I just noticed some interesting behavior around PolicyAttachment. It feels a little unexpected to me but maybe it's a misunderstanding on my part.
I have an Administrator group in my AWS account with the admin policy attached to it. I wrote some Pulumi code to attach the admin policy to a role I created. In doing so I did not specify the existing group in the attachment; my expectation was that there could be multiple attachments for a single policy, but it looks as though it behaves as if there is a single attachment resource for a policy, and within that resource all the roles, groups, and users that you want linked to the policy must be specified. What happened is that after deploying the Pulumi-specified infra, my admin policy was removed from my Admin group and applied to the role. So it seems using attachments can have side effects on resources not created by Pulumi...?
Ah ok, so Terraform has a great big warning in their docs about this:
Just thinking: I recall seeing this warning when I used Terraform because I would always have their docs open when writing any Terraform config. With Pulumi, because I'm using TS, I can just click into the type definitions and read the comments to get most of the info I need. It might be worth adding this warning to the comments.
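For context, an added example that is not part of the thread: the same program written in Pulumi YAML, showing the exclusive `aws:iam:PolicyAttachment` (which manages the full set of entities attached to the policy, so any group left out of it is detached) next to the per-entity `aws:iam:RolePolicyAttachment`, which only adds the role and leaves the existing group alone. The role name, account id and trust policy are constructed placeholders; in the TypeScript SDK the corresponding types are `aws.iam.PolicyAttachment` and `aws.iam.RolePolicyAttachment`.

```yaml
name: admin-role-attachment
runtime: yaml
description: Attach AdministratorAccess to a new role without touching the existing Administrator group

resources:
  # Role whose trust policy allows principals in this (placeholder) account to assume it.
  adminRole:
    type: aws:iam:Role
    properties:
      assumeRolePolicy:
        fn::toJSON:
          Version: "2012-10-17"
          Statement:
            - Effect: Allow
              Principal:
                AWS: arn:aws:iam::123456789012:root   # constructed account id
              Action: sts:AssumeRole

  # Safe form: one attachment per entity. This adds the role to the policy
  # and has no effect on the groups or users already attached to it.
  adminRoleAttachment:
    type: aws:iam:RolePolicyAttachment
    properties:
      role: ${adminRole.name}
      policyArn: arn:aws:iam::aws:policy/AdministratorAccess

  # Exclusive form (what the thread ran into). PolicyAttachment owns the
  # complete attachment list for the policy: on `pulumi up` every role, group
  # or user NOT listed here is detached, including ones Pulumi never created.
  # Kept commented out; if you must use it, the existing group has to be
  # enumerated alongside the role.
  #
  # adminPolicyAttachment:
  #   type: aws:iam:PolicyAttachment
  #   properties:
  #     policyArn: arn:aws:iam::aws:policy/AdministratorAccess
  #     roles:
  #       - ${adminRole.name}
  #     groups:
  #       - Administrator      # omit this and the group loses the policy

outputs:
  roleArn: ${adminRole.arn}
```

A quick post-deploy check that the group is still attached is `aws iam list-entities-for-policy --policy-arn arn:aws:iam::aws:policy/AdministratorAccess`, which lists every group, user and role currently holding the policy.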