Channels
pulumi-ai
package-authoring
pulumi-cdk
oracle-cloud-infrastructure
learn-pulumi-events
linen
registry
built-with-pulumi
pulumi-cloud
contribex
testingtesting321
hacktoberfest
cloudengineering
yaml
pulumi-crosscode
content-share
finops
multi-language-hackathon
office-hours
workshops
blog-posts
localstack
welcome
gitlab
pulumi-kubernetes-operator
jobs
aws
pulumi-deployments
dotnet
golang
announcements
java
pulumiverse
python
install
getting-started
cloudengineering-support
testingtesting123
hackathon-03-19-2020
typescript
google-cloud
contribute
azure
kubernetes
docs
automation-api
status
general
Title
d
dry-journalist-60579
02/15/2023, 7:22 PMThis may be more of an AWS-itself question, but if I have a role
AWSControlTowerAdmin{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Principal": {
"Service": "<http://controltower.amazonaws.com|controltower.amazonaws.com>"
},
"Action": "sts:AssumeRole"
}
]
}aws.iam.Policyexisting_role = aws.iam.get_role(name="AWSControlTowerAdmin")
policy = aws.iam.Policy(
"AllowSSOAdminsToAssumeAWSControlTowerAdmin",
policy=json.dumps(
{
"Version": "2012-10-17",
"Statement": [
{
"Action": "sts:AssumeRole",
"Effect": "Allow",
"Principal": {"AWS": SSO_ROLE_ARN},
}
],
}
),
)
attachment = aws.iam.RolePolicyAttachment(
"AllowSSOAdminsToAssumeAWSControlTowerAdminAttachment",
role=existing_role.name,
policy_arn=policy.arn,
)MalformedPolicyDocument: Policy document should not specify a principal.Would I just want to edit the
existing_roleOr would I want to add a (permission) policy to the
SSO_ROLE_ARNexisting_roleimage.png
s
steep-toddler-94095
02/15/2023, 7:31 PMdon't quote me on this, but i think this is correct
Would I just want to edit theitself rather than attaching a policy?existing_role
d
dry-journalist-60579
02/15/2023, 7:32 PMexisting_role = aws.iam.get_role(name="AWSControlTowerAdmin")s
steep-toddler-94095
02/15/2023, 7:35 PMnope, you'd have to import it into Pulumi State. Is this resource being managed by something else or was it created imperatively through the API/UI/CLI
d
dry-journalist-60579
02/15/2023, 7:36 PMCreated via Control Tower bootstrapping process in the UI
s
steep-toddler-94095
02/15/2023, 7:40 PMi'm not familiar with that service, but does it manage the state of the resources it creates or is it mostly a bootstrap-and-forget process? just cause if that's the case you wouldn't want to have a resoruce be managed by both Pulumi and Control Tower
d
dry-journalist-60579
02/15/2023, 7:42 PMhttps://docs.aws.amazon.com/controltower/latest/userguide/roles-how.html looks like it’s a bootstrap and forget situation as they recommend you “manually edit your AWS Control Tower trust policy to add at least one aws:SourceArn or aws:SourceAccount conditional to the policy statement” (in the
Optional conditions for your role trust relationshipss
steep-toddler-94095
02/15/2023, 7:43 PMin that case a pulumi import would work
d
dry-journalist-60579
02/15/2023, 7:44 PMwould it be
pulumi import aws:iam/role:Role AWSControlTowerAdmin AWSControlTowerAdmins
steep-toddler-94095
02/15/2023, 7:46 PMyup
d
dry-journalist-60579
02/15/2023, 7:49 PMOk so now that I have the code that will bring me back to the base state, I can just edit that code to include the changes I want?
s
steep-toddler-94095
02/15/2023, 7:50 PMyup!
d
dry-journalist-60579
02/15/2023, 7:50 PMThank you!!