aws:RequestTag/pulumi_project": "sandbox",
                    "aws:RequestTag/pulumi_stack": "dev",
                    "aws:RequestTag/tier": "dev"
                }
            },
            "Effect": "Allow",
            "Resource": "*"
        },
    ],
    "Version": "2012-10-17"
}

and my pulumi code is deploying SSM parameters

Copy code

const dbParams = [
      { role: ro, type: "ro", endpoint: args.masterHostReadOnly },
      { role: rw, type: "rw", endpoint: args.masterHost },
      { role: mig, type: "mig", endpoint: args.masterHost },
    ].map(({ role, type, endpoint }) => {
      const ssmPrefix = `ecs/${namespace}/db/${clusterName}/${type}`;

      return [
        { name: "pguser", value: role.name },
        { name: "pgpassword", value: role.password },
        { name: "pghost", value: endpoint },
        { name: "pgdatabase", value: db.name },
        { name: "pgport", value: DefaultPort.toString() },
        { name: "pgssl", value: "true" },
      ].map((p) => {
        const param = new aws.ssm.Parameter(
          rcName(`${type}-${p.name.replace("/", "-")}`),
          {
            name: `/${ssmPrefix}/${databaseName === "service" ? "" : `${databaseName}_`}${p.name}`,
            type: "SecureString",
            value: pulumi.output(p.value).apply(
              (v) => {
              if (!v)
                throw Error(`Missing value for RdsClusterDatabase parameter: ${p.name}`);
              return `${v}`;
            }
            ),
            tags,
          },
          { parent: role }
        )
        return {name: p.name.toUpperCase(), arn:param.arn}
      });

However sometimes during the initial deployment one or more parameters fail with error

Copy code

error reading SSM Parameter (/ecs/main/db/sandbox/ro/pguser): AccessDeniedException: User: arn:aws:sts::<accounted>:assumed-role/pulumi-ci-sandbox-role/dev-jan-Session is not authorized to perform: ssm:GetParameter on resource: arn:aws:ssm:eu-central-1:<accountId>:parameter/ecs/main/db/sandbox/ro/pguser because no identity-based policy allows the ssm:GetParameter action
        status code: 400, request id: 30c9a9dd-23af-4bb5-b4e7-a6801667db51

then the second run of

pulumi up

just works Other times the error is triggered inside

apply

Error: Missing value for RdsClusterDatabase parameter: pghost

Can anyone tell me how to debug this?

2 Views

Open in Slack

Previous Next

Pulumi Community

No matter how you like to participate in developer communities, Pulumi wants to meet you there. If you want to meet other Pulumi users to share use-cases and best practices, contribute code or documentation, see us at an event, or just tell a story about something cool you did with Pulumi, you are part of our community.