pulumi / pulumi-policy-aws

A policy pack of rules to enforce AWS best practices for security, reliability, cost, and more!
https://www.pulumi.com
Apache License 2.0
33 stars 6 forks

Add a check for managed_policy conflicts on aws.iam.Role #107

Closed t0yv0 closed 3 months ago

t0yv0 commented 4 months ago

AWS iam.Role has this NOTE:

// NOTE: If you use this resource’s managed_policy_arns argument or inline_policy configuration blocks, this resource
// will take over exclusive management of the role's respective policy types (e.g., both policy types if both arguments
// are used). These arguments are incompatible with other ways of managing a role's policies, such as
// aws.iam.PolicyAttachment, aws.iam.RolePolicyAttachment, and aws.iam.RolePolicy. If you attempt to manage a role’s
// policies by multiple means, you will get resource cycling and/or errors.

This change adds a check to pulumi-policy-aws against usages that violate the recommendation in this NOTE.

t0yv0 commented 3 months ago

@flostadler you were right about the check not working across stacks. If I define a role in Stack 1 with managedPolicyArns and I use it from Stack 2 to add a RolePolicyAttachment, the problem is not detected.
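The check described in the PR, and the cross-stack limitation raised in the last comment, can be shown with a small stand-alone model of what a stack-level policy sees. This is an added example and not code from pulumi-policy-aws or from the PR. The resource type tokens are the real `@pulumi/aws` ones; the `Resource` shape, the function names (`checkRolePolicyConflicts`, `indexRoles`) and the sample stack are assumptions for this example. In a real policy pack the function body would sit inside a `StackValidationPolicy` from `@pulumi/policy`, which is left out here so the block runs offline.

```typescript
// Added example, not pulumi-policy-aws code. Models a stack-level check for
// aws.iam.Role policy-management conflicts over a minimal stand-in for the
// resource records a Pulumi stack validation receives. Assumed: Resource
// shape, function names and the constructed sample stack below.

interface Resource {
  type: string;                 // Pulumi type token
  name: string;                 // Pulumi logical name
  props: Record<string, any>;   // resolved inputs/outputs (role refs are strings)
}

interface Violation {
  resource: string;
  message: string;
}

// Real @pulumi/aws type tokens.
const ROLE = "aws:iam/role:Role";
const ROLE_POLICY_ATTACHMENT = "aws:iam/rolePolicyAttachment:RolePolicyAttachment";
const POLICY_ATTACHMENT = "aws:iam/policyAttachment:PolicyAttachment";
const ROLE_POLICY = "aws:iam/rolePolicy:RolePolicy";

function nonEmpty(v: unknown): boolean {
  return Array.isArray(v) && v.length > 0;
}

// Map AWS role name -> which policy types the Role resource manages exclusively.
function indexRoles(resources: Resource[]) {
  const roles = new Map<string, { logical: string; exclusiveManaged: boolean; exclusiveInline: boolean }>();
  for (const r of resources) {
    if (r.type !== ROLE) continue;
    roles.set(r.props.name, {
      logical: r.name,
      exclusiveManaged: nonEmpty(r.props.managedPolicyArns),
      exclusiveInline: nonEmpty(r.props.inlinePolicies),
    });
  }
  return roles;
}

// Returns conflicts found in this stack, plus attachments whose target role is
// not a resource of this stack (e.g. a role defined in another stack), which
// the check cannot verify because it never sees that role's arguments.
function checkRolePolicyConflicts(resources: Resource[]): { violations: Violation[]; unverifiable: string[] } {
  const roles = indexRoles(resources);
  const violations: Violation[] = [];
  const unverifiable: string[] = [];

  for (const r of resources) {
    let targets: string[] = [];
    let kind: "managed" | "inline" | null = null;
    if (r.type === ROLE_POLICY_ATTACHMENT) { targets = [r.props.role]; kind = "managed"; }
    else if (r.type === POLICY_ATTACHMENT) { targets = r.props.roles ?? []; kind = "managed"; }
    else if (r.type === ROLE_POLICY) { targets = [r.props.role]; kind = "inline"; }
    if (kind === null) continue;

    for (const roleName of targets) {
      const role = roles.get(roleName);
      if (role === undefined) { unverifiable.push(r.name); continue; }
      const conflict = kind === "managed" ? role.exclusiveManaged : role.exclusiveInline;
      if (conflict) {
        const arg = kind === "managed" ? "managedPolicyArns" : "inlinePolicies";
        violations.push({
          resource: r.name,
          message: `${r.type} '${r.name}' targets role '${role.logical}', which already manages its ` +
                   `${kind} policies exclusively via ${arg}; this causes resource cycling or errors.`,
        });
      }
    }
  }
  return { violations, unverifiable };
}

// Constructed sample stack: two conflicting roles, one clean role, and one
// attachment to a role that only exists in another stack.
const sampleStack: Resource[] = [
  { type: ROLE, name: "appRole", props: { name: "app-role", managedPolicyArns: ["arn:aws:iam::aws:policy/ReadOnlyAccess"] } },
  { type: ROLE, name: "jobRole", props: { name: "job-role", inlinePolicies: [{ name: "job", policy: "{}" }] } },
  { type: ROLE, name: "cleanRole", props: { name: "clean-role" } },
  { type: ROLE_POLICY_ATTACHMENT, name: "appAttach", props: { role: "app-role", policyArn: "arn:aws:iam::aws:policy/AmazonS3ReadOnlyAccess" } },
  { type: POLICY_ATTACHMENT, name: "sharedAttach", props: { roles: ["app-role", "clean-role"], policyArn: "arn:aws:iam::aws:policy/CloudWatchLogsFullAccess" } },
  { type: ROLE_POLICY, name: "jobInline", props: { role: "job-role", policy: "{}" } },
  { type: ROLE_POLICY, name: "cleanInline", props: { role: "clean-role", policy: "{}" } },
  { type: ROLE_POLICY_ATTACHMENT, name: "otherStackAttach", props: { role: "shared-role", policyArn: "arn:aws:iam::aws:policy/ReadOnlyAccess" } },
];

const report = checkRolePolicyConflicts(sampleStack);
for (const v of report.violations) console.log("VIOLATION:", v.message);
for (const u of report.unverifiable) console.log("NOT CHECKED (role outside this stack):", u);
```

The `unverifiable` list is the point the last comment makes: a `RolePolicyAttachment` in Stack 2 against a role whose `managedPolicyArns` live in Stack 1 is never reported as a violation, because the policy only receives Stack 2's resources and has nothing to compare the attachment against. Catching that case would need the role's argument values to cross the stack boundary, for example through a stack reference or a tag, which this check does not attempt.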