https://pulumi.com logo
Powered by
l

lively-ice-73493

08/16/2021, 9:08 PM
Copy code
// Attach required role for ECS to pull images
const roleAttachment = new aws.iam.PolicyAttachment(
  `${solution_name}-policy-attachment`,
  {
    roles: [solutionRole.name],
    policyArn:
       aws.iam.ManagedPolicy.AmazonECSTaskExecutionRolePolicy,
  }
);
The 
AmazonECSTaskExecutionRolePolicy
is attached to another Role (role-b) in an AWS account. When you run 
pulumi destroy
on the pipeline with the attachment in it, the attachment is also removed from 
role-b
. System down. This seems related: https://github.com/pulumi/pulumi/issues/918 What am suppose to do besides create a bunch of user-defined policies and not use managed policies? Not what we want to do.
Apply this issue to 
aws.iam.ManagedPolicy.LambdaFullAccess
policy or some other very widely used policy...
g

green-stone-37839

08/16/2021, 9:28 PM
Hi Chad, the use of 
aws.iam.PolicyAttachment
creates exclusive attachments of IAM policies across AWS accounts. Pulumi docs: https://www.pulumi.com/docs/reference/pkg/aws/iam/policyattachment/ You can use 
aws.iam.RolePolicyAttachment
for your use case which does not create exclusive relationships.
l

lively-ice-73493

08/16/2021, 9:29 PM
Oh @green-stone-37839 You mean this BIG warning in the documentation I presume
WARNING: The aws.iam.PolicyAttachment resource creates exclusive attachments of IAM policies.......
Thank you!!!!
g

green-stone-37839

08/16/2021, 9:30 PM
Anytime!
l

lively-ice-73493

08/16/2021, 9:30 PM
Probably a cut-n-paste from some solution and didn't even read that page. Appreciate this. 🙂
g

green-stone-37839

08/16/2021, 9:31 PM
no problem!
l

lively-ice-73493

08/16/2021, 10:24 PM
My teammates suggested 
ExclusivePolicyAttachment
would be a nice resource name. Just sharing.
2 Views
Powered by