From aeddb2bab0f7b70d0aae79eb3ad8d746ab411557 Mon Sep 17 00:00:00 2001
From: Florian Stadler
Date: Wed, 4 Dec 2024 15:21:42 +0100
Subject: [PATCH 1/2] Replace Terraform with Pulumi to stop eliding iam.PolicyAttachment docs
---
provider/cmd/pulumi-resource-aws/schema.json | 2 +-
provider/doc_edits.go | 2 ++
2 files changed, 3 insertions(+), 1 deletion(-)
diff --git a/provider/cmd/pulumi-resource-aws/schema.json b/provider/cmd/pulumi-resource-aws/schema.json
index 30c53d65fc6..e9317458f1c 100644
--- a/provider/cmd/pulumi-resource-aws/schema.json
+++ b/provider/cmd/pulumi-resource-aws/schema.json
@@ -279678,7 +279678,7 @@ } }, "aws:iam/policyAttachment:PolicyAttachment": { - "description": "## Example Usage\n\n\u003c!--Start PulumiCodeChooser --\u003e\n```typescript\nimport * as pulumi from \"@pulumi/pulumi\";\nimport * as aws from \"@pulumi/aws\";\n\nconst user = new aws.iam.User(\"user\", {name: \"test-user\"});\nconst assumeRole = aws.iam.getPolicyDocument({\n statements: [{\n effect: \"Allow\",\n principals: [{\n type: \"Service\",\n identifiers: [\"ec2.amazonaws.com\"],\n }],\n actions: [\"sts:AssumeRole\"],\n }],\n});\nconst role = new aws.iam.Role(\"role\", {\n name: \"test-role\",\n assumeRolePolicy: assumeRole.then(assumeRole =\u003e assumeRole.json),\n});\nconst group = new aws.iam.Group(\"group\", {name: \"test-group\"});\nconst policy = aws.iam.getPolicyDocument({\n statements: [{\n effect: \"Allow\",\n actions: [\"ec2:Describe*\"],\n resources: [\"*\"],\n }],\n});\nconst policyPolicy = new aws.iam.Policy(\"policy\", {\n name: \"test-policy\",\n description: \"A test policy\",\n policy: policy.then(policy =\u003e policy.json),\n});\nconst test_attach = new aws.iam.PolicyAttachment(\"test-attach\", {\n name: \"test-attachment\",\n users: [user.name],\n roles: [role.name],\n groups: [group.name],\n policyArn: policyPolicy.arn,\n});\n```\n```python\nimport pulumi\nimport pulumi_aws as aws\n\nuser = aws.iam.User(\"user\", name=\"test-user\")\nassume_role = aws.iam.get_policy_document(statements=[{\n \"effect\": \"Allow\",\n \"principals\": [{\n \"type\": \"Service\",\n \"identifiers\": [\"ec2.amazonaws.com\"],\n }],\n \"actions\": [\"sts:AssumeRole\"],\n}])\nrole = aws.iam.Role(\"role\",\n name=\"test-role\",\n assume_role_policy=assume_role.json)\ngroup = aws.iam.Group(\"group\", name=\"test-group\")\npolicy = aws.iam.get_policy_document(statements=[{\n \"effect\": \"Allow\",\n \"actions\": [\"ec2:Describe*\"],\n \"resources\": [\"*\"],\n}])\npolicy_policy = aws.iam.Policy(\"policy\",\n name=\"test-policy\",\n description=\"A test policy\",\n 
policy=policy.json)\ntest_attach = aws.iam.PolicyAttachment(\"test-attach\",\n name=\"test-attachment\",\n users=[user.name],\n roles=[role.name],\n groups=[group.name],\n policy_arn=policy_policy.arn)\n```\n```csharp\nusing System.Collections.Generic;\nusing System.Linq;\nusing Pulumi;\nusing Aws = Pulumi.Aws;\n\nreturn await Deployment.RunAsync(() =\u003e \n{\n var user = new Aws.Iam.User(\"user\", new()\n {\n Name = \"test-user\",\n });\n\n var assumeRole = Aws.Iam.GetPolicyDocument.Invoke(new()\n {\n Statements = new[]\n {\n new Aws.Iam.Inputs.GetPolicyDocumentStatementInputArgs\n {\n Effect = \"Allow\",\n Principals = new[]\n {\n new Aws.Iam.Inputs.GetPolicyDocumentStatementPrincipalInputArgs\n {\n Type = \"Service\",\n Identifiers = new[]\n {\n \"ec2.amazonaws.com\",\n },\n },\n },\n Actions = new[]\n {\n \"sts:AssumeRole\",\n },\n },\n },\n });\n\n var role = new Aws.Iam.Role(\"role\", new()\n {\n Name = \"test-role\",\n AssumeRolePolicy = assumeRole.Apply(getPolicyDocumentResult =\u003e getPolicyDocumentResult.Json),\n });\n\n var @group = new Aws.Iam.Group(\"group\", new()\n {\n Name = \"test-group\",\n });\n\n var policy = Aws.Iam.GetPolicyDocument.Invoke(new()\n {\n Statements = new[]\n {\n new Aws.Iam.Inputs.GetPolicyDocumentStatementInputArgs\n {\n Effect = \"Allow\",\n Actions = new[]\n {\n \"ec2:Describe*\",\n },\n Resources = new[]\n {\n \"*\",\n },\n },\n },\n });\n\n var policyPolicy = new Aws.Iam.Policy(\"policy\", new()\n {\n Name = \"test-policy\",\n Description = \"A test policy\",\n PolicyDocument = policy.Apply(getPolicyDocumentResult =\u003e getPolicyDocumentResult.Json),\n });\n\n var test_attach = new Aws.Iam.PolicyAttachment(\"test-attach\", new()\n {\n Name = \"test-attachment\",\n Users = new[]\n {\n user.Name,\n },\n Roles = new[]\n {\n role.Name,\n },\n Groups = new[]\n {\n @group.Name,\n },\n PolicyArn = policyPolicy.Arn,\n });\n\n});\n```\n```go\npackage main\n\nimport 
(\n\t\"github.com/pulumi/pulumi-aws/sdk/v6/go/aws/iam\"\n\t\"github.com/pulumi/pulumi/sdk/v3/go/pulumi\"\n)\n\nfunc main() {\n\tpulumi.Run(func(ctx *pulumi.Context) error {\n\t\tuser, err := iam.NewUser(ctx, \"user\", \u0026iam.UserArgs{\n\t\t\tName: pulumi.String(\"test-user\"),\n\t\t})\n\t\tif err != nil {\n\t\t\treturn err\n\t\t}\n\t\tassumeRole, err := iam.GetPolicyDocument(ctx, \u0026iam.GetPolicyDocumentArgs{\n\t\t\tStatements: []iam.GetPolicyDocumentStatement{\n\t\t\t\t{\n\t\t\t\t\tEffect: pulumi.StringRef(\"Allow\"),\n\t\t\t\t\tPrincipals: []iam.GetPolicyDocumentStatementPrincipal{\n\t\t\t\t\t\t{\n\t\t\t\t\t\t\tType: \"Service\",\n\t\t\t\t\t\t\tIdentifiers: []string{\n\t\t\t\t\t\t\t\t\"ec2.amazonaws.com\",\n\t\t\t\t\t\t\t},\n\t\t\t\t\t\t},\n\t\t\t\t\t},\n\t\t\t\t\tActions: []string{\n\t\t\t\t\t\t\"sts:AssumeRole\",\n\t\t\t\t\t},\n\t\t\t\t},\n\t\t\t},\n\t\t}, nil)\n\t\tif err != nil {\n\t\t\treturn err\n\t\t}\n\t\trole, err := iam.NewRole(ctx, \"role\", \u0026iam.RoleArgs{\n\t\t\tName: pulumi.String(\"test-role\"),\n\t\t\tAssumeRolePolicy: pulumi.String(assumeRole.Json),\n\t\t})\n\t\tif err != nil {\n\t\t\treturn err\n\t\t}\n\t\tgroup, err := iam.NewGroup(ctx, \"group\", \u0026iam.GroupArgs{\n\t\t\tName: pulumi.String(\"test-group\"),\n\t\t})\n\t\tif err != nil {\n\t\t\treturn err\n\t\t}\n\t\tpolicy, err := iam.GetPolicyDocument(ctx, \u0026iam.GetPolicyDocumentArgs{\n\t\t\tStatements: []iam.GetPolicyDocumentStatement{\n\t\t\t\t{\n\t\t\t\t\tEffect: pulumi.StringRef(\"Allow\"),\n\t\t\t\t\tActions: []string{\n\t\t\t\t\t\t\"ec2:Describe*\",\n\t\t\t\t\t},\n\t\t\t\t\tResources: []string{\n\t\t\t\t\t\t\"*\",\n\t\t\t\t\t},\n\t\t\t\t},\n\t\t\t},\n\t\t}, nil)\n\t\tif err != nil {\n\t\t\treturn err\n\t\t}\n\t\tpolicyPolicy, err := iam.NewPolicy(ctx, \"policy\", \u0026iam.PolicyArgs{\n\t\t\tName: pulumi.String(\"test-policy\"),\n\t\t\tDescription: pulumi.String(\"A test policy\"),\n\t\t\tPolicy: pulumi.String(policy.Json),\n\t\t})\n\t\tif err != nil {\n\t\t\treturn 
err\n\t\t}\n\t\t_, err = iam.NewPolicyAttachment(ctx, \"test-attach\", \u0026iam.PolicyAttachmentArgs{\n\t\t\tName: pulumi.String(\"test-attachment\"),\n\t\t\tUsers: pulumi.Array{\n\t\t\t\tuser.Name,\n\t\t\t},\n\t\t\tRoles: pulumi.Array{\n\t\t\t\trole.Name,\n\t\t\t},\n\t\t\tGroups: pulumi.Array{\n\t\t\t\tgroup.Name,\n\t\t\t},\n\t\t\tPolicyArn: policyPolicy.Arn,\n\t\t})\n\t\tif err != nil {\n\t\t\treturn err\n\t\t}\n\t\treturn nil\n\t})\n}\n```\n```java\npackage generated_program;\n\nimport com.pulumi.Context;\nimport com.pulumi.Pulumi;\nimport com.pulumi.core.Output;\nimport com.pulumi.aws.iam.User;\nimport com.pulumi.aws.iam.UserArgs;\nimport com.pulumi.aws.iam.IamFunctions;\nimport com.pulumi.aws.iam.inputs.GetPolicyDocumentArgs;\nimport com.pulumi.aws.iam.Role;\nimport com.pulumi.aws.iam.RoleArgs;\nimport com.pulumi.aws.iam.Group;\nimport com.pulumi.aws.iam.GroupArgs;\nimport com.pulumi.aws.iam.Policy;\nimport com.pulumi.aws.iam.PolicyArgs;\nimport com.pulumi.aws.iam.PolicyAttachment;\nimport com.pulumi.aws.iam.PolicyAttachmentArgs;\nimport java.util.List;\nimport java.util.ArrayList;\nimport java.util.Map;\nimport java.io.File;\nimport java.nio.file.Files;\nimport java.nio.file.Paths;\n\npublic class App {\n public static void main(String[] args) {\n Pulumi.run(App::stack);\n }\n\n public static void stack(Context ctx) {\n var user = new User(\"user\", UserArgs.builder()\n .name(\"test-user\")\n .build());\n\n final var assumeRole = IamFunctions.getPolicyDocument(GetPolicyDocumentArgs.builder()\n .statements(GetPolicyDocumentStatementArgs.builder()\n .effect(\"Allow\")\n .principals(GetPolicyDocumentStatementPrincipalArgs.builder()\n .type(\"Service\")\n .identifiers(\"ec2.amazonaws.com\")\n .build())\n .actions(\"sts:AssumeRole\")\n .build())\n .build());\n\n var role = new Role(\"role\", RoleArgs.builder()\n .name(\"test-role\")\n .assumeRolePolicy(assumeRole.applyValue(getPolicyDocumentResult -\u003e getPolicyDocumentResult.json()))\n .build());\n\n var 
group = new Group(\"group\", GroupArgs.builder()\n .name(\"test-group\")\n .build());\n\n final var policy = IamFunctions.getPolicyDocument(GetPolicyDocumentArgs.builder()\n .statements(GetPolicyDocumentStatementArgs.builder()\n .effect(\"Allow\")\n .actions(\"ec2:Describe*\")\n .resources(\"*\")\n .build())\n .build());\n\n var policyPolicy = new Policy(\"policyPolicy\", PolicyArgs.builder()\n .name(\"test-policy\")\n .description(\"A test policy\")\n .policy(policy.applyValue(getPolicyDocumentResult -\u003e getPolicyDocumentResult.json()))\n .build());\n\n var test_attach = new PolicyAttachment(\"test-attach\", PolicyAttachmentArgs.builder()\n .name(\"test-attachment\")\n .users(user.name())\n .roles(role.name())\n .groups(group.name())\n .policyArn(policyPolicy.arn())\n .build());\n\n }\n}\n```\n```yaml\nresources:\n user:\n type: aws:iam:User\n properties:\n name: test-user\n role:\n type: aws:iam:Role\n properties:\n name: test-role\n assumeRolePolicy: ${assumeRole.json}\n group:\n type: aws:iam:Group\n properties:\n name: test-group\n policyPolicy:\n type: aws:iam:Policy\n name: policy\n properties:\n name: test-policy\n description: A test policy\n policy: ${policy.json}\n test-attach:\n type: aws:iam:PolicyAttachment\n properties:\n name: test-attachment\n users:\n - ${user.name}\n roles:\n - ${role.name}\n groups:\n - ${group.name}\n policyArn: ${policyPolicy.arn}\nvariables:\n assumeRole:\n fn::invoke:\n Function: aws:iam:getPolicyDocument\n Arguments:\n statements:\n - effect: Allow\n principals:\n - type: Service\n identifiers:\n - ec2.amazonaws.com\n actions:\n - sts:AssumeRole\n policy:\n fn::invoke:\n Function: aws:iam:getPolicyDocument\n Arguments:\n statements:\n - effect: Allow\n actions:\n - ec2:Describe*\n resources:\n - '*'\n```\n\u003c!--End PulumiCodeChooser --\u003e\n", + "description": "Attaches a Managed IAM Policy to user(s), role(s), and/or group(s)\n\n!\u003e **WARNING:** The aws.iam.PolicyAttachment resource creates **exclusive** 
attachments of IAM policies. Across the entire AWS account, all of the users/roles/groups to which a single policy is attached must be declared by a single aws.iam.PolicyAttachment resource. This means that even any users/roles/groups that have the attached policy via any other mechanism (including other resources managed by this provider) will have that attached policy revoked by this resource. Consider `aws.iam.RolePolicyAttachment`, `aws.iam.UserPolicyAttachment`, or `aws.iam.GroupPolicyAttachment` instead. These resources do not enforce exclusive attachment of an IAM policy.\n\n\u003e **NOTE:** The usage of this resource conflicts with the `aws.iam.GroupPolicyAttachment`, `aws.iam.RolePolicyAttachment`, and `aws.iam.UserPolicyAttachment` resources and will permanently show a difference if both are defined.\n\n\u003e **NOTE:** For a given role, this resource is incompatible with using the `aws.iam.Role` resource `managed_policy_arns` argument. When using that argument and this resource, both will attempt to manage the role's managed policy attachments and the provider will show a permanent difference.\n\n\u003e **NOTE:** To ensure Pulumi correctly manages dependencies during updates, use a reference to the IAM resource when defining the `policy_arn` for `aws.iam.PolicyAttachment`, rather than constructing the ARN directly. For example, use `policy_arn = aws_iam_policy.example.arn` instead of `policy_arn = \"arn:aws:iam::${data.aws_caller_identity.current.account_id}:policy/Example\"`. 
Failing to do so may lead to errors like `DeleteConflict: Cannot delete a policy attached to entities` or `NoSuchEntity`.\n\n## Example Usage\n\n\u003c!--Start PulumiCodeChooser --\u003e\n```typescript\nimport * as pulumi from \"@pulumi/pulumi\";\nimport * as aws from \"@pulumi/aws\";\n\nconst user = new aws.iam.User(\"user\", {name: \"test-user\"});\nconst assumeRole = aws.iam.getPolicyDocument({\n statements: [{\n effect: \"Allow\",\n principals: [{\n type: \"Service\",\n identifiers: [\"ec2.amazonaws.com\"],\n }],\n actions: [\"sts:AssumeRole\"],\n }],\n});\nconst role = new aws.iam.Role(\"role\", {\n name: \"test-role\",\n assumeRolePolicy: assumeRole.then(assumeRole =\u003e assumeRole.json),\n});\nconst group = new aws.iam.Group(\"group\", {name: \"test-group\"});\nconst policy = aws.iam.getPolicyDocument({\n statements: [{\n effect: \"Allow\",\n actions: [\"ec2:Describe*\"],\n resources: [\"*\"],\n }],\n});\nconst policyPolicy = new aws.iam.Policy(\"policy\", {\n name: \"test-policy\",\n description: \"A test policy\",\n policy: policy.then(policy =\u003e policy.json),\n});\nconst test_attach = new aws.iam.PolicyAttachment(\"test-attach\", {\n name: \"test-attachment\",\n users: [user.name],\n roles: [role.name],\n groups: [group.name],\n policyArn: policyPolicy.arn,\n});\n```\n```python\nimport pulumi\nimport pulumi_aws as aws\n\nuser = aws.iam.User(\"user\", name=\"test-user\")\nassume_role = aws.iam.get_policy_document(statements=[{\n \"effect\": \"Allow\",\n \"principals\": [{\n \"type\": \"Service\",\n \"identifiers\": [\"ec2.amazonaws.com\"],\n }],\n \"actions\": [\"sts:AssumeRole\"],\n}])\nrole = aws.iam.Role(\"role\",\n name=\"test-role\",\n assume_role_policy=assume_role.json)\ngroup = aws.iam.Group(\"group\", name=\"test-group\")\npolicy = aws.iam.get_policy_document(statements=[{\n \"effect\": \"Allow\",\n \"actions\": [\"ec2:Describe*\"],\n \"resources\": [\"*\"],\n}])\npolicy_policy = aws.iam.Policy(\"policy\",\n name=\"test-policy\",\n 
description=\"A test policy\",\n policy=policy.json)\ntest_attach = aws.iam.PolicyAttachment(\"test-attach\",\n name=\"test-attachment\",\n users=[user.name],\n roles=[role.name],\n groups=[group.name],\n policy_arn=policy_policy.arn)\n```\n```csharp\nusing System.Collections.Generic;\nusing System.Linq;\nusing Pulumi;\nusing Aws = Pulumi.Aws;\n\nreturn await Deployment.RunAsync(() =\u003e \n{\n var user = new Aws.Iam.User(\"user\", new()\n {\n Name = \"test-user\",\n });\n\n var assumeRole = Aws.Iam.GetPolicyDocument.Invoke(new()\n {\n Statements = new[]\n {\n new Aws.Iam.Inputs.GetPolicyDocumentStatementInputArgs\n {\n Effect = \"Allow\",\n Principals = new[]\n {\n new Aws.Iam.Inputs.GetPolicyDocumentStatementPrincipalInputArgs\n {\n Type = \"Service\",\n Identifiers = new[]\n {\n \"ec2.amazonaws.com\",\n },\n },\n },\n Actions = new[]\n {\n \"sts:AssumeRole\",\n },\n },\n },\n });\n\n var role = new Aws.Iam.Role(\"role\", new()\n {\n Name = \"test-role\",\n AssumeRolePolicy = assumeRole.Apply(getPolicyDocumentResult =\u003e getPolicyDocumentResult.Json),\n });\n\n var @group = new Aws.Iam.Group(\"group\", new()\n {\n Name = \"test-group\",\n });\n\n var policy = Aws.Iam.GetPolicyDocument.Invoke(new()\n {\n Statements = new[]\n {\n new Aws.Iam.Inputs.GetPolicyDocumentStatementInputArgs\n {\n Effect = \"Allow\",\n Actions = new[]\n {\n \"ec2:Describe*\",\n },\n Resources = new[]\n {\n \"*\",\n },\n },\n },\n });\n\n var policyPolicy = new Aws.Iam.Policy(\"policy\", new()\n {\n Name = \"test-policy\",\n Description = \"A test policy\",\n PolicyDocument = policy.Apply(getPolicyDocumentResult =\u003e getPolicyDocumentResult.Json),\n });\n\n var test_attach = new Aws.Iam.PolicyAttachment(\"test-attach\", new()\n {\n Name = \"test-attachment\",\n Users = new[]\n {\n user.Name,\n },\n Roles = new[]\n {\n role.Name,\n },\n Groups = new[]\n {\n @group.Name,\n },\n PolicyArn = policyPolicy.Arn,\n });\n\n});\n```\n```go\npackage main\n\nimport 
(\n\t\"github.com/pulumi/pulumi-aws/sdk/v6/go/aws/iam\"\n\t\"github.com/pulumi/pulumi/sdk/v3/go/pulumi\"\n)\n\nfunc main() {\n\tpulumi.Run(func(ctx *pulumi.Context) error {\n\t\tuser, err := iam.NewUser(ctx, \"user\", \u0026iam.UserArgs{\n\t\t\tName: pulumi.String(\"test-user\"),\n\t\t})\n\t\tif err != nil {\n\t\t\treturn err\n\t\t}\n\t\tassumeRole, err := iam.GetPolicyDocument(ctx, \u0026iam.GetPolicyDocumentArgs{\n\t\t\tStatements: []iam.GetPolicyDocumentStatement{\n\t\t\t\t{\n\t\t\t\t\tEffect: pulumi.StringRef(\"Allow\"),\n\t\t\t\t\tPrincipals: []iam.GetPolicyDocumentStatementPrincipal{\n\t\t\t\t\t\t{\n\t\t\t\t\t\t\tType: \"Service\",\n\t\t\t\t\t\t\tIdentifiers: []string{\n\t\t\t\t\t\t\t\t\"ec2.amazonaws.com\",\n\t\t\t\t\t\t\t},\n\t\t\t\t\t\t},\n\t\t\t\t\t},\n\t\t\t\t\tActions: []string{\n\t\t\t\t\t\t\"sts:AssumeRole\",\n\t\t\t\t\t},\n\t\t\t\t},\n\t\t\t},\n\t\t}, nil)\n\t\tif err != nil {\n\t\t\treturn err\n\t\t}\n\t\trole, err := iam.NewRole(ctx, \"role\", \u0026iam.RoleArgs{\n\t\t\tName: pulumi.String(\"test-role\"),\n\t\t\tAssumeRolePolicy: pulumi.String(assumeRole.Json),\n\t\t})\n\t\tif err != nil {\n\t\t\treturn err\n\t\t}\n\t\tgroup, err := iam.NewGroup(ctx, \"group\", \u0026iam.GroupArgs{\n\t\t\tName: pulumi.String(\"test-group\"),\n\t\t})\n\t\tif err != nil {\n\t\t\treturn err\n\t\t}\n\t\tpolicy, err := iam.GetPolicyDocument(ctx, \u0026iam.GetPolicyDocumentArgs{\n\t\t\tStatements: []iam.GetPolicyDocumentStatement{\n\t\t\t\t{\n\t\t\t\t\tEffect: pulumi.StringRef(\"Allow\"),\n\t\t\t\t\tActions: []string{\n\t\t\t\t\t\t\"ec2:Describe*\",\n\t\t\t\t\t},\n\t\t\t\t\tResources: []string{\n\t\t\t\t\t\t\"*\",\n\t\t\t\t\t},\n\t\t\t\t},\n\t\t\t},\n\t\t}, nil)\n\t\tif err != nil {\n\t\t\treturn err\n\t\t}\n\t\tpolicyPolicy, err := iam.NewPolicy(ctx, \"policy\", \u0026iam.PolicyArgs{\n\t\t\tName: pulumi.String(\"test-policy\"),\n\t\t\tDescription: pulumi.String(\"A test policy\"),\n\t\t\tPolicy: pulumi.String(policy.Json),\n\t\t})\n\t\tif err != nil {\n\t\t\treturn 
err\n\t\t}\n\t\t_, err = iam.NewPolicyAttachment(ctx, \"test-attach\", \u0026iam.PolicyAttachmentArgs{\n\t\t\tName: pulumi.String(\"test-attachment\"),\n\t\t\tUsers: pulumi.Array{\n\t\t\t\tuser.Name,\n\t\t\t},\n\t\t\tRoles: pulumi.Array{\n\t\t\t\trole.Name,\n\t\t\t},\n\t\t\tGroups: pulumi.Array{\n\t\t\t\tgroup.Name,\n\t\t\t},\n\t\t\tPolicyArn: policyPolicy.Arn,\n\t\t})\n\t\tif err != nil {\n\t\t\treturn err\n\t\t}\n\t\treturn nil\n\t})\n}\n```\n```java\npackage generated_program;\n\nimport com.pulumi.Context;\nimport com.pulumi.Pulumi;\nimport com.pulumi.core.Output;\nimport com.pulumi.aws.iam.User;\nimport com.pulumi.aws.iam.UserArgs;\nimport com.pulumi.aws.iam.IamFunctions;\nimport com.pulumi.aws.iam.inputs.GetPolicyDocumentArgs;\nimport com.pulumi.aws.iam.Role;\nimport com.pulumi.aws.iam.RoleArgs;\nimport com.pulumi.aws.iam.Group;\nimport com.pulumi.aws.iam.GroupArgs;\nimport com.pulumi.aws.iam.Policy;\nimport com.pulumi.aws.iam.PolicyArgs;\nimport com.pulumi.aws.iam.PolicyAttachment;\nimport com.pulumi.aws.iam.PolicyAttachmentArgs;\nimport java.util.List;\nimport java.util.ArrayList;\nimport java.util.Map;\nimport java.io.File;\nimport java.nio.file.Files;\nimport java.nio.file.Paths;\n\npublic class App {\n public static void main(String[] args) {\n Pulumi.run(App::stack);\n }\n\n public static void stack(Context ctx) {\n var user = new User(\"user\", UserArgs.builder()\n .name(\"test-user\")\n .build());\n\n final var assumeRole = IamFunctions.getPolicyDocument(GetPolicyDocumentArgs.builder()\n .statements(GetPolicyDocumentStatementArgs.builder()\n .effect(\"Allow\")\n .principals(GetPolicyDocumentStatementPrincipalArgs.builder()\n .type(\"Service\")\n .identifiers(\"ec2.amazonaws.com\")\n .build())\n .actions(\"sts:AssumeRole\")\n .build())\n .build());\n\n var role = new Role(\"role\", RoleArgs.builder()\n .name(\"test-role\")\n .assumeRolePolicy(assumeRole.applyValue(getPolicyDocumentResult -\u003e getPolicyDocumentResult.json()))\n .build());\n\n var 
group = new Group(\"group\", GroupArgs.builder()\n .name(\"test-group\")\n .build());\n\n final var policy = IamFunctions.getPolicyDocument(GetPolicyDocumentArgs.builder()\n .statements(GetPolicyDocumentStatementArgs.builder()\n .effect(\"Allow\")\n .actions(\"ec2:Describe*\")\n .resources(\"*\")\n .build())\n .build());\n\n var policyPolicy = new Policy(\"policyPolicy\", PolicyArgs.builder()\n .name(\"test-policy\")\n .description(\"A test policy\")\n .policy(policy.applyValue(getPolicyDocumentResult -\u003e getPolicyDocumentResult.json()))\n .build());\n\n var test_attach = new PolicyAttachment(\"test-attach\", PolicyAttachmentArgs.builder()\n .name(\"test-attachment\")\n .users(user.name())\n .roles(role.name())\n .groups(group.name())\n .policyArn(policyPolicy.arn())\n .build());\n\n }\n}\n```\n```yaml\nresources:\n user:\n type: aws:iam:User\n properties:\n name: test-user\n role:\n type: aws:iam:Role\n properties:\n name: test-role\n assumeRolePolicy: ${assumeRole.json}\n group:\n type: aws:iam:Group\n properties:\n name: test-group\n policyPolicy:\n type: aws:iam:Policy\n name: policy\n properties:\n name: test-policy\n description: A test policy\n policy: ${policy.json}\n test-attach:\n type: aws:iam:PolicyAttachment\n properties:\n name: test-attachment\n users:\n - ${user.name}\n roles:\n - ${role.name}\n groups:\n - ${group.name}\n policyArn: ${policyPolicy.arn}\nvariables:\n assumeRole:\n fn::invoke:\n Function: aws:iam:getPolicyDocument\n Arguments:\n statements:\n - effect: Allow\n principals:\n - type: Service\n identifiers:\n - ec2.amazonaws.com\n actions:\n - sts:AssumeRole\n policy:\n fn::invoke:\n Function: aws:iam:getPolicyDocument\n Arguments:\n statements:\n - effect: Allow\n actions:\n - ec2:Describe*\n resources:\n - '*'\n```\n\u003c!--End PulumiCodeChooser --\u003e\n", "properties": { "groups": { "type": "array", diff --git a/provider/doc_edits.go b/provider/doc_edits.go index 2f2e7e02518..fe2017a66d1 100644 --- a/provider/doc_edits.go 
+++ b/provider/doc_edits.go
@@ -68,6 +68,8 @@ func editRules(defaults []tfbridge.DocsEdit) []tfbridge.DocsEdit {
 " `pulumi up --refresh`."+
 " See [#4766](https://github.com/pulumi/pulumi-aws/issues/4766)"+
 " for tracking making this work with regular `pulumi up`"),
+
+ targetedSimpleReplace("iam_policy_attachment.html.markdown", "Terraform", "Pulumi"),
 )
 }
From f613c7fed1dd5dd33e2e685724c49fb492497b51 Mon Sep 17 00:00:00 2001
From: Florian Stadler
Date: Wed, 4 Dec 2024 15:31:30 +0100
Subject: [PATCH 2/2] Regenerate SDK
---
sdk/dotnet/Iam/PolicyAttachment.cs | 10 ++++++++++
sdk/go/aws/iam/policyAttachment.go | 10 ++++++++++
.../com/pulumi/aws/iam/PolicyAttachment.java | 10 ++++++++++
sdk/nodejs/iam/policyAttachment.ts | 10 ++++++++++
.../pulumi_aws/iam/policy_attachment.py | 20 +++++++++++++++++++
5 files changed, 60 insertions(+)
diff --git a/sdk/dotnet/Iam/PolicyAttachment.cs b/sdk/dotnet/Iam/PolicyAttachment.cs
index 9ba737c4344..30b6e7b1eb0 100644
--- a/sdk/dotnet/Iam/PolicyAttachment.cs
+++ b/sdk/dotnet/Iam/PolicyAttachment.cs
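Review bot: `targetedSimpleReplace("iam_policy_attachment.html.markdown", "Terraform", "Pulumi")` swaps the product name but leaves the Terraform-specific content around it untouched, so the now-unelided text still instructs Pulumi users in HCL: the regenerated docs in the second patch (PolicyAttachment.cs, policyAttachment.go, PolicyAttachment.java, policyAttachment.ts, policy_attachment.py) recommend `policy_arn = aws_iam_policy.example.arn` over `"arn:aws:iam::${data.aws_caller_identity.current.account_id}:policy/Example"`, both of which are Terraform expressions rather than anything a Pulumi SDK accepts. Consider pairing this rule with a second targeted replacement that rewrites that example sentence in Pulumi terms (a reference to the `aws.iam.Policy` resource's `arn` output), or at least annotate the rule, e.g. `// Un-elides the PolicyAttachment warning/notes; the HCL example inside is knowingly left as-is.`, so the residue reads as intentional. A word-level replace also cannot be checked from this hunk for other "Terraform" occurrences in that markdown file that should not become "Pulumi" (product or registry names), which is worth verifying before merge. The upside is that the exclusive-attachment warning (other users/roles/groups attached to the same policy are revoked by this resource) is finally surfaced in every SDK, which matters for anyone relying on this resource for access control. editRules' body starts and ends outside the hunk.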
@@ -10,6 +10,16 @@ namespace Pulumi.Aws.Iam
 {
 ///
+ /// Attaches a Managed IAM Policy to user(s), role(s), and/or group(s)
+ ///
+ /// !> **WARNING:** The aws.iam.PolicyAttachment resource creates **exclusive** attachments of IAM policies. Across the entire AWS account, all of the users/roles/groups to which a single policy is attached must be declared by a single aws.iam.PolicyAttachment resource. This means that even any users/roles/groups that have the attached policy via any other mechanism (including other resources managed by this provider) will have that attached policy revoked by this resource. Consider `aws.iam.RolePolicyAttachment`, `aws.iam.UserPolicyAttachment`, or `aws.iam.GroupPolicyAttachment` instead. These resources do not enforce exclusive attachment of an IAM policy.
+ ///
+ /// > **NOTE:** The usage of this resource conflicts with the `aws.iam.GroupPolicyAttachment`, `aws.iam.RolePolicyAttachment`, and `aws.iam.UserPolicyAttachment` resources and will permanently show a difference if both are defined.
+ ///
+ /// > **NOTE:** For a given role, this resource is incompatible with using the `aws.iam.Role` resource `managed_policy_arns` argument. When using that argument and this resource, both will attempt to manage the role's managed policy attachments and the provider will show a permanent difference.
+ ///
+ /// > **NOTE:** To ensure Pulumi correctly manages dependencies during updates, use a reference to the IAM resource when defining the `policy_arn` for `aws.iam.PolicyAttachment`, rather than constructing the ARN directly. For example, use `policy_arn = aws_iam_policy.example.arn` instead of `policy_arn = "arn:aws:iam::${data.aws_caller_identity.current.account_id}:policy/Example"`. Failing to do so may lead to errors like `DeleteConflict: Cannot delete a policy attached to entities` or `NoSuchEntity`.
+ ///
 /// ## Example Usage
 ///
 /// ```csharp
diff --git a/sdk/go/aws/iam/policyAttachment.go b/sdk/go/aws/iam/policyAttachment.go
index ba28e1e2e16..41c083d6f8c 100644
--- a/sdk/go/aws/iam/policyAttachment.go
+++ b/sdk/go/aws/iam/policyAttachment.go
@@ -12,6 +12,16 @@ import (
 "github.com/pulumi/pulumi/sdk/v3/go/pulumi"
 )
+// Attaches a Managed IAM Policy to user(s), role(s), and/or group(s)
+//
+// !> **WARNING:** The iam.PolicyAttachment resource creates **exclusive** attachments of IAM policies. Across the entire AWS account, all of the users/roles/groups to which a single policy is attached must be declared by a single iam.PolicyAttachment resource. This means that even any users/roles/groups that have the attached policy via any other mechanism (including other resources managed by this provider) will have that attached policy revoked by this resource. Consider `iam.RolePolicyAttachment`, `iam.UserPolicyAttachment`, or `iam.GroupPolicyAttachment` instead. These resources do not enforce exclusive attachment of an IAM policy.
+//
+// > **NOTE:** The usage of this resource conflicts with the `iam.GroupPolicyAttachment`, `iam.RolePolicyAttachment`, and `iam.UserPolicyAttachment` resources and will permanently show a difference if both are defined.
+//
+// > **NOTE:** For a given role, this resource is incompatible with using the `iam.Role` resource `managedPolicyArns` argument. When using that argument and this resource, both will attempt to manage the role's managed policy attachments and the provider will show a permanent difference.
+//
+// > **NOTE:** To ensure Pulumi correctly manages dependencies during updates, use a reference to the IAM resource when defining the `policyArn` for `iam.PolicyAttachment`, rather than constructing the ARN directly. For example, use `policyArn = aws_iam_policy.example.arn` instead of `policyArn = "arn:aws:iam::${data.aws_caller_identity.current.account_id}:policy/Example"`. Failing to do so may lead to errors like `DeleteConflict: Cannot delete a policy attached to entities` or `NoSuchEntity`.
+//
 // ## Example Usage
 //
 // ```go
diff --git a/sdk/java/src/main/java/com/pulumi/aws/iam/PolicyAttachment.java b/sdk/java/src/main/java/com/pulumi/aws/iam/PolicyAttachment.java
index 79e2e69002d..f97081689dd 100644
--- a/sdk/java/src/main/java/com/pulumi/aws/iam/PolicyAttachment.java
+++ b/sdk/java/src/main/java/com/pulumi/aws/iam/PolicyAttachment.java
@@ -16,6 +16,16 @@ import javax.annotation.Nullable;
 /**
+ * Attaches a Managed IAM Policy to user(s), role(s), and/or group(s)
+ *
+ * !> **WARNING:** The aws.iam.PolicyAttachment resource creates **exclusive** attachments of IAM policies. Across the entire AWS account, all of the users/roles/groups to which a single policy is attached must be declared by a single aws.iam.PolicyAttachment resource. This means that even any users/roles/groups that have the attached policy via any other mechanism (including other resources managed by this provider) will have that attached policy revoked by this resource. Consider `aws.iam.RolePolicyAttachment`, `aws.iam.UserPolicyAttachment`, or `aws.iam.GroupPolicyAttachment` instead. These resources do not enforce exclusive attachment of an IAM policy.
+ *
+ * > **NOTE:** The usage of this resource conflicts with the `aws.iam.GroupPolicyAttachment`, `aws.iam.RolePolicyAttachment`, and `aws.iam.UserPolicyAttachment` resources and will permanently show a difference if both are defined.
+ *
+ * > **NOTE:** For a given role, this resource is incompatible with using the `aws.iam.Role` resource `managed_policy_arns` argument. When using that argument and this resource, both will attempt to manage the role's managed policy attachments and the provider will show a permanent difference.
+ *
+ * > **NOTE:** To ensure Pulumi correctly manages dependencies during updates, use a reference to the IAM resource when defining the `policy_arn` for `aws.iam.PolicyAttachment`, rather than constructing the ARN directly. For example, use `policy_arn = aws_iam_policy.example.arn` instead of `policy_arn = "arn:aws:iam::${data.aws_caller_identity.current.account_id}:policy/Example"`. Failing to do so may lead to errors like `DeleteConflict: Cannot delete a policy attached to entities` or `NoSuchEntity`.
+ *
 * ## Example Usage
 *
 * <!--Start PulumiCodeChooser -->
diff --git a/sdk/nodejs/iam/policyAttachment.ts b/sdk/nodejs/iam/policyAttachment.ts
index 4a1a1d88016..ead7b257a58 100644
--- a/sdk/nodejs/iam/policyAttachment.ts
+++ b/sdk/nodejs/iam/policyAttachment.ts
@@ -8,6 +8,16 @@ import {ARN} from "..";
 import {Group, Role, User} from "./index";
 /**
+ * Attaches a Managed IAM Policy to user(s), role(s), and/or group(s)
+ *
+ * !> **WARNING:** The aws.iam.PolicyAttachment resource creates **exclusive** attachments of IAM policies. Across the entire AWS account, all of the users/roles/groups to which a single policy is attached must be declared by a single aws.iam.PolicyAttachment resource. This means that even any users/roles/groups that have the attached policy via any other mechanism (including other resources managed by this provider) will have that attached policy revoked by this resource. Consider `aws.iam.RolePolicyAttachment`, `aws.iam.UserPolicyAttachment`, or `aws.iam.GroupPolicyAttachment` instead. These resources do not enforce exclusive attachment of an IAM policy.
+ *
+ * > **NOTE:** The usage of this resource conflicts with the `aws.iam.GroupPolicyAttachment`, `aws.iam.RolePolicyAttachment`, and `aws.iam.UserPolicyAttachment` resources and will permanently show a difference if both are defined.
+ *
+ * > **NOTE:** For a given role, this resource is incompatible with using the `aws.iam.Role` resource `managedPolicyArns` argument. When using that argument and this resource, both will attempt to manage the role's managed policy attachments and the provider will show a permanent difference.
+ *
+ * > **NOTE:** To ensure Pulumi correctly manages dependencies during updates, use a reference to the IAM resource when defining the `policyArn` for `aws.iam.PolicyAttachment`, rather than constructing the ARN directly. For example, use `policyArn = aws_iam_policy.example.arn` instead of `policyArn = "arn:aws:iam::${data.aws_caller_identity.current.account_id}:policy/Example"`. Failing to do so may lead to errors like `DeleteConflict: Cannot delete a policy attached to entities` or `NoSuchEntity`.
+ *
 * ## Example Usage
 *
 * ```typescript
diff --git a/sdk/python/pulumi_aws/iam/policy_attachment.py b/sdk/python/pulumi_aws/iam/policy_attachment.py
index a946f04e44d..1729e342c74 100644
--- a/sdk/python/pulumi_aws/iam/policy_attachment.py
+++ b/sdk/python/pulumi_aws/iam/policy_attachment.py
@@ -203,6 +203,16 @@ def __init__(__self__,
 users: Optional[pulumi.Input[Sequence[pulumi.Input[str]]]] = None,
 __props__=None):
 """
+ Attaches a Managed IAM Policy to user(s), role(s), and/or group(s)
+
+ !> **WARNING:** The iam.PolicyAttachment resource creates **exclusive** attachments of IAM policies. Across the entire AWS account, all of the users/roles/groups to which a single policy is attached must be declared by a single iam.PolicyAttachment resource. This means that even any users/roles/groups that have the attached policy via any other mechanism (including other resources managed by this provider) will have that attached policy revoked by this resource. Consider `iam.RolePolicyAttachment`, `iam.UserPolicyAttachment`, or `iam.GroupPolicyAttachment` instead. These resources do not enforce exclusive attachment of an IAM policy.
+
+ > **NOTE:** The usage of this resource conflicts with the `iam.GroupPolicyAttachment`, `iam.RolePolicyAttachment`, and `iam.UserPolicyAttachment` resources and will permanently show a difference if both are defined.
+
+ > **NOTE:** For a given role, this resource is incompatible with using the `iam.Role` resource `managed_policy_arns` argument. When using that argument and this resource, both will attempt to manage the role's managed policy attachments and the provider will show a permanent difference.
+
+ > **NOTE:** To ensure Pulumi correctly manages dependencies during updates, use a reference to the IAM resource when defining the `policy_arn` for `iam.PolicyAttachment`, rather than constructing the ARN directly. For example, use `policy_arn = aws_iam_policy.example.arn` instead of `policy_arn = "arn:aws:iam::${data.aws_caller_identity.current.account_id}:policy/Example"`. Failing to do so may lead to errors like `DeleteConflict: Cannot delete a policy attached to entities` or `NoSuchEntity`.
+
 ## Example Usage
 ```python
@@ -254,6 +264,16 @@ def __init__(__self__,
 args: PolicyAttachmentArgs,
 opts: Optional[pulumi.ResourceOptions] = None):
 """
+ Attaches a Managed IAM Policy to user(s), role(s), and/or group(s)
+
+ !> **WARNING:** The iam.PolicyAttachment resource creates **exclusive** attachments of IAM policies. Across the entire AWS account, all of the users/roles/groups to which a single policy is attached must be declared by a single iam.PolicyAttachment resource. This means that even any users/roles/groups that have the attached policy via any other mechanism (including other resources managed by this provider) will have that attached policy revoked by this resource. Consider `iam.RolePolicyAttachment`, `iam.UserPolicyAttachment`, or `iam.GroupPolicyAttachment` instead. These resources do not enforce exclusive attachment of an IAM policy.
+
+ > **NOTE:** The usage of this resource conflicts with the `iam.GroupPolicyAttachment`, `iam.RolePolicyAttachment`, and `iam.UserPolicyAttachment` resources and will permanently show a difference if both are defined.
+
+ > **NOTE:** For a given role, this resource is incompatible with using the `iam.Role` resource `managed_policy_arns` argument. When using that argument and this resource, both will attempt to manage the role's managed policy attachments and the provider will show a permanent difference.
+
+ > **NOTE:** To ensure Pulumi correctly manages dependencies during updates, use a reference to the IAM resource when defining the `policy_arn` for `iam.PolicyAttachment`, rather than constructing the ARN directly. For example, use `policy_arn = aws_iam_policy.example.arn` instead of `policy_arn = "arn:aws:iam::${data.aws_caller_identity.current.account_id}:policy/Example"`. Failing to do so may lead to errors like `DeleteConflict: Cannot delete a policy attached to entities` or `NoSuchEntity`.
+
 ## Example Usage
 ```python