diff --git a/docs/resource/aws_iam_role_policies_exclusive.md b/docs/resource/aws_iam_role_policies_exclusive.md
new file mode 100644
index 00000000000..aafd90014c3
--- /dev/null
+++ b/docs/resource/aws_iam_role_policies_exclusive.md
@@ -0,0 +1,52 @@
+---
+subcategory: "IAM (Identity & Access Management)"
+layout: "aws"
+page_title: "AWS: aws_iam_role_policies_exclusive"
+description: |-
+ Pulumi resource for maintaining exclusive management of inline policies assigned to an AWS IAM (Identity & Access Management) role.
+---
+
+# Resource: aws_iam_role_policies_exclusive
+
+Pulumi resource for maintaining exclusive management of inline policies assigned to an AWS IAM (Identity & Access Management) role.
+
+-> **NOTE:** To reliably detect drift between customer managed inline policies listed in this resource and actual policies attached to the role in the cloud, you currently need to run Pulumi with `pulumi up --refresh`. See [#4766](https://github.com/pulumi/pulumi-aws/issues/4766) for tracking making this work with regular `pulumi up` invocations.
+
+!> This resource takes exclusive ownership over inline policies assigned to a role. This includes removal of inline policies which are not explicitly configured. To prevent persistent drift, ensure any `aws_iam_role_policy` resources managed alongside this resource are included in the `policy_names` argument.
+
+~> Destruction of this resource means Pulumi will no longer manage reconciliation of the configured inline policy assignments. It __will not__ delete the configured policies from the role.
+
+## Example Usage
+
+### Basic Usage
+
+```terraform
+resource "aws_iam_role_policies_exclusive" "example" {
+ role_name = aws_iam_role.example.name
+ policy_names = [aws_iam_role_policy.example.name]
+}
+```
+
+### Disallow Inline Policies
+
+To automatically remove any configured inline policies, set the `policy_names` argument to an empty list.
+
+~> This will not __prevent__ inline policies from being assigned to a role via Pulumi (or any other interface). This resource enables bringing inline policy assignments into a configured state, however, this reconciliation happens only when `apply` is proactively run.
+
+```terraform
+resource "aws_iam_role_policies_exclusive" "example" {
+ role_name = aws_iam_role.example.name
+ policy_names = []
+}
+```
+
+## Argument Reference
+
+The following arguments are required:
+
+* `role_name` - (Required) IAM role name.
+* `policy_names` - (Required) A list of inline policy names to be assigned to the role. Policies attached to this role but not configured in this argument will be removed.
+
+## Attribute Reference
+
+This resource exports no additional attributes.
diff --git a/docs/resource/aws_iam_role_policy_attachments_exclusive.md b/docs/resource/aws_iam_role_policy_attachments_exclusive.md
new file mode 100644
index 00000000000..596755543cc
--- /dev/null
+++ b/docs/resource/aws_iam_role_policy_attachments_exclusive.md
@@ -0,0 +1,51 @@
+---
+subcategory: "IAM (Identity & Access Management)"
+layout: "aws"
+description: |-
+ Pulumi resource for maintaining exclusive management of customer managed policies assigned to an AWS IAM (Identity & Access Management) role.
+---
+
+# Resource: aws.iam.RolePolicyAttachmentsExclusive
+
+Pulumi resource for maintaining exclusive management of customer managed policies assigned to an AWS IAM (Identity & Access Management) role.
+
+-> **NOTE:** To reliably detect drift between customer managed policies listed in this resource and actual policies attached to the role in the cloud, you currently need to run Pulumi with `pulumi up --refresh`. See [#4766](https://github.com/pulumi/pulumi-aws/issues/4766) for tracking making this work with regular `pulumi up` invocations.
+
+!> This resource takes exclusive ownership over customer managed policies attached to a role. This includes removal of customer managed policies which are not explicitly configured. To prevent persistent drift, ensure any `aws_iam_role_policy_attachment` resources managed alongside this resource are included in the `policy_arns` argument.
+
+~> Destruction of this resource means Pulumi will no longer manage reconciliation of the configured policy attachments. It __will not__ detach the configured policies from the role.
+
+## Example Usage
+
+### Basic Usage
+
+```terraform
+resource "aws_iam_role_policy_attachments_exclusive" "example" {
+ role_name = aws_iam_role.example.name
+ policy_arns = [aws_iam_policy.example.arn]
+}
+```
+
+### Disallow Customer Managed Policies
+
+To automatically remove any configured customer managed policies, set the `policy_arns` argument to an empty list.
+
+~> This will not __prevent__ customer managed policies from being assigned to a role via Pulumi (or any other interface). This resource enables bringing customer managed policy assignments into a configured state, however, this reconciliation happens only when `apply` is proactively run.
+
+```terraform
+resource "aws_iam_role_policy_attachments_exclusive" "example" {
+ role_name = aws_iam_role.example.name
+ policy_arns = []
+}
+```
+
+## Argument Reference
+
+The following arguments are required:
+
+* `role_name` - (Required) IAM role name.
+* `policy_arns` - (Required) A list of customer managed policy ARNs to be attached to the role. Policies attached to this role but not configured in this argument will be removed.
+
+## Attribute Reference
+
+This resource exports no additional attributes.
diff --git a/provider/cmd/pulumi-resource-aws/schema-minimal.json b/provider/cmd/pulumi-resource-aws/schema-minimal.json
index 320c90c5d31..d144a51bf9f 100644
--- a/provider/cmd/pulumi-resource-aws/schema-minimal.json
+++ b/provider/cmd/pulumi-resource-aws/schema-minimal.json
@@ -278809,7 +278809,7 @@
}
},
"aws:iam/rolePolicyAttachmentsExclusive:RolePolicyAttachmentsExclusive": {
- "description": "\n\n## Import\n\nUsing `pulumi import`, import exclusive management of customer managed policy assignments using the `role_name`. For example:\n\n```sh\n$ pulumi import aws:iam/rolePolicyAttachmentsExclusive:RolePolicyAttachmentsExclusive example MyRole\n```\n",
+ "description": "Pulumi resource for maintaining exclusive management of customer managed policies assigned to an AWS IAM (Identity \u0026 Access Management) role.\n\n\u003e **NOTE:** To reliably detect drift between customer managed policies listed in this resource and actual policies attached to the role in the cloud, you currently need to run Pulumi with `pulumi up --refresh`. See [#4766](https://github.com/pulumi/pulumi-aws/issues/4766) for tracking making this work with regular `pulumi up` invocations.\n\n!\u003e This resource takes exclusive ownership over customer managed policies attached to a role. This includes removal of customer managed policies which are not explicitly configured. To prevent persistent drift, ensure any `aws.iam.RolePolicyAttachment` resources managed alongside this resource are included in the `policy_arns` argument.\n\n\u003e Destruction of this resource means Pulumi will no longer manage reconciliation of the configured policy attachments. It __will not__ detach the configured policies from the role.\n\n## Example Usage\n\n### Basic Usage\n\n\u003c!--Start PulumiCodeChooser --\u003e\n```typescript\nimport * as pulumi from \"@pulumi/pulumi\";\nimport * as aws from \"@pulumi/aws\";\n\nconst example = new aws.iam.RolePolicyAttachmentsExclusive(\"example\", {\n roleName: exampleAwsIamRole.name,\n policyArns: [exampleAwsIamPolicy.arn],\n});\n```\n```python\nimport pulumi\nimport pulumi_aws as aws\n\nexample = aws.iam.RolePolicyAttachmentsExclusive(\"example\",\n role_name=example_aws_iam_role[\"name\"],\n policy_arns=[example_aws_iam_policy[\"arn\"]])\n```\n```csharp\nusing System.Collections.Generic;\nusing System.Linq;\nusing Pulumi;\nusing Aws = Pulumi.Aws;\n\nreturn await Deployment.RunAsync(() =\u003e \n{\n var example = new Aws.Iam.RolePolicyAttachmentsExclusive(\"example\", new()\n {\n RoleName = exampleAwsIamRole.Name,\n PolicyArns = new[]\n {\n exampleAwsIamPolicy.Arn,\n },\n });\n\n});\n```\n```go\npackage main\n\nimport (\n\t\"github.com/pulumi/pulumi-aws/sdk/v6/go/aws/iam\"\n\t\"github.com/pulumi/pulumi/sdk/v3/go/pulumi\"\n)\n\nfunc main() {\n\tpulumi.Run(func(ctx *pulumi.Context) error {\n\t\t_, err := iam.NewRolePolicyAttachmentsExclusive(ctx, \"example\", \u0026iam.RolePolicyAttachmentsExclusiveArgs{\n\t\t\tRoleName: pulumi.Any(exampleAwsIamRole.Name),\n\t\t\tPolicyArns: pulumi.StringArray{\n\t\t\t\texampleAwsIamPolicy.Arn,\n\t\t\t},\n\t\t})\n\t\tif err != nil {\n\t\t\treturn err\n\t\t}\n\t\treturn nil\n\t})\n}\n```\n```java\npackage generated_program;\n\nimport com.pulumi.Context;\nimport com.pulumi.Pulumi;\nimport com.pulumi.core.Output;\nimport com.pulumi.aws.iam.RolePolicyAttachmentsExclusive;\nimport com.pulumi.aws.iam.RolePolicyAttachmentsExclusiveArgs;\nimport java.util.List;\nimport java.util.ArrayList;\nimport java.util.Map;\nimport java.io.File;\nimport java.nio.file.Files;\nimport java.nio.file.Paths;\n\npublic class App {\n public static void main(String[] args) {\n Pulumi.run(App::stack);\n }\n\n public static void stack(Context ctx) {\n var example = new RolePolicyAttachmentsExclusive(\"example\", RolePolicyAttachmentsExclusiveArgs.builder()\n .roleName(exampleAwsIamRole.name())\n .policyArns(exampleAwsIamPolicy.arn())\n .build());\n\n }\n}\n```\n```yaml\nresources:\n example:\n type: aws:iam:RolePolicyAttachmentsExclusive\n properties:\n roleName: ${exampleAwsIamRole.name}\n policyArns:\n - ${exampleAwsIamPolicy.arn}\n```\n\u003c!--End PulumiCodeChooser --\u003e\n\n### Disallow Customer Managed Policies\n\nTo automatically remove any configured customer managed policies, set the `policy_arns` argument to an empty list.\n\n\u003e This will not __prevent__ customer managed policies from being assigned to a role via Pulumi (or any other interface). This resource enables bringing customer managed policy assignments into a configured state, however, this reconciliation happens only when `apply` is proactively run.\n\n\u003c!--Start PulumiCodeChooser --\u003e\n```typescript\nimport * as pulumi from \"@pulumi/pulumi\";\nimport * as aws from \"@pulumi/aws\";\n\nconst example = new aws.iam.RolePolicyAttachmentsExclusive(\"example\", {\n roleName: exampleAwsIamRole.name,\n policyArns: [],\n});\n```\n```python\nimport pulumi\nimport pulumi_aws as aws\n\nexample = aws.iam.RolePolicyAttachmentsExclusive(\"example\",\n role_name=example_aws_iam_role[\"name\"],\n policy_arns=[])\n```\n```csharp\nusing System.Collections.Generic;\nusing System.Linq;\nusing Pulumi;\nusing Aws = Pulumi.Aws;\n\nreturn await Deployment.RunAsync(() =\u003e \n{\n var example = new Aws.Iam.RolePolicyAttachmentsExclusive(\"example\", new()\n {\n RoleName = exampleAwsIamRole.Name,\n PolicyArns = new[] {},\n });\n\n});\n```\n```go\npackage main\n\nimport (\n\t\"github.com/pulumi/pulumi-aws/sdk/v6/go/aws/iam\"\n\t\"github.com/pulumi/pulumi/sdk/v3/go/pulumi\"\n)\n\nfunc main() {\n\tpulumi.Run(func(ctx *pulumi.Context) error {\n\t\t_, err := iam.NewRolePolicyAttachmentsExclusive(ctx, \"example\", \u0026iam.RolePolicyAttachmentsExclusiveArgs{\n\t\t\tRoleName: pulumi.Any(exampleAwsIamRole.Name),\n\t\t\tPolicyArns: pulumi.StringArray{},\n\t\t})\n\t\tif err != nil {\n\t\t\treturn err\n\t\t}\n\t\treturn nil\n\t})\n}\n```\n```java\npackage generated_program;\n\nimport com.pulumi.Context;\nimport com.pulumi.Pulumi;\nimport com.pulumi.core.Output;\nimport com.pulumi.aws.iam.RolePolicyAttachmentsExclusive;\nimport com.pulumi.aws.iam.RolePolicyAttachmentsExclusiveArgs;\nimport java.util.List;\nimport java.util.ArrayList;\nimport java.util.Map;\nimport java.io.File;\nimport java.nio.file.Files;\nimport java.nio.file.Paths;\n\npublic class App {\n public static void main(String[] args) {\n Pulumi.run(App::stack);\n }\n\n public static void stack(Context ctx) {\n var example = new RolePolicyAttachmentsExclusive(\"example\", RolePolicyAttachmentsExclusiveArgs.builder()\n .roleName(exampleAwsIamRole.name())\n .policyArns()\n .build());\n\n }\n}\n```\n```yaml\nresources:\n example:\n type: aws:iam:RolePolicyAttachmentsExclusive\n properties:\n roleName: ${exampleAwsIamRole.name}\n policyArns: []\n```\n\u003c!--End PulumiCodeChooser --\u003e\n",
"properties": {
"policyArns": {
"type": "array",
diff --git a/provider/cmd/pulumi-resource-aws/schema.json b/provider/cmd/pulumi-resource-aws/schema.json
index 2c391b00048..428c671a97e 100644
--- a/provider/cmd/pulumi-resource-aws/schema.json
+++ b/provider/cmd/pulumi-resource-aws/schema.json
@@ -279355,7 +279355,7 @@
}
},
"aws:iam/rolePoliciesExclusive:RolePoliciesExclusive": {
- "description": "\n\n## Import\n\nUsing `pulumi import`, import exclusive management of inline policy assignments using the `role_name`. For example:\n\n```sh\n$ pulumi import aws:iam/rolePoliciesExclusive:RolePoliciesExclusive example MyRole\n```\n",
+ "description": "Pulumi resource for maintaining exclusive management of inline policies assigned to an AWS IAM (Identity \u0026 Access Management) role.\n\n\u003e **NOTE:** To reliably detect drift between customer managed inline policies listed in this resource and actual policies attached to the role in the cloud, you currently need to run Pulumi with `pulumi up --refresh`. See [#4766](https://github.com/pulumi/pulumi-aws/issues/4766) for tracking making this work with regular `pulumi up` invocations.\n\n!\u003e This resource takes exclusive ownership over inline policies assigned to a role. This includes removal of inline policies which are not explicitly configured. To prevent persistent drift, ensure any `aws.iam.RolePolicy` resources managed alongside this resource are included in the `policy_names` argument.\n\n\u003e Destruction of this resource means Pulumi will no longer manage reconciliation of the configured inline policy assignments. It __will not__ delete the configured policies from the role.\n\n## Example Usage\n\n### Basic Usage\n\n\u003c!--Start PulumiCodeChooser --\u003e\n```typescript\nimport * as pulumi from \"@pulumi/pulumi\";\nimport * as aws from \"@pulumi/aws\";\n\nconst example = new aws.iam.RolePoliciesExclusive(\"example\", {\n roleName: exampleAwsIamRole.name,\n policyNames: [exampleAwsIamRolePolicy.name],\n});\n```\n```python\nimport pulumi\nimport pulumi_aws as aws\n\nexample = aws.iam.RolePoliciesExclusive(\"example\",\n role_name=example_aws_iam_role[\"name\"],\n policy_names=[example_aws_iam_role_policy[\"name\"]])\n```\n```csharp\nusing System.Collections.Generic;\nusing System.Linq;\nusing Pulumi;\nusing Aws = Pulumi.Aws;\n\nreturn await Deployment.RunAsync(() =\u003e \n{\n var example = new Aws.Iam.RolePoliciesExclusive(\"example\", new()\n {\n RoleName = exampleAwsIamRole.Name,\n PolicyNames = new[]\n {\n exampleAwsIamRolePolicy.Name,\n },\n });\n\n});\n```\n```go\npackage main\n\nimport (\n\t\"github.com/pulumi/pulumi-aws/sdk/v6/go/aws/iam\"\n\t\"github.com/pulumi/pulumi/sdk/v3/go/pulumi\"\n)\n\nfunc main() {\n\tpulumi.Run(func(ctx *pulumi.Context) error {\n\t\t_, err := iam.NewRolePoliciesExclusive(ctx, \"example\", \u0026iam.RolePoliciesExclusiveArgs{\n\t\t\tRoleName: pulumi.Any(exampleAwsIamRole.Name),\n\t\t\tPolicyNames: pulumi.StringArray{\n\t\t\t\texampleAwsIamRolePolicy.Name,\n\t\t\t},\n\t\t})\n\t\tif err != nil {\n\t\t\treturn err\n\t\t}\n\t\treturn nil\n\t})\n}\n```\n```java\npackage generated_program;\n\nimport com.pulumi.Context;\nimport com.pulumi.Pulumi;\nimport com.pulumi.core.Output;\nimport com.pulumi.aws.iam.RolePoliciesExclusive;\nimport com.pulumi.aws.iam.RolePoliciesExclusiveArgs;\nimport java.util.List;\nimport java.util.ArrayList;\nimport java.util.Map;\nimport java.io.File;\nimport java.nio.file.Files;\nimport java.nio.file.Paths;\n\npublic class App {\n public static void main(String[] args) {\n Pulumi.run(App::stack);\n }\n\n public static void stack(Context ctx) {\n var example = new RolePoliciesExclusive(\"example\", RolePoliciesExclusiveArgs.builder()\n .roleName(exampleAwsIamRole.name())\n .policyNames(exampleAwsIamRolePolicy.name())\n .build());\n\n }\n}\n```\n```yaml\nresources:\n example:\n type: aws:iam:RolePoliciesExclusive\n properties:\n roleName: ${exampleAwsIamRole.name}\n policyNames:\n - ${exampleAwsIamRolePolicy.name}\n```\n\u003c!--End PulumiCodeChooser --\u003e\n\n### Disallow Inline Policies\n\nTo automatically remove any configured inline policies, set the `policy_names` argument to an empty list.\n\n\u003e This will not __prevent__ inline policies from being assigned to a role via Pulumi (or any other interface). This resource enables bringing inline policy assignments into a configured state, however, this reconciliation happens only when `apply` is proactively run.\n\n\u003c!--Start PulumiCodeChooser --\u003e\n```typescript\nimport * as pulumi from \"@pulumi/pulumi\";\nimport * as aws from \"@pulumi/aws\";\n\nconst example = new aws.iam.RolePoliciesExclusive(\"example\", {\n roleName: exampleAwsIamRole.name,\n policyNames: [],\n});\n```\n```python\nimport pulumi\nimport pulumi_aws as aws\n\nexample = aws.iam.RolePoliciesExclusive(\"example\",\n role_name=example_aws_iam_role[\"name\"],\n policy_names=[])\n```\n```csharp\nusing System.Collections.Generic;\nusing System.Linq;\nusing Pulumi;\nusing Aws = Pulumi.Aws;\n\nreturn await Deployment.RunAsync(() =\u003e \n{\n var example = new Aws.Iam.RolePoliciesExclusive(\"example\", new()\n {\n RoleName = exampleAwsIamRole.Name,\n PolicyNames = new[] {},\n });\n\n});\n```\n```go\npackage main\n\nimport (\n\t\"github.com/pulumi/pulumi-aws/sdk/v6/go/aws/iam\"\n\t\"github.com/pulumi/pulumi/sdk/v3/go/pulumi\"\n)\n\nfunc main() {\n\tpulumi.Run(func(ctx *pulumi.Context) error {\n\t\t_, err := iam.NewRolePoliciesExclusive(ctx, \"example\", \u0026iam.RolePoliciesExclusiveArgs{\n\t\t\tRoleName: pulumi.Any(exampleAwsIamRole.Name),\n\t\t\tPolicyNames: pulumi.StringArray{},\n\t\t})\n\t\tif err != nil {\n\t\t\treturn err\n\t\t}\n\t\treturn nil\n\t})\n}\n```\n```java\npackage generated_program;\n\nimport com.pulumi.Context;\nimport com.pulumi.Pulumi;\nimport com.pulumi.core.Output;\nimport com.pulumi.aws.iam.RolePoliciesExclusive;\nimport com.pulumi.aws.iam.RolePoliciesExclusiveArgs;\nimport java.util.List;\nimport java.util.ArrayList;\nimport java.util.Map;\nimport java.io.File;\nimport java.nio.file.Files;\nimport java.nio.file.Paths;\n\npublic class App {\n public static void main(String[] args) {\n Pulumi.run(App::stack);\n }\n\n public static void stack(Context ctx) {\n var example = new RolePoliciesExclusive(\"example\", RolePoliciesExclusiveArgs.builder()\n .roleName(exampleAwsIamRole.name())\n .policyNames()\n .build());\n\n }\n}\n```\n```yaml\nresources:\n example:\n type: aws:iam:RolePoliciesExclusive\n properties:\n roleName: ${exampleAwsIamRole.name}\n policyNames: []\n```\n\u003c!--End PulumiCodeChooser --\u003e\n",
"properties": {
"policyNames": {
"type": "array",
@@ -279592,7 +279592,7 @@
}
},
"aws:iam/rolePolicyAttachmentsExclusive:RolePolicyAttachmentsExclusive": {
- "description": "\n\n## Import\n\nUsing `pulumi import`, import exclusive management of customer managed policy assignments using the `role_name`. For example:\n\n```sh\n$ pulumi import aws:iam/rolePolicyAttachmentsExclusive:RolePolicyAttachmentsExclusive example MyRole\n```\n",
+ "description": "Pulumi resource for maintaining exclusive management of customer managed policies assigned to an AWS IAM (Identity \u0026 Access Management) role.\n\n\u003e **NOTE:** To reliably detect drift between customer managed policies listed in this resource and actual policies attached to the role in the cloud, you currently need to run Pulumi with `pulumi up --refresh`. See [#4766](https://github.com/pulumi/pulumi-aws/issues/4766) for tracking making this work with regular `pulumi up` invocations.\n\n!\u003e This resource takes exclusive ownership over customer managed policies attached to a role. This includes removal of customer managed policies which are not explicitly configured. To prevent persistent drift, ensure any `aws.iam.RolePolicyAttachment` resources managed alongside this resource are included in the `policy_arns` argument.\n\n\u003e Destruction of this resource means Pulumi will no longer manage reconciliation of the configured policy attachments. It __will not__ detach the configured policies from the role.\n\n## Example Usage\n\n### Basic Usage\n\n\u003c!--Start PulumiCodeChooser --\u003e\n```typescript\nimport * as pulumi from \"@pulumi/pulumi\";\nimport * as aws from \"@pulumi/aws\";\n\nconst example = new aws.iam.RolePolicyAttachmentsExclusive(\"example\", {\n roleName: exampleAwsIamRole.name,\n policyArns: [exampleAwsIamPolicy.arn],\n});\n```\n```python\nimport pulumi\nimport pulumi_aws as aws\n\nexample = aws.iam.RolePolicyAttachmentsExclusive(\"example\",\n role_name=example_aws_iam_role[\"name\"],\n policy_arns=[example_aws_iam_policy[\"arn\"]])\n```\n```csharp\nusing System.Collections.Generic;\nusing System.Linq;\nusing Pulumi;\nusing Aws = Pulumi.Aws;\n\nreturn await Deployment.RunAsync(() =\u003e \n{\n var example = new Aws.Iam.RolePolicyAttachmentsExclusive(\"example\", new()\n {\n RoleName = exampleAwsIamRole.Name,\n PolicyArns = new[]\n {\n exampleAwsIamPolicy.Arn,\n },\n });\n\n});\n```\n```go\npackage main\n\nimport (\n\t\"github.com/pulumi/pulumi-aws/sdk/v6/go/aws/iam\"\n\t\"github.com/pulumi/pulumi/sdk/v3/go/pulumi\"\n)\n\nfunc main() {\n\tpulumi.Run(func(ctx *pulumi.Context) error {\n\t\t_, err := iam.NewRolePolicyAttachmentsExclusive(ctx, \"example\", \u0026iam.RolePolicyAttachmentsExclusiveArgs{\n\t\t\tRoleName: pulumi.Any(exampleAwsIamRole.Name),\n\t\t\tPolicyArns: pulumi.StringArray{\n\t\t\t\texampleAwsIamPolicy.Arn,\n\t\t\t},\n\t\t})\n\t\tif err != nil {\n\t\t\treturn err\n\t\t}\n\t\treturn nil\n\t})\n}\n```\n```java\npackage generated_program;\n\nimport com.pulumi.Context;\nimport com.pulumi.Pulumi;\nimport com.pulumi.core.Output;\nimport com.pulumi.aws.iam.RolePolicyAttachmentsExclusive;\nimport com.pulumi.aws.iam.RolePolicyAttachmentsExclusiveArgs;\nimport java.util.List;\nimport java.util.ArrayList;\nimport java.util.Map;\nimport java.io.File;\nimport java.nio.file.Files;\nimport java.nio.file.Paths;\n\npublic class App {\n public static void main(String[] args) {\n Pulumi.run(App::stack);\n }\n\n public static void stack(Context ctx) {\n var example = new RolePolicyAttachmentsExclusive(\"example\", RolePolicyAttachmentsExclusiveArgs.builder()\n .roleName(exampleAwsIamRole.name())\n .policyArns(exampleAwsIamPolicy.arn())\n .build());\n\n }\n}\n```\n```yaml\nresources:\n example:\n type: aws:iam:RolePolicyAttachmentsExclusive\n properties:\n roleName: ${exampleAwsIamRole.name}\n policyArns:\n - ${exampleAwsIamPolicy.arn}\n```\n\u003c!--End PulumiCodeChooser --\u003e\n\n### Disallow Customer Managed Policies\n\nTo automatically remove any configured customer managed policies, set the `policy_arns` argument to an empty list.\n\n\u003e This will not __prevent__ customer managed policies from being assigned to a role via Pulumi (or any other interface). This resource enables bringing customer managed policy assignments into a configured state, however, this reconciliation happens only when `apply` is proactively run.\n\n\u003c!--Start PulumiCodeChooser --\u003e\n```typescript\nimport * as pulumi from \"@pulumi/pulumi\";\nimport * as aws from \"@pulumi/aws\";\n\nconst example = new aws.iam.RolePolicyAttachmentsExclusive(\"example\", {\n roleName: exampleAwsIamRole.name,\n policyArns: [],\n});\n```\n```python\nimport pulumi\nimport pulumi_aws as aws\n\nexample = aws.iam.RolePolicyAttachmentsExclusive(\"example\",\n role_name=example_aws_iam_role[\"name\"],\n policy_arns=[])\n```\n```csharp\nusing System.Collections.Generic;\nusing System.Linq;\nusing Pulumi;\nusing Aws = Pulumi.Aws;\n\nreturn await Deployment.RunAsync(() =\u003e \n{\n var example = new Aws.Iam.RolePolicyAttachmentsExclusive(\"example\", new()\n {\n RoleName = exampleAwsIamRole.Name,\n PolicyArns = new[] {},\n });\n\n});\n```\n```go\npackage main\n\nimport (\n\t\"github.com/pulumi/pulumi-aws/sdk/v6/go/aws/iam\"\n\t\"github.com/pulumi/pulumi/sdk/v3/go/pulumi\"\n)\n\nfunc main() {\n\tpulumi.Run(func(ctx *pulumi.Context) error {\n\t\t_, err := iam.NewRolePolicyAttachmentsExclusive(ctx, \"example\", \u0026iam.RolePolicyAttachmentsExclusiveArgs{\n\t\t\tRoleName: pulumi.Any(exampleAwsIamRole.Name),\n\t\t\tPolicyArns: pulumi.StringArray{},\n\t\t})\n\t\tif err != nil {\n\t\t\treturn err\n\t\t}\n\t\treturn nil\n\t})\n}\n```\n```java\npackage generated_program;\n\nimport com.pulumi.Context;\nimport com.pulumi.Pulumi;\nimport com.pulumi.core.Output;\nimport com.pulumi.aws.iam.RolePolicyAttachmentsExclusive;\nimport com.pulumi.aws.iam.RolePolicyAttachmentsExclusiveArgs;\nimport java.util.List;\nimport java.util.ArrayList;\nimport java.util.Map;\nimport java.io.File;\nimport java.nio.file.Files;\nimport java.nio.file.Paths;\n\npublic class App {\n public static void main(String[] args) {\n Pulumi.run(App::stack);\n }\n\n public static void stack(Context ctx) {\n var example = new RolePolicyAttachmentsExclusive(\"example\", RolePolicyAttachmentsExclusiveArgs.builder()\n .roleName(exampleAwsIamRole.name())\n .policyArns()\n .build());\n\n }\n}\n```\n```yaml\nresources:\n example:\n type: aws:iam:RolePolicyAttachmentsExclusive\n properties:\n roleName: ${exampleAwsIamRole.name}\n policyArns: []\n```\n\u003c!--End PulumiCodeChooser --\u003e\n",
"properties": {
"policyArns": {
"type": "array",
diff --git a/provider/resources.go b/provider/resources.go
index c33d30afc98..9a770134410 100644
--- a/provider/resources.go
+++ b/provider/resources.go
@@ -2574,6 +2574,18 @@ compatibility shim in favor of the new "name" field.`)
// deletes the same attachment we just created, since it is structurally equivalent!
DeleteBeforeReplace: true,
},
+ "aws_iam_role_policies_exclusive": {
+ Tok: awsResource(iamMod, "RolePoliciesExclusive"),
+ Docs: &info.Doc{
+ Markdown: maybeReadFile("docs/resource/aws_iam_role_policies_exclusive.md"),
+ },
+ },
+ "aws_iam_role_policy_attachments_exclusive": {
+ Tok: awsResource(iamMod, "RolePolicyAttachmentsExclusive"),
+ Docs: &info.Doc{
+ Markdown: maybeReadFile("docs/resource/aws_iam_role_policy_attachments_exclusive.md"),
+ },
+ },
"aws_iam_role_policy": {
Tok: awsResource(iamMod, "RolePolicy"),
Fields: map[string]*tfbridge.SchemaInfo{
diff --git a/sdk/dotnet/Iam/RolePoliciesExclusive.cs b/sdk/dotnet/Iam/RolePoliciesExclusive.cs
index 5be1affb1c5..3b12185ffc2 100644
--- a/sdk/dotnet/Iam/RolePoliciesExclusive.cs
+++ b/sdk/dotnet/Iam/RolePoliciesExclusive.cs
@@ -10,12 +10,59 @@
namespace Pulumi.Aws.Iam
{
///
- /// ## Import
+ /// Pulumi resource for maintaining exclusive management of inline policies assigned to an AWS IAM (Identity & Access Management) role.
///
- /// Using `pulumi import`, import exclusive management of inline policy assignments using the `role_name`. For example:
+ /// > **NOTE:** To reliably detect drift between customer managed inline policies listed in this resource and actual policies attached to the role in the cloud, you currently need to run Pulumi with `pulumi up --refresh`. See [#4766](https://github.com/pulumi/pulumi-aws/issues/4766) for tracking making this work with regular `pulumi up` invocations.
///
- /// ```sh
- /// $ pulumi import aws:iam/rolePoliciesExclusive:RolePoliciesExclusive example MyRole
+ /// !> This resource takes exclusive ownership over inline policies assigned to a role. This includes removal of inline policies which are not explicitly configured. To prevent persistent drift, ensure any `aws.iam.RolePolicy` resources managed alongside this resource are included in the `policy_names` argument.
+ ///
+ /// > Destruction of this resource means Pulumi will no longer manage reconciliation of the configured inline policy assignments. It __will not__ delete the configured policies from the role.
+ ///
+ /// ## Example Usage
+ ///
+ /// ### Basic Usage
+ ///
+ /// ```csharp
+ /// using System.Collections.Generic;
+ /// using System.Linq;
+ /// using Pulumi;
+ /// using Aws = Pulumi.Aws;
+ ///
+ /// return await Deployment.RunAsync(() =>
+ /// {
+ /// var example = new Aws.Iam.RolePoliciesExclusive("example", new()
+ /// {
+ /// RoleName = exampleAwsIamRole.Name,
+ /// PolicyNames = new[]
+ /// {
+ /// exampleAwsIamRolePolicy.Name,
+ /// },
+ /// });
+ ///
+ /// });
+ /// ```
+ ///
+ /// ### Disallow Inline Policies
+ ///
+ /// To automatically remove any configured inline policies, set the `policy_names` argument to an empty list.
+ ///
+ /// > This will not __prevent__ inline policies from being assigned to a role via Pulumi (or any other interface). This resource enables bringing inline policy assignments into a configured state, however, this reconciliation happens only when `apply` is proactively run.
+ ///
+ /// ```csharp
+ /// using System.Collections.Generic;
+ /// using System.Linq;
+ /// using Pulumi;
+ /// using Aws = Pulumi.Aws;
+ ///
+ /// return await Deployment.RunAsync(() =>
+ /// {
+ /// var example = new Aws.Iam.RolePoliciesExclusive("example", new()
+ /// {
+ /// RoleName = exampleAwsIamRole.Name,
+ /// PolicyNames = new[] {},
+ /// });
+ ///
+ /// });
/// ```
///
[AwsResourceType("aws:iam/rolePoliciesExclusive:RolePoliciesExclusive")]
diff --git a/sdk/dotnet/Iam/RolePolicyAttachmentsExclusive.cs b/sdk/dotnet/Iam/RolePolicyAttachmentsExclusive.cs
index ec90900d732..ba00cc8310f 100644
--- a/sdk/dotnet/Iam/RolePolicyAttachmentsExclusive.cs
+++ b/sdk/dotnet/Iam/RolePolicyAttachmentsExclusive.cs
@@ -10,12 +10,59 @@
namespace Pulumi.Aws.Iam
{
///
- /// ## Import
+ /// Pulumi resource for maintaining exclusive management of customer managed policies assigned to an AWS IAM (Identity & Access Management) role.
///
- /// Using `pulumi import`, import exclusive management of customer managed policy assignments using the `role_name`. For example:
+ /// > **NOTE:** To reliably detect drift between customer managed policies listed in this resource and actual policies attached to the role in the cloud, you currently need to run Pulumi with `pulumi up --refresh`. See [#4766](https://github.com/pulumi/pulumi-aws/issues/4766) for tracking making this work with regular `pulumi up` invocations.
///
- /// ```sh
- /// $ pulumi import aws:iam/rolePolicyAttachmentsExclusive:RolePolicyAttachmentsExclusive example MyRole
+ /// !> This resource takes exclusive ownership over customer managed policies attached to a role. This includes removal of customer managed policies which are not explicitly configured. To prevent persistent drift, ensure any `aws.iam.RolePolicyAttachment` resources managed alongside this resource are included in the `policy_arns` argument.
+ ///
+ /// > Destruction of this resource means Pulumi will no longer manage reconciliation of the configured policy attachments. It __will not__ detach the configured policies from the role.
+ ///
+ /// ## Example Usage
+ ///
+ /// ### Basic Usage
+ ///
+ /// ```csharp
+ /// using System.Collections.Generic;
+ /// using System.Linq;
+ /// using Pulumi;
+ /// using Aws = Pulumi.Aws;
+ ///
+ /// return await Deployment.RunAsync(() =>
+ /// {
+ /// var example = new Aws.Iam.RolePolicyAttachmentsExclusive("example", new()
+ /// {
+ /// RoleName = exampleAwsIamRole.Name,
+ /// PolicyArns = new[]
+ /// {
+ /// exampleAwsIamPolicy.Arn,
+ /// },
+ /// });
+ ///
+ /// });
+ /// ```
+ ///
+ /// ### Disallow Customer Managed Policies
+ ///
+ /// To automatically remove any configured customer managed policies, set the `policy_arns` argument to an empty list.
+ ///
+ /// > This will not __prevent__ customer managed policies from being assigned to a role via Pulumi (or any other interface). This resource enables bringing customer managed policy assignments into a configured state, however, this reconciliation happens only when `apply` is proactively run.
+ ///
+ /// ```csharp
+ /// using System.Collections.Generic;
+ /// using System.Linq;
+ /// using Pulumi;
+ /// using Aws = Pulumi.Aws;
+ ///
+ /// return await Deployment.RunAsync(() =>
+ /// {
+ /// var example = new Aws.Iam.RolePolicyAttachmentsExclusive("example", new()
+ /// {
+ /// RoleName = exampleAwsIamRole.Name,
+ /// PolicyArns = new[] {},
+ /// });
+ ///
+ /// });
/// ```
///
[AwsResourceType("aws:iam/rolePolicyAttachmentsExclusive:RolePolicyAttachmentsExclusive")]
diff --git a/sdk/go/aws/iam/rolePoliciesExclusive.go b/sdk/go/aws/iam/rolePoliciesExclusive.go
index 1348308e0df..8a20d08b3f7 100644
--- a/sdk/go/aws/iam/rolePoliciesExclusive.go
+++ b/sdk/go/aws/iam/rolePoliciesExclusive.go
@@ -12,12 +12,74 @@ import (
"github.com/pulumi/pulumi/sdk/v3/go/pulumi"
)
-// ## Import
+// Pulumi resource for maintaining exclusive management of inline policies assigned to an AWS IAM (Identity & Access Management) role.
//
-// Using `pulumi import`, import exclusive management of inline policy assignments using the `role_name`. For example:
+// > **NOTE:** To reliably detect drift between customer managed inline policies listed in this resource and actual policies attached to the role in the cloud, you currently need to run Pulumi with `pulumi up --refresh`. See [#4766](https://github.com/pulumi/pulumi-aws/issues/4766) for tracking making this work with regular `pulumi up` invocations.
+//
+// !> This resource takes exclusive ownership over inline policies assigned to a role. This includes removal of inline policies which are not explicitly configured. To prevent persistent drift, ensure any `iam.RolePolicy` resources managed alongside this resource are included in the `policyNames` argument.
+//
+// > Destruction of this resource means Pulumi will no longer manage reconciliation of the configured inline policy assignments. It __will not__ delete the configured policies from the role.
+//
+// ## Example Usage
+//
+// ### Basic Usage
+//
+// ```go
+// package main
+//
+// import (
+//
+// "github.com/pulumi/pulumi-aws/sdk/v6/go/aws/iam"
+// "github.com/pulumi/pulumi/sdk/v3/go/pulumi"
+//
+// )
+//
+// func main() {
+// pulumi.Run(func(ctx *pulumi.Context) error {
+// _, err := iam.NewRolePoliciesExclusive(ctx, "example", &iam.RolePoliciesExclusiveArgs{
+// RoleName: pulumi.Any(exampleAwsIamRole.Name),
+// PolicyNames: pulumi.StringArray{
+// exampleAwsIamRolePolicy.Name,
+// },
+// })
+// if err != nil {
+// return err
+// }
+// return nil
+// })
+// }
+//
+// ```
+//
+// ### Disallow Inline Policies
+//
+// To automatically remove any configured inline policies, set the `policyNames` argument to an empty list.
+//
+// > This will not __prevent__ inline policies from being assigned to a role via Pulumi (or any other interface). This resource enables bringing inline policy assignments into a configured state, however, this reconciliation happens only when `apply` is proactively run.
+//
+// ```go
+// package main
+//
+// import (
+//
+// "github.com/pulumi/pulumi-aws/sdk/v6/go/aws/iam"
+// "github.com/pulumi/pulumi/sdk/v3/go/pulumi"
+//
+// )
+//
+// func main() {
+// pulumi.Run(func(ctx *pulumi.Context) error {
+// _, err := iam.NewRolePoliciesExclusive(ctx, "example", &iam.RolePoliciesExclusiveArgs{
+// RoleName: pulumi.Any(exampleAwsIamRole.Name),
+// PolicyNames: pulumi.StringArray{},
+// })
+// if err != nil {
+// return err
+// }
+// return nil
+// })
+// }
//
-// ```sh
-// $ pulumi import aws:iam/rolePoliciesExclusive:RolePoliciesExclusive example MyRole
// ```
type RolePoliciesExclusive struct {
pulumi.CustomResourceState
diff --git a/sdk/go/aws/iam/rolePolicyAttachmentsExclusive.go b/sdk/go/aws/iam/rolePolicyAttachmentsExclusive.go
index 6b823b81492..bcc442d2435 100644
--- a/sdk/go/aws/iam/rolePolicyAttachmentsExclusive.go
+++ b/sdk/go/aws/iam/rolePolicyAttachmentsExclusive.go
@@ -12,12 +12,74 @@ import (
"github.com/pulumi/pulumi/sdk/v3/go/pulumi"
)
-// ## Import
+// Pulumi resource for maintaining exclusive management of customer managed policies assigned to an AWS IAM (Identity & Access Management) role.
//
-// Using `pulumi import`, import exclusive management of customer managed policy assignments using the `role_name`. For example:
+// > **NOTE:** To reliably detect drift between customer managed policies listed in this resource and actual policies attached to the role in the cloud, you currently need to run Pulumi with `pulumi up --refresh`. See [#4766](https://github.com/pulumi/pulumi-aws/issues/4766) for tracking making this work with regular `pulumi up` invocations.
+//
+// !> This resource takes exclusive ownership over customer managed policies attached to a role. This includes removal of customer managed policies which are not explicitly configured. To prevent persistent drift, ensure any `iam.RolePolicyAttachment` resources managed alongside this resource are included in the `policyArns` argument.
+//
+// > Destruction of this resource means Pulumi will no longer manage reconciliation of the configured policy attachments. It __will not__ detach the configured policies from the role.
+//
+// ## Example Usage
+//
+// ### Basic Usage
+//
+// ```go
+// package main
+//
+// import (
+//
+// "github.com/pulumi/pulumi-aws/sdk/v6/go/aws/iam"
+// "github.com/pulumi/pulumi/sdk/v3/go/pulumi"
+//
+// )
+//
+// func main() {
+// pulumi.Run(func(ctx *pulumi.Context) error {
+// _, err := iam.NewRolePolicyAttachmentsExclusive(ctx, "example", &iam.RolePolicyAttachmentsExclusiveArgs{
+// RoleName: pulumi.Any(exampleAwsIamRole.Name),
+// PolicyArns: pulumi.StringArray{
+// exampleAwsIamPolicy.Arn,
+// },
+// })
+// if err != nil {
+// return err
+// }
+// return nil
+// })
+// }
+//
+// ```
+//
+// ### Disallow Customer Managed Policies
+//
+// To automatically remove any configured customer managed policies, set the `policyArns` argument to an empty list.
+//
+// > This will not __prevent__ customer managed policies from being assigned to a role via Pulumi (or any other interface). This resource enables bringing customer managed policy assignments into a configured state, however, this reconciliation happens only when `apply` is proactively run.
+//
+// ```go
+// package main
+//
+// import (
+//
+// "github.com/pulumi/pulumi-aws/sdk/v6/go/aws/iam"
+// "github.com/pulumi/pulumi/sdk/v3/go/pulumi"
+//
+// )
+//
+// func main() {
+// pulumi.Run(func(ctx *pulumi.Context) error {
+// _, err := iam.NewRolePolicyAttachmentsExclusive(ctx, "example", &iam.RolePolicyAttachmentsExclusiveArgs{
+// RoleName: pulumi.Any(exampleAwsIamRole.Name),
+// PolicyArns: pulumi.StringArray{},
+// })
+// if err != nil {
+// return err
+// }
+// return nil
+// })
+// }
//
-// ```sh
-// $ pulumi import aws:iam/rolePolicyAttachmentsExclusive:RolePolicyAttachmentsExclusive example MyRole
// ```
type RolePolicyAttachmentsExclusive struct {
pulumi.CustomResourceState
diff --git a/sdk/java/src/main/java/com/pulumi/aws/iam/RolePoliciesExclusive.java b/sdk/java/src/main/java/com/pulumi/aws/iam/RolePoliciesExclusive.java
index 7dd324794a6..15e702a481a 100644
--- a/sdk/java/src/main/java/com/pulumi/aws/iam/RolePoliciesExclusive.java
+++ b/sdk/java/src/main/java/com/pulumi/aws/iam/RolePoliciesExclusive.java
@@ -15,13 +15,91 @@
import javax.annotation.Nullable;
/**
- * ## Import
+ * Pulumi resource for maintaining exclusive management of inline policies assigned to an AWS IAM (Identity & Access Management) role.
*
- * Using `pulumi import`, import exclusive management of inline policy assignments using the `role_name`. For example:
+ * > **NOTE:** To reliably detect drift between customer managed inline policies listed in this resource and actual policies attached to the role in the cloud, you currently need to run Pulumi with `pulumi up --refresh`. See [#4766](https://github.com/pulumi/pulumi-aws/issues/4766) for tracking making this work with regular `pulumi up` invocations.
*
- * ```sh
- * $ pulumi import aws:iam/rolePoliciesExclusive:RolePoliciesExclusive example MyRole
- * ```
+ * !> This resource takes exclusive ownership over inline policies assigned to a role. This includes removal of inline policies which are not explicitly configured. To prevent persistent drift, ensure any `aws.iam.RolePolicy` resources managed alongside this resource are included in the `policy_names` argument.
+ *
+ * > Destruction of this resource means Pulumi will no longer manage reconciliation of the configured inline policy assignments. It __will not__ delete the configured policies from the role.
+ *
+ * ## Example Usage
+ *
+ * ### Basic Usage
+ *
+ * <!--Start PulumiCodeChooser -->
+ *
+ * {@code
+ * package generated_program;
+ *
+ * import com.pulumi.Context;
+ * import com.pulumi.Pulumi;
+ * import com.pulumi.core.Output;
+ * import com.pulumi.aws.iam.RolePoliciesExclusive;
+ * import com.pulumi.aws.iam.RolePoliciesExclusiveArgs;
+ * import java.util.List;
+ * import java.util.ArrayList;
+ * import java.util.Map;
+ * import java.io.File;
+ * import java.nio.file.Files;
+ * import java.nio.file.Paths;
+ *
+ * public class App {
+ * public static void main(String[] args) {
+ * Pulumi.run(App::stack);
+ * }
+ *
+ * public static void stack(Context ctx) {
+ * var example = new RolePoliciesExclusive("example", RolePoliciesExclusiveArgs.builder()
+ * .roleName(exampleAwsIamRole.name())
+ * .policyNames(exampleAwsIamRolePolicy.name())
+ * .build());
+ *
+ * }
+ * }
+ * }
+ *
+ * <!--End PulumiCodeChooser -->
+ *
+ * ### Disallow Inline Policies
+ *
+ * To automatically remove any configured inline policies, set the `policy_names` argument to an empty list.
+ *
+ * > This will not __prevent__ inline policies from being assigned to a role via Pulumi (or any other interface). This resource enables bringing inline policy assignments into a configured state, however, this reconciliation happens only when `apply` is proactively run.
+ *
+ * <!--Start PulumiCodeChooser -->
+ *
+ * {@code
+ * package generated_program;
+ *
+ * import com.pulumi.Context;
+ * import com.pulumi.Pulumi;
+ * import com.pulumi.core.Output;
+ * import com.pulumi.aws.iam.RolePoliciesExclusive;
+ * import com.pulumi.aws.iam.RolePoliciesExclusiveArgs;
+ * import java.util.List;
+ * import java.util.ArrayList;
+ * import java.util.Map;
+ * import java.io.File;
+ * import java.nio.file.Files;
+ * import java.nio.file.Paths;
+ *
+ * public class App {
+ * public static void main(String[] args) {
+ * Pulumi.run(App::stack);
+ * }
+ *
+ * public static void stack(Context ctx) {
+ * var example = new RolePoliciesExclusive("example", RolePoliciesExclusiveArgs.builder()
+ * .roleName(exampleAwsIamRole.name())
+ * .policyNames()
+ * .build());
+ *
+ * }
+ * }
+ * }
+ *
+ * <!--End PulumiCodeChooser -->
*
*/
@ResourceType(type="aws:iam/rolePoliciesExclusive:RolePoliciesExclusive")
diff --git a/sdk/java/src/main/java/com/pulumi/aws/iam/RolePolicyAttachmentsExclusive.java b/sdk/java/src/main/java/com/pulumi/aws/iam/RolePolicyAttachmentsExclusive.java
index ac18709267b..2283544c039 100644
--- a/sdk/java/src/main/java/com/pulumi/aws/iam/RolePolicyAttachmentsExclusive.java
+++ b/sdk/java/src/main/java/com/pulumi/aws/iam/RolePolicyAttachmentsExclusive.java
@@ -15,13 +15,91 @@
import javax.annotation.Nullable;
/**
- * ## Import
+ * Pulumi resource for maintaining exclusive management of customer managed policies assigned to an AWS IAM (Identity & Access Management) role.
*
- * Using `pulumi import`, import exclusive management of customer managed policy assignments using the `role_name`. For example:
+ * > **NOTE:** To reliably detect drift between customer managed policies listed in this resource and actual policies attached to the role in the cloud, you currently need to run Pulumi with `pulumi up --refresh`. See [#4766](https://github.com/pulumi/pulumi-aws/issues/4766) for tracking making this work with regular `pulumi up` invocations.
*
- * ```sh
- * $ pulumi import aws:iam/rolePolicyAttachmentsExclusive:RolePolicyAttachmentsExclusive example MyRole
- * ```
+ * !> This resource takes exclusive ownership over customer managed policies attached to a role. This includes removal of customer managed policies which are not explicitly configured. To prevent persistent drift, ensure any `aws.iam.RolePolicyAttachment` resources managed alongside this resource are included in the `policy_arns` argument.
+ *
+ * > Destruction of this resource means Pulumi will no longer manage reconciliation of the configured policy attachments. It __will not__ detach the configured policies from the role.
+ *
+ * ## Example Usage
+ *
+ * ### Basic Usage
+ *
+ * <!--Start PulumiCodeChooser -->
+ *
+ * {@code
+ * package generated_program;
+ *
+ * import com.pulumi.Context;
+ * import com.pulumi.Pulumi;
+ * import com.pulumi.core.Output;
+ * import com.pulumi.aws.iam.RolePolicyAttachmentsExclusive;
+ * import com.pulumi.aws.iam.RolePolicyAttachmentsExclusiveArgs;
+ * import java.util.List;
+ * import java.util.ArrayList;
+ * import java.util.Map;
+ * import java.io.File;
+ * import java.nio.file.Files;
+ * import java.nio.file.Paths;
+ *
+ * public class App {
+ * public static void main(String[] args) {
+ * Pulumi.run(App::stack);
+ * }
+ *
+ * public static void stack(Context ctx) {
+ * var example = new RolePolicyAttachmentsExclusive("example", RolePolicyAttachmentsExclusiveArgs.builder()
+ * .roleName(exampleAwsIamRole.name())
+ * .policyArns(exampleAwsIamPolicy.arn())
+ * .build());
+ *
+ * }
+ * }
+ * }
+ *
+ * <!--End PulumiCodeChooser -->
+ *
+ * ### Disallow Customer Managed Policies
+ *
+ * To automatically remove any configured customer managed policies, set the `policy_arns` argument to an empty list.
+ *
+ * > This will not __prevent__ customer managed policies from being assigned to a role via Pulumi (or any other interface). This resource enables bringing customer managed policy assignments into a configured state, however, this reconciliation happens only when `apply` is proactively run.
+ *
+ * <!--Start PulumiCodeChooser -->
+ *
+ * {@code
+ * package generated_program;
+ *
+ * import com.pulumi.Context;
+ * import com.pulumi.Pulumi;
+ * import com.pulumi.core.Output;
+ * import com.pulumi.aws.iam.RolePolicyAttachmentsExclusive;
+ * import com.pulumi.aws.iam.RolePolicyAttachmentsExclusiveArgs;
+ * import java.util.List;
+ * import java.util.ArrayList;
+ * import java.util.Map;
+ * import java.io.File;
+ * import java.nio.file.Files;
+ * import java.nio.file.Paths;
+ *
+ * public class App {
+ * public static void main(String[] args) {
+ * Pulumi.run(App::stack);
+ * }
+ *
+ * public static void stack(Context ctx) {
+ * var example = new RolePolicyAttachmentsExclusive("example", RolePolicyAttachmentsExclusiveArgs.builder()
+ * .roleName(exampleAwsIamRole.name())
+ * .policyArns()
+ * .build());
+ *
+ * }
+ * }
+ * }
+ *
+ * <!--End PulumiCodeChooser -->
*
*/
@ResourceType(type="aws:iam/rolePolicyAttachmentsExclusive:RolePolicyAttachmentsExclusive")
diff --git a/sdk/nodejs/iam/rolePoliciesExclusive.ts b/sdk/nodejs/iam/rolePoliciesExclusive.ts
index 116224c5e22..09807998629 100644
--- a/sdk/nodejs/iam/rolePoliciesExclusive.ts
+++ b/sdk/nodejs/iam/rolePoliciesExclusive.ts
@@ -5,12 +5,42 @@ import * as pulumi from "@pulumi/pulumi";
import * as utilities from "../utilities";
/**
- * ## Import
+ * Pulumi resource for maintaining exclusive management of inline policies assigned to an AWS IAM (Identity & Access Management) role.
*
- * Using `pulumi import`, import exclusive management of inline policy assignments using the `role_name`. For example:
+ * > **NOTE:** To reliably detect drift between customer managed inline policies listed in this resource and actual policies attached to the role in the cloud, you currently need to run Pulumi with `pulumi up --refresh`. See [#4766](https://github.com/pulumi/pulumi-aws/issues/4766) for tracking making this work with regular `pulumi up` invocations.
*
- * ```sh
- * $ pulumi import aws:iam/rolePoliciesExclusive:RolePoliciesExclusive example MyRole
+ * !> This resource takes exclusive ownership over inline policies assigned to a role. This includes removal of inline policies which are not explicitly configured. To prevent persistent drift, ensure any `aws.iam.RolePolicy` resources managed alongside this resource are included in the `policyNames` argument.
+ *
+ * > Destruction of this resource means Pulumi will no longer manage reconciliation of the configured inline policy assignments. It __will not__ delete the configured policies from the role.
+ *
+ * ## Example Usage
+ *
+ * ### Basic Usage
+ *
+ * ```typescript
+ * import * as pulumi from "@pulumi/pulumi";
+ * import * as aws from "@pulumi/aws";
+ *
+ * const example = new aws.iam.RolePoliciesExclusive("example", {
+ * roleName: exampleAwsIamRole.name,
+ * policyNames: [exampleAwsIamRolePolicy.name],
+ * });
+ * ```
+ *
+ * ### Disallow Inline Policies
+ *
+ * To automatically remove any configured inline policies, set the `policyNames` argument to an empty list.
+ *
+ * > This will not __prevent__ inline policies from being assigned to a role via Pulumi (or any other interface). This resource enables bringing inline policy assignments into a configured state, however, this reconciliation happens only when `apply` is proactively run.
+ *
+ * ```typescript
+ * import * as pulumi from "@pulumi/pulumi";
+ * import * as aws from "@pulumi/aws";
+ *
+ * const example = new aws.iam.RolePoliciesExclusive("example", {
+ * roleName: exampleAwsIamRole.name,
+ * policyNames: [],
+ * });
* ```
*/
export class RolePoliciesExclusive extends pulumi.CustomResource {
diff --git a/sdk/nodejs/iam/rolePolicyAttachmentsExclusive.ts b/sdk/nodejs/iam/rolePolicyAttachmentsExclusive.ts
index 5fe6b634f2e..6cc2e5bdabf 100644
--- a/sdk/nodejs/iam/rolePolicyAttachmentsExclusive.ts
+++ b/sdk/nodejs/iam/rolePolicyAttachmentsExclusive.ts
@@ -5,12 +5,42 @@ import * as pulumi from "@pulumi/pulumi";
import * as utilities from "../utilities";
/**
- * ## Import
+ * Pulumi resource for maintaining exclusive management of customer managed policies assigned to an AWS IAM (Identity & Access Management) role.
*
- * Using `pulumi import`, import exclusive management of customer managed policy assignments using the `role_name`. For example:
+ * > **NOTE:** To reliably detect drift between customer managed policies listed in this resource and actual policies attached to the role in the cloud, you currently need to run Pulumi with `pulumi up --refresh`. See [#4766](https://github.com/pulumi/pulumi-aws/issues/4766) for tracking making this work with regular `pulumi up` invocations.
*
- * ```sh
- * $ pulumi import aws:iam/rolePolicyAttachmentsExclusive:RolePolicyAttachmentsExclusive example MyRole
+ * !> This resource takes exclusive ownership over customer managed policies attached to a role. This includes removal of customer managed policies which are not explicitly configured. To prevent persistent drift, ensure any `aws.iam.RolePolicyAttachment` resources managed alongside this resource are included in the `policyArns` argument.
+ *
+ * > Destruction of this resource means Pulumi will no longer manage reconciliation of the configured policy attachments. It __will not__ detach the configured policies from the role.
+ *
+ * ## Example Usage
+ *
+ * ### Basic Usage
+ *
+ * ```typescript
+ * import * as pulumi from "@pulumi/pulumi";
+ * import * as aws from "@pulumi/aws";
+ *
+ * const example = new aws.iam.RolePolicyAttachmentsExclusive("example", {
+ * roleName: exampleAwsIamRole.name,
+ * policyArns: [exampleAwsIamPolicy.arn],
+ * });
+ * ```
+ *
+ * ### Disallow Customer Managed Policies
+ *
+ * To automatically remove any configured customer managed policies, set the `policyArns` argument to an empty list.
+ *
+ * > This will not __prevent__ customer managed policies from being assigned to a role via Pulumi (or any other interface). This resource enables bringing customer managed policy assignments into a configured state, however, this reconciliation happens only when `apply` is proactively run.
+ *
+ * ```typescript
+ * import * as pulumi from "@pulumi/pulumi";
+ * import * as aws from "@pulumi/aws";
+ *
+ * const example = new aws.iam.RolePolicyAttachmentsExclusive("example", {
+ * roleName: exampleAwsIamRole.name,
+ * policyArns: [],
+ * });
* ```
*/
export class RolePolicyAttachmentsExclusive extends pulumi.CustomResource {
diff --git a/sdk/python/pulumi_aws/iam/role_policies_exclusive.py b/sdk/python/pulumi_aws/iam/role_policies_exclusive.py
index 5290629100b..3c64e8ab174 100644
--- a/sdk/python/pulumi_aws/iam/role_policies_exclusive.py
+++ b/sdk/python/pulumi_aws/iam/role_policies_exclusive.py
@@ -103,12 +103,40 @@ def __init__(__self__,
role_name: Optional[pulumi.Input[str]] = None,
__props__=None):
"""
- ## Import
+ Pulumi resource for maintaining exclusive management of inline policies assigned to an AWS IAM (Identity & Access Management) role.
- Using `pulumi import`, import exclusive management of inline policy assignments using the `role_name`. For example:
+ > **NOTE:** To reliably detect drift between customer managed inline policies listed in this resource and actual policies attached to the role in the cloud, you currently need to run Pulumi with `pulumi up --refresh`. See [#4766](https://github.com/pulumi/pulumi-aws/issues/4766) for tracking making this work with regular `pulumi up` invocations.
- ```sh
- $ pulumi import aws:iam/rolePoliciesExclusive:RolePoliciesExclusive example MyRole
+ !> This resource takes exclusive ownership over inline policies assigned to a role. This includes removal of inline policies which are not explicitly configured. To prevent persistent drift, ensure any `iam.RolePolicy` resources managed alongside this resource are included in the `policy_names` argument.
+
+ > Destruction of this resource means Pulumi will no longer manage reconciliation of the configured inline policy assignments. It __will not__ delete the configured policies from the role.
+
+ ## Example Usage
+
+ ### Basic Usage
+
+ ```python
+ import pulumi
+ import pulumi_aws as aws
+
+ example = aws.iam.RolePoliciesExclusive("example",
+ role_name=example_aws_iam_role["name"],
+ policy_names=[example_aws_iam_role_policy["name"]])
+ ```
+
+ ### Disallow Inline Policies
+
+ To automatically remove any configured inline policies, set the `policy_names` argument to an empty list.
+
+ > This will not __prevent__ inline policies from being assigned to a role via Pulumi (or any other interface). This resource enables bringing inline policy assignments into a configured state, however, this reconciliation happens only when `apply` is proactively run.
+
+ ```python
+ import pulumi
+ import pulumi_aws as aws
+
+ example = aws.iam.RolePoliciesExclusive("example",
+ role_name=example_aws_iam_role["name"],
+ policy_names=[])
```
:param str resource_name: The name of the resource.
@@ -123,12 +151,40 @@ def __init__(__self__,
args: RolePoliciesExclusiveArgs,
opts: Optional[pulumi.ResourceOptions] = None):
"""
- ## Import
+ Pulumi resource for maintaining exclusive management of inline policies assigned to an AWS IAM (Identity & Access Management) role.
+
+ > **NOTE:** To reliably detect drift between customer managed inline policies listed in this resource and actual policies attached to the role in the cloud, you currently need to run Pulumi with `pulumi up --refresh`. See [#4766](https://github.com/pulumi/pulumi-aws/issues/4766) for tracking making this work with regular `pulumi up` invocations.
+
+ !> This resource takes exclusive ownership over inline policies assigned to a role. This includes removal of inline policies which are not explicitly configured. To prevent persistent drift, ensure any `iam.RolePolicy` resources managed alongside this resource are included in the `policy_names` argument.
+
+ > Destruction of this resource means Pulumi will no longer manage reconciliation of the configured inline policy assignments. It __will not__ delete the configured policies from the role.
+
+ ## Example Usage
+
+ ### Basic Usage
+
+ ```python
+ import pulumi
+ import pulumi_aws as aws
+
+ example = aws.iam.RolePoliciesExclusive("example",
+ role_name=example_aws_iam_role["name"],
+ policy_names=[example_aws_iam_role_policy["name"]])
+ ```
+
+ ### Disallow Inline Policies
+
+ To automatically remove any configured inline policies, set the `policy_names` argument to an empty list.
+
+ > This will not __prevent__ inline policies from being assigned to a role via Pulumi (or any other interface). This resource enables bringing inline policy assignments into a configured state, however, this reconciliation happens only when `apply` is proactively run.
- Using `pulumi import`, import exclusive management of inline policy assignments using the `role_name`. For example:
+ ```python
+ import pulumi
+ import pulumi_aws as aws
- ```sh
- $ pulumi import aws:iam/rolePoliciesExclusive:RolePoliciesExclusive example MyRole
+ example = aws.iam.RolePoliciesExclusive("example",
+ role_name=example_aws_iam_role["name"],
+ policy_names=[])
```
:param str resource_name: The name of the resource.
diff --git a/sdk/python/pulumi_aws/iam/role_policy_attachments_exclusive.py b/sdk/python/pulumi_aws/iam/role_policy_attachments_exclusive.py
index dd7ded86b93..fd3d0d641b5 100644
--- a/sdk/python/pulumi_aws/iam/role_policy_attachments_exclusive.py
+++ b/sdk/python/pulumi_aws/iam/role_policy_attachments_exclusive.py
@@ -103,12 +103,40 @@ def __init__(__self__,
role_name: Optional[pulumi.Input[str]] = None,
__props__=None):
"""
- ## Import
+ Pulumi resource for maintaining exclusive management of customer managed policies assigned to an AWS IAM (Identity & Access Management) role.
- Using `pulumi import`, import exclusive management of customer managed policy assignments using the `role_name`. For example:
+ > **NOTE:** To reliably detect drift between customer managed policies listed in this resource and actual policies attached to the role in the cloud, you currently need to run Pulumi with `pulumi up --refresh`. See [#4766](https://github.com/pulumi/pulumi-aws/issues/4766) for tracking making this work with regular `pulumi up` invocations.
- ```sh
- $ pulumi import aws:iam/rolePolicyAttachmentsExclusive:RolePolicyAttachmentsExclusive example MyRole
+ !> This resource takes exclusive ownership over customer managed policies attached to a role. This includes removal of customer managed policies which are not explicitly configured. To prevent persistent drift, ensure any `iam.RolePolicyAttachment` resources managed alongside this resource are included in the `policy_arns` argument.
+
+ > Destruction of this resource means Pulumi will no longer manage reconciliation of the configured policy attachments. It __will not__ detach the configured policies from the role.
+
+ ## Example Usage
+
+ ### Basic Usage
+
+ ```python
+ import pulumi
+ import pulumi_aws as aws
+
+ example = aws.iam.RolePolicyAttachmentsExclusive("example",
+ role_name=example_aws_iam_role["name"],
+ policy_arns=[example_aws_iam_policy["arn"]])
+ ```
+
+ ### Disallow Customer Managed Policies
+
+ To automatically remove any configured customer managed policies, set the `policy_arns` argument to an empty list.
+
+ > This will not __prevent__ customer managed policies from being assigned to a role via Pulumi (or any other interface). This resource enables bringing customer managed policy assignments into a configured state, however, this reconciliation happens only when `apply` is proactively run.
+
+ ```python
+ import pulumi
+ import pulumi_aws as aws
+
+ example = aws.iam.RolePolicyAttachmentsExclusive("example",
+ role_name=example_aws_iam_role["name"],
+ policy_arns=[])
```
:param str resource_name: The name of the resource.
@@ -123,12 +151,40 @@ def __init__(__self__,
args: RolePolicyAttachmentsExclusiveArgs,
opts: Optional[pulumi.ResourceOptions] = None):
"""
- ## Import
+ Pulumi resource for maintaining exclusive management of customer managed policies assigned to an AWS IAM (Identity & Access Management) role.
+
+ > **NOTE:** To reliably detect drift between customer managed policies listed in this resource and actual policies attached to the role in the cloud, you currently need to run Pulumi with `pulumi up --refresh`. See [#4766](https://github.com/pulumi/pulumi-aws/issues/4766) for tracking making this work with regular `pulumi up` invocations.
+
+ !> This resource takes exclusive ownership over customer managed policies attached to a role. This includes removal of customer managed policies which are not explicitly configured. To prevent persistent drift, ensure any `iam.RolePolicyAttachment` resources managed alongside this resource are included in the `policy_arns` argument.
+
+ > Destruction of this resource means Pulumi will no longer manage reconciliation of the configured policy attachments. It __will not__ detach the configured policies from the role.
+
+ ## Example Usage
+
+ ### Basic Usage
+
+ ```python
+ import pulumi
+ import pulumi_aws as aws
+
+ example = aws.iam.RolePolicyAttachmentsExclusive("example",
+ role_name=example_aws_iam_role["name"],
+ policy_arns=[example_aws_iam_policy["arn"]])
+ ```
+
+ ### Disallow Customer Managed Policies
+
+ To automatically remove any configured customer managed policies, set the `policy_arns` argument to an empty list.
+
+ > This will not __prevent__ customer managed policies from being assigned to a role via Pulumi (or any other interface). This resource enables bringing customer managed policy assignments into a configured state, however, this reconciliation happens only when `apply` is proactively run.
- Using `pulumi import`, import exclusive management of customer managed policy assignments using the `role_name`. For example:
+ ```python
+ import pulumi
+ import pulumi_aws as aws
- ```sh
- $ pulumi import aws:iam/rolePolicyAttachmentsExclusive:RolePolicyAttachmentsExclusive example MyRole
+ example = aws.iam.RolePolicyAttachmentsExclusive("example",
+ role_name=example_aws_iam_role["name"],
+ policy_arns=[])
```
:param str resource_name: The name of the resource.