Attaching the same policy to an AWS role twice, and deleting causes detachment of earlier policy #1980

Open

Description

This is a lost update problem.
This is on the AWS provider, running v1.9.1.

Repro steps:

1. Create a role.
2. Create a policy.
3. Attach the policy to the role using `aws.iam.RolePolicyAttachment`.
4. `pulumi up`: the role is created w/ the policy.
5. Attach the same policy ARN to the role using a second `aws.iam.RolePolicyAttachment`, giving it a different logical name. `pulumi up`: no change to the policy on the role (since it is the same attachment).
6. Now comment out the second attachment. `pulumi up`: the role has no policies on it; the initial policy that is still in the code is also detached from the role.

```typescript
import * as pulumi from "@pulumi/pulumi";
import * as aws from "@pulumi/aws";
import * as awsx from "@pulumi/awsx";

// Create an AWS resource (S3 Bucket)
const bucket = new aws.s3.Bucket("bug-bucket");

const lambdaRole = new aws.iam.Role("bug-role", {
  description: "role that will be assumed by lambda",
  assumeRolePolicy: aws.iam.assumeRolePolicyForPrincipal({
    Service: "lambda.amazonaws.com",
  }),
});

const lambdaRoleBucketAccessPolicy = new aws.iam.Policy("bug-lambda-role-bucket-access", {
  policy: {
    Version: "2012-10-17",
    Statement: [
      {
        Action: ["s3:GetObject"],
        Effect: "Allow",
        Resource: bucket.arn.apply(arn => `${arn}/*`),
      },
    ],
  },
});

const lambdaPolicyAttachment = new aws.iam.RolePolicyAttachment("bug-lambda-role-bucket-attachment", {
  policyArn: lambdaRoleBucketAccessPolicy.arn,
  role: lambdaRole,
});

// STEP1 - run `pulumi up` as is: you will see the role with the policy attachment.
// STEP2 - uncomment the following policy attachment: there is actually no change in the role's policies.
// STEP3 - comment out the following attachment again. BUG: you will see that all attachments are gone.

// const lambdaPolicyAttachment2 = new aws.iam.RolePolicyAttachment(
//   // This is the same policy arn being attached to the same role.
//   "bug-lambda-role-bucket-attachment-2",
//   {
//     policyArn: lambdaRoleBucketAccessPolicy.arn,
//     role: lambdaRole,
//   },
// );

// Export the name of the bucket
export const bucketName = bucket.id;
export const roleName = lambdaRole.id;
```
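Added example, not part of the issue or the Pulumi AWS provider: a pre-deploy check that scans a `pulumi stack export` JSON for two `RolePolicyAttachment` resources claiming the same (role, policyArn) pair, which is the condition that leads to the detachment above. It assumes the exported state shape `deployment.resources[]` with `urn`, `type` and `inputs` fields, and the resource type token shown in the constant.

```typescript
// Assumed (not taken from the issue) Pulumi state type token for the attachment resource.
const ATTACHMENT_TYPE = "aws:iam/rolePolicyAttachment:RolePolicyAttachment";

interface StateResource {
  urn: string;
  type: string;
  inputs?: { role?: string; policyArn?: string };
}

// Groups attachment resources by "role|policyArn" and returns only the groups
// with more than one URN: each such group is one physical IAM attachment that
// two Pulumi resources believe they own, so deleting either resource detaches it.
function findDuplicateAttachments(stackExportJson: string): Record<string, string[]> {
  const doc = JSON.parse(stackExportJson);
  const resources: StateResource[] = (doc && doc.deployment && doc.deployment.resources) || [];
  const byKey: Record<string, string[]> = {};
  for (const r of resources) {
    if (r.type !== ATTACHMENT_TYPE || !r.inputs || !r.inputs.role || !r.inputs.policyArn) continue;
    const key = `${r.inputs.role}|${r.inputs.policyArn}`;
    (byKey[key] = byKey[key] || []).push(r.urn);
  }
  const duplicates: Record<string, string[]> = {};
  for (const key of Object.keys(byKey)) {
    if (byKey[key].length > 1) duplicates[key] = byKey[key];
  }
  return duplicates;
}

// Constructed sample state mirroring the repro: two attachments of one policy to one role.
// Role name, policy ARN and account id are placeholders, not values from the issue.
const SAMPLE_POLICY_ARN = "arn:aws:iam::123456789012:policy/bug-lambda-role-bucket-access-PLACEHOLDER";
const SAMPLE_EXPORT = JSON.stringify({
  version: 3,
  deployment: {
    resources: [
      { urn: "urn:pulumi:dev::bug::aws:iam/role:Role::bug-role", type: "aws:iam/role:Role", inputs: {} },
      { urn: "urn:pulumi:dev::bug::" + ATTACHMENT_TYPE + "::bug-lambda-role-bucket-attachment",
        type: ATTACHMENT_TYPE, inputs: { role: "bug-role-PLACEHOLDER", policyArn: SAMPLE_POLICY_ARN } },
      { urn: "urn:pulumi:dev::bug::" + ATTACHMENT_TYPE + "::bug-lambda-role-bucket-attachment-2",
        type: ATTACHMENT_TYPE, inputs: { role: "bug-role-PLACEHOLDER", policyArn: SAMPLE_POLICY_ARN } },
    ],
  },
});

const found = findDuplicateAttachments(SAMPLE_EXPORT);
for (const key of Object.keys(found)) {
  console.log(`duplicate attachment ${key}:\n  ${found[key].join("\n  ")}`);
}
```

Run it against real state with `pulumi stack export > state.json` and pass the file contents to `findDuplicateAttachments`; a non-empty result means the stack is already in the state the repro describes.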