
dry-journalist-60579

02/15/2023, 7:22 PM
This may be more of an AWS-itself question, but if I have a role AWSControlTowerAdmin with the following `Trusted entities`:
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": {
        "Service": "controltower.amazonaws.com"
      },
      "Action": "sts:AssumeRole"
    }
  ]
}
but I want to use pulumi to make it so that another role can assume this role… what approach would I want to take? I thought to create an aws.iam.Policy as so:
import json

import pulumi_aws as aws

# Placeholder ARN for the SSO permission-set role that should be allowed to
# assume AWSControlTowerAdmin (constructed value, not from the original post)
SSO_ROLE_ARN = "arn:aws:iam::123456789012:role/PLACEHOLDER_SSO_ROLE"

# Read-only lookup of the role Control Tower created; this does not put the
# role under Pulumi management
existing_role = aws.iam.get_role(name="AWSControlTowerAdmin")

# Identity-based (managed) policy. It carries a "Principal" element, which is
# only valid in a trust (resource-based) policy and is what triggers the
# MalformedPolicyDocument error described below
policy = aws.iam.Policy(
    "AllowSSOAdminsToAssumeAWSControlTowerAdmin",
    policy=json.dumps(
        {
            "Version": "2012-10-17",
            "Statement": [
                {
                    "Action": "sts:AssumeRole",
                    "Effect": "Allow",
                    "Principal": {"AWS": SSO_ROLE_ARN},
                }
            ],
        }
    ),
)

# Attach the managed policy to the existing role
attachment = aws.iam.RolePolicyAttachment(
    "AllowSSOAdminsToAssumeAWSControlTowerAdminAttachment",
    role=existing_role.name,
    policy_arn=policy.arn,
)
but I get
MalformedPolicyDocument: Policy document should not specify a principal.
Would I just want to edit the existing_role itself rather than attaching a policy? Or would I want to add a (permission) policy to the SSO_ROLE_ARN that allows it to assume the existing_role?

steep-toddler-94095

02/15/2023, 7:31 PM
don't quote me on this, but i think this is correct
Would I just want to edit the existing_role itself rather than attaching a policy?

dry-journalist-60579

02/15/2023, 7:32 PM
existing_role = aws.iam.get_role(name="AWSControlTowerAdmin")
=> finds the existing role… But I can’t mutate it that way, right?

steep-toddler-94095

02/15/2023, 7:35 PM
nope, you'd have to import it into Pulumi State. Is this resource being managed by something else or was it created imperatively through the API/UI/CLI

dry-journalist-60579

02/15/2023, 7:36 PM
Created via Control Tower bootstrapping process in the UI

steep-toddler-94095

02/15/2023, 7:40 PM
i'm not familiar with that service, but does it manage the state of the resources it creates or is it mostly a bootstrap-and-forget process? just cause if that's the case you wouldn't want to have a resource be managed by both Pulumi and Control Tower

dry-journalist-60579

02/15/2023, 7:42 PM
https://docs.aws.amazon.com/controltower/latest/userguide/roles-how.html looks like it’s a bootstrap and forget situation as they recommend you “manually edit your AWS Control Tower trust policy to add at least one aws:SourceArn or aws:SourceAccount conditional to the policy statement” (in the "Optional conditions for your role trust relationships" section)

steep-toddler-94095

02/15/2023, 7:43 PM
in that case a pulumi import would work

dry-journalist-60579

02/15/2023, 7:44 PM
would it be
pulumi import aws:iam/role:Role AWSControlTowerAdmin AWSControlTowerAdmin

steep-toddler-94095

02/15/2023, 7:46 PM
yup

dry-journalist-60579

02/15/2023, 7:49 PM
Ok so now that I have the code that will bring me back to the base state, I can just edit that code to include the changes I want?

steep-toddler-94095

02/15/2023, 7:50 PM
yup!

dry-journalist-60579

02/15/2023, 7:50 PM
Thank you!!