The Pulumi AWS provider should withhold input property deprecations introduced by the Terraform AWS provider until the Pulumi-specific issues on the intended upgrade path are resolved.
The affected properties include (see 39376 for a full list):
aws.iam.Role: managedPolicyArns
aws.iam.Role: inlinePolicies
The latest iteration of Terraform AWS provider design thinking introduces exclusive relationship management resources. To illustrate on the aws.iam.Role resource:
Upstream wants to deprecate the inline_policy repeated argument in favor of N relationship resources such as aws_iam_role_policy.
The community pushed back on this change because having N aws_iam_role_policy resources in Terraform does not guarantee that the associated aws_iam_role has no policies in the cloud that are not being tracked, something that inline_policy used to guarantee.
Hence aws_iam_role_policies_exclusive is introduced: if users list all aws_iam_role_policy names in aws_iam_role_policies_exclusive, then Terraform will proactively detect when the actual set of inline policies in the cloud does not match the set specified by aws_iam_role_policies_exclusive.
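To make the upstream mechanism concrete, here is an added example (written for this page, not taken from the issue or from either provider's documentation) of the Terraform migration for a single role: the deprecated inline_policy form, then the replacement with one aws_iam_role_policy per policy plus an aws_iam_role_policies_exclusive that declares the complete set. The role names, policy name and bucket ARN are made up for illustration.

```hcl
# Added example: one role with a single inline policy, before and after the
# upstream migration. Role names, policy name and bucket ARN are made up.

data "aws_iam_policy_document" "assume" {
  statement {
    actions = ["sts:AssumeRole"]
    principals {
      type        = "Service"
      identifiers = ["lambda.amazonaws.com"]
    }
  }
}

data "aws_iam_policy_document" "read_reports" {
  statement {
    actions   = ["s3:GetObject"]
    resources = ["arn:aws:s3:::example-reports-bucket/*"]
  }
}

# Before: the repeated inline_policy block is authoritative. An inline policy
# attached to the role outside Terraform appears in the plan as a removal, so
# the role cannot silently carry untracked permissions.
resource "aws_iam_role" "before" {
  name               = "report-reader-before"
  assume_role_policy = data.aws_iam_policy_document.assume.json

  inline_policy {
    name   = "read-reports"
    policy = data.aws_iam_policy_document.read_reports.json
  }
}

# After, step 1: one aws_iam_role_policy per policy. On its own this loses the
# guarantee above: a policy added with `aws iam put-role-policy` is invisible
# to Terraform because no resource claims it.
resource "aws_iam_role" "after" {
  name               = "report-reader-after"
  assume_role_policy = data.aws_iam_policy_document.assume.json
}

resource "aws_iam_role_policy" "read_reports" {
  name   = "read-reports"
  role   = aws_iam_role.after.name
  policy = data.aws_iam_policy_document.read_reports.json
}

# After, step 2: the exclusive resource restores the guarantee. policy_names is
# the complete set of inline policies the role may carry; anything else on the
# role is reported as drift by `terraform plan` and removed on apply.
resource "aws_iam_role_policies_exclusive" "read_reports" {
  role_name    = aws_iam_role.after.name
  policy_names = [aws_iam_role_policy.read_reports.name]
}
```

The security property to preserve across the migration is the "step 2" one: without the exclusive resource, an operator or attacker with iam:PutRolePolicy can widen the role's permissions and no plan will ever flag it. The issue's point is that the Pulumi counterpart, aws.iam.RolePoliciesExclusive, does not currently report this drift, so a Pulumi user who follows the deprecation notice lands in the weaker "step 1" state.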
Unfortunately, when testing this upgrade scenario in the Pulumi provider, we found that aws.iam.RolePoliciesExclusive does not detect role policy drift, due to specifics of how Pulumi maps Terraform providers (https://github.com/pulumi/pulumi-aws/issues/4766).
Because of this issue, users trying to act on the deprecation notice in Pulumi cannot rely on aws.iam.RolePoliciesExclusive to ensure that all inline policies are tracked in Pulumi. Other property deprecations are likely similarly affected.
The proposal going forward is as follows:
Remove the deprecation notices from the affected Pulumi AWS provider properties and continue supporting them.
Proactively fix the issues so that the exclusive management resources work as well in Pulumi as they do upstream.
Re-introduce the deprecations, and support the migration, once there is full confidence in the upgrade path.