
curved-appointment-51749

12/01/2022, 12:59 PM
Hi. For a resource like `aws.iam.Role` where there is a property `managedPolicyArns`, if you import the resource or run `pulumi up --refresh`, pulumi will populate `managedPolicyArns` with the policy even if you use `aws.iam.PolicyAttachment`, `aws.iam.RolePolicyAttachment` and `aws.iam.RolePolicy`. Pulumi warns that you should not use both. It is possible to use Resource Transforms to remove `managedPolicyArns`, but then running `pulumi up --refresh` results in policies being detached and then only maybe being reattached. Is it possible to use a resource like `aws.iam.Role` without `managedPolicyArns` in practice, or do you really not have a choice?

little-cartoon-10569

12/01/2022, 7:39 PM
You should not remove those values. Those values are what's actually used in the AWS API. Pulumi just manages them for you if you use the policy attachment resources, or lets you manage them yourself if you use the Role properties directly.
Generally: don't refresh if you don't have to.
As a specific workaround for this, assuming you're using the attachment resources, you can add `ignoreChanges` on the inline and managed policy ARN properties.

curved-appointment-51749

12/02/2022, 11:34 AM
Thank you @little-cartoon-10569 for responding. Please correct me if I'm wrong. Are you saying that there is a difference between `managedPolicyArns` being set in code by me and being set by Pulumi? How does Pulumi track whether it set it to store it in the state or whether I set it to store it in the state? I expected that the two notes were about it being present in the state or absent from the state. Policies do get attached and are managed by Pulumi when setting the following `managedPolicyArns: []` and using something like `aws.iam.RolePolicyAttachment`. If that is the case, it may be worth adding another note about this in the documentation to explain this difference, as it is unexpected.

little-cartoon-10569

12/04/2022, 7:50 PM
How does Pulumi track whether it set it to store it in the state or whether I set it to store it in the state?
It doesn't. Instead, it tells you not to do this:
NOTE: For a given role, this resource is incompatible with using the aws.iam.Role resource managed_policy_arns argument. When using that argument and this resource, both will attempt to manage the role’s managed policy attachments and the provider will show a permanent difference.