
Add a check for managed_policy conflicts on aws.iam.Role #107

Merged
merged 8 commits into master from t0yv0/policy-checks
May 7, 2024

Conversation

t0yv0 (Member) commented Apr 22, 2024

AWS iam.Role has this NOTE:

// NOTE: If you use this resource’s managed_policy_arns argument or inline_policy configuration blocks, this resource
// will take over exclusive management of the role's respective policy types (e.g., both policy types if both arguments
// are used). These arguments are incompatible with other ways of managing a role's policies, such as
// aws.iam.PolicyAttachment, aws.iam.RolePolicyAttachment, and aws.iam.RolePolicy. If you attempt to manage a role’s
// policies by multiple means, you will get resource cycling and/or errors.

This change adds a check to pulumi-policy-aws against usages that violate the recommendation of this NOTE.

@t0yv0 t0yv0 requested a review from justinvp April 22, 2024 19:35
@t0yv0 t0yv0 requested review from corymhall and flostadler May 6, 2024 21:54
t0yv0 (Member, Author) commented May 6, 2024

@flostadler you were right about the check not working across stacks. If I define a role in Stack 1 with managedPolicyArns and I use it from Stack 2 to add a RolePolicyAttachment, the problem is not detected.
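The check described in the PR description, and the cross-stack limitation noted in the comment above, as an added stand-alone example. This is not the pulumi-policy-aws implementation from this PR: the `StackResource` record shape, the `findRolePolicyConflicts` function, and the rule that an attachment is matched to a role by IAM role name or ARN are assumptions; the Pulumi AWS type tokens (`aws:iam/role:Role` and the others) are the provider's as I know them, and the sample stacks are constructed. Per the provider NOTE, `managedPolicyArns` claims exclusive management of managed-policy attachments and `inlinePolicies` of inline policies, so each external resource is checked only against the policy type it manages.

```typescript
// Added example, not the project's own code. Models the conflict check
// over a plain list of resource records such as a Pulumi stack validation
// policy would see. Record shape and matching rules are assumptions.

type Props = Record<string, unknown>;

interface StackResource {
  type: string;  // Pulumi type token
  name: string;  // logical resource name in the stack
  props: Props;  // resolved inputs/outputs
}

const ROLE = "aws:iam/role:Role";
const ROLE_POLICY_ATTACHMENT = "aws:iam/rolePolicyAttachment:RolePolicyAttachment";
const ROLE_POLICY = "aws:iam/rolePolicy:RolePolicy";
const POLICY_ATTACHMENT = "aws:iam/policyAttachment:PolicyAttachment";

interface Conflict {
  role: string;             // logical name of the Role resource
  exclusiveVia: string;     // "managedPolicyArns" | "inlinePolicies"
  conflictingType: string;  // type token of the competing resource
  conflictingName: string;  // logical name of the competing resource
}

// Policy types a Role takes exclusive management of. An empty array still
// counts: using the argument at all claims exclusivity (conservative reading).
function exclusiveManagement(props: Props): string[] {
  const out: string[] = [];
  if (Array.isArray(props.managedPolicyArns)) out.push("managedPolicyArns");
  if (Array.isArray(props.inlinePolicies)) out.push("inlinePolicies");
  return out;
}

// Which policy type an external resource manages, and which role(s) it targets.
function targets(r: StackResource): { policyType: string; roles: string[] } | undefined {
  switch (r.type) {
    case ROLE_POLICY_ATTACHMENT:
      return { policyType: "managedPolicyArns", roles: [String(r.props.role)] };
    case POLICY_ATTACHMENT: {
      const roles = (r.props.roles as unknown[] | undefined) ?? [];
      return { policyType: "managedPolicyArns", roles: roles.map(String) };
    }
    case ROLE_POLICY:
      return { policyType: "inlinePolicies", roles: [String(r.props.role)] };
    default:
      return undefined;
  }
}

function findRolePolicyConflicts(resources: StackResource[]): Conflict[] {
  // Index roles by the identifiers an attachment may use to refer to them.
  const rolesByRef = new Map<string, StackResource>();
  for (const r of resources) {
    if (r.type !== ROLE) continue;
    for (const ref of [r.props.name, r.props.arn]) {
      if (typeof ref === "string") rolesByRef.set(ref, r);
    }
  }
  const conflicts: Conflict[] = [];
  for (const r of resources) {
    const t = targets(r);
    if (!t) continue;
    for (const ref of t.roles) {
      const role = rolesByRef.get(ref);
      // A role defined in another stack is not in `resources`, so it is never
      // found here: this is the cross-stack gap noted in the PR comment.
      if (!role) continue;
      if (exclusiveManagement(role.props).includes(t.policyType)) {
        conflicts.push({ role: role.name, exclusiveVia: t.policyType,
                         conflictingType: r.type, conflictingName: r.name });
      }
    }
  }
  return conflicts;
}

// Constructed sample stack: "app" claims both policy types, "other" claims none.
const APP_ARN = "arn:aws:iam::123456789012:role/app-role";
const sampleStack: StackResource[] = [
  { type: ROLE, name: "app", props: { name: "app-role", arn: APP_ARN,
      managedPolicyArns: ["arn:aws:iam::aws:policy/ReadOnlyAccess"],
      inlinePolicies: [{ name: "inline", policy: "{}" }] } },
  { type: ROLE, name: "other", props: { name: "other-role",
      arn: "arn:aws:iam::123456789012:role/other-role" } },
  { type: ROLE_POLICY_ATTACHMENT, name: "app-extra", props: { role: "app-role" } },   // conflict
  { type: ROLE_POLICY, name: "app-inline", props: { role: APP_ARN } },                // conflict
  { type: POLICY_ATTACHMENT, name: "shared", props: { roles: ["app-role", "other-role"] } }, // 1 conflict
  { type: ROLE_POLICY_ATTACHMENT, name: "other-extra", props: { role: "other-role" } },  // fine
];

// Constructed "Stack 2": only the attachment, referring to a role owned by Stack 1.
const crossStackOnly: StackResource[] = [
  { type: ROLE_POLICY_ATTACHMENT, name: "from-stack-2", props: { role: "app-role" } },
];

console.log(findRolePolicyConflicts(sampleStack));    // three conflicts, all on "app"
console.log(findRolePolicyConflicts(crossStackOnly)); // [] (undetected cross-stack case)
```

Wiring this into a real policy pack would mean running the same scan from a `StackValidationPolicy` in `@pulumi/policy` and calling `reportViolation` per conflict (assumed integration, not shown). The empty result for `crossStackOnly` is the point of the second comment: a stack-level check can only correlate resources it can see, so a `RolePolicyAttachment` created elsewhere against a role with `managedPolicyArns` still slips through.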

@t0yv0 t0yv0 merged commit f97308c into master May 7, 2024
5 checks passed
@t0yv0 t0yv0 deleted the t0yv0/policy-checks branch May 7, 2024 13:17
@t0yv0 t0yv0 mentioned this pull request May 24, 2024