This message was deleted.

Would I just want to edit the

existing_role

itself rather than attaching a policy?

don't quote me on this, but i think this is correct

Would I just want to edit the

existing_role

itself rather than attaching a policy?

existing_role = aws.iam.get_role(name="AWSControlTowerAdmin")

=> finds the existing role… But I can’t mutate it that way, right?

nope, you'd have to import it into Pulumi State. Is this resource being managed by something else or was it created imperatively through the API/UI/CLI

Created via Control Tower bootstrapping process in the UI

i'm not familiar with that service, but does it manage the state of the resources it creates or is it mostly a bootstrap-and-forget process? just cause if that's the case you wouldn't want to have a resoruce be managed by both Pulumi and Control Tower

https://docs.aws.amazon.com/controltower/latest/userguide/roles-how.html looks like it’s a bootstrap and forget situation as they recommend you “manually edit your AWS Control Tower trust policy to add at least one aws:SourceArn or aws:SourceAccount conditional to the policy statement” (in the

Optional conditions for your role trust relationships

section)

in that case a pulumi import would work

would it be

pulumi import aws:iam/role:Role AWSControlTowerAdmin AWSControlTowerAdmin

yup

Ok so now that I have the code that will bring me back to the base state, I can just edit that code to include the changes I want?

yup!

Thank you!!