Role Policies Exclusive Args
NOTE: To reliably detect drift between the customer managed inline policies listed in this resource and the policies actually attached to the role in the cloud, you currently need to run Pulumi with `pulumi up --refresh`. See #4766, which tracks making this work with regular `pulumi up` invocations.
Resource for maintaining exclusive management of inline policies assigned to an AWS IAM (Identity & Access Management) role. !> This resource takes exclusive ownership of the inline policies assigned to a role. This includes removing any inline policy that is not explicitly configured, including ones added through another interface. To prevent persistent drift, ensure that any `aws.iam.RolePolicy` resources managed alongside this resource are included in the `policy_names` argument. Destroying this resource means Pulumi will no longer reconcile the configured inline policy assignments; it does not delete the configured policies from the role.
Example Usage
Basic Usage
import * as pulumi from "@pulumi/pulumi";
import * as aws from "@pulumi/aws";
// Exclusively manage the role's inline policies: any inline policy on the role
// that is not listed here is removed when an update is run. `exampleAwsIamRole`
// and `exampleAwsIamRolePolicy` are assumed to be declared elsewhere in the program.
const managedPolicyNames = [exampleAwsIamRolePolicy.name];
const example = new aws.iam.RolePoliciesExclusive("example", {
    roleName: exampleAwsIamRole.name,
    policyNames: managedPolicyNames,
});
import pulumi
import pulumi_aws as aws
# Keep every aws.iam.RolePolicy managed alongside this resource in this list;
# inline policies not listed here are removed from the role when an update is run.
# ``example_aws_iam_role`` / ``example_aws_iam_role_policy`` are assumed to be
# defined elsewhere in the program.
managed_policy_names = [example_aws_iam_role_policy["name"]]
example = aws.iam.RolePoliciesExclusive(
    "example",
    role_name=example_aws_iam_role["name"],
    policy_names=managed_policy_names,
)
using System.Collections.Generic;
using System.Linq;
using Pulumi;
using Aws = Pulumi.Aws;
return await Deployment.RunAsync(() =>
{
    // Inline policies on the role that are not in this list are removed when an
    // update is run; list every Aws.Iam.RolePolicy managed alongside this resource.
    // exampleAwsIamRole / exampleAwsIamRolePolicy are assumed to be declared elsewhere.
    var managedPolicyNames = new[] { exampleAwsIamRolePolicy.Name };

    var example = new Aws.Iam.RolePoliciesExclusive("example", new()
    {
        RoleName = exampleAwsIamRole.Name,
        PolicyNames = managedPolicyNames,
    });
});
package main
import (
"github.com/pulumi/pulumi-aws/sdk/v6/go/aws/iam"
"github.com/pulumi/pulumi/sdk/v3/go/pulumi"
)
func main() {
	pulumi.Run(func(ctx *pulumi.Context) error {
		// Inline policies on the role that are not listed in PolicyNames are removed
		// when an update is run, so every iam.RolePolicy managed alongside this
		// resource belongs here. exampleAwsIamRole / exampleAwsIamRolePolicy are
		// assumed to be declared elsewhere.
		args := &iam.RolePoliciesExclusiveArgs{
			RoleName: pulumi.Any(exampleAwsIamRole.Name),
			PolicyNames: pulumi.StringArray{
				exampleAwsIamRolePolicy.Name,
			},
		}
		// The resource handle is not needed; only the error (nil on success) is propagated.
		_, err := iam.NewRolePoliciesExclusive(ctx, "example", args)
		return err
	})
}
package generated_program;
import com.pulumi.Context;
import com.pulumi.Pulumi;
import com.pulumi.core.Output;
import com.pulumi.aws.iam.RolePoliciesExclusive;
import com.pulumi.aws.iam.RolePoliciesExclusiveArgs;
import java.util.List;
import java.util.ArrayList;
import java.util.Map;
import java.io.File;
import java.nio.file.Files;
import java.nio.file.Paths;
public class App {
    public static void main(String[] args) {
        Pulumi.run(App::stack);
    }

    public static void stack(Context ctx) {
        // Inline policies on the role that are not passed to policyNames are removed
        // when an update is run, so every RolePolicy managed alongside this resource
        // belongs here. exampleAwsIamRole / exampleAwsIamRolePolicy are assumed to be
        // declared elsewhere.
        var exclusiveArgs = RolePoliciesExclusiveArgs.builder()
            .roleName(exampleAwsIamRole.name())
            .policyNames(exampleAwsIamRolePolicy.name())
            .build();
        var example = new RolePoliciesExclusive("example", exclusiveArgs);
    }
}
resources:
  example:
    type: aws:iam:RolePoliciesExclusive
    properties:
      roleName: ${exampleAwsIamRole.name}
      # Inline policies on the role that are not listed here are removed when an
      # update is run; list every aws:iam:RolePolicy managed alongside this resource.
      policyNames:
        - ${exampleAwsIamRolePolicy.name}
Disallow Inline Policies
To remove all inline policies from the role (leaving none configured), set the `policy_names` argument to an empty list.
This will not prevent inline policies from being assigned to the role via Pulumi (or any other interface). This resource brings inline policy assignments into the configured state; however, this reconciliation happens only when an update (`pulumi up`) is proactively run.
import * as pulumi from "@pulumi/pulumi";
import * as aws from "@pulumi/aws";
// An empty list means no inline policy is allowed on the role: every inline policy
// currently assigned to it is removed when an update is run.
// `exampleAwsIamRole` is assumed to be declared elsewhere in the program.
const noInlinePolicies: string[] = [];
const example = new aws.iam.RolePoliciesExclusive("example", {
    roleName: exampleAwsIamRole.name,
    policyNames: noInlinePolicies,
});
import pulumi
import pulumi_aws as aws
# An empty list means no inline policy is allowed on the role: every inline policy
# currently assigned to it is removed when an update is run.
# ``example_aws_iam_role`` is assumed to be defined elsewhere in the program.
no_inline_policies: list[str] = []
example = aws.iam.RolePoliciesExclusive(
    "example",
    role_name=example_aws_iam_role["name"],
    policy_names=no_inline_policies,
)
using System.Collections.Generic;
using System.Linq;
using Pulumi;
using Aws = Pulumi.Aws;
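return await Deployment.RunAsync(() =>
{
    // An empty PolicyNames means no inline policy is allowed on the role: every inline
    // policy currently assigned to it is removed when an update is run.
    // exampleAwsIamRole is assumed to be declared elsewhere.
    var example = new Aws.Iam.RolePoliciesExclusive("example", new()
    {
        RoleName = exampleAwsIamRole.Name,
        // `new[] {}` has no element to infer an array type from and does not compile
        // in C#; an explicitly typed empty string array converts to InputList<string>.
        PolicyNames = new string[] {},
    });
});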
package main
import (
"github.com/pulumi/pulumi-aws/sdk/v6/go/aws/iam"
"github.com/pulumi/pulumi/sdk/v3/go/pulumi"
)
func main() {
	pulumi.Run(func(ctx *pulumi.Context) error {
		// An empty PolicyNames means no inline policy is allowed on the role: every
		// inline policy currently assigned to it is removed when an update is run.
		// exampleAwsIamRole is assumed to be declared elsewhere.
		args := &iam.RolePoliciesExclusiveArgs{
			RoleName:    pulumi.Any(exampleAwsIamRole.Name),
			PolicyNames: pulumi.StringArray{},
		}
		// The resource handle is not needed; only the error (nil on success) is propagated.
		_, err := iam.NewRolePoliciesExclusive(ctx, "example", args)
		return err
	})
}
package generated_program;
import com.pulumi.Context;
import com.pulumi.Pulumi;
import com.pulumi.core.Output;
import com.pulumi.aws.iam.RolePoliciesExclusive;
import com.pulumi.aws.iam.RolePoliciesExclusiveArgs;
import java.util.List;
import java.util.ArrayList;
import java.util.Map;
import java.io.File;
import java.nio.file.Files;
import java.nio.file.Paths;
public class App {
    public static void main(String[] args) {
        Pulumi.run(App::stack);
    }

    public static void stack(Context ctx) {
        // Calling policyNames() with no arguments configures an empty list: no inline
        // policy is allowed on the role, and any currently assigned to it is removed
        // when an update is run. exampleAwsIamRole is assumed to be declared elsewhere.
        var exclusiveArgs = RolePoliciesExclusiveArgs.builder()
            .roleName(exampleAwsIamRole.name())
            .policyNames()
            .build();
        var example = new RolePoliciesExclusive("example", exclusiveArgs);
    }
}
resources:
  example:
    type: aws:iam:RolePoliciesExclusive
    properties:
      roleName: ${exampleAwsIamRole.name}
      # An empty list means no inline policy is allowed on the role: every inline
      # policy currently assigned to it is removed when an update is run.
      policyNames: []
Import
Using `pulumi import`, import exclusive management of inline policy assignments using the `role_name`. For example:
$ pulumi import aws:iam/rolePoliciesExclusive:RolePoliciesExclusive example MyRole