Exception getting availability zones using non-default provider

[shanehull]

Hello!

• Vote on this issue by adding a 👍 reaction
• To contribute a fix for this issue, leave a comment (and link to your pull request, if you've opened one already)

Issue details

Steps to reproduce

1. Create a role and a role policy to assume
2. Create an AWS provider that assumes the role
3. Attempt to create a VPC using awsx.ec2.Vpc with explicit provider

Code to reproduce is here:
https://github.com/shed909/pulumi-provider-assume-role-repro

Expected:
A VPC should be created using the declared provider, assuming the Pulumi role and using the specified region.

Actual:

Pulumi outputs the following error:

    error: TypeError: Cannot read properties of undefined (reading 'length')
        at getAvailabilityZones (/home/shane/swell/swell-infrastructure-mvp/node_modules/@pulumi/ec2/vpc.ts:510:22)
        at processTicksAndRejections (node:internal/process/task_queues:96:5)
        at Vpc.initializeVpcArgs (/home/shane/swell/swell-infrastructure-mvp/node_modules/@pulumi/ec2/vpc.ts:330:35)

Possibly related to pulumi/pulumi-aws#673, but I'm getting a different error. I have implemented the workaround described in that thread, as well as messing around with different dependsOn args.
It seems to be limited to the awsx provider, eg. EKS resources are being created in my main project if I remove awsx from the picture.

[viveklak]

A bit confused. Why aren't you able to use the arn for the assumeRole.roleArn field directly (and not require the await)? Does that cause the same error?

cc @danielrbradley in case this is relevant to the MLC version of the component.

[shanehull]

Using the ARN directly results in the same error. The await is likely irrelevant.

[shanehull]

@danielrbradley have you had a chance to take a look at this?

As a workaround currently, I'm just creating a provider without an assumed role for this specific task (eg. the user of my AWS keys has permissions required to create a VPC).

Let me know if I can provider more info.

[danielrbradley]

I've had a quick dig into this and agree there's a secondary issue from the instantiation of the provider from the created role. I still need to dig into why the aws.getAvailabilityZones returns an empty result, there appears to be something else at play here.

[danielrbradley]

I've now tested and ensured this works in the new implementation in #843, we're only applying security fixes to the classic implementation.

This will be included in the next release.