# aws

future-nail-59564

11/30/2020, 10:28 PM
Is it possible that we can only have a single aws.iam.GroupMembership per aws.iam.Group? I want to be able to attach a user to a group, independently from the users already part of that group. Therefore, in my User component, I am creating a GroupMembership specifically for that user-group relationship:
new aws.iam.GroupMembership(
  `${username}-${group}`,
  {
    users: [username],
    group: group,
  },
);
However, it appears that this group membership gets overwritten by each user, even if all GroupMembership resources have unique names. The first time I run my stack, the group is correctly created in IAM with all users, however the state doesn’t seem to be updated correctly, because the next time I run the stack (while there is supposed to be no change), it removes all users from the group in IAM but one. I am assuming it’s a bug, because the second run of the stack should be idempotent.

little-cartoon-10569

11/30/2020, 10:34 PM
Yes. You need to use UserGroupMembership to achieve this. This is because of the AWS SDK, not Pulumi.
aws_iam_group_membership will conflict with itself if used more than once with the same group. To non-exclusively manage the users in a group, see the aws_iam_user_group_membership

future-nail-59564

11/30/2020, 10:35 PM
Thank you so much @little-cartoon-10569, that explains everything! 😁 🙏
…and it’s much simpler for my use-case, because I can attach all groups to my user using a single resource, instead of many! 🎉
Unfortunately, I don’t see an equivalent of that for attaching multiple policies to a group using a single resource, correct? 😕

little-cartoon-10569

11/30/2020, 10:56 PM
Normally, a single policy with multiple statements is used for that sort of thing...
But no, there is no one-to-many group:policy mapping.
Loops to the rescue!