lively-ice-73493
08/16/2021, 9:08 PM
```typescript
import * as aws from "@pulumi/aws";

// Attach required role for ECS to pull images
// (solution_name and solutionRole are defined elsewhere in the program)
const roleAttachment = new aws.iam.PolicyAttachment(
    `${solution_name}-policy-attachment`,
    {
        roles: [solutionRole.name],
        policyArn: aws.iam.ManagedPolicy.AmazonECSTaskExecutionRolePolicy,
    }
);
```
The AmazonECSTaskExecutionRolePolicy is attached to another Role (role-b) in an AWS account. When you run pulumi destroy on the pipeline with the attachment in it, the attachment is also removed from role-b. System down.
This seems related: https://github.com/pulumi/pulumi/issues/918
What am I supposed to do besides creating a bunch of user-defined policies and not using managed policies? Not what we want to do.
aws.iam.ManagedPolicy.LambdaFullAccess policy or some other very widely used policy...

green-stone-37839
08/16/2021, 9:28 PM
aws.iam.PolicyAttachment creates exclusive attachments of IAM policies across AWS accounts. Pulumi docs: https://www.pulumi.com/docs/reference/pkg/aws/iam/policyattachment/
You can use aws.iam.RolePolicyAttachment for your use case, which does not create exclusive relationships.

lively-ice-73493
08/16/2021, 9:29 PM
"WARNING: The aws.iam.PolicyAttachment resource creates exclusive attachments of IAM policies." ... Thank you!!!!

lively-ice-73493
08/16/2021, 10:24 PM
ExclusivePolicyAttachment would be a nice resource name. Just sharing.