Description
This is a lost update problem.
This is on the AWS provider, running v1.9.1.
Repro Steps:
1- Create a role
2- Create a policy
3- attach the policy to the role using aws.iam.RolePolicyAttachment
4- pulumi up
: role is created w/ policy
5 - attach the same policy ARN to the role using a second aws.iam.RolePolicyAttachment with a different logical name. pulumi up
: no change on the policy on the role (since it is the same attachment)
6 - Now, comment out the second attachment. pulumi up
: the role has no policies on it; the initial policy, whose attachment is still in the code, has also been detached from the role.
import * as pulumi from "@pulumi/pulumi";
import * as aws from "@pulumi/aws";
import * as awsx from "@pulumi/awsx";
// Create an AWS resource (S3 Bucket) that the role below is granted read access to.
const bugBucket = new aws.s3.Bucket("bug-bucket");

// Execution role for a Lambda function; the policy attachments further down are
// what this repro exercises.
const lambdaExecRole = new aws.iam.Role("bug-role", {
  description: "role that will be assumed by lambda",
  assumeRolePolicy: aws.iam.assumeRolePolicyForPrincipal({
    Service: "lambda.amazonaws.com",
  }),
});

// Least-privilege read policy: s3:GetObject on objects in the bucket only,
// not on the bucket itself or any other resource.
const bucketReadPolicy = new aws.iam.Policy(`bug-lambda-role-bucket-access`, {
  policy: {
    Version: "2012-10-17",
    Statement: [
      {
        Action: ["s3:GetObject"],
        Effect: "Allow",
        Resource: pulumi.interpolate`${bugBucket.arn}/*`,
      },
    ],
  },
});

// Attachment #1 of the read policy to the role. A RolePolicyAttachment for the
// same (role, policyArn) pair appears to resolve to this same physical
// attachment in IAM (STEP2 below produces no change), which is what makes the
// STEP3 deletion take this attachment down with it.
const primaryAttachment = new aws.iam.RolePolicyAttachment(`bug-lambda-role-bucket-attachment`, {
  policyArn: bucketReadPolicy.arn,
  role: lambdaExecRole,
});

// STEP1 - run `pulumi up` as is: you will see the role with policy attachment
// STEP2 - uncomment the following policy attachment: there actually is no change in role policy
// STEP3 - comment the following attachment again. BUG: you will see that all attachments are gone.
//         Outcome: the role loses the permission while the program (and presumably the stack
//         state) still declares attachment #1 - declared and actual IAM permissions have drifted.
// const secondaryAttachment = new aws.iam.RolePolicyAttachment(
//   // This is the same policy arn being attached to the same role.
//   `bug-lambda-role-bucket-attachment-2`,
//   {
//     policyArn: bucketReadPolicy.arn,
//     role: lambdaExecRole,
//   },
// );

// Export the name of the bucket and the role so they can be inspected after each step
export const bucketName = bugBucket.id;
export const roleName = lambdaExecRole.id;