RolePoliciesExclusive

class RolePoliciesExclusive : KotlinCustomResource

NOTE: To reliably detect drift between the customer-managed inline policies listed in this resource and the policies actually attached to the role in AWS, you currently need to run Pulumi with `pulumi up --refresh`. See #4766 for tracking making this work with regular `pulumi up` invocations. Resource for maintaining exclusive management of inline policies assigned to an AWS IAM (Identity & Access Management) role. WARNING: This resource takes exclusive ownership over inline policies assigned to a role. This includes removal of any inline policy that is not explicitly configured — including policies added outside this stack via the console, CLI, or any other interface — on the next `pulumi up`. To prevent persistent drift, ensure any `aws.iam.RolePolicy` resources managed alongside this resource are included in the `policy_names` argument. Destruction of this resource means Pulumi will no longer manage reconciliation of the configured inline policy assignments; it will not delete the configured policies from the role.

Example Usage

Basic Usage

import * as pulumi from "@pulumi/pulumi";
import * as aws from "@pulumi/aws";
// Inline policies that are allowed to remain on the role. Every inline policy
// NOT in this list is removed from the role when `pulumi up` runs.
const retainedInlinePolicies = [exampleAwsIamRolePolicy.name];

const example = new aws.iam.RolePoliciesExclusive("example", {
    roleName: exampleAwsIamRole.name,
    policyNames: retainedInlinePolicies,
});
import pulumi
import pulumi_aws as aws
# Inline policies that are allowed to remain on the role. Every inline policy
# not in this list is removed from the role when `pulumi up` runs.
retained_inline_policies = [example_aws_iam_role_policy["name"]]

example = aws.iam.RolePoliciesExclusive(
    "example",
    role_name=example_aws_iam_role["name"],
    policy_names=retained_inline_policies,
)
using System.Collections.Generic;
using System.Linq;
using Pulumi;
using Aws = Pulumi.Aws;
return await Deployment.RunAsync(() =>
{
    // Inline policies that are allowed to remain on the role. Every inline
    // policy NOT in this list is removed from the role when `pulumi up` runs.
    var retainedInlinePolicies = new[] { exampleAwsIamRolePolicy.Name };

    var exclusiveArgs = new Aws.Iam.RolePoliciesExclusiveArgs
    {
        RoleName = exampleAwsIamRole.Name,
        PolicyNames = retainedInlinePolicies,
    };

    var example = new Aws.Iam.RolePoliciesExclusive("example", exclusiveArgs);
});
package main
import (
"github.com/pulumi/pulumi-aws/sdk/v6/go/aws/iam"
"github.com/pulumi/pulumi/sdk/v3/go/pulumi"
)
func main() {
	pulumi.Run(func(ctx *pulumi.Context) error {
		// Inline policies that are allowed to remain on the role. Every inline
		// policy NOT in this list is removed from the role when `pulumi up` runs.
		retainedInlinePolicies := pulumi.StringArray{exampleAwsIamRolePolicy.Name}

		exclusiveArgs := &iam.RolePoliciesExclusiveArgs{
			RoleName:    pulumi.Any(exampleAwsIamRole.Name),
			PolicyNames: retainedInlinePolicies,
		}

		if _, err := iam.NewRolePoliciesExclusive(ctx, "example", exclusiveArgs); err != nil {
			return err
		}
		return nil
	})
}
package generated_program;
import com.pulumi.Context;
import com.pulumi.Pulumi;
import com.pulumi.core.Output;
import com.pulumi.aws.iam.RolePoliciesExclusive;
import com.pulumi.aws.iam.RolePoliciesExclusiveArgs;
import java.util.List;
import java.util.ArrayList;
import java.util.Map;
import java.io.File;
import java.nio.file.Files;
import java.nio.file.Paths;
public class App {
    public static void main(String[] args) {
        Pulumi.run(App::stack);
    }

    public static void stack(Context ctx) {
        // Inline policies that are allowed to remain on the role. Every inline
        // policy NOT listed here is removed from the role when `pulumi up` runs.
        var exclusiveArgs = RolePoliciesExclusiveArgs.builder()
            .roleName(exampleAwsIamRole.name())
            .policyNames(exampleAwsIamRolePolicy.name())
            .build();

        var example = new RolePoliciesExclusive("example", exclusiveArgs);
    }
}
resources:
  example:
    type: aws:iam:RolePoliciesExclusive
    properties:
      roleName: ${exampleAwsIamRole.name}
      # Inline policies that are allowed to remain on the role. Every inline
      # policy NOT listed here is removed from the role when `pulumi up` runs.
      policyNames:
        - ${exampleAwsIamRolePolicy.name}

Disallow Inline Policies

To automatically remove every inline policy currently attached to the role, set the `policy_names` argument to an empty list.

This will not prevent inline policies from being assigned to the role via Pulumi (or any other interface) between runs. This resource brings inline policy assignments into the configured state, but that reconciliation happens only when `pulumi up` is actually run (and, as noted above, drift from out-of-band changes is only detected reliably with `pulumi up --refresh`).

import * as pulumi from "@pulumi/pulumi";
import * as aws from "@pulumi/aws";
// An empty list means no inline policy may remain on the role: every inline
// policy currently attached is removed when `pulumi up` runs. Policies added
// out-of-band afterwards are only removed again on the next run.
const retainedInlinePolicies: string[] = [];

const example = new aws.iam.RolePoliciesExclusive("example", {
    roleName: exampleAwsIamRole.name,
    policyNames: retainedInlinePolicies,
});
import pulumi
import pulumi_aws as aws
# An empty list means no inline policy may remain on the role: every inline
# policy currently attached is removed when `pulumi up` runs. Policies added
# out-of-band afterwards are only removed again on the next run.
retained_inline_policies: list[str] = []

example = aws.iam.RolePoliciesExclusive(
    "example",
    role_name=example_aws_iam_role["name"],
    policy_names=retained_inline_policies,
)
using System.Collections.Generic;
using System.Linq;
using Pulumi;
using Aws = Pulumi.Aws;
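return await Deployment.RunAsync(() =>
{
    // An empty list means no inline policy may remain on the role: every inline
    // policy currently attached is removed when `pulumi up` runs. Policies added
    // out-of-band afterwards are only removed again on the next run.
    //
    // The element type must be spelled out: `new[] {}` has no element to infer
    // the array type from and does not compile (CS0826).
    var retainedInlinePolicies = new string[] { };

    var example = new Aws.Iam.RolePoliciesExclusive("example", new()
    {
        RoleName = exampleAwsIamRole.Name,
        PolicyNames = retainedInlinePolicies,
    });
});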
package main
import (
"github.com/pulumi/pulumi-aws/sdk/v6/go/aws/iam"
"github.com/pulumi/pulumi/sdk/v3/go/pulumi"
)
func main() {
	pulumi.Run(func(ctx *pulumi.Context) error {
		// An empty list means no inline policy may remain on the role: every
		// inline policy currently attached is removed when `pulumi up` runs.
		// Policies added out-of-band afterwards are only removed again on the
		// next run.
		retainedInlinePolicies := pulumi.StringArray{}

		exclusiveArgs := &iam.RolePoliciesExclusiveArgs{
			RoleName:    pulumi.Any(exampleAwsIamRole.Name),
			PolicyNames: retainedInlinePolicies,
		}

		if _, err := iam.NewRolePoliciesExclusive(ctx, "example", exclusiveArgs); err != nil {
			return err
		}
		return nil
	})
}
package generated_program;
import com.pulumi.Context;
import com.pulumi.Pulumi;
import com.pulumi.core.Output;
import com.pulumi.aws.iam.RolePoliciesExclusive;
import com.pulumi.aws.iam.RolePoliciesExclusiveArgs;
import java.util.List;
import java.util.ArrayList;
import java.util.Map;
import java.io.File;
import java.nio.file.Files;
import java.nio.file.Paths;
public class App {
    public static void main(String[] args) {
        Pulumi.run(App::stack);
    }

    public static void stack(Context ctx) {
        // Calling policyNames() with no arguments configures an empty list: no
        // inline policy may remain on the role, so every inline policy currently
        // attached is removed when `pulumi up` runs. Policies added out-of-band
        // afterwards are only removed again on the next run.
        var exclusiveArgs = RolePoliciesExclusiveArgs.builder()
            .roleName(exampleAwsIamRole.name())
            .policyNames()
            .build();

        var example = new RolePoliciesExclusive("example", exclusiveArgs);
    }
}
resources:
  example:
    type: aws:iam:RolePoliciesExclusive
    properties:
      roleName: ${exampleAwsIamRole.name}
      # An empty list means no inline policy may remain on the role: every inline
      # policy currently attached is removed when `pulumi up` runs. Policies added
      # out-of-band afterwards are only removed again on the next run.
      policyNames: []

Import

Using `pulumi import`, import exclusive management of inline policy assignments using the `role_name`. Before the next `pulumi up`, make sure the `policy_names` argument in your program lists every inline policy currently attached to the role: any inline policy not listed will be removed. For example:

$ pulumi import aws:iam/rolePoliciesExclusive:RolePoliciesExclusive example MyRole

Properties

val id: Output<String>
val policyNames: Output<List<String>>

A list of inline policy names to be assigned to the role. Any inline policy attached to this role but not listed here will be removed on the next `pulumi up`; an empty list removes every inline policy. Only inline policies are in scope for this resource.

val pulumiChildResources: Set<KotlinResource>
val roleName: Output<String>

Name of the IAM role whose inline policies this resource exclusively manages.

val urn: Output<String>