pulumi / pulumi-aws

An Amazon Web Services (AWS) Pulumi resource package, providing multi-language access to AWS
Apache License 2.0

Simplify management of inline policies for IAM roles #4050

Open flostadler opened 1 month ago

flostadler commented 1 month ago

IAM role inline policies have three modes. When setting inlinePolicies:

This has the drawback that removing inline policies requires users to set the inlinePolicies not to an empty array, but to an array with the special empty block (i.e. the delete marker). This behavior might be unintuitive to users (see https://github.com/pulumi/pulumi-aws/issues/4031 for example).

An improvement for this could be extracting the decision whether to manage the inlinePolicies or not into its own property. This would be a breaking change though.

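The contract described in this issue, as an added example (not code from pulumi-aws): a small TypeScript helper that moves the manage-or-not decision into its own flag and emits the correct inlinePolicies value for aws.iam.Role, including the empty-block delete marker. The RoleInlinePolicy shape is assumed to mirror aws.iam.RoleInlinePolicy with plain strings in place of Pulumi Inputs.

```typescript
// Added example, not part of the pulumi-aws SDK. The interface below is an
// assumption that mirrors aws.iam.RoleInlinePolicy without Input<> wrappers.
interface RoleInlinePolicy {
  name?: string;
  policy?: string;
}

// The delete marker: an array holding one empty block. Passing [] instead is
// a silent no-op because the provider then does not manage inline policies.
const DELETE_MARKER: RoleInlinePolicy[] = [{}];

/**
 * Build the inlinePolicies argument for aws.iam.Role from an explicit
 * "manage" flag plus the desired policy documents:
 *  - manage=false              -> undefined: leave the role's policies untouched
 *  - manage=true, no policies  -> [{}]: remove every inline policy
 *  - manage=true, policies     -> exactly these policies; any others are removed
 */
function inlinePoliciesArg(
  manage: boolean,
  policies: { [name: string]: string },
): RoleInlinePolicy[] | undefined {
  if (!manage) {
    return undefined;
  }
  const names = Object.keys(policies);
  if (names.length === 0) {
    return DELETE_MARKER;
  }
  return names.map((name) => ({ name, policy: policies[name] }));
}

/** Flag the footgun from the issue: an empty array that manages nothing. */
function isSilentNoOp(arg: RoleInlinePolicy[] | undefined): boolean {
  return Array.isArray(arg) && arg.length === 0;
}

// Constructed sample policy document (not taken from the issue).
const readOnlyS3 = JSON.stringify({
  Version: "2012-10-17",
  Statement: [{ Effect: "Allow", Action: ["s3:GetObject"], Resource: "*" }],
});

/** What a wrapper would pass as inlinePolicies for a role with one policy. */
function exampleInlinePolicies(): RoleInlinePolicy[] | undefined {
  return inlinePoliciesArg(true, { "s3-read": readOnlyS3 });
}
```

In a real program the result is passed straight through, e.g. `new aws.iam.Role("app", { assumeRolePolicy, inlinePolicies: inlinePoliciesArg(manage, policies) })`.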

flostadler commented 1 month ago

We should also evaluate how to improve the description of the inlinePolicies parameter in the meantime to make the current behavior more obvious.

jmcarp commented 1 month ago

This may or may not be related to #4031, but we've also observed pulumi failing to detect changes to policy documents in iam policies and iam user policies. We've only been able to get pulumi to reliably detect these changes by appending a hash of the policy document to the policy name. Is this a known limitation of pulumi-aws in general, or possibly specific to multi-statement policies?

cc @sudomateo @duskeagle

flostadler commented 1 month ago

@jmcarp I'm sorry that you're running into these problems! What you're describing sounds like a different issue to me. I'm not aware of such behavior, could you open an issue (ideally with an example/repro) so we can dig into this?