Simplify management of inline policies for IAM roles

[flostadler]

IAM role inline policies have three modes. When setting inlinePolicies:

• to an empty array or undefined (None, nil, etc.), the provider does not manage the inline policies.
• to an array with one empty block, the provider removes all inline policies (even ones added out of band) and exclusively manages them.
• to an array of inline policies, then the provider adds those inline policies and exclusively manages them.

This has the drawback, that removing inline policies requires users to set the inlinePolicies not to an empty array, but an array with the special empty block (i.e. delete marker). This behavior might be unintuitive to users (see https://github.com/pulumi/pulumi-aws/issues/4031 for example).

An improvement for this could be extracting the decision whether to manage the inlinePolicies or not into it's own property. This would be a breaking change though.

Contributing

Vote on this issue by adding a 👍 reaction. To contribute a fix for this issue, leave a comment (and link to your pull request, if you've opened one already).

[flostadler]

We should also evaluate how to improve the description of the inlinePolicies parameter in the meantime to make the current behavior more obvious.

[jmcarp]

This may or may not be related to #4031, but we've also observed pulumi failing to detect changes to policy documents in iam policies and iam user policies. We've only been able to get pulumi to reliability detect these changes by appending a hash of the policy document to the policy name. Is this a known limitation of pulumi-aws in general, or possibly specific to multi-statement policies?

cc @sudomateo @duskeagle

[flostadler]

@jmcarp I'm sorry that you're running into these problems! What you're describing sounds like a different issue to me. I'm not aware of such behavior, could you open an issue (ideally with an example/repro) so we can dig into this?