I just noticed some interesting behavior around PolicyAttachment. It feels a little unexpected to me but maybe it's a misunderstanding on my part. I have an Administrator group in my AWS account with the admin policy attached to it. I wrote some Pulumi code to attach the admin policy to a role I created - in doing so I did not specify the existing group in the attachment - my expectation was there could be multiple attachments for a single policy - but it looks as though it behaves as though there is a single attachment resource for a policy and within that resource all the roles, groups, and users that you want linked to the policy must be specified. What happened is after deploying the Pulumi specified infra, my admin policy was removed from my Admin group and applied to the role. So it seems using attachments can have side effects on resources not created by Pulumi...?