Add NOTEs for exclusive management resources doc pages
Exclusive Relationship Management Resources do not currently work as you would expect in Pulumi but require `pulumi up --refresh`. A NOTE is added with this information to the affected resources docs pages so that users are made aware of the problem. More context in: #4772
Showing 15 changed files with 714 additions and 53 deletions.
@@ -0,0 +1,52 @@ | ||
--- | ||
subcategory: "IAM (Identity & Access Management)" | ||
layout: "aws" | ||
page_title: "AWS: aws_iam_role_policies_exclusive" | ||
description: |- | ||
Pulumi resource for maintaining exclusive management of inline policies assigned to an AWS IAM (Identity & Access Management) role. | ||
--- | ||
|
||
# Resource: aws_iam_role_policies_exclusive | ||
|
||
Pulumi resource for maintaining exclusive management of inline policies assigned to an AWS IAM (Identity & Access Management) role. | ||
|
||
-> **NOTE:** To reliably detect drift between customer managed inline policies listed in this resource and actual policies attached to the role in the cloud, you currently need to run Pulumi with `pulumi up --refresh`. See [#4766](https://github.com/pulumi/pulumi-aws/issues/4766) for tracking making this work with regular `pulumi up` invocations. | ||
|
||
!> This resource takes exclusive ownership over inline policies assigned to a role. This includes removal of inline policies which are not explicitly configured. To prevent persistent drift, ensure any `aws_iam_role_policy` resources managed alongside this resource are included in the `policy_names` argument. | ||
|
||
~> Destruction of this resource means Pulumi will no longer manage reconciliation of the configured inline policy assignments. It __will not__ delete the configured policies from the role. | ||
|
||
## Example Usage | ||
|
||
### Basic Usage | ||
|
||
```terraform | ||
resource "aws_iam_role_policies_exclusive" "example" { | ||
role_name = aws_iam_role.example.name | ||
policy_names = [aws_iam_role_policy.example.name] | ||
} | ||
``` | ||
|
||
### Disallow Inline Policies | ||
|
||
To automatically remove any configured inline policies, set the `policy_names` argument to an empty list. | ||
|
||
~> This will not __prevent__ inline policies from being assigned to a role via Pulumi (or any other interface). This resource enables bringing inline policy assignments into a configured state, however, this reconciliation happens only when `apply` is proactively run. | ||
|
||
```terraform | ||
resource "aws_iam_role_policies_exclusive" "example" { | ||
role_name = aws_iam_role.example.name | ||
policy_names = [] | ||
} | ||
``` | ||
|
||
## Argument Reference | ||
|
||
The following arguments are required: | ||
|
||
* `role_name` - (Required) IAM role name. | ||
* `policy_names` - (Required) A list of inline policy names to be assigned to the role. Policies attached to this role but not configured in this argument will be removed. | ||
|
||
## Attribute Reference | ||
|
||
This resource exports no additional attributes. |
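Review bot: The `-> **NOTE:**` paragraph talks about "customer managed inline policies listed in this resource", but this page documents inline policies (`policy_names`), not customer managed policies; the wording looks copied from the attachments page and should read "inline policies listed in this resource". The `~>` note under "Disallow Inline Policies" also says reconciliation happens only when `apply` is proactively run, which is Terraform wording; for Pulumi readers say `pulumi up`, and since the NOTE above states that drift is only reliably detected with `pulumi up --refresh`, name that invocation here, otherwise an inline policy added to the role outside Pulumi can persist unnoticed between runs. Minor: the heading `# Resource: aws_iam_role_policies_exclusive` keeps the Terraform resource name while the companion page in this commit uses the Pulumi token form.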
docs/resource/aws_iam_role_policy_attachments_exclusive.md (51 additions & 0 deletions)
@@ -0,0 +1,51 @@ | ||
--- | ||
subcategory: "IAM (Identity & Access Management)" | ||
layout: "aws" | ||
description: |- | ||
Pulumi resource for maintaining exclusive management of customer managed policies assigned to an AWS IAM (Identity & Access Management) role. | ||
--- | ||
|
||
# Resource: aws.iam.RolePolicyAttachmentsExclusive | ||
|
||
Pulumi resource for maintaining exclusive management of customer managed policies assigned to an AWS IAM (Identity & Access Management) role. | ||
|
||
-> **NOTE:** To reliably detect drift between customer managed policies listed in this resource and actual policies attached to the role in the cloud, you currently need to run Pulumi with `pulumi up --refresh`. See [#4766](https://github.com/pulumi/pulumi-aws/issues/4766) for tracking making this work with regular `pulumi up` invocations. | ||
|
||
!> This resource takes exclusive ownership over customer managed policies attached to a role. This includes removal of customer managed policies which are not explicitly configured. To prevent persistent drift, ensure any `aws_iam_role_policy_attachment` resources managed alongside this resource are included in the `policy_arns` argument. | ||
|
||
~> Destruction of this resource means Pulumi will no longer manage reconciliation of the configured policy attachments. It __will not__ detach the configured policies from the role. | ||
|
||
## Example Usage | ||
|
||
### Basic Usage | ||
|
||
```terraform | ||
resource "aws_iam_role_policy_attachments_exclusive" "example" { | ||
role_name = aws_iam_role.example.name | ||
policy_arns = [aws_iam_policy.example.arn] | ||
} | ||
``` | ||
|
||
### Disallow Customer Managed Policies | ||
|
||
To automatically remove any configured customer managed policies, set the `policy_arns` argument to an empty list. | ||
|
||
~> This will not __prevent__ customer managed policies from being assigned to a role via Pulumi (or any other interface). This resource enables bringing customer managed policy assignments into a configured state, however, this reconciliation happens only when `apply` is proactively run. | ||
|
||
```terraform | ||
resource "aws_iam_role_policy_attachments_exclusive" "example" { | ||
role_name = aws_iam_role.example.name | ||
policy_arns = [] | ||
} | ||
``` | ||
|
||
## Argument Reference | ||
|
||
The following arguments are required: | ||
|
||
* `role_name` - (Required) IAM role name. | ||
* `policy_arns` - (Required) A list of customer managed policy ARNs to be attached to the role. Policies attached to this role but not configured in this argument will be removed. | ||
|
||
## Attribute Reference | ||
|
||
This resource exports no additional attributes. |
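Review bot: The `~>` note under "Disallow Customer Managed Policies" says reconciliation happens only when `apply` is proactively run; that is Terraform wording, and given the NOTE above it should point at `pulumi up --refresh`, since a plain `pulumi up` is stated not to reliably detect a policy attached to the role outside Pulumi. The front matter also drops the `page_title` field that the inline-policies page in this commit carries, and the heading `# Resource: aws.iam.RolePolicyAttachmentsExclusive` uses the Pulumi token while the other page keeps `aws_iam_role_policies_exclusive`; align both pages on one naming convention.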