Docs - Provide instructions for correcting resource dependencies during aws.s3.Bucket -> aws.s3.BucketV2 migration #5131

Open
fabien-github opened this issue Jan 20, 2025 · 7 comments
Assignees
Labels
impact/usability Something that impacts users' ability to use the product easily and intuitively kind/question Questions about existing features

Comments

@fabien-github

File: themes/default/content//registry/packages/aws/how-to-guides/bucketv2-migration

Hi,

During the migration from aws.s3.Bucket to aws.s3.BucketV2, I was blocked by dependencies during the removal of the bucket from state:

```
pulumi state delete "urn:pulumi:dev::sandbox::aws:s3/bucket:Bucket::testing1234567-bucket"
warning: This command will edit your stack's state directly. Confirm? Yes

error: urn:pulumi:dev::sandbox::aws:s3/bucket:Bucket::testing1234567-bucket can't be safely deleted because the following resources depend on it:
 * "testing-role-policy" (urn:pulumi:dev::sandbox::aws:iam/policy:Policy::testing-role-policy)
 * "test"          (urn:pulumi:dev::sandbox::aws:iam/rolePolicyAttachment:RolePolicyAttachment::test)
```

The --target-dependents option removes the child resources, so I don't think it will be wanted by users.

I'm not sure what the best way to fix that is without editing the state file.

I don't know how you want to handle this case in the documentation. I think it's going to be pretty widespread.

@pulumi-bot pulumi-bot added the needs-triage Needs attention from the triage team label Jan 20, 2025
@fabien-github
Author

Related to this: #4470

@mjeffryes
Member

@fabien-github I think you're running into this issue: BucketV2 to Bucket aliasing is no longer working (pulumi-aws/4471). Unfortunately, it does require some state edits right now to migrate Bucket resources to BucketV2. We'll reevaluate prioritizing a fix there.

@mjeffryes mjeffryes added awaiting-feedback Blocked on input from the author kind/question Questions about existing features impact/usability Something that impacts users' ability to use the product easily and intuitively and removed needs-triage Needs attention from the triage team labels Jan 23, 2025
@mjeffryes mjeffryes transferred this issue from pulumi/registry Jan 23, 2025
@corymhall
Contributor

@fabien-github do you have an example program showing the old bucket and those dependent resources I can use to walk through this?

@fabien-github
Author

Sure, here it is in Python; the bucket will be the parent of the policy and the IAM role:

```python
import pulumi_aws as aws
from pulumi import Output

# Legacy bucket resource that is being migrated to BucketV2.
bucket = aws.s3.Bucket(
    "testing-bucket",
)

# The policy reads bucket.arn, so Pulumi records it in state as depending on the bucket.
app_policy = aws.iam.Policy(
    "testing-role-policy",
    policy=Output.json_dumps(
        {
            "Version": "2012-10-17",
            "Statement": [
                {
                    "Action": "s3:ListAllMyBuckets",
                    "Effect": "Allow",
                    "Resource": "*",
                },
                {
                    "Action": [
                        "s3:GetObject",
                        "s3:PutObject",
                        "s3:DeleteObject",
                        "s3:ListBucket",
                    ],
                    "Effect": "Allow",
                    "Resource": Output.concat(bucket.arn, "/*"),
                },
                {
                    "Action": [
                        "s3:ListBucket",
                    ],
                    "Effect": "Allow",
                    "Resource": bucket.arn,
                },
            ],
        }
    ),
)

# Trust policy that lets EC2 instances assume the role.
instance_assume_role_policy = aws.iam.get_policy_document(
    statements=[
        {
            "actions": ["sts:AssumeRole"],
            "principals": [
                {
                    "type": "Service",
                    "identifiers": ["ec2.amazonaws.com"],
                }
            ],
        }
    ]
)

role = aws.iam.Role("testing-role", assume_role_policy=instance_assume_role_policy.json)

# The attachment depends on the policy, and through it on the bucket.
attach_policy = aws.iam.RolePolicyAttachment(
    "testing-attach-policy", role=role.name, policy_arn=app_policy.arn
)
```

Directly deleting the bucket following the docs:

```
pulumi state delete "urn:pulumi:dev::sandbox::aws:s3/bucket:Bucket::testing-bucket"
 warning: This command will edit your stack's state directly. Confirm? Yes
error: urn:pulumi:dev::sandbox::aws:s3/bucket:Bucket::testing-bucket can't be safely deleted because the following resources depend on it:
 * "testing-role-policy" (urn:pulumi:dev::sandbox::aws:iam/policy:Policy::testing-role-policy)
 * "testing-attach-policy" (urn:pulumi:dev::sandbox::aws:iam/rolePolicyAttachment:RolePolicyAttachment::testing-attach-policy)

Delete those resources first or pass --target-dependents.
```

@pulumi-bot pulumi-bot added needs-triage Needs attention from the triage team and removed awaiting-feedback Blocked on input from the author labels Jan 27, 2025
@corymhall corymhall self-assigned this Jan 27, 2025
@corymhall corymhall removed the needs-triage Needs attention from the triage team label Feb 3, 2025
@corymhall
Contributor

@fabien-github thanks for the example, I think I understand what is happening now. I think we might need to re-order the steps in our migration guide to take this scenario (which I think is a common one) into account.

Instead of deleting from state and then performing the import, I think we should perform the import and then delete from state.

  • Find URNs for legacy Bucket Pulumi resources using pulumi stack export
  • Determine the actual bucket name(s)
  • Determine which side-by-side resources will be needed for each bucket
  • Construct a pulumi-import.json file listing the buckets and their side-by-side resources
  • Run pulumi import --file import-file.json using the Bulk Importing feature
  • Add the suggested code into your Pulumi program source
  • Update dependent resources to reference new bucket (New step)
  • Run pulumi preview to confirm a no-change plan
  • If warnings are generated, edit the program to remove deprecated inputs from BucketV2
  • Run pulumi up to update the references in state to the new BucketV2 resource
  • Remove the legacy Bucket code from your Pulumi program source
  • Remove the legacy Bucket resources from state using pulumi state delete $bucketURN
  • Run pulumi preview one more time to confirm a no-change plan on the final program

There will be a couple of steps during the migration where the resources are technically being managed by two different resource definitions, but since no changes are being made and we are just updating the dependency information in state we should be fine. The other option would be to manually edit the state to update the dependency info instead of running pulumi up.

Let me know what you think about this and we can update our migration guide to account for this scenario.

cc @t0yv0
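A pre-flight check for the final `pulumi state delete` step in the reordered list above, as an added example that is not part of the original thread or the Pulumi docs: it reads a `pulumi stack export` document and lists, for each legacy `aws:s3/bucket:Bucket`, the resources that still reference it directly or transitively, which is what the error quoted in this issue reports. The sample state and the `testing-bucket-v2` name are constructed; counting `parent` links as references is an assumption of this sketch.

```python
import json
import sys

LEGACY_TYPE = "aws:s3/bucket:Bucket"

def direct_refs(res):
    """URNs one state entry references: dependencies, propertyDependencies, parent."""
    refs = set(res.get("dependencies") or [])
    for urns in (res.get("propertyDependencies") or {}).values():
        refs.update(urns or [])
    if res.get("parent"):
        refs.add(res["parent"])
    return refs

def dependents_of(state, target_urn):
    """Direct and transitive dependents of target_urn, in state order."""
    blocked, out, changed = {target_urn}, [], True
    while changed:
        changed = False
        for res in state["deployment"]["resources"]:
            if res["urn"] not in blocked and direct_refs(res) & blocked:
                blocked.add(res["urn"])
                out.append(res["urn"])
                changed = True
    return out

def legacy_buckets_blocked(state):
    """Map each legacy Bucket URN to the resources still depending on it."""
    return {r["urn"]: dependents_of(state, r["urn"])
            for r in state["deployment"]["resources"] if r["type"] == LEGACY_TYPE}

P = "urn:pulumi:dev::sandbox::"
BUCKET = P + "aws:s3/bucket:Bucket::testing-bucket"
BUCKET_V2 = P + "aws:s3/bucketV2:BucketV2::testing-bucket-v2"  # constructed name
POLICY = P + "aws:iam/policy:Policy::testing-role-policy"
ATTACH = P + "aws:iam/rolePolicyAttachment:RolePolicyAttachment::testing-attach-policy"

def sample_state(policy_dep):
    """Constructed, trimmed stand-in for `pulumi stack export` output."""
    def res(urn, deps=()):
        return {"urn": urn, "type": urn.split("::")[2], "dependencies": list(deps)}
    policy = res(POLICY, [policy_dep])
    policy["propertyDependencies"] = {"policy": [policy_dep]}
    return {"deployment": {"resources": [
        res(BUCKET), res(BUCKET_V2), policy, res(ATTACH, [POLICY])]}}

if __name__ == "__main__":  # usage: pulumi stack export | python this_script.py
    report = legacy_buckets_blocked(json.load(sys.stdin))
    print(json.dumps(report, indent=2))
    sys.exit(1 if any(report.values()) else 0)
```

An empty list for a legacy bucket means nothing in state references it any more, so deleting it from state will not hit the dependency error.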

@fabien-github
Author

Hi @corymhall,
I followed it step by step and the migration was handled correctly without manually editing the state file. I think this is a big win compared to the previous documentation. As a user, it's also more reassuring to have the final resource deletion at the end of the process.

@t0yv0
Member

t0yv0 commented Feb 4, 2025

@corymhall thanks so much, could you update the guide at https://www.pulumi.com/registry/packages/aws/how-to-guides/bucketv2-migration/#migrating-with-pulumi-import

5 participants