# aws
d
Would I just want to edit the `existing_role` itself rather than attaching a policy? Or would I want to add a (permission) policy to the `SSO_ROLE_ARN` that allows it to assume the `existing_role`?
s
don't quote me on this, but i think this is correct
> Would I just want to edit the `existing_role` itself rather than attaching a policy?
d
`existing_role = aws.iam.get_role(name="AWSControlTowerAdmin")` => finds the existing role… But I can't mutate it that way, right?
s
nope, you'd have to import it into Pulumi State. Is this resource being managed by something else or was it created imperatively through the API/UI/CLI
d
Created via Control Tower bootstrapping process in the UI
s
i'm not familiar with that service, but does it manage the state of the resources it creates or is it mostly a bootstrap-and-forget process? just cause if that's the case you wouldn't want to have a resource be managed by both Pulumi and Control Tower
d
https://docs.aws.amazon.com/controltower/latest/userguide/roles-how.html looks like it's a bootstrap and forget situation as they recommend you "manually edit your AWS Control Tower trust policy to add at least one aws:SourceArn or aws:SourceAccount conditional to the policy statement" (in the "Optional conditions for your role trust relationships" section)
s
in that case a pulumi import would work
d
would it be

```
pulumi import aws:iam/role:Role AWSControlTowerAdmin AWSControlTowerAdmin
```
s
yup
d
Ok so now that I have the code that will bring me back to the base state, I can just edit that code to include the changes I want?
s
yup!
d
Thank you!!