Is it possible that we can only have a single

aws.iam.GroupMembership

per

aws.iam.Group

? I want to be able to attach a user to a group, independently from the users already part of that group. Therefore, in my User component, I am creating a

GroupMembership

specifically for that user-group relationship:

new aws.iam.GroupMembership(
        `${username}-${group}`,
        {
          users: [username],
          group: group,
        },

However, it appears that this group membership gets overwritten by each user, even if all GroupMembership resources have unique names. The first time I run my stack, the group is correctly created in IAM with all users, however the state doesn’t seem to be updated correctly, because the next time I run the stack (while there is supposed to be no change), it removes all users from group in IAM but one. I assuming it’s a bug, because the second run of the stack should be idempotent.

Yes. You need to user UserGroupMembership to achieve this. This is because of the AWS SDK, not Pulumi.

aws_iam_group_membership will conflict with itself if used more than once with the same group. To non-exclusively manage the users in a group, see the aws_iam_user_group_membership

Thank you so much @little-cartoon-10569, that explains everything! 😁 🙏

Normally, a single policy with multiple statements is used for that sort of thing...