Open dead10ck opened 7 months ago
Thanks for the bug report @dead10ck. This provider is designed to faithfully reflect the CloudControl API, but unfortunately, that means we get its quirks as well, like these mutually recursive attachment properties.
AWS IAM is not the only offender of this type, so we do hope to be able to offer a general solution for these in the future, but in the meantime, the best workaround is to ignoreChanges for the attachment property on either the Role or the Policy (whichever is defined first in your program), and rely exclusively on the attachment property of the second resource created.
Thanks, I figured that would be the workaround, but felt this was an issue worth tracking.
I get staying as close as possible to the API for the sake of maintainability, but my two cents are that sometimes the user experience has to win. This is a clear footgun for new users, and a quirk that any given Pulumi user would have to quickly learn.
I'd suggest at least putting a warning in the documentation until the interaction is fixed in a better way.
What happened?
When making an `aws-native:iam:Role` and an `aws-native:iam:ManagedPolicy` resource to attach to the former, the Role resource has a `managedPolicyArns` input property to set the role's attached policies. But the managed policy resource also has a `roles` resource to attach the policy to a role. One cannot set both because this would create a circular dependency: either the policy must be created first or the role.
But when the state is applied, since the attachments are missing from one end or another, the plan always wants to detach the policies — either because the roles are missing from the policies, or the policies are missing from the role.
This makes it impossible to manage IAM resources without explicitly ignoring changes to one of the resource types' respective input property.
Honestly I think attachments should just be a different resource type, just like they are in Terraform. But barring this, it should not be possible to do it at both ends: either attachments should be done on the role resource or the managed policies, but not both.
Example
Output of `pulumi about`
Additional context
No response
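A Pulumi YAML program that applies the workaround the maintainer describes above: the Role is defined first and ignores drift on `managedPolicyArns`, and the ManagedPolicy defined second owns the attachment through its `roles` property. This is an added example, not code from the issue or from the pulumi-aws-native project; the resource names, the Lambda trust policy, and the S3 permission are assumed for illustration.

```yaml
# Pulumi.yaml (assumed project layout; names and policies are illustrative)
name: iam-attachment-workaround
runtime: yaml
description: Avoid the managedPolicyArns/roles detach loop in aws-native IAM

resources:
  # Defined first: deliberately does NOT set managedPolicyArns.
  # After appPolicy attaches itself, a refresh reads the attachment back onto
  # this role; ignoreChanges stops the next plan from trying to detach it.
  appRole:
    type: aws-native:iam:Role
    properties:
      roleName: example-app-role
      assumeRolePolicyDocument:
        Version: "2012-10-17"
        Statement:
          - Effect: Allow
            Principal:
              Service: lambda.amazonaws.com
            Action: sts:AssumeRole
    options:
      ignoreChanges:
        - managedPolicyArns

  # Defined second: this end exclusively owns the attachment via `roles`.
  appPolicy:
    type: aws-native:iam:ManagedPolicy
    properties:
      managedPolicyName: example-app-policy
      policyDocument:
        Version: "2012-10-17"
        Statement:
          - Effect: Allow
            Action:
              - s3:GetObject
            Resource: arn:aws:s3:::example-bucket/*
      roles:
        - ${appRole.roleName}

outputs:
  roleArn: ${appRole.arn}
  policyArn: ${appPolicy.policyArn}
```

Run `pulumi up` once to create both resources, then `pulumi refresh` followed by a second `pulumi up`: with `ignoreChanges` on the Role the second plan should show no detach diff, whereas without it the refreshed `managedPolicyArns` would be compared against the program's empty value and the plan would try to remove the attachment. If the Policy is the resource defined first in your program instead, move the `ignoreChanges` to its `roles` property and set `managedPolicyArns` on the Role.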