No matter how you like to participate in developer communities, Pulumi wants to meet you there. If you want to meet other Pulumi users to share use-cases and best practices, contribute code or documentation, see us at an event, or just tell a story about something cool you did with Pulumi, you are part of our community.

Pulumi Community

can you share your code? it looks like you're defining your policy attachments with undefined names so they'll delete on each run

In this it deletes all the iam resources.

and without `try..except` options, when we run pulumi up, it detaches all policies attached with the iam role, so that we have to run 2nd time again to attach policies.

<@U018R959Y9F> the logic here is flawed, it's using an imperative method.
in your `try` block, you're checking if the role exists:
```try:
    example = aws.iam.get_role(name="role-as1")
    print(example.name)```
in the first run, it won't exist, so it catches the exception and creates all the roles

on the next run, the role _does_ exist - however, the resources have been added to the Pulumi state in the last run, so now it wants to remove them

you need to write in a declarative manner, don't check if the role exists, just define the role and let Pulumi create it

Yes i tried that too, i removed the `try...except` block and ran a part underneath `except` standalone.
It creates the resources but at the second run it doesn’t remove the role but detaches all policies. <@UCWG26BH7>

<@U018R959Y9F> can you show me the first run and the second?

it's more than likely because of this:
```for attach_policy in policy_arns:
    test_attach = aws.iam.RolePolicyAttachment(
        str(attach_policy), role=role.name, policy_arn=attach_policy.arn
    )```

resource names need to be static and computable

something like this:
```for i, attach_policy in enumerate(policy_arns):
    test_attach = aws.iam.RolePolicyAttachment(
        f"policy_attachment-{i}", role=role.name, policy_arn=attach_policy.arn
    )```

That worked well, Thank you Lee <@UCWG26BH7>

if you need help understanding why, please let me know

Hi <@UCWG26BH7> reading through other peoples issues here just to soak in as much as I can and quickly learning you're a beast on here haha! One thing I've been doing is declaring the name for mostly everything I create since my environment requires specific naming conventions, thus I cannot leverage pulumi’s auto naming. That being said I typically set the resource name to the specific assignment along with the name. 

In the context of the above my approach would look something like this 
```for attach_policy in policy_arns:
    test_attach = aws.iam.RolePolicyAttachment(
        attach_policy.name,
name=attach_policy.name,
role=role.name, policy_arn=attach_policy.arn
)```
    This logic works in my runs, but curious if it's an appropriate approach? Yours seems to be a little different and I'd love to hear if that's best practice or doesn't matter? Thanks!