From d00700d75cf83c920246d1f35747876ef3e181ea Mon Sep 17 00:00:00 2001 From: Anton Tayanovskyy Date: Thu, 14 Nov 2024 16:14:12 -0500 Subject: [PATCH] Add NOTEs for exclusive management resources doc pages Exclusive Relationship Management Resources do not currently work as you would expect in Pulumi but require `pulumi up --refresh`. A NOTE is added with this information to the affected resources docs pages so that users are made aware of the problem. More context in: https://github.com/pulumi/pulumi-aws/issues/4772 --- .../aws_iam_role_policies_exclusive.md | 52 +++++++++++ ...s_iam_role_policy_attachments_exclusive.md | 51 +++++++++++ .../pulumi-resource-aws/schema-minimal.json | 2 +- provider/cmd/pulumi-resource-aws/schema.json | 4 +- provider/resources.go | 12 +++ sdk/dotnet/Iam/RolePoliciesExclusive.cs | 55 +++++++++++- .../Iam/RolePolicyAttachmentsExclusive.cs | 55 +++++++++++- sdk/go/aws/iam/rolePoliciesExclusive.go | 70 ++++++++++++++- .../aws/iam/rolePolicyAttachmentsExclusive.go | 70 ++++++++++++++- .../pulumi/aws/iam/RolePoliciesExclusive.java | 88 +++++++++++++++++-- .../iam/RolePolicyAttachmentsExclusive.java | 88 +++++++++++++++++-- sdk/nodejs/iam/rolePoliciesExclusive.ts | 38 +++++++- .../iam/rolePolicyAttachmentsExclusive.ts | 38 +++++++- .../pulumi_aws/iam/role_policies_exclusive.py | 72 +++++++++++++-- .../iam/role_policy_attachments_exclusive.py | 72 +++++++++++++-- 15 files changed, 714 insertions(+), 53 deletions(-) create mode 100644 docs/resource/aws_iam_role_policies_exclusive.md create mode 100644 docs/resource/aws_iam_role_policy_attachments_exclusive.md diff --git a/docs/resource/aws_iam_role_policies_exclusive.md b/docs/resource/aws_iam_role_policies_exclusive.md new file mode 100644 index 00000000000..aafd90014c3 --- /dev/null +++ b/docs/resource/aws_iam_role_policies_exclusive.md 
@@ -0,0 +1,52 @@
+---
+subcategory: "IAM (Identity & Access Management)"
+layout: "aws"
+page_title: "AWS: aws_iam_role_policies_exclusive"
+description: |-
+ Pulumi resource for maintaining exclusive management of inline policies assigned to an AWS IAM (Identity & Access Management) role.
+---
+
+# Resource: aws_iam_role_policies_exclusive
+
+Pulumi resource for maintaining exclusive management of inline policies assigned to an AWS IAM (Identity & Access Management) role.
+
+-> **NOTE:** To reliably detect drift between customer managed inline policies listed in this resource and actual policies attached to the role in the cloud, you currently need to run Pulumi with `pulumi up --refresh`. See [#4766](https://github.com/pulumi/pulumi-aws/issues/4766) for tracking making this work with regular `pulumi up` invocations.
+
+!> This resource takes exclusive ownership over inline policies assigned to a role. This includes removal of inline policies which are not explicitly configured. To prevent persistent drift, ensure any `aws_iam_role_policy` resources managed alongside this resource are included in the `policy_names` argument.
+
+~> Destruction of this resource means Pulumi will no longer manage reconciliation of the configured inline policy assignments. It __will not__ delete the configured policies from the role.
+
+## Example Usage
+
+### Basic Usage
+
+```terraform
+resource "aws_iam_role_policies_exclusive" "example" {
+ role_name = aws_iam_role.example.name
+ policy_names = [aws_iam_role_policy.example.name]
+}
+```
+
+### Disallow Inline Policies
+
+To automatically remove any configured inline policies, set the `policy_names` argument to an empty list.
+
+~> This will not __prevent__ inline policies from being assigned to a role via Pulumi (or any other interface). This resource enables bringing inline policy assignments into a configured state, however, this reconciliation happens only when `apply` is proactively run.
+
+```terraform
+resource "aws_iam_role_policies_exclusive" "example" {
+ role_name = aws_iam_role.example.name
+ policy_names = []
+}
+```
+
+## Argument Reference
+
+The following arguments are required:
+
+* `role_name` - (Required) IAM role name.
+* `policy_names` - (Required) A list of inline policy names to be assigned to the role. Policies attached to this role but not configured in this argument will be removed.
+
+## Attribute Reference
+
+This resource exports no additional attributes.
diff --git a/docs/resource/aws_iam_role_policy_attachments_exclusive.md b/docs/resource/aws_iam_role_policy_attachments_exclusive.md
new file mode 100644
index 00000000000..596755543cc
--- /dev/null
+++ b/docs/resource/aws_iam_role_policy_attachments_exclusive.md
@@ -0,0 +1,51 @@
+---
+subcategory: "IAM (Identity & Access Management)"
+layout: "aws"
+description: |-
+ Pulumi resource for maintaining exclusive management of customer managed policies assigned to an AWS IAM (Identity & Access Management) role.
+---
+
+# Resource: aws.iam.RolePolicyAttachmentsExclusive
+
+Pulumi resource for maintaining exclusive management of customer managed policies assigned to an AWS IAM (Identity & Access Management) role.
+
+-> **NOTE:** To reliably detect drift between customer managed policies listed in this resource and actual policies attached to the role in the cloud, you currently need to run Pulumi with `pulumi up --refresh`. See [#4766](https://github.com/pulumi/pulumi-aws/issues/4766) for tracking making this work with regular `pulumi up` invocations.
+
+!> This resource takes exclusive ownership over customer managed policies attached to a role. This includes removal of customer managed policies which are not explicitly configured. To prevent persistent drift, ensure any `aws_iam_role_policy_attachment` resources managed alongside this resource are included in the `policy_arns` argument.
+
+~> Destruction of this resource means Pulumi will no longer manage reconciliation of the configured policy attachments. It __will not__ detach the configured policies from the role.
+
+## Example Usage
+
+### Basic Usage
+
+```terraform
+resource "aws_iam_role_policy_attachments_exclusive" "example" {
+ role_name = aws_iam_role.example.name
+ policy_arns = [aws_iam_policy.example.arn]
+}
+```
+
+### Disallow Customer Managed Policies
+
+To automatically remove any configured customer managed policies, set the `policy_arns` argument to an empty list.
+
+~> This will not __prevent__ customer managed policies from being assigned to a role via Pulumi (or any other interface). This resource enables bringing customer managed policy assignments into a configured state, however, this reconciliation happens only when `apply` is proactively run.
+
+```terraform
+resource "aws_iam_role_policy_attachments_exclusive" "example" {
+ role_name = aws_iam_role.example.name
+ policy_arns = []
+}
+```
+
+## Argument Reference
+
+The following arguments are required:
+
+* `role_name` - (Required) IAM role name.
+* `policy_arns` - (Required) A list of customer managed policy ARNs to be attached to the role. Policies attached to this role but not configured in this argument will be removed.
+
+## Attribute Reference
+
+This resource exports no additional attributes.
diff --git a/provider/cmd/pulumi-resource-aws/schema-minimal.json b/provider/cmd/pulumi-resource-aws/schema-minimal.json
index 342a92d3858..0a5da95c59b 100644
--- a/provider/cmd/pulumi-resource-aws/schema-minimal.json
+++ b/provider/cmd/pulumi-resource-aws/schema-minimal.json
@@ -278857,7 +278857,7 @@ } }, "aws:iam/rolePolicyAttachmentsExclusive:RolePolicyAttachmentsExclusive": { - "description": "\n\n## Import\n\nUsing `pulumi import`, import exclusive management of customer managed policy assignments using the `role_name`. For example:\n\n```sh\n$ pulumi import aws:iam/rolePolicyAttachmentsExclusive:RolePolicyAttachmentsExclusive example MyRole\n```\n", + "description": "Pulumi resource for maintaining exclusive management of customer managed policies assigned to an AWS IAM (Identity \u0026 Access Management) role.\n\n\u003e **NOTE:** To reliably detect drift between customer managed policies listed in this resource and actual policies attached to the role in the cloud, you currently need to run Pulumi with `pulumi up --refresh`. See [#4766](https://github.com/pulumi/pulumi-aws/issues/4766) for tracking making this work with regular `pulumi up` invocations.\n\n!\u003e This resource takes exclusive ownership over customer managed policies attached to a role. This includes removal of customer managed policies which are not explicitly configured. To prevent persistent drift, ensure any `aws.iam.RolePolicyAttachment` resources managed alongside this resource are included in the `policy_arns` argument.\n\n\u003e Destruction of this resource means Pulumi will no longer manage reconciliation of the configured policy attachments. 
It __will not__ detach the configured policies from the role.\n\n## Example Usage\n\n### Basic Usage\n\n\u003c!--Start PulumiCodeChooser --\u003e\n```typescript\nimport * as pulumi from \"@pulumi/pulumi\";\nimport * as aws from \"@pulumi/aws\";\n\nconst example = new aws.iam.RolePolicyAttachmentsExclusive(\"example\", {\n roleName: exampleAwsIamRole.name,\n policyArns: [exampleAwsIamPolicy.arn],\n});\n```\n```python\nimport pulumi\nimport pulumi_aws as aws\n\nexample = aws.iam.RolePolicyAttachmentsExclusive(\"example\",\n role_name=example_aws_iam_role[\"name\"],\n policy_arns=[example_aws_iam_policy[\"arn\"]])\n```\n```csharp\nusing System.Collections.Generic;\nusing System.Linq;\nusing Pulumi;\nusing Aws = Pulumi.Aws;\n\nreturn await Deployment.RunAsync(() =\u003e \n{\n var example = new Aws.Iam.RolePolicyAttachmentsExclusive(\"example\", new()\n {\n RoleName = exampleAwsIamRole.Name,\n PolicyArns = new[]\n {\n exampleAwsIamPolicy.Arn,\n },\n });\n\n});\n```\n```go\npackage main\n\nimport (\n\t\"github.com/pulumi/pulumi-aws/sdk/v6/go/aws/iam\"\n\t\"github.com/pulumi/pulumi/sdk/v3/go/pulumi\"\n)\n\nfunc main() {\n\tpulumi.Run(func(ctx *pulumi.Context) error {\n\t\t_, err := iam.NewRolePolicyAttachmentsExclusive(ctx, \"example\", \u0026iam.RolePolicyAttachmentsExclusiveArgs{\n\t\t\tRoleName: pulumi.Any(exampleAwsIamRole.Name),\n\t\t\tPolicyArns: pulumi.StringArray{\n\t\t\t\texampleAwsIamPolicy.Arn,\n\t\t\t},\n\t\t})\n\t\tif err != nil {\n\t\t\treturn err\n\t\t}\n\t\treturn nil\n\t})\n}\n```\n```java\npackage generated_program;\n\nimport com.pulumi.Context;\nimport com.pulumi.Pulumi;\nimport com.pulumi.core.Output;\nimport com.pulumi.aws.iam.RolePolicyAttachmentsExclusive;\nimport com.pulumi.aws.iam.RolePolicyAttachmentsExclusiveArgs;\nimport java.util.List;\nimport java.util.ArrayList;\nimport java.util.Map;\nimport java.io.File;\nimport java.nio.file.Files;\nimport java.nio.file.Paths;\n\npublic class App {\n public static void main(String[] args) {\n 
Pulumi.run(App::stack);\n }\n\n public static void stack(Context ctx) {\n var example = new RolePolicyAttachmentsExclusive(\"example\", RolePolicyAttachmentsExclusiveArgs.builder()\n .roleName(exampleAwsIamRole.name())\n .policyArns(exampleAwsIamPolicy.arn())\n .build());\n\n }\n}\n```\n```yaml\nresources:\n example:\n type: aws:iam:RolePolicyAttachmentsExclusive\n properties:\n roleName: ${exampleAwsIamRole.name}\n policyArns:\n - ${exampleAwsIamPolicy.arn}\n```\n\u003c!--End PulumiCodeChooser --\u003e\n\n### Disallow Customer Managed Policies\n\nTo automatically remove any configured customer managed policies, set the `policy_arns` argument to an empty list.\n\n\u003e This will not __prevent__ customer managed policies from being assigned to a role via Pulumi (or any other interface). This resource enables bringing customer managed policy assignments into a configured state, however, this reconciliation happens only when `apply` is proactively run.\n\n\u003c!--Start PulumiCodeChooser --\u003e\n```typescript\nimport * as pulumi from \"@pulumi/pulumi\";\nimport * as aws from \"@pulumi/aws\";\n\nconst example = new aws.iam.RolePolicyAttachmentsExclusive(\"example\", {\n roleName: exampleAwsIamRole.name,\n policyArns: [],\n});\n```\n```python\nimport pulumi\nimport pulumi_aws as aws\n\nexample = aws.iam.RolePolicyAttachmentsExclusive(\"example\",\n role_name=example_aws_iam_role[\"name\"],\n policy_arns=[])\n```\n```csharp\nusing System.Collections.Generic;\nusing System.Linq;\nusing Pulumi;\nusing Aws = Pulumi.Aws;\n\nreturn await Deployment.RunAsync(() =\u003e \n{\n var example = new Aws.Iam.RolePolicyAttachmentsExclusive(\"example\", new()\n {\n RoleName = exampleAwsIamRole.Name,\n PolicyArns = new[] {},\n });\n\n});\n```\n```go\npackage main\n\nimport (\n\t\"github.com/pulumi/pulumi-aws/sdk/v6/go/aws/iam\"\n\t\"github.com/pulumi/pulumi/sdk/v3/go/pulumi\"\n)\n\nfunc main() {\n\tpulumi.Run(func(ctx *pulumi.Context) error {\n\t\t_, err := 
iam.NewRolePolicyAttachmentsExclusive(ctx, \"example\", \u0026iam.RolePolicyAttachmentsExclusiveArgs{\n\t\t\tRoleName: pulumi.Any(exampleAwsIamRole.Name),\n\t\t\tPolicyArns: pulumi.StringArray{},\n\t\t})\n\t\tif err != nil {\n\t\t\treturn err\n\t\t}\n\t\treturn nil\n\t})\n}\n```\n```java\npackage generated_program;\n\nimport com.pulumi.Context;\nimport com.pulumi.Pulumi;\nimport com.pulumi.core.Output;\nimport com.pulumi.aws.iam.RolePolicyAttachmentsExclusive;\nimport com.pulumi.aws.iam.RolePolicyAttachmentsExclusiveArgs;\nimport java.util.List;\nimport java.util.ArrayList;\nimport java.util.Map;\nimport java.io.File;\nimport java.nio.file.Files;\nimport java.nio.file.Paths;\n\npublic class App {\n public static void main(String[] args) {\n Pulumi.run(App::stack);\n }\n\n public static void stack(Context ctx) {\n var example = new RolePolicyAttachmentsExclusive(\"example\", RolePolicyAttachmentsExclusiveArgs.builder()\n .roleName(exampleAwsIamRole.name())\n .policyArns()\n .build());\n\n }\n}\n```\n```yaml\nresources:\n example:\n type: aws:iam:RolePolicyAttachmentsExclusive\n properties:\n roleName: ${exampleAwsIamRole.name}\n policyArns: []\n```\n\u003c!--End PulumiCodeChooser --\u003e\n", "properties": { "policyArns": { "type": "array", diff --git a/provider/cmd/pulumi-resource-aws/schema.json b/provider/cmd/pulumi-resource-aws/schema.json index d1388e70e3e..a5d77863c84 100644 --- a/provider/cmd/pulumi-resource-aws/schema.json +++ b/provider/cmd/pulumi-resource-aws/schema.json 
@@ -279403,7 +279403,7 @@ } }, "aws:iam/rolePoliciesExclusive:RolePoliciesExclusive": { - "description": "\n\n## Import\n\nUsing `pulumi import`, import exclusive management of inline policy assignments using the `role_name`. For example:\n\n```sh\n$ pulumi import aws:iam/rolePoliciesExclusive:RolePoliciesExclusive example MyRole\n```\n", + "description": "Pulumi resource for maintaining exclusive management of inline policies assigned to an AWS IAM (Identity \u0026 Access Management) role.\n\n\u003e **NOTE:** To reliably detect drift between customer managed inline policies listed in this resource and actual policies attached to the role in the cloud, you currently need to run Pulumi with `pulumi up --refresh`. See [#4766](https://github.com/pulumi/pulumi-aws/issues/4766) for tracking making this work with regular `pulumi up` invocations.\n\n!\u003e This resource takes exclusive ownership over inline policies assigned to a role. This includes removal of inline policies which are not explicitly configured. To prevent persistent drift, ensure any `aws.iam.RolePolicy` resources managed alongside this resource are included in the `policy_names` argument.\n\n\u003e Destruction of this resource means Pulumi will no longer manage reconciliation of the configured inline policy assignments. 
It __will not__ delete the configured policies from the role.\n\n## Example Usage\n\n### Basic Usage\n\n\u003c!--Start PulumiCodeChooser --\u003e\n```typescript\nimport * as pulumi from \"@pulumi/pulumi\";\nimport * as aws from \"@pulumi/aws\";\n\nconst example = new aws.iam.RolePoliciesExclusive(\"example\", {\n roleName: exampleAwsIamRole.name,\n policyNames: [exampleAwsIamRolePolicy.name],\n});\n```\n```python\nimport pulumi\nimport pulumi_aws as aws\n\nexample = aws.iam.RolePoliciesExclusive(\"example\",\n role_name=example_aws_iam_role[\"name\"],\n policy_names=[example_aws_iam_role_policy[\"name\"]])\n```\n```csharp\nusing System.Collections.Generic;\nusing System.Linq;\nusing Pulumi;\nusing Aws = Pulumi.Aws;\n\nreturn await Deployment.RunAsync(() =\u003e \n{\n var example = new Aws.Iam.RolePoliciesExclusive(\"example\", new()\n {\n RoleName = exampleAwsIamRole.Name,\n PolicyNames = new[]\n {\n exampleAwsIamRolePolicy.Name,\n },\n });\n\n});\n```\n```go\npackage main\n\nimport (\n\t\"github.com/pulumi/pulumi-aws/sdk/v6/go/aws/iam\"\n\t\"github.com/pulumi/pulumi/sdk/v3/go/pulumi\"\n)\n\nfunc main() {\n\tpulumi.Run(func(ctx *pulumi.Context) error {\n\t\t_, err := iam.NewRolePoliciesExclusive(ctx, \"example\", \u0026iam.RolePoliciesExclusiveArgs{\n\t\t\tRoleName: pulumi.Any(exampleAwsIamRole.Name),\n\t\t\tPolicyNames: pulumi.StringArray{\n\t\t\t\texampleAwsIamRolePolicy.Name,\n\t\t\t},\n\t\t})\n\t\tif err != nil {\n\t\t\treturn err\n\t\t}\n\t\treturn nil\n\t})\n}\n```\n```java\npackage generated_program;\n\nimport com.pulumi.Context;\nimport com.pulumi.Pulumi;\nimport com.pulumi.core.Output;\nimport com.pulumi.aws.iam.RolePoliciesExclusive;\nimport com.pulumi.aws.iam.RolePoliciesExclusiveArgs;\nimport java.util.List;\nimport java.util.ArrayList;\nimport java.util.Map;\nimport java.io.File;\nimport java.nio.file.Files;\nimport java.nio.file.Paths;\n\npublic class App {\n public static void main(String[] args) {\n Pulumi.run(App::stack);\n }\n\n public static void 
stack(Context ctx) {\n var example = new RolePoliciesExclusive(\"example\", RolePoliciesExclusiveArgs.builder()\n .roleName(exampleAwsIamRole.name())\n .policyNames(exampleAwsIamRolePolicy.name())\n .build());\n\n }\n}\n```\n```yaml\nresources:\n example:\n type: aws:iam:RolePoliciesExclusive\n properties:\n roleName: ${exampleAwsIamRole.name}\n policyNames:\n - ${exampleAwsIamRolePolicy.name}\n```\n\u003c!--End PulumiCodeChooser --\u003e\n\n### Disallow Inline Policies\n\nTo automatically remove any configured inline policies, set the `policy_names` argument to an empty list.\n\n\u003e This will not __prevent__ inline policies from being assigned to a role via Pulumi (or any other interface). This resource enables bringing inline policy assignments into a configured state, however, this reconciliation happens only when `apply` is proactively run.\n\n\u003c!--Start PulumiCodeChooser --\u003e\n```typescript\nimport * as pulumi from \"@pulumi/pulumi\";\nimport * as aws from \"@pulumi/aws\";\n\nconst example = new aws.iam.RolePoliciesExclusive(\"example\", {\n roleName: exampleAwsIamRole.name,\n policyNames: [],\n});\n```\n```python\nimport pulumi\nimport pulumi_aws as aws\n\nexample = aws.iam.RolePoliciesExclusive(\"example\",\n role_name=example_aws_iam_role[\"name\"],\n policy_names=[])\n```\n```csharp\nusing System.Collections.Generic;\nusing System.Linq;\nusing Pulumi;\nusing Aws = Pulumi.Aws;\n\nreturn await Deployment.RunAsync(() =\u003e \n{\n var example = new Aws.Iam.RolePoliciesExclusive(\"example\", new()\n {\n RoleName = exampleAwsIamRole.Name,\n PolicyNames = new[] {},\n });\n\n});\n```\n```go\npackage main\n\nimport (\n\t\"github.com/pulumi/pulumi-aws/sdk/v6/go/aws/iam\"\n\t\"github.com/pulumi/pulumi/sdk/v3/go/pulumi\"\n)\n\nfunc main() {\n\tpulumi.Run(func(ctx *pulumi.Context) error {\n\t\t_, err := iam.NewRolePoliciesExclusive(ctx, \"example\", \u0026iam.RolePoliciesExclusiveArgs{\n\t\t\tRoleName: pulumi.Any(exampleAwsIamRole.Name),\n\t\t\tPolicyNames: 
pulumi.StringArray{},\n\t\t})\n\t\tif err != nil {\n\t\t\treturn err\n\t\t}\n\t\treturn nil\n\t})\n}\n```\n```java\npackage generated_program;\n\nimport com.pulumi.Context;\nimport com.pulumi.Pulumi;\nimport com.pulumi.core.Output;\nimport com.pulumi.aws.iam.RolePoliciesExclusive;\nimport com.pulumi.aws.iam.RolePoliciesExclusiveArgs;\nimport java.util.List;\nimport java.util.ArrayList;\nimport java.util.Map;\nimport java.io.File;\nimport java.nio.file.Files;\nimport java.nio.file.Paths;\n\npublic class App {\n public static void main(String[] args) {\n Pulumi.run(App::stack);\n }\n\n public static void stack(Context ctx) {\n var example = new RolePoliciesExclusive(\"example\", RolePoliciesExclusiveArgs.builder()\n .roleName(exampleAwsIamRole.name())\n .policyNames()\n .build());\n\n }\n}\n```\n```yaml\nresources:\n example:\n type: aws:iam:RolePoliciesExclusive\n properties:\n roleName: ${exampleAwsIamRole.name}\n policyNames: []\n```\n\u003c!--End PulumiCodeChooser --\u003e\n", "properties": { "policyNames": { "type": "array", 
@@ -279640,7 +279640,7 @@ } }, "aws:iam/rolePolicyAttachmentsExclusive:RolePolicyAttachmentsExclusive": { - "description": "\n\n## Import\n\nUsing `pulumi import`, import exclusive management of customer managed policy assignments using the `role_name`. For example:\n\n```sh\n$ pulumi import aws:iam/rolePolicyAttachmentsExclusive:RolePolicyAttachmentsExclusive example MyRole\n```\n", + "description": "Pulumi resource for maintaining exclusive management of customer managed policies assigned to an AWS IAM (Identity \u0026 Access Management) role.\n\n\u003e **NOTE:** To reliably detect drift between customer managed policies listed in this resource and actual policies attached to the role in the cloud, you currently need to run Pulumi with `pulumi up --refresh`. See [#4766](https://github.com/pulumi/pulumi-aws/issues/4766) for tracking making this work with regular `pulumi up` invocations.\n\n!\u003e This resource takes exclusive ownership over customer managed policies attached to a role. This includes removal of customer managed policies which are not explicitly configured. To prevent persistent drift, ensure any `aws.iam.RolePolicyAttachment` resources managed alongside this resource are included in the `policy_arns` argument.\n\n\u003e Destruction of this resource means Pulumi will no longer manage reconciliation of the configured policy attachments. 
It __will not__ detach the configured policies from the role.\n\n## Example Usage\n\n### Basic Usage\n\n\u003c!--Start PulumiCodeChooser --\u003e\n```typescript\nimport * as pulumi from \"@pulumi/pulumi\";\nimport * as aws from \"@pulumi/aws\";\n\nconst example = new aws.iam.RolePolicyAttachmentsExclusive(\"example\", {\n roleName: exampleAwsIamRole.name,\n policyArns: [exampleAwsIamPolicy.arn],\n});\n```\n```python\nimport pulumi\nimport pulumi_aws as aws\n\nexample = aws.iam.RolePolicyAttachmentsExclusive(\"example\",\n role_name=example_aws_iam_role[\"name\"],\n policy_arns=[example_aws_iam_policy[\"arn\"]])\n```\n```csharp\nusing System.Collections.Generic;\nusing System.Linq;\nusing Pulumi;\nusing Aws = Pulumi.Aws;\n\nreturn await Deployment.RunAsync(() =\u003e \n{\n var example = new Aws.Iam.RolePolicyAttachmentsExclusive(\"example\", new()\n {\n RoleName = exampleAwsIamRole.Name,\n PolicyArns = new[]\n {\n exampleAwsIamPolicy.Arn,\n },\n });\n\n});\n```\n```go\npackage main\n\nimport (\n\t\"github.com/pulumi/pulumi-aws/sdk/v6/go/aws/iam\"\n\t\"github.com/pulumi/pulumi/sdk/v3/go/pulumi\"\n)\n\nfunc main() {\n\tpulumi.Run(func(ctx *pulumi.Context) error {\n\t\t_, err := iam.NewRolePolicyAttachmentsExclusive(ctx, \"example\", \u0026iam.RolePolicyAttachmentsExclusiveArgs{\n\t\t\tRoleName: pulumi.Any(exampleAwsIamRole.Name),\n\t\t\tPolicyArns: pulumi.StringArray{\n\t\t\t\texampleAwsIamPolicy.Arn,\n\t\t\t},\n\t\t})\n\t\tif err != nil {\n\t\t\treturn err\n\t\t}\n\t\treturn nil\n\t})\n}\n```\n```java\npackage generated_program;\n\nimport com.pulumi.Context;\nimport com.pulumi.Pulumi;\nimport com.pulumi.core.Output;\nimport com.pulumi.aws.iam.RolePolicyAttachmentsExclusive;\nimport com.pulumi.aws.iam.RolePolicyAttachmentsExclusiveArgs;\nimport java.util.List;\nimport java.util.ArrayList;\nimport java.util.Map;\nimport java.io.File;\nimport java.nio.file.Files;\nimport java.nio.file.Paths;\n\npublic class App {\n public static void main(String[] args) {\n 
Pulumi.run(App::stack);\n }\n\n public static void stack(Context ctx) {\n var example = new RolePolicyAttachmentsExclusive(\"example\", RolePolicyAttachmentsExclusiveArgs.builder()\n .roleName(exampleAwsIamRole.name())\n .policyArns(exampleAwsIamPolicy.arn())\n .build());\n\n }\n}\n```\n```yaml\nresources:\n example:\n type: aws:iam:RolePolicyAttachmentsExclusive\n properties:\n roleName: ${exampleAwsIamRole.name}\n policyArns:\n - ${exampleAwsIamPolicy.arn}\n```\n\u003c!--End PulumiCodeChooser --\u003e\n\n### Disallow Customer Managed Policies\n\nTo automatically remove any configured customer managed policies, set the `policy_arns` argument to an empty list.\n\n\u003e This will not __prevent__ customer managed policies from being assigned to a role via Pulumi (or any other interface). This resource enables bringing customer managed policy assignments into a configured state, however, this reconciliation happens only when `apply` is proactively run.\n\n\u003c!--Start PulumiCodeChooser --\u003e\n```typescript\nimport * as pulumi from \"@pulumi/pulumi\";\nimport * as aws from \"@pulumi/aws\";\n\nconst example = new aws.iam.RolePolicyAttachmentsExclusive(\"example\", {\n roleName: exampleAwsIamRole.name,\n policyArns: [],\n});\n```\n```python\nimport pulumi\nimport pulumi_aws as aws\n\nexample = aws.iam.RolePolicyAttachmentsExclusive(\"example\",\n role_name=example_aws_iam_role[\"name\"],\n policy_arns=[])\n```\n```csharp\nusing System.Collections.Generic;\nusing System.Linq;\nusing Pulumi;\nusing Aws = Pulumi.Aws;\n\nreturn await Deployment.RunAsync(() =\u003e \n{\n var example = new Aws.Iam.RolePolicyAttachmentsExclusive(\"example\", new()\n {\n RoleName = exampleAwsIamRole.Name,\n PolicyArns = new[] {},\n });\n\n});\n```\n```go\npackage main\n\nimport (\n\t\"github.com/pulumi/pulumi-aws/sdk/v6/go/aws/iam\"\n\t\"github.com/pulumi/pulumi/sdk/v3/go/pulumi\"\n)\n\nfunc main() {\n\tpulumi.Run(func(ctx *pulumi.Context) error {\n\t\t_, err := 
iam.NewRolePolicyAttachmentsExclusive(ctx, \"example\", \u0026iam.RolePolicyAttachmentsExclusiveArgs{\n\t\t\tRoleName: pulumi.Any(exampleAwsIamRole.Name),\n\t\t\tPolicyArns: pulumi.StringArray{},\n\t\t})\n\t\tif err != nil {\n\t\t\treturn err\n\t\t}\n\t\treturn nil\n\t})\n}\n```\n```java\npackage generated_program;\n\nimport com.pulumi.Context;\nimport com.pulumi.Pulumi;\nimport com.pulumi.core.Output;\nimport com.pulumi.aws.iam.RolePolicyAttachmentsExclusive;\nimport com.pulumi.aws.iam.RolePolicyAttachmentsExclusiveArgs;\nimport java.util.List;\nimport java.util.ArrayList;\nimport java.util.Map;\nimport java.io.File;\nimport java.nio.file.Files;\nimport java.nio.file.Paths;\n\npublic class App {\n public static void main(String[] args) {\n Pulumi.run(App::stack);\n }\n\n public static void stack(Context ctx) {\n var example = new RolePolicyAttachmentsExclusive(\"example\", RolePolicyAttachmentsExclusiveArgs.builder()\n .roleName(exampleAwsIamRole.name())\n .policyArns()\n .build());\n\n }\n}\n```\n```yaml\nresources:\n example:\n type: aws:iam:RolePolicyAttachmentsExclusive\n properties:\n roleName: ${exampleAwsIamRole.name}\n policyArns: []\n```\n\u003c!--End PulumiCodeChooser --\u003e\n", "properties": { "policyArns": { "type": "array", diff --git a/provider/resources.go b/provider/resources.go index 8c947c4aa7b..edbbd8a5d74 100644 --- a/provider/resources.go +++ b/provider/resources.go 
@@ -2574,6 +2574,18 @@ compatibility shim in favor of the new "name" field.`)
 // deletes the same attachment we just created, since it is structurally equivalent!
 DeleteBeforeReplace: true,
 },
+ "aws_iam_role_policies_exclusive": {
+ Tok: awsResource(iamMod, "RolePoliciesExclusive"),
+ Docs: &info.Doc{
+ Markdown: maybeReadFile("docs/resource/aws_iam_role_policies_exclusive.md"),
+ },
+ },
+ "aws_iam_role_policy_attachments_exclusive": {
+ Tok: awsResource(iamMod, "RolePolicyAttachmentsExclusive"),
+ Docs: &info.Doc{
+ Markdown: maybeReadFile("docs/resource/aws_iam_role_policy_attachments_exclusive.md"),
+ },
+ },
 "aws_iam_role_policy": {
 Tok: awsResource(iamMod, "RolePolicy"),
 Fields: map[string]*tfbridge.SchemaInfo{
diff --git a/sdk/dotnet/Iam/RolePoliciesExclusive.cs b/sdk/dotnet/Iam/RolePoliciesExclusive.cs
index 5be1affb1c5..3b12185ffc2 100644
--- a/sdk/dotnet/Iam/RolePoliciesExclusive.cs
+++ b/sdk/dotnet/Iam/RolePoliciesExclusive.cs
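Review bot: `maybeReadFile` presumably returns an empty string rather than failing when the markdown is absent (inferred from the name), so a renamed or dropped doc file would silently strip the `pulumi up --refresh` caveat from the schema and every generated SDK, and nothing in this hunk guards against that. Since that caveat is what tells users that out-of-band policy changes on a role are only reverted when a refresh runs, consider a provider test asserting the schema descriptions for both new tokens contain `pulumi up --refresh`, or at least a comment on each entry such as `// Docs overridden so the refresh caveat reaches all SDKs; see #4772.` Note also that the override replaces the upstream description wholesale: the removed schema text carried a `## Import` section with `pulumi import` instructions that the new markdown files do not include, so that guidance disappears from all SDK docs. The enclosing map literal begins and ends outside the hunk.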
@@ -10,12 +10,59 @@ namespace Pulumi.Aws.Iam
 {
 ///
- /// ## Import
+ /// Pulumi resource for maintaining exclusive management of inline policies assigned to an AWS IAM (Identity & Access Management) role.
 ///
- /// Using `pulumi import`, import exclusive management of inline policy assignments using the `role_name`. For example:
+ /// > **NOTE:** To reliably detect drift between customer managed inline policies listed in this resource and actual policies attached to the role in the cloud, you currently need to run Pulumi with `pulumi up --refresh`. See [#4766](https://github.com/pulumi/pulumi-aws/issues/4766) for tracking making this work with regular `pulumi up` invocations.
 ///
- /// ```sh
- /// $ pulumi import aws:iam/rolePoliciesExclusive:RolePoliciesExclusive example MyRole
+ /// !> This resource takes exclusive ownership over inline policies assigned to a role. This includes removal of inline policies which are not explicitly configured. To prevent persistent drift, ensure any `aws.iam.RolePolicy` resources managed alongside this resource are included in the `policy_names` argument.
+ ///
+ /// > Destruction of this resource means Pulumi will no longer manage reconciliation of the configured inline policy assignments. It __will not__ delete the configured policies from the role.
+ ///
+ /// ## Example Usage
+ ///
+ /// ### Basic Usage
+ ///
+ /// ```csharp
+ /// using System.Collections.Generic;
+ /// using System.Linq;
+ /// using Pulumi;
+ /// using Aws = Pulumi.Aws;
+ ///
+ /// return await Deployment.RunAsync(() =>
+ /// {
+ /// var example = new Aws.Iam.RolePoliciesExclusive("example", new()
+ /// {
+ /// RoleName = exampleAwsIamRole.Name,
+ /// PolicyNames = new[]
+ /// {
+ /// exampleAwsIamRolePolicy.Name,
+ /// },
+ /// });
+ ///
+ /// });
+ /// ```
+ ///
+ /// ### Disallow Inline Policies
+ ///
+ /// To automatically remove any configured inline policies, set the `policy_names` argument to an empty list.
+ ///
+ /// > This will not __prevent__ inline policies from being assigned to a role via Pulumi (or any other interface). This resource enables bringing inline policy assignments into a configured state, however, this reconciliation happens only when `apply` is proactively run.
+ ///
+ /// ```csharp
+ /// using System.Collections.Generic;
+ /// using System.Linq;
+ /// using Pulumi;
+ /// using Aws = Pulumi.Aws;
+ ///
+ /// return await Deployment.RunAsync(() =>
+ /// {
+ /// var example = new Aws.Iam.RolePoliciesExclusive("example", new()
+ /// {
+ /// RoleName = exampleAwsIamRole.Name,
+ /// PolicyNames = new[] {},
+ /// });
+ ///
+ /// });
 /// ```
 ///
 [AwsResourceType("aws:iam/rolePoliciesExclusive:RolePoliciesExclusive")]
diff --git a/sdk/dotnet/Iam/RolePolicyAttachmentsExclusive.cs b/sdk/dotnet/Iam/RolePolicyAttachmentsExclusive.cs
index ec90900d732..ba00cc8310f 100644
--- a/sdk/dotnet/Iam/RolePolicyAttachmentsExclusive.cs
+++ b/sdk/dotnet/Iam/RolePolicyAttachmentsExclusive.cs
@@ -10,12 +10,59 @@ namespace Pulumi.Aws.Iam
 {
 ///
- /// ## Import
+ /// Pulumi resource for maintaining exclusive management of customer managed policies assigned to an AWS IAM (Identity & Access Management) role.
 ///
- /// Using `pulumi import`, import exclusive management of customer managed policy assignments using the `role_name`. For example:
+ /// > **NOTE:** To reliably detect drift between customer managed policies listed in this resource and actual policies attached to the role in the cloud, you currently need to run Pulumi with `pulumi up --refresh`. See [#4766](https://github.com/pulumi/pulumi-aws/issues/4766) for tracking making this work with regular `pulumi up` invocations.
 ///
- /// ```sh
- /// $ pulumi import aws:iam/rolePolicyAttachmentsExclusive:RolePolicyAttachmentsExclusive example MyRole
+ /// !> This resource takes exclusive ownership over customer managed policies attached to a role. This includes removal of customer managed policies which are not explicitly configured. To prevent persistent drift, ensure any `aws.iam.RolePolicyAttachment` resources managed alongside this resource are included in the `policy_arns` argument.
+ ///
+ /// > Destruction of this resource means Pulumi will no longer manage reconciliation of the configured policy attachments. It __will not__ detach the configured policies from the role.
+ ///
+ /// ## Example Usage
+ ///
+ /// ### Basic Usage
+ ///
+ /// ```csharp
+ /// using System.Collections.Generic;
+ /// using System.Linq;
+ /// using Pulumi;
+ /// using Aws = Pulumi.Aws;
+ ///
+ /// return await Deployment.RunAsync(() =>
+ /// {
+ /// var example = new Aws.Iam.RolePolicyAttachmentsExclusive("example", new()
+ /// {
+ /// RoleName = exampleAwsIamRole.Name,
+ /// PolicyArns = new[]
+ /// {
+ /// exampleAwsIamPolicy.Arn,
+ /// },
+ /// });
+ ///
+ /// });
+ /// ```
+ ///
+ /// ### Disallow Customer Managed Policies
+ ///
+ /// To automatically remove any configured customer managed policies, set the `policy_arns` argument to an empty list.
+ ///
+ /// > This will not __prevent__ customer managed policies from being assigned to a role via Pulumi (or any other interface). This resource enables bringing customer managed policy assignments into a configured state, however, this reconciliation happens only when `apply` is proactively run.
+ ///
+ /// ```csharp
+ /// using System.Collections.Generic;
+ /// using System.Linq;
+ /// using Pulumi;
+ /// using Aws = Pulumi.Aws;
+ ///
+ /// return await Deployment.RunAsync(() =>
+ /// {
+ /// var example = new Aws.Iam.RolePolicyAttachmentsExclusive("example", new()
+ /// {
+ /// RoleName = exampleAwsIamRole.Name,
+ /// PolicyArns = new[] {},
+ /// });
+ ///
+ /// });
 /// ```
 ///
 [AwsResourceType("aws:iam/rolePolicyAttachmentsExclusive:RolePolicyAttachmentsExclusive")]
diff --git a/sdk/go/aws/iam/rolePoliciesExclusive.go b/sdk/go/aws/iam/rolePoliciesExclusive.go
index 1348308e0df..8a20d08b3f7 100644
--- a/sdk/go/aws/iam/rolePoliciesExclusive.go
+++ b/sdk/go/aws/iam/rolePoliciesExclusive.go
@@ -12,12 +12,74 @@ import (
 "github.com/pulumi/pulumi/sdk/v3/go/pulumi"
 )
-// ## Import
+// Pulumi resource for maintaining exclusive management of inline policies assigned to an AWS IAM (Identity & Access Management) role.
 //
-// Using `pulumi import`, import exclusive management of inline policy assignments using the `role_name`. For example:
+// > **NOTE:** To reliably detect drift between customer managed inline policies listed in this resource and actual policies attached to the role in the cloud, you currently need to run Pulumi with `pulumi up --refresh`. See [#4766](https://github.com/pulumi/pulumi-aws/issues/4766) for tracking making this work with regular `pulumi up` invocations.
+//
+// !> This resource takes exclusive ownership over inline policies assigned to a role. This includes removal of inline policies which are not explicitly configured. To prevent persistent drift, ensure any `iam.RolePolicy` resources managed alongside this resource are included in the `policyNames` argument.
+//
+// > Destruction of this resource means Pulumi will no longer manage reconciliation of the configured inline policy assignments. It __will not__ delete the configured policies from the role.
+//
+// ## Example Usage
+//
+// ### Basic Usage
+//
+// ```go
+// package main
+//
+// import (
+//
+// "github.com/pulumi/pulumi-aws/sdk/v6/go/aws/iam"
+// "github.com/pulumi/pulumi/sdk/v3/go/pulumi"
+//
+// )
+//
+// func main() {
+// pulumi.Run(func(ctx *pulumi.Context) error {
+// _, err := iam.NewRolePoliciesExclusive(ctx, "example", &iam.RolePoliciesExclusiveArgs{
+// RoleName: pulumi.Any(exampleAwsIamRole.Name),
+// PolicyNames: pulumi.StringArray{
+// exampleAwsIamRolePolicy.Name,
+// },
+// })
+// if err != nil {
+// return err
+// }
+// return nil
+// })
+// }
+//
+// ```
+//
+// ### Disallow Inline Policies
+//
+// To automatically remove any configured inline policies, set the `policyNames` argument to an empty list.
+//
+// > This will not __prevent__ inline policies from being assigned to a role via Pulumi (or any other interface). This resource enables bringing inline policy assignments into a configured state, however, this reconciliation happens only when `apply` is proactively run.
+//
+// ```go
+// package main
+//
+// import (
+//
+// "github.com/pulumi/pulumi-aws/sdk/v6/go/aws/iam"
+// "github.com/pulumi/pulumi/sdk/v3/go/pulumi"
+//
+// )
+//
+// func main() {
+// pulumi.Run(func(ctx *pulumi.Context) error {
+// _, err := iam.NewRolePoliciesExclusive(ctx, "example", &iam.RolePoliciesExclusiveArgs{
+// RoleName: pulumi.Any(exampleAwsIamRole.Name),
+// PolicyNames: pulumi.StringArray{},
+// })
+// if err != nil {
+// return err
+// }
+// return nil
+// })
+// }
 //
-// ```sh
-// $ pulumi import aws:iam/rolePoliciesExclusive:RolePoliciesExclusive example MyRole
 // ```
 type RolePoliciesExclusive struct {
 pulumi.CustomResourceState
diff --git a/sdk/go/aws/iam/rolePolicyAttachmentsExclusive.go b/sdk/go/aws/iam/rolePolicyAttachmentsExclusive.go
index 6b823b81492..bcc442d2435 100644
--- a/sdk/go/aws/iam/rolePolicyAttachmentsExclusive.go
+++ b/sdk/go/aws/iam/rolePolicyAttachmentsExclusive.go
@@ -12,12 +12,74 @@ import (
 "github.com/pulumi/pulumi/sdk/v3/go/pulumi"
 )
-// ## Import
+// Pulumi resource for maintaining exclusive management of customer managed policies assigned to an AWS IAM (Identity & Access Management) role.
 //
-// Using `pulumi import`, import exclusive management of customer managed policy assignments using the `role_name`. For example:
+// > **NOTE:** To reliably detect drift between customer managed policies listed in this resource and actual policies attached to the role in the cloud, you currently need to run Pulumi with `pulumi up --refresh`. See [#4766](https://github.com/pulumi/pulumi-aws/issues/4766) for tracking making this work with regular `pulumi up` invocations.
+//
+// !> This resource takes exclusive ownership over customer managed policies attached to a role. This includes removal of customer managed policies which are not explicitly configured. To prevent persistent drift, ensure any `iam.RolePolicyAttachment` resources managed alongside this resource are included in the `policyArns` argument.
+//
+// > Destruction of this resource means Pulumi will no longer manage reconciliation of the configured policy attachments. It __will not__ detach the configured policies from the role.
+//
+// ## Example Usage
+//
+// ### Basic Usage
+//
+// ```go
+// package main
+//
+// import (
+//
+// "github.com/pulumi/pulumi-aws/sdk/v6/go/aws/iam"
+// "github.com/pulumi/pulumi/sdk/v3/go/pulumi"
+//
+// )
+//
+// func main() {
+// pulumi.Run(func(ctx *pulumi.Context) error {
+// _, err := iam.NewRolePolicyAttachmentsExclusive(ctx, "example", &iam.RolePolicyAttachmentsExclusiveArgs{
+// RoleName: pulumi.Any(exampleAwsIamRole.Name),
+// PolicyArns: pulumi.StringArray{
+// exampleAwsIamPolicy.Arn,
+// },
+// })
+// if err != nil {
+// return err
+// }
+// return nil
+// })
+// }
+//
+// ```
+//
+// ### Disallow Customer Managed Policies
+//
+// To automatically remove any configured customer managed policies, set the `policyArns` argument to an empty list.
+//
+// > This will not __prevent__ customer managed policies from being assigned to a role via Pulumi (or any other interface). This resource enables bringing customer managed policy assignments into a configured state, however, this reconciliation happens only when `apply` is proactively run.
+//
+// ```go
+// package main
+//
+// import (
+//
+// "github.com/pulumi/pulumi-aws/sdk/v6/go/aws/iam"
+// "github.com/pulumi/pulumi/sdk/v3/go/pulumi"
+//
+// )
+//
+// func main() {
+// pulumi.Run(func(ctx *pulumi.Context) error {
+// _, err := iam.NewRolePolicyAttachmentsExclusive(ctx, "example", &iam.RolePolicyAttachmentsExclusiveArgs{
+// RoleName: pulumi.Any(exampleAwsIamRole.Name),
+// PolicyArns: pulumi.StringArray{},
+// })
+// if err != nil {
+// return err
+// }
+// return nil
+// })
+// }
 //
-// ```sh
-// $ pulumi import aws:iam/rolePolicyAttachmentsExclusive:RolePolicyAttachmentsExclusive example MyRole
 // ```
 type RolePolicyAttachmentsExclusive struct {
 pulumi.CustomResourceState
diff --git a/sdk/java/src/main/java/com/pulumi/aws/iam/RolePoliciesExclusive.java b/sdk/java/src/main/java/com/pulumi/aws/iam/RolePoliciesExclusive.java
index 7dd324794a6..15e702a481a 100644
--- a/sdk/java/src/main/java/com/pulumi/aws/iam/RolePoliciesExclusive.java
+++ b/sdk/java/src/main/java/com/pulumi/aws/iam/RolePoliciesExclusive.java
@@ -15,13 +15,91 @@ import javax.annotation.Nullable;
 /**
- * ## Import
+ * Pulumi resource for maintaining exclusive management of inline policies assigned to an AWS IAM (Identity & Access Management) role.
 *
- * Using `pulumi import`, import exclusive management of inline policy assignments using the `role_name`. For example:
+ * > **NOTE:** To reliably detect drift between customer managed inline policies listed in this resource and actual policies attached to the role in the cloud, you currently need to run Pulumi with `pulumi up --refresh`. See [#4766](https://github.com/pulumi/pulumi-aws/issues/4766) for tracking making this work with regular `pulumi up` invocations.
 *
- * ```sh
- * $ pulumi import aws:iam/rolePoliciesExclusive:RolePoliciesExclusive example MyRole
- * ```
+ * !> This resource takes exclusive ownership over inline policies assigned to a role. This includes removal of inline policies which are not explicitly configured. To prevent persistent drift, ensure any `aws.iam.RolePolicy` resources managed alongside this resource are included in the `policy_names` argument.
+ *
+ * > Destruction of this resource means Pulumi will no longer manage reconciliation of the configured inline policy assignments. It __will not__ delete the configured policies from the role.
+ *
+ * ## Example Usage
+ *
+ * ### Basic Usage
+ *
+ * <!--Start PulumiCodeChooser -->
+ *
+ * {@code
+ * package generated_program;
+ * 
+ * import com.pulumi.Context;
+ * import com.pulumi.Pulumi;
+ * import com.pulumi.core.Output;
+ * import com.pulumi.aws.iam.RolePoliciesExclusive;
+ * import com.pulumi.aws.iam.RolePoliciesExclusiveArgs;
+ * import java.util.List;
+ * import java.util.ArrayList;
+ * import java.util.Map;
+ * import java.io.File;
+ * import java.nio.file.Files;
+ * import java.nio.file.Paths;
+ * 
+ * public class App {
+ *     public static void main(String[] args) {
+ *         Pulumi.run(App::stack);
+ *     }
+ * 
+ *     public static void stack(Context ctx) {
+ *         var example = new RolePoliciesExclusive("example", RolePoliciesExclusiveArgs.builder()
+ *             .roleName(exampleAwsIamRole.name())
+ *             .policyNames(exampleAwsIamRolePolicy.name())
+ *             .build());
+ * 
+ *     }
+ * }
+ * }
+ * 
+ * <!--End PulumiCodeChooser -->
+ *
+ * ### Disallow Inline Policies
+ *
+ * To automatically remove any configured inline policies, set the `policy_names` argument to an empty list.
+ *
+ * > This will not __prevent__ inline policies from being assigned to a role via Pulumi (or any other interface). This resource enables bringing inline policy assignments into a configured state, however, this reconciliation happens only when `apply` is proactively run.
+ *
+ * <!--Start PulumiCodeChooser -->
+ *
+ * {@code
+ * package generated_program;
+ * 
+ * import com.pulumi.Context;
+ * import com.pulumi.Pulumi;
+ * import com.pulumi.core.Output;
+ * import com.pulumi.aws.iam.RolePoliciesExclusive;
+ * import com.pulumi.aws.iam.RolePoliciesExclusiveArgs;
+ * import java.util.List;
+ * import java.util.ArrayList;
+ * import java.util.Map;
+ * import java.io.File;
+ * import java.nio.file.Files;
+ * import java.nio.file.Paths;
+ * 
+ * public class App {
+ *     public static void main(String[] args) {
+ *         Pulumi.run(App::stack);
+ *     }
+ * 
+ *     public static void stack(Context ctx) {
+ *         var example = new RolePoliciesExclusive("example", RolePoliciesExclusiveArgs.builder()
+ *             .roleName(exampleAwsIamRole.name())
+ *             .policyNames()
+ *             .build());
+ * 
+ *     }
+ * }
+ * }
+ * 
+ * <!--End PulumiCodeChooser -->
 *
 */
 @ResourceType(type="aws:iam/rolePoliciesExclusive:RolePoliciesExclusive")
diff --git a/sdk/java/src/main/java/com/pulumi/aws/iam/RolePolicyAttachmentsExclusive.java b/sdk/java/src/main/java/com/pulumi/aws/iam/RolePolicyAttachmentsExclusive.java
index ac18709267b..2283544c039 100644
--- a/sdk/java/src/main/java/com/pulumi/aws/iam/RolePolicyAttachmentsExclusive.java
+++ b/sdk/java/src/main/java/com/pulumi/aws/iam/RolePolicyAttachmentsExclusive.java
@@ -15,13 +15,91 @@ import javax.annotation.Nullable;
 /**
- * ## Import
+ * Pulumi resource for maintaining exclusive management of customer managed policies assigned to an AWS IAM (Identity & Access Management) role.
 *
- * Using `pulumi import`, import exclusive management of customer managed policy assignments using the `role_name`. For example:
+ * > **NOTE:** To reliably detect drift between customer managed policies listed in this resource and actual policies attached to the role in the cloud, you currently need to run Pulumi with `pulumi up --refresh`. See [#4766](https://github.com/pulumi/pulumi-aws/issues/4766) for tracking making this work with regular `pulumi up` invocations.
 *
- * ```sh
- * $ pulumi import aws:iam/rolePolicyAttachmentsExclusive:RolePolicyAttachmentsExclusive example MyRole
- * ```
+ * !> This resource takes exclusive ownership over customer managed policies attached to a role. This includes removal of customer managed policies which are not explicitly configured. To prevent persistent drift, ensure any `aws.iam.RolePolicyAttachment` resources managed alongside this resource are included in the `policy_arns` argument.
+ *
+ * > Destruction of this resource means Pulumi will no longer manage reconciliation of the configured policy attachments. It __will not__ detach the configured policies from the role.
+ *
+ * ## Example Usage
+ *
+ * ### Basic Usage
+ *
+ * <!--Start PulumiCodeChooser -->
+ *
+ * {@code
+ * package generated_program;
+ * 
+ * import com.pulumi.Context;
+ * import com.pulumi.Pulumi;
+ * import com.pulumi.core.Output;
+ * import com.pulumi.aws.iam.RolePolicyAttachmentsExclusive;
+ * import com.pulumi.aws.iam.RolePolicyAttachmentsExclusiveArgs;
+ * import java.util.List;
+ * import java.util.ArrayList;
+ * import java.util.Map;
+ * import java.io.File;
+ * import java.nio.file.Files;
+ * import java.nio.file.Paths;
+ * 
+ * public class App {
+ *     public static void main(String[] args) {
+ *         Pulumi.run(App::stack);
+ *     }
+ * 
+ *     public static void stack(Context ctx) {
+ *         var example = new RolePolicyAttachmentsExclusive("example", RolePolicyAttachmentsExclusiveArgs.builder()
+ *             .roleName(exampleAwsIamRole.name())
+ *             .policyArns(exampleAwsIamPolicy.arn())
+ *             .build());
+ * 
+ *     }
+ * }
+ * }
+ * 
+ * <!--End PulumiCodeChooser -->
+ *
+ * ### Disallow Customer Managed Policies
+ *
+ * To automatically remove any configured customer managed policies, set the `policy_arns` argument to an empty list.
+ *
+ * > This will not __prevent__ customer managed policies from being assigned to a role via Pulumi (or any other interface). This resource enables bringing customer managed policy assignments into a configured state, however, this reconciliation happens only when `apply` is proactively run.
+ *
+ * <!--Start PulumiCodeChooser -->
+ *
+ * {@code
+ * package generated_program;
+ * 
+ * import com.pulumi.Context;
+ * import com.pulumi.Pulumi;
+ * import com.pulumi.core.Output;
+ * import com.pulumi.aws.iam.RolePolicyAttachmentsExclusive;
+ * import com.pulumi.aws.iam.RolePolicyAttachmentsExclusiveArgs;
+ * import java.util.List;
+ * import java.util.ArrayList;
+ * import java.util.Map;
+ * import java.io.File;
+ * import java.nio.file.Files;
+ * import java.nio.file.Paths;
+ * 
+ * public class App {
+ *     public static void main(String[] args) {
+ *         Pulumi.run(App::stack);
+ *     }
+ * 
+ *     public static void stack(Context ctx) {
+ *         var example = new RolePolicyAttachmentsExclusive("example", RolePolicyAttachmentsExclusiveArgs.builder()
+ *             .roleName(exampleAwsIamRole.name())
+ *             .policyArns()
+ *             .build());
+ * 
+ *     }
+ * }
+ * }
+ * 
+ * <!--End PulumiCodeChooser -->
 *
 */
 @ResourceType(type="aws:iam/rolePolicyAttachmentsExclusive:RolePolicyAttachmentsExclusive")
diff --git a/sdk/nodejs/iam/rolePoliciesExclusive.ts b/sdk/nodejs/iam/rolePoliciesExclusive.ts
index 116224c5e22..09807998629 100644
--- a/sdk/nodejs/iam/rolePoliciesExclusive.ts
+++ b/sdk/nodejs/iam/rolePoliciesExclusive.ts
@@ -5,12 +5,42 @@ import * as pulumi from "@pulumi/pulumi";
 import * as utilities from "../utilities";
 /**
- * ## Import
+ * Pulumi resource for maintaining exclusive management of inline policies assigned to an AWS IAM (Identity & Access Management) role.
 *
- * Using `pulumi import`, import exclusive management of inline policy assignments using the `role_name`. For example:
+ * > **NOTE:** To reliably detect drift between customer managed inline policies listed in this resource and actual policies attached to the role in the cloud, you currently need to run Pulumi with `pulumi up --refresh`. See [#4766](https://github.com/pulumi/pulumi-aws/issues/4766) for tracking making this work with regular `pulumi up` invocations.
 *
- * ```sh
- * $ pulumi import aws:iam/rolePoliciesExclusive:RolePoliciesExclusive example MyRole
+ * !> This resource takes exclusive ownership over inline policies assigned to a role. This includes removal of inline policies which are not explicitly configured. To prevent persistent drift, ensure any `aws.iam.RolePolicy` resources managed alongside this resource are included in the `policyNames` argument.
+ *
+ * > Destruction of this resource means Pulumi will no longer manage reconciliation of the configured inline policy assignments. It __will not__ delete the configured policies from the role.
+ *
+ * ## Example Usage
+ *
+ * ### Basic Usage
+ *
+ * ```typescript
+ * import * as pulumi from "@pulumi/pulumi";
+ * import * as aws from "@pulumi/aws";
+ *
+ * const example = new aws.iam.RolePoliciesExclusive("example", {
+ * roleName: exampleAwsIamRole.name,
+ * policyNames: [exampleAwsIamRolePolicy.name],
+ * });
+ * ```
+ *
+ * ### Disallow Inline Policies
+ *
+ * To automatically remove any configured inline policies, set the `policyNames` argument to an empty list.
+ *
+ * > This will not __prevent__ inline policies from being assigned to a role via Pulumi (or any other interface). This resource enables bringing inline policy assignments into a configured state, however, this reconciliation happens only when `apply` is proactively run.
+ *
+ * ```typescript
+ * import * as pulumi from "@pulumi/pulumi";
+ * import * as aws from "@pulumi/aws";
+ *
+ * const example = new aws.iam.RolePoliciesExclusive("example", {
+ * roleName: exampleAwsIamRole.name,
+ * policyNames: [],
+ * });
 * ```
 */
 export class RolePoliciesExclusive extends pulumi.CustomResource {
diff --git a/sdk/nodejs/iam/rolePolicyAttachmentsExclusive.ts b/sdk/nodejs/iam/rolePolicyAttachmentsExclusive.ts
index 5fe6b634f2e..6cc2e5bdabf 100644
--- a/sdk/nodejs/iam/rolePolicyAttachmentsExclusive.ts
+++ b/sdk/nodejs/iam/rolePolicyAttachmentsExclusive.ts
@@ -5,12 +5,42 @@ import * as pulumi from "@pulumi/pulumi";
 import * as utilities from "../utilities";
 /**
- * ## Import
+ * Pulumi resource for maintaining exclusive management of customer managed policies assigned to an AWS IAM (Identity & Access Management) role.
 *
- * Using `pulumi import`, import exclusive management of customer managed policy assignments using the `role_name`. For example:
+ * > **NOTE:** To reliably detect drift between customer managed policies listed in this resource and actual policies attached to the role in the cloud, you currently need to run Pulumi with `pulumi up --refresh`. See [#4766](https://github.com/pulumi/pulumi-aws/issues/4766) for tracking making this work with regular `pulumi up` invocations.
 *
- * ```sh
- * $ pulumi import aws:iam/rolePolicyAttachmentsExclusive:RolePolicyAttachmentsExclusive example MyRole
+ * !> This resource takes exclusive ownership over customer managed policies attached to a role. This includes removal of customer managed policies which are not explicitly configured. To prevent persistent drift, ensure any `aws.iam.RolePolicyAttachment` resources managed alongside this resource are included in the `policyArns` argument.
+ *
+ * > Destruction of this resource means Pulumi will no longer manage reconciliation of the configured policy attachments. It __will not__ detach the configured policies from the role.
+ *
+ * ## Example Usage
+ *
+ * ### Basic Usage
+ *
+ * ```typescript
+ * import * as pulumi from "@pulumi/pulumi";
+ * import * as aws from "@pulumi/aws";
+ *
+ * const example = new aws.iam.RolePolicyAttachmentsExclusive("example", {
+ * roleName: exampleAwsIamRole.name,
+ * policyArns: [exampleAwsIamPolicy.arn],
+ * });
+ * ```
+ *
+ * ### Disallow Customer Managed Policies
+ *
+ * To automatically remove any configured customer managed policies, set the `policyArns` argument to an empty list.
+ *
+ * > This will not __prevent__ customer managed policies from being assigned to a role via Pulumi (or any other interface). This resource enables bringing customer managed policy assignments into a configured state, however, this reconciliation happens only when `apply` is proactively run.
+ *
+ * ```typescript
+ * import * as pulumi from "@pulumi/pulumi";
+ * import * as aws from "@pulumi/aws";
+ *
+ * const example = new aws.iam.RolePolicyAttachmentsExclusive("example", {
+ * roleName: exampleAwsIamRole.name,
+ * policyArns: [],
+ * });
 * ```
 */
 export class RolePolicyAttachmentsExclusive extends pulumi.CustomResource {
diff --git a/sdk/python/pulumi_aws/iam/role_policies_exclusive.py b/sdk/python/pulumi_aws/iam/role_policies_exclusive.py
index 5290629100b..3c64e8ab174 100644
--- a/sdk/python/pulumi_aws/iam/role_policies_exclusive.py
+++ b/sdk/python/pulumi_aws/iam/role_policies_exclusive.py
@@ -103,12 +103,40 @@ def __init__(__self__,
 role_name: Optional[pulumi.Input[str]] = None,
 __props__=None):
 """
- ## Import
+ Pulumi resource for maintaining exclusive management of inline policies assigned to an AWS IAM (Identity & Access Management) role.
- Using `pulumi import`, import exclusive management of inline policy assignments using the `role_name`. For example:
+ > **NOTE:** To reliably detect drift between customer managed inline policies listed in this resource and actual policies attached to the role in the cloud, you currently need to run Pulumi with `pulumi up --refresh`. See [#4766](https://github.com/pulumi/pulumi-aws/issues/4766) for tracking making this work with regular `pulumi up` invocations.
- ```sh
- $ pulumi import aws:iam/rolePoliciesExclusive:RolePoliciesExclusive example MyRole
+ !> This resource takes exclusive ownership over inline policies assigned to a role. This includes removal of inline policies which are not explicitly configured. To prevent persistent drift, ensure any `iam.RolePolicy` resources managed alongside this resource are included in the `policy_names` argument.
+
+ > Destruction of this resource means Pulumi will no longer manage reconciliation of the configured inline policy assignments. It __will not__ delete the configured policies from the role.
+
+ ## Example Usage
+
+ ### Basic Usage
+
+ ```python
+ import pulumi
+ import pulumi_aws as aws
+
+ example = aws.iam.RolePoliciesExclusive("example",
+ role_name=example_aws_iam_role["name"],
+ policy_names=[example_aws_iam_role_policy["name"]])
+ ```
+
+ ### Disallow Inline Policies
+
+ To automatically remove any configured inline policies, set the `policy_names` argument to an empty list.
+
+ > This will not __prevent__ inline policies from being assigned to a role via Pulumi (or any other interface). This resource enables bringing inline policy assignments into a configured state, however, this reconciliation happens only when `apply` is proactively run.
+
+ ```python
+ import pulumi
+ import pulumi_aws as aws
+
+ example = aws.iam.RolePoliciesExclusive("example",
+ role_name=example_aws_iam_role["name"],
+ policy_names=[])
 ```
 :param str resource_name: The name of the resource.
@@ -123,12 +151,40 @@ def __init__(__self__,
 args: RolePoliciesExclusiveArgs,
 opts: Optional[pulumi.ResourceOptions] = None):
 """
- ## Import
+ Pulumi resource for maintaining exclusive management of inline policies assigned to an AWS IAM (Identity & Access Management) role.
+
+ > **NOTE:** To reliably detect drift between customer managed inline policies listed in this resource and actual policies attached to the role in the cloud, you currently need to run Pulumi with `pulumi up --refresh`. See [#4766](https://github.com/pulumi/pulumi-aws/issues/4766) for tracking making this work with regular `pulumi up` invocations.
+
+ !> This resource takes exclusive ownership over inline policies assigned to a role. This includes removal of inline policies which are not explicitly configured. To prevent persistent drift, ensure any `iam.RolePolicy` resources managed alongside this resource are included in the `policy_names` argument.
+
+ > Destruction of this resource means Pulumi will no longer manage reconciliation of the configured inline policy assignments. It __will not__ delete the configured policies from the role.
+
+ ## Example Usage
+
+ ### Basic Usage
+
+ ```python
+ import pulumi
+ import pulumi_aws as aws
+
+ example = aws.iam.RolePoliciesExclusive("example",
+ role_name=example_aws_iam_role["name"],
+ policy_names=[example_aws_iam_role_policy["name"]])
+ ```
+
+ ### Disallow Inline Policies
+
+ To automatically remove any configured inline policies, set the `policy_names` argument to an empty list.
+
+ > This will not __prevent__ inline policies from being assigned to a role via Pulumi (or any other interface). This resource enables bringing inline policy assignments into a configured state, however, this reconciliation happens only when `apply` is proactively run.
- Using `pulumi import`, import exclusive management of inline policy assignments using the `role_name`. For example:
+ ```python
+ import pulumi
+ import pulumi_aws as aws
- ```sh
- $ pulumi import aws:iam/rolePoliciesExclusive:RolePoliciesExclusive example MyRole
+ example = aws.iam.RolePoliciesExclusive("example",
+ role_name=example_aws_iam_role["name"],
+ policy_names=[])
 ```
 :param str resource_name: The name of the resource.
diff --git a/sdk/python/pulumi_aws/iam/role_policy_attachments_exclusive.py b/sdk/python/pulumi_aws/iam/role_policy_attachments_exclusive.py
index dd7ded86b93..fd3d0d641b5 100644
--- a/sdk/python/pulumi_aws/iam/role_policy_attachments_exclusive.py
+++ b/sdk/python/pulumi_aws/iam/role_policy_attachments_exclusive.py
@@ -103,12 +103,40 @@ def __init__(__self__,
 role_name: Optional[pulumi.Input[str]] = None,
 __props__=None):
 """
- ## Import
+ Pulumi resource for maintaining exclusive management of customer managed policies assigned to an AWS IAM (Identity & Access Management) role.
- Using `pulumi import`, import exclusive management of customer managed policy assignments using the `role_name`. For example:
+ > **NOTE:** To reliably detect drift between customer managed policies listed in this resource and actual policies attached to the role in the cloud, you currently need to run Pulumi with `pulumi up --refresh`. See [#4766](https://github.com/pulumi/pulumi-aws/issues/4766) for tracking making this work with regular `pulumi up` invocations.
- ```sh
- $ pulumi import aws:iam/rolePolicyAttachmentsExclusive:RolePolicyAttachmentsExclusive example MyRole
+ !> This resource takes exclusive ownership over customer managed policies attached to a role. This includes removal of customer managed policies which are not explicitly configured. To prevent persistent drift, ensure any `iam.RolePolicyAttachment` resources managed alongside this resource are included in the `policy_arns` argument.
+
+ > Destruction of this resource means Pulumi will no longer manage reconciliation of the configured policy attachments. It __will not__ detach the configured policies from the role.
+
+ ## Example Usage
+
+ ### Basic Usage
+
+ ```python
+ import pulumi
+ import pulumi_aws as aws
+
+ example = aws.iam.RolePolicyAttachmentsExclusive("example",
+ role_name=example_aws_iam_role["name"],
+ policy_arns=[example_aws_iam_policy["arn"]])
+ ```
+
+ ### Disallow Customer Managed Policies
+
+ To automatically remove any configured customer managed policies, set the `policy_arns` argument to an empty list.
+
+ > This will not __prevent__ customer managed policies from being assigned to a role via Pulumi (or any other interface). This resource enables bringing customer managed policy assignments into a configured state, however, this reconciliation happens only when `apply` is proactively run.
+
+ ```python
+ import pulumi
+ import pulumi_aws as aws
+
+ example = aws.iam.RolePolicyAttachmentsExclusive("example",
+ role_name=example_aws_iam_role["name"],
+ policy_arns=[])
 ```
 :param str resource_name: The name of the resource.
@@ -123,12 +151,40 @@ def __init__(__self__,
 args: RolePolicyAttachmentsExclusiveArgs,
 opts: Optional[pulumi.ResourceOptions] = None):
 """
- ## Import
+ Pulumi resource for maintaining exclusive management of customer managed policies assigned to an AWS IAM (Identity & Access Management) role.
+
+ > **NOTE:** To reliably detect drift between customer managed policies listed in this resource and actual policies attached to the role in the cloud, you currently need to run Pulumi with `pulumi up --refresh`. See [#4766](https://github.com/pulumi/pulumi-aws/issues/4766) for tracking making this work with regular `pulumi up` invocations.
+
+ !> This resource takes exclusive ownership over customer managed policies attached to a role. This includes removal of customer managed policies which are not explicitly configured. To prevent persistent drift, ensure any `iam.RolePolicyAttachment` resources managed alongside this resource are included in the `policy_arns` argument.
+
+ > Destruction of this resource means Pulumi will no longer manage reconciliation of the configured policy attachments. It __will not__ detach the configured policies from the role.
+
+ ## Example Usage
+
+ ### Basic Usage
+
+ ```python
+ import pulumi
+ import pulumi_aws as aws
+
+ example = aws.iam.RolePolicyAttachmentsExclusive("example",
+ role_name=example_aws_iam_role["name"],
+ policy_arns=[example_aws_iam_policy["arn"]])
+ ```
+
+ ### Disallow Customer Managed Policies
+
+ To automatically remove any configured customer managed policies, set the `policy_arns` argument to an empty list.
+
+ > This will not __prevent__ customer managed policies from being assigned to a role via Pulumi (or any other interface). This resource enables bringing customer managed policy assignments into a configured state, however, this reconciliation happens only when `apply` is proactively run.
- Using `pulumi import`, import exclusive management of customer managed policy assignments using the `role_name`. For example:
+ ```python
+ import pulumi
+ import pulumi_aws as aws
- ```sh
- $ pulumi import aws:iam/rolePolicyAttachmentsExclusive:RolePolicyAttachmentsExclusive example MyRole
+ example = aws.iam.RolePolicyAttachmentsExclusive("example",
+ role_name=example_aws_iam_role["name"],
+ policy_arns=[])
 ```
 :param str resource_name: The name of the resource.
