Add NOTEs for exclusive management resources doc pages
Exclusive Relationship Management Resources do not currently work as you would expect in Pulumi but require `pulumi up --refresh`. A NOTE is added with this information to the affected resources docs pages so that users are made aware of the problem.

More context in: #4772
t0yv0 committed Nov 19, 2024
1 parent eef4e41 commit 17d9357
Showing 15 changed files with 714 additions and 53 deletions.
52 changes: 52 additions & 0 deletions docs/resource/aws_iam_role_policies_exclusive.md
@@ -0,0 +1,52 @@
---
subcategory: "IAM (Identity & Access Management)"
layout: "aws"
page_title: "AWS: aws_iam_role_policies_exclusive"
description: |-
Pulumi resource for maintaining exclusive management of inline policies assigned to an AWS IAM (Identity & Access Management) role.
---

# Resource: aws_iam_role_policies_exclusive

Pulumi resource for maintaining exclusive management of inline policies assigned to an AWS IAM (Identity & Access Management) role.

-> **NOTE:** To reliably detect drift between customer managed inline policies listed in this resource and actual policies attached to the role in the cloud, you currently need to run Pulumi with `pulumi up --refresh`. See [#4766](https://github.com/pulumi/pulumi-aws/issues/4766) for tracking making this work with regular `pulumi up` invocations.

!> This resource takes exclusive ownership over inline policies assigned to a role. This includes removal of inline policies which are not explicitly configured. To prevent persistent drift, ensure any `aws_iam_role_policy` resources managed alongside this resource are included in the `policy_names` argument.

~> Destruction of this resource means Pulumi will no longer manage reconciliation of the configured inline policy assignments. It __will not__ delete the configured policies from the role.

## Example Usage

### Basic Usage

```terraform
resource "aws_iam_role_policies_exclusive" "example" {
role_name = aws_iam_role.example.name
policy_names = [aws_iam_role_policy.example.name]
}
```

### Disallow Inline Policies

To automatically remove any configured inline policies, set the `policy_names` argument to an empty list.

~> This will not __prevent__ inline policies from being assigned to a role via Pulumi (or any other interface). This resource enables bringing inline policy assignments into a configured state, however, this reconciliation happens only when `apply` is proactively run.

```terraform
resource "aws_iam_role_policies_exclusive" "example" {
role_name = aws_iam_role.example.name
policy_names = []
}
```

## Argument Reference

The following arguments are required:

* `role_name` - (Required) IAM role name.
* `policy_names` - (Required) A list of inline policy names to be assigned to the role. Policies attached to this role but not configured in this argument will be removed.

## Attribute Reference

This resource exports no additional attributes.
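Review bot: the "Disallow Inline Policies" callout still says reconciliation "happens only when `apply` is proactively run", which is the Terraform command; on this page, which now presents the resource as a Pulumi resource and whose new NOTE says drift is only detected with `pulumi up --refresh`, that sentence should say `pulumi up` (currently `pulumi up --refresh`). The examples are likewise still Terraform HCL (`resource "aws_iam_role_policies_exclusive" "example" {` in ```terraform fences) and the `!>` callout cross-references `aws_iam_role_policy`, so the page mixes Terraform and Pulumi naming; suggest converting the examples and the cross-reference to the Pulumi type names, as the heading of the sibling `aws.iam.RolePolicyAttachmentsExclusive` page already does. Two smaller points: the NOTE reads "customer managed inline policies", but this resource manages inline policies only, so "inline policies" is the accurate wording (the "customer managed" phrase looks copied from the attachments page); and the NOTE links #4766 while the commit message points to #4772, so confirm which issue tracks the refresh requirement.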
51 changes: 51 additions & 0 deletions docs/resource/aws_iam_role_policy_attachments_exclusive.md
@@ -0,0 +1,51 @@
---
subcategory: "IAM (Identity & Access Management)"
layout: "aws"
description: |-
Pulumi resource for maintaining exclusive management of customer managed policies assigned to an AWS IAM (Identity & Access Management) role.
---

# Resource: aws.iam.RolePolicyAttachmentsExclusive

Pulumi resource for maintaining exclusive management of customer managed policies assigned to an AWS IAM (Identity & Access Management) role.

-> **NOTE:** To reliably detect drift between customer managed policies listed in this resource and actual policies attached to the role in the cloud, you currently need to run Pulumi with `pulumi up --refresh`. See [#4766](https://github.com/pulumi/pulumi-aws/issues/4766) for tracking making this work with regular `pulumi up` invocations.

!> This resource takes exclusive ownership over customer managed policies attached to a role. This includes removal of customer managed policies which are not explicitly configured. To prevent persistent drift, ensure any `aws_iam_role_policy_attachment` resources managed alongside this resource are included in the `policy_arns` argument.

~> Destruction of this resource means Pulumi will no longer manage reconciliation of the configured policy attachments. It __will not__ detach the configured policies from the role.

## Example Usage

### Basic Usage

```terraform
resource "aws_iam_role_policy_attachments_exclusive" "example" {
role_name = aws_iam_role.example.name
policy_arns = [aws_iam_policy.example.arn]
}
```

### Disallow Customer Managed Policies

To automatically remove any configured customer managed policies, set the `policy_arns` argument to an empty list.

~> This will not __prevent__ customer managed policies from being assigned to a role via Pulumi (or any other interface). This resource enables bringing customer managed policy assignments into a configured state, however, this reconciliation happens only when `apply` is proactively run.

```terraform
resource "aws_iam_role_policy_attachments_exclusive" "example" {
role_name = aws_iam_role.example.name
policy_arns = []
}
```

## Argument Reference

The following arguments are required:

* `role_name` - (Required) IAM role name.
* `policy_arns` - (Required) A list of customer managed policy ARNs to be attached to the role. Policies attached to this role but not configured in this argument will be removed.

## Attribute Reference

This resource exports no additional attributes.
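Review bot: the front matter in this file has no `page_title` while the sibling `aws_iam_role_policies_exclusive.md` keeps `page_title: "AWS: aws_iam_role_policies_exclusive"`, and the heading here uses the Pulumi name `aws.iam.RolePolicyAttachmentsExclusive` while the body still uses the Terraform form (`resource "aws_iam_role_policy_attachments_exclusive"`, `aws_iam_policy.example.arn`, and the `aws_iam_role_policy_attachment` cross-reference in the `!>` callout); the two new pages should follow one convention, either both with `page_title` and Pulumi type names throughout or neither. The "Disallow Customer Managed Policies" callout also says reconciliation "happens only when `apply` is proactively run"; for Pulumi that should read `pulumi up`, and given the NOTE added above, `pulumi up --refresh` is what actually reconciles today, so the callout and the NOTE should be worded to agree.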
2 changes: 1 addition & 1 deletion provider/cmd/pulumi-resource-aws/schema-minimal.json
Expand Up @@ -278809,7 +278809,7 @@
}
},
"aws:iam/rolePolicyAttachmentsExclusive:RolePolicyAttachmentsExclusive": {
"description": "\n\n## Import\n\nUsing `pulumi import`, import exclusive management of customer managed policy assignments using the `role_name`. For example:\n\n```sh\n$ pulumi import aws:iam/rolePolicyAttachmentsExclusive:RolePolicyAttachmentsExclusive example MyRole\n```\n",
"description": "Pulumi resource for maintaining exclusive management of customer managed policies assigned to an AWS IAM (Identity \u0026 Access Management) role.\n\n\u003e **NOTE:** To reliably detect drift between customer managed policies listed in this resource and actual policies attached to the role in the cloud, you currently need to run Pulumi with `pulumi up --refresh`. See [#4766](https://github.com/pulumi/pulumi-aws/issues/4766) for tracking making this work with regular `pulumi up` invocations.\n\n!\u003e This resource takes exclusive ownership over customer managed policies attached to a role. This includes removal of customer managed policies which are not explicitly configured. To prevent persistent drift, ensure any `aws.iam.RolePolicyAttachment` resources managed alongside this resource are included in the `policy_arns` argument.\n\n\u003e Destruction of this resource means Pulumi will no longer manage reconciliation of the configured policy attachments. It __will not__ detach the configured policies from the role.\n\n## Example Usage\n\n### Basic Usage\n\n\u003c!--Start PulumiCodeChooser --\u003e\n```typescript\nimport * as pulumi from \"@pulumi/pulumi\";\nimport * as aws from \"@pulumi/aws\";\n\nconst example = new aws.iam.RolePolicyAttachmentsExclusive(\"example\", {\n roleName: exampleAwsIamRole.name,\n policyArns: [exampleAwsIamPolicy.arn],\n});\n```\n```python\nimport pulumi\nimport pulumi_aws as aws\n\nexample = aws.iam.RolePolicyAttachmentsExclusive(\"example\",\n role_name=example_aws_iam_role[\"name\"],\n policy_arns=[example_aws_iam_policy[\"arn\"]])\n```\n```csharp\nusing System.Collections.Generic;\nusing System.Linq;\nusing Pulumi;\nusing Aws = Pulumi.Aws;\n\nreturn await Deployment.RunAsync(() =\u003e \n{\n var example = new Aws.Iam.RolePolicyAttachmentsExclusive(\"example\", new()\n {\n RoleName = exampleAwsIamRole.Name,\n PolicyArns = new[]\n {\n exampleAwsIamPolicy.Arn,\n },\n });\n\n});\n```\n```go\npackage main\n\nimport 
(\n\t\"github.com/pulumi/pulumi-aws/sdk/v6/go/aws/iam\"\n\t\"github.com/pulumi/pulumi/sdk/v3/go/pulumi\"\n)\n\nfunc main() {\n\tpulumi.Run(func(ctx *pulumi.Context) error {\n\t\t_, err := iam.NewRolePolicyAttachmentsExclusive(ctx, \"example\", \u0026iam.RolePolicyAttachmentsExclusiveArgs{\n\t\t\tRoleName: pulumi.Any(exampleAwsIamRole.Name),\n\t\t\tPolicyArns: pulumi.StringArray{\n\t\t\t\texampleAwsIamPolicy.Arn,\n\t\t\t},\n\t\t})\n\t\tif err != nil {\n\t\t\treturn err\n\t\t}\n\t\treturn nil\n\t})\n}\n```\n```java\npackage generated_program;\n\nimport com.pulumi.Context;\nimport com.pulumi.Pulumi;\nimport com.pulumi.core.Output;\nimport com.pulumi.aws.iam.RolePolicyAttachmentsExclusive;\nimport com.pulumi.aws.iam.RolePolicyAttachmentsExclusiveArgs;\nimport java.util.List;\nimport java.util.ArrayList;\nimport java.util.Map;\nimport java.io.File;\nimport java.nio.file.Files;\nimport java.nio.file.Paths;\n\npublic class App {\n public static void main(String[] args) {\n Pulumi.run(App::stack);\n }\n\n public static void stack(Context ctx) {\n var example = new RolePolicyAttachmentsExclusive(\"example\", RolePolicyAttachmentsExclusiveArgs.builder()\n .roleName(exampleAwsIamRole.name())\n .policyArns(exampleAwsIamPolicy.arn())\n .build());\n\n }\n}\n```\n```yaml\nresources:\n example:\n type: aws:iam:RolePolicyAttachmentsExclusive\n properties:\n roleName: ${exampleAwsIamRole.name}\n policyArns:\n - ${exampleAwsIamPolicy.arn}\n```\n\u003c!--End PulumiCodeChooser --\u003e\n\n### Disallow Customer Managed Policies\n\nTo automatically remove any configured customer managed policies, set the `policy_arns` argument to an empty list.\n\n\u003e This will not __prevent__ customer managed policies from being assigned to a role via Pulumi (or any other interface). 
This resource enables bringing customer managed policy assignments into a configured state, however, this reconciliation happens only when `apply` is proactively run.\n\n\u003c!--Start PulumiCodeChooser --\u003e\n```typescript\nimport * as pulumi from \"@pulumi/pulumi\";\nimport * as aws from \"@pulumi/aws\";\n\nconst example = new aws.iam.RolePolicyAttachmentsExclusive(\"example\", {\n roleName: exampleAwsIamRole.name,\n policyArns: [],\n});\n```\n```python\nimport pulumi\nimport pulumi_aws as aws\n\nexample = aws.iam.RolePolicyAttachmentsExclusive(\"example\",\n role_name=example_aws_iam_role[\"name\"],\n policy_arns=[])\n```\n```csharp\nusing System.Collections.Generic;\nusing System.Linq;\nusing Pulumi;\nusing Aws = Pulumi.Aws;\n\nreturn await Deployment.RunAsync(() =\u003e \n{\n var example = new Aws.Iam.RolePolicyAttachmentsExclusive(\"example\", new()\n {\n RoleName = exampleAwsIamRole.Name,\n PolicyArns = new[] {},\n });\n\n});\n```\n```go\npackage main\n\nimport (\n\t\"github.com/pulumi/pulumi-aws/sdk/v6/go/aws/iam\"\n\t\"github.com/pulumi/pulumi/sdk/v3/go/pulumi\"\n)\n\nfunc main() {\n\tpulumi.Run(func(ctx *pulumi.Context) error {\n\t\t_, err := iam.NewRolePolicyAttachmentsExclusive(ctx, \"example\", \u0026iam.RolePolicyAttachmentsExclusiveArgs{\n\t\t\tRoleName: pulumi.Any(exampleAwsIamRole.Name),\n\t\t\tPolicyArns: pulumi.StringArray{},\n\t\t})\n\t\tif err != nil {\n\t\t\treturn err\n\t\t}\n\t\treturn nil\n\t})\n}\n```\n```java\npackage generated_program;\n\nimport com.pulumi.Context;\nimport com.pulumi.Pulumi;\nimport com.pulumi.core.Output;\nimport com.pulumi.aws.iam.RolePolicyAttachmentsExclusive;\nimport com.pulumi.aws.iam.RolePolicyAttachmentsExclusiveArgs;\nimport java.util.List;\nimport java.util.ArrayList;\nimport java.util.Map;\nimport java.io.File;\nimport java.nio.file.Files;\nimport java.nio.file.Paths;\n\npublic class App {\n public static void main(String[] args) {\n Pulumi.run(App::stack);\n }\n\n public static void stack(Context ctx) {\n 
var example = new RolePolicyAttachmentsExclusive(\"example\", RolePolicyAttachmentsExclusiveArgs.builder()\n .roleName(exampleAwsIamRole.name())\n .policyArns()\n .build());\n\n }\n}\n```\n```yaml\nresources:\n example:\n type: aws:iam:RolePolicyAttachmentsExclusive\n properties:\n roleName: ${exampleAwsIamRole.name}\n policyArns: []\n```\n\u003c!--End PulumiCodeChooser --\u003e\n",
"properties": {
"policyArns": {
"type": "array",
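Review bot: the regenerated description drops the `## Import` section the replaced line carried (`$ pulumi import aws:iam/rolePolicyAttachmentsExclusive:RolePolicyAttachmentsExclusive example MyRole`); the new value ends at `End PulumiCodeChooser --\u003e\n` with no Import section, so the documented way to adopt an existing role's attachments disappears from the SDK docs. Since `schema-minimal.json` is generated, the fix belongs in the upstream doc source or overlay, but the regenerated output should be checked for the Import section before merging. Separately, the Terraform callout markers were converted inconsistently: `~> Destruction of this resource` became a bare `\u003e Destruction of this resource ...` (a Markdown blockquote), while `!\u003e This resource takes exclusive ownership` keeps its `!` and may render literally as `!>`; pick one rendering for both.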

0 comments on commit 17d9357