Open graeson opened 2 years ago
Given the second one works, I suspect an eventual consistency issue and could be due to upstream. As a potential workaround, you could try something along the lines of `access_role_arn = role.arn.apply(lambda arn: time.sleep(10) or arn)`
I tried using `time.sleep(10)` as per your suggestion and it worked on first pass. Just out of curiosity, I experimented with increasingly lower sleep times and it works consistently with `time.sleep(4)`. With 3 seconds it fails intermittently and with 2 seconds it fails consistently. Thanks for your help @leezen!
@graeson Thanks for confirming. That's unfortunate that this does indicate an issue w/ the underlying upstream code resulting in the workaround, but at least it sounds like you're unblocked for now. I'm going to change the title of this issue to reflect that new understanding and keep the issue open for tracking.
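The fixed sleep discussed above is a guess at IAM propagation time (4 s worked, 3 s was flaky). As an added example that is not code from this thread or from Pulumi, the helper below keeps that empirical floor but then polls a caller-supplied probe with capped backoff and a hard timeout, so a deploy fails loudly instead of silently racing. `wait_until_consistent`, `gate_arn_on_consistency` (a drop-in for the lambda inside `role.arn.apply(...)`), `FakeClock` and what the probe checks are all assumptions; a successful IAM read still does not prove propagation to App Runner, which is why the floor delay is kept.

```python
import time
from typing import Callable, List

def wait_until_consistent(probe: Callable[[], bool], *, min_delay_s: float = 0.0,
                          timeout_s: float = 60.0, base_delay_s: float = 1.0,
                          max_delay_s: float = 8.0,
                          sleep: Callable[[float], None] = time.sleep,
                          clock: Callable[[], float] = time.monotonic) -> int:
    """Hypothetical helper: sleep a floor (`min_delay_s`, the delay the thread
    found empirically), then poll `probe` with capped exponential backoff.
    Returns the number of probe calls; raises TimeoutError when `timeout_s`
    is exhausted. `sleep`/`clock` are injectable so tests need no real waits."""
    start = clock()
    if min_delay_s > 0:
        sleep(min_delay_s)
    delay = base_delay_s
    attempts = 0
    while True:
        attempts += 1
        if probe():
            return attempts
        elapsed = clock() - start
        if elapsed + delay > timeout_s:  # give up loudly instead of guessing a delay
            raise TimeoutError(f"not consistent after {attempts} probes / {elapsed:.0f}s")
        sleep(delay)
        delay = min(delay * 2, max_delay_s)

def gate_arn_on_consistency(arn: str, probe_for_arn: Callable[[str], bool], **kw) -> str:
    """Hypothetical replacement for the lambda inside `role.arn.apply(...)`:
    yields the ARN only once `probe_for_arn(arn)` (e.g. an IAM read) succeeds."""
    wait_until_consistent(lambda: probe_for_arn(arn), **kw)
    return arn

class FakeClock:
    """Test double: records requested sleeps and advances a virtual clock."""

    def __init__(self) -> None:
        self.now = 0.0
        self.sleeps: List[float] = []

    def sleep(self, seconds: float) -> None:
        self.sleeps.append(seconds)
        self.now += seconds

    def clock(self) -> float:
        return self.now
```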
For anyone using Terraform stumbling across this: Same thing happens with Terraform's AWS provider. Creating the access role and immediately creating the service afterwards results in that same error. I've successfully used this provider to introduce this artificial delay between those two resources: https://registry.terraform.io/providers/hashicorp/time/latest/docs/resources/sleep
While creating the role and the App Runner service in the same tf file, I think it gets an error because the App Runner service is created before all the definitions of the role are in place. I solved it with sleep too. I solved it as follows. The duration can be changed. However, I set it to 60 sec.
```hcl
resource "aws_iam_role" "myrole" {
  name = "myrole"
  assume_role_policy = jsonencode({
    "Version" : "2012-10-17",
    "Statement" : [
      {
        "Effect" : "Allow",
        "Principal" : { "Service" : "build.apprunner.amazonaws.com" },
        "Action" : "sts:AssumeRole"
      }
    ]
  })
}

resource "aws_iam_role_policy_attachment" "myrolepolicy" {
  role       = aws_iam_role.myrole.id
  policy_arn = "arn:aws:iam::aws:policy/service-role/AWSAppRunnerServicePolicyForECRAccess"
}

# Artificial delay so the service is created only after the role exists.
# Note: depends_on waits on the role, not on the policy attachment above.
resource "time_sleep" "waitrolecreate" {
  depends_on      = [aws_iam_role.myrole]
  create_duration = "60s"
}

resource "aws_apprunner_service" "my-app-runner" {
  depends_on   = [time_sleep.waitrolecreate]
  service_name = "my-app-runner"
  # ...
}
```
Hello!

Issue details

I am trying to deploy a container image from a private AWS ECR repository to AWS App Runner using Pulumi. The Pulumi code only creates two resources: an IAM role and an App Runner service. On first execution of `pulumi up` the IAM role is created successfully, but App Runner throws an error stating it can't assume the role. On second execution of `pulumi up` the service assumes the role, downloads from ECR and deploys to App Runner successfully. To diagnose the issue, I looked through Pulumi output generated with `pulumi up --logtostderr -v=9 2> out.txt` and CloudTrail logs, but was not able to find any additional information about root cause. As a sanity check, I tried recreating the same resources using CloudFormation and it works without issue. Finally, I tried using `opt` to explicitly establish a `dependsOn` between the service and role, but that didn't make a difference.

Steps to reproduce

1. Set `image_identifier` to a valid ECR image URI
2. `pulumi up` to see error
3. `pulumi up` again to deploy successfully

Expected: App Runner to assume the IAM role, download image from ECR and deploy to App Runner on the first execution of `pulumi up`.

Actual: App Runner was unable to assume IAM role on first `pulumi up` and failed with "InvalidRequestException: Error in assuming access role". On second execution of `pulumi up` I get the expected behavior.