No matter how you like to participate in developer communities, Pulumi wants to meet you there. If you want to meet other Pulumi users to share use-cases and best practices, contribute code or documentation, see us at an event, or just tell a story about something cool you did with Pulumi, you are part of our community.

Pulumi Community

I've never seen that behaviour, I'm interested to know how often it happens.

Mmm seems to happen somewhat often. I have multiple stacks running in the same account. I tested a scenario whereby I “renamed” the resource to try and force the policy to reattach. When I look at the role it has no attached policies but the execution is marked successful.

I renamed this resource from `-s3write` to `-s3full` to try and force the reattach:
```aws.iam.PolicyAttachment(f"{cluster_name}-sa-attach-s3full",
                         roles=[role_sa.iam_role_name],
                         policy_arn="arn:aws:iam::aws:policy/AmazonS3FullAccess",
                         opts=pulumi.ResourceOptions(depends_on=[role_sa]))```

That must be a bug. I'm confident it has never happened to me. I've just checked all the roles that I can think of and that are similar to what you've described, and they all have all the policy attachments I expect them to have...

Maybe the python bindings? Maybe there's a hashset involved somewhere that's causing problems?

TBF, I'm not much of a sample case.. I've checked 3 roles with AWS-provided policies attached, x2 accounts / stacks.

I’m using an S3 backend with multiple stacks. I don’t have permission to use the public Pulumi backend in the org I’m working with. I could try building a minimal testcase with Typescript since that seems the best supported language.