I think it's easier to show with screenshots. This is the role in AWS and my Pulumi code in the other screenshot. I've cut it for brevity, but the inline policy is the same and I include an "import" for the role. However, Pulumi does not complain that they are different when doing pulumi up. The difference is that in the Pulumi code there is no "managedPolicies" element, which should cause it to say they are different, but it doesn't and allows the import. The fix is that I actually should include a "managedPolicies" for the EnvoyAccess, like in the 3rd screenshot.