dotnet Data Sources `Pulumi.Aws.Iam.Invokes` could not resolve Resource `Output<T>`.


Description

Creating an IAM Role and passing its Arn to Pulumi.Aws.Iam.Invokes.GetPolicyDocument throws an exception.

Pulumi.Deployment+InvokeException: Invoke of 'aws:iam/getPolicyDocument:getPolicyDocument' failed: "statement.1.principals.0.identifiers": required field is not set ()

It seems like Pulumi.Aws.Invokes.GetArn also throws an exception for the same kind of error.

Error message

$ pulumi up

Previewing update (dev):
     Type                 Name        Plan     Info
     pulumi:pulumi:Stack  pulumi-dev           'dotnet build -nologo .' completed successfully

     pulumi:pulumi:Stack  pulumi-dev  running..   
     pulumi:pulumi:Stack  pulumi-dev             1 error; 2 messages
     Type                 Name        Plan       Info
 +   └─ aws:iam:Role      role        create

Diagnostics:
  pulumi:pulumi:Stack (pulumi-dev):

    error: Running program 'C:\git\infra\pulumi\bin\Debug\netcoreapp3.0\Infra.dll' failed with an unhandled exception:
    Pulumi.Deployment+InvokeException: Invoke of 'aws:iam/getPolicyDocument:getPolicyDocument' failed: "statement.1.principals.0.identifiers": required field is not set ()
       at Pulumi.Deployment.InvokeAsync[T](String token, ResourceArgs args, InvokeOptions options, Boolean convertResult)
       at Program.<>c.<<Main>b__0_0>d.MoveNext() in C:\git\cysharp\infra\pulumi\Program.cs:line 36
    --- End of stack trace from previous location where exception was thrown ---
       at Pulumi.Stack.RunInitAsync(Func`1 init)
       at Pulumi.Output`1.GetValueAsync()
       at Pulumi.Deployment.RegisterResourceOutputsAsync(Resource resource, Output`1 outputs)
       at Pulumi.Deployment.Runner.WhileRunningAsync()

Minimal reproduction

using System.Collections.Generic;
using System.Threading.Tasks;
using Pulumi;
using Pulumi.Aws.Iam;
using Pulumi.Aws.Iam.Inputs;

class Program
{
    static Task<int> Main()
    {
        return Deployment.RunAsync(async () =>
        {
            var policy = await Pulumi.Aws.Iam.Invokes.GetPolicyDocument(new GetPolicyDocumentArgs
            {
                Statements = new[] {
                    new GetPolicyDocumentStatementsArgs
                    {
                        Actions = "sts:AssumeRole",
                        Effect = "Allow",
                        Principals = new GetPolicyDocumentStatementsPrincipalsArgs
                        {
                            Type = "Service",
                            Identifiers = "ec2.amazonaws.com",
                        }
                    },
                },
            });
            var role = new Pulumi.Aws.Iam.Role($"role", new RoleArgs
            {
                AssumeRolePolicy = policy.Json,
            });

            var assumepolicy = await Pulumi.Aws.Iam.Invokes.GetPolicyDocument(new GetPolicyDocumentArgs
            {
                Statements = new[] {
                    new GetPolicyDocumentStatementsArgs
                    {
                        Actions = "sts:AssumeRole",
                        Effect = "Allow",
                        Principals = new GetPolicyDocumentStatementsPrincipalsArgs
                        {
                            Type = "Service",
                            Identifiers = "ec2.amazonaws.com",
                        }
                    },
                    new GetPolicyDocumentStatementsArgs
                    {
                        Actions = "sts:AssumeRole",
                        Effect = "Allow",
                        Principals = new GetPolicyDocumentStatementsPrincipalsArgs
                        {
                            Type = "AWS",
                            // throws exception here!
                            Identifiers = role.Arn,
                        }
                    }
                }
            });

            return new Dictionary<string, object>
            {
                { "arn", role.Arn },
                { "assumepolicy", assumepolicy.Json },
            };
        });
    }
}

Workaround

The issue happens only when the Role has not been created before. You can avoid it with the following steps.

  1. Create the role first, run pulumi up and execute the change. (Comment out the Data Sources var assumepolicy section.)
  2. Add the Data Source and pass Output<T> Role.Arn to InputList<T> Identifiers.
  3. pulumi up runs successfully and GetPolicyDocumentResult will be resolved as expected.

Expected behavior

The Data Source waits for the Resource Output<T> and resolves the dependency.

Actual behavior

An exception happens when a Data Source Input<T> receives a Resource's Output<T> while the Resource is not yet created.

Terraform actually can resolve this resource -> data dependency. This enables me to create an IAM Document with a Role Arn restriction without considering the resource -> data dependency.

data "aws_iam_policy_document" "main" {
  statement {
    actions = ["sts:AssumeRole"]
    principals {
      type        = "Service"
      identifiers = ["ec2.amazonaws.com"]
    }
  }
}
resource "aws_iam_role" "main" {
  name               = var.name
  assume_role_policy = data.aws_iam_policy_document.main.json
}
data "aws_iam_policy_document" "eks_kube2iam_role_assumerole_policy" {
  statement {
    actions = ["sts:AssumeRole"]
    effect  = "Allow"
    principals {
      identifiers = ["ec2.amazonaws.com"]
      type        = "Service"
    }
  }
  statement {
    actions = ["sts:AssumeRole"]
    effect  = "Allow"
    principals {
      identifiers = [aws_iam_role.main.arn]
      type        = "AWS"
    }
  }
}

Issue Analytics

  • State: closed
  • Created 4 years ago
  • Comments: 7 (5 by maintainers)

Top GitHub Comments

1 reaction
CyrusNajmabadi commented, Nov 20, 2019

@mikhailshilkov is doing the codegen change. I’m making the change to the core .NET Pulumi SDK to work here.

1 reaction
pgavlin commented, Nov 20, 2019

I believe that this is occurring because we expect all inputs to an invoke to be fully-resolved. As such, it would appear that we’ve mistyped the Identifiers field of GetPolicyDocumentStatementsPrincipalsArgs: rather than an InputList<T>, it should be an ImmutableArray<T>.

You should be able to make this work by invoking the data source inside an Apply, which looks something like this:

            var assumepolicy = role.Arn.Apply(roleArn => Pulumi.Aws.Iam.Invokes.GetPolicyDocument(new GetPolicyDocumentArgs
            {
                Statements = new[] {
                    new GetPolicyDocumentStatementsArgs
                    {
                        Actions = "sts:AssumeRole",
                        Effect = "Allow",
                        Principals = new GetPolicyDocumentStatementsPrincipalsArgs
                        {
                            Type = "Service",
                            Identifiers = "ec2.amazonaws.com",
                        }
                    },
                    new GetPolicyDocumentStatementsArgs
                    {
                        Actions = "sts:AssumeRole",
                        Effect = "Allow",
                        Principals = new GetPolicyDocumentStatementsPrincipalsArgs
                        {
                            Type = "AWS",
                            Identifiers = roleArn,
                        }
                    }
                }
            }));

cc @CyrusNajmabadi @MIkhailShilkov
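
An added example, not part of the issue thread or of Pulumi's own code: a different way to satisfy the "inputs must be fully resolved" constraint described above, which serializes the second policy document with System.Text.Json inside Apply instead of calling the data source. The `TrustPolicy` helper is hypothetical; the Pulumi type names are the ones used in the issue's SDK version.

```csharp
using System.Collections.Generic;
using System.Text.Json;
using System.Threading.Tasks;
using Pulumi;
using Pulumi.Aws.Iam;
using Pulumi.Aws.Iam.Inputs;

class Program
{
    // Hypothetical helper: takes the role ARN as a plain string, so the
    // document is only built once the ARN is actually known.
    static string TrustPolicy(string roleArn) => JsonSerializer.Serialize(new
    {
        Version = "2012-10-17",
        Statement = new object[]
        {
            new { Effect = "Allow", Action = "sts:AssumeRole",
                  Principal = new { Service = "ec2.amazonaws.com" } },
            new { Effect = "Allow", Action = "sts:AssumeRole",
                  Principal = new { AWS = roleArn } },
        },
    });

    static Task<int> Main() => Deployment.RunAsync(async () =>
    {
        // No Output<T> among these inputs, so the invoke can run directly.
        var policy = await Pulumi.Aws.Iam.Invokes.GetPolicyDocument(new GetPolicyDocumentArgs
        {
            Statements = new[] {
                new GetPolicyDocumentStatementsArgs
                {
                    Actions = "sts:AssumeRole",
                    Effect = "Allow",
                    Principals = new GetPolicyDocumentStatementsPrincipalsArgs
                    { Type = "Service", Identifiers = "ec2.amazonaws.com" },
                },
            },
        });
        var role = new Role("role", new RoleArgs { AssumeRolePolicy = policy.Json });

        // Output<string>: the callback runs only after role.Arn has resolved.
        var assumepolicy = role.Arn.Apply(arn => TrustPolicy(arn));

        return new Dictionary<string, object>
        {
            { "arn", role.Arn },
            { "assumepolicy", assumepolicy },
        };
    });
}
```

Because `assumepolicy` is an `Output<string>` here, it can be exported or passed to another resource's `Input<string>` property, but its value cannot be read synchronously.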
