diff --git a/provider/cmd/pulumi-resource-aws/schema.json b/provider/cmd/pulumi-resource-aws/schema.json
index 912473b4959..6171155ddef 100644
--- a/provider/cmd/pulumi-resource-aws/schema.json
+++ b/provider/cmd/pulumi-resource-aws/schema.json
@@ -275175,7 +275175,7 @@
}
},
"aws:iam/role:Role": {
- "description": "\n\n## Import\n\nUsing `pulumi import`, import IAM Roles using the `name`. For example:\n\n```sh\n$ pulumi import aws:iam/role:Role developer developer_name\n```\n",
+ "description": "Provides an IAM role.\n\n\u003e **NOTE:** If policies are attached to the role via the `aws.iam.PolicyAttachment` resource and you are modifying the role `name` or `path`, the `force_detach_policies` argument must be set to `true` and applied before attempting the operation otherwise you will encounter a `DeleteConflict` error. The `aws.iam.RolePolicyAttachment` resource (recommended) does not have this requirement.\n\n\u003e **NOTE:** If you use this resource's `managed_policy_arns` argument or `inline_policy` configuration blocks, this resource will take over exclusive management of the role's respective policy types (e.g., both policy types if both arguments are used). These arguments are incompatible with other ways of managing a role's policies, such as `aws.iam.PolicyAttachment`, `aws.iam.RolePolicyAttachment`, and `aws.iam.RolePolicy`. If you attempt to manage a role's policies by multiple means, you will get resource cycling and/or errors.\n\n\u003e **NOTE:** We suggest using explicit JSON encoding or `aws.iam.getPolicyDocument` when assigning a value to `policy`. They seamlessly translate configuration to JSON, enabling you to maintain consistency within your configuration without the need for context switches. Also, you can sidestep potential complications arising from formatting discrepancies, whitespace inconsistencies, and other nuances inherent to JSON.\n\n## Example Usage\n\n### Basic Example\n\n\u003c!--Start PulumiCodeChooser --\u003e\n```typescript\nimport * as pulumi from \"@pulumi/pulumi\";\nimport * as aws from \"@pulumi/aws\";\n\nconst testRole = new aws.iam.Role(\"test_role\", {\n name: \"test_role\",\n assumeRolePolicy: JSON.stringify({\n Version: \"2012-10-17\",\n Statement: [{\n Action: \"sts:AssumeRole\",\n Effect: \"Allow\",\n Sid: \"\",\n Principal: {\n Service: \"ec2.amazonaws.com\",\n },\n }],\n }),\n tags: {\n \"tag-key\": \"tag-value\",\n },\n});\n```\n```python\nimport pulumi\nimport json\nimport pulumi_aws as aws\n\ntest_role = aws.iam.Role(\"test_role\",\n name=\"test_role\",\n assume_role_policy=json.dumps({\n \"Version\": \"2012-10-17\",\n \"Statement\": [{\n \"Action\": \"sts:AssumeRole\",\n \"Effect\": \"Allow\",\n \"Sid\": \"\",\n \"Principal\": {\n \"Service\": \"ec2.amazonaws.com\",\n },\n }],\n }),\n tags={\n \"tag-key\": \"tag-value\",\n })\n```\n```csharp\nusing System.Collections.Generic;\nusing System.Linq;\nusing System.Text.Json;\nusing Pulumi;\nusing Aws = Pulumi.Aws;\n\nreturn await Deployment.RunAsync(() =\u003e \n{\n var testRole = new Aws.Iam.Role(\"test_role\", new()\n {\n Name = \"test_role\",\n AssumeRolePolicy = JsonSerializer.Serialize(new Dictionary\u003cstring, object?\u003e\n {\n [\"Version\"] = \"2012-10-17\",\n [\"Statement\"] = new[]\n {\n new Dictionary\u003cstring, object?\u003e\n {\n [\"Action\"] = \"sts:AssumeRole\",\n [\"Effect\"] = \"Allow\",\n [\"Sid\"] = \"\",\n [\"Principal\"] = new Dictionary\u003cstring, object?\u003e\n {\n [\"Service\"] = \"ec2.amazonaws.com\",\n },\n },\n },\n }),\n Tags = \n {\n { \"tag-key\", \"tag-value\" },\n },\n });\n\n});\n```\n```go\npackage main\n\nimport (\n\t\"encoding/json\"\n\n\t\"github.com/pulumi/pulumi-aws/sdk/v6/go/aws/iam\"\n\t\"github.com/pulumi/pulumi/sdk/v3/go/pulumi\"\n)\n\nfunc main() {\n\tpulumi.Run(func(ctx *pulumi.Context) error {\n\t\ttmpJSON0, err := json.Marshal(map[string]interface{}{\n\t\t\t\"Version\": \"2012-10-17\",\n\t\t\t\"Statement\": []map[string]interface{}{\n\t\t\t\tmap[string]interface{}{\n\t\t\t\t\t\"Action\": \"sts:AssumeRole\",\n\t\t\t\t\t\"Effect\": \"Allow\",\n\t\t\t\t\t\"Sid\": \"\",\n\t\t\t\t\t\"Principal\": map[string]interface{}{\n\t\t\t\t\t\t\"Service\": \"ec2.amazonaws.com\",\n\t\t\t\t\t},\n\t\t\t\t},\n\t\t\t},\n\t\t})\n\t\tif err != nil {\n\t\t\treturn err\n\t\t}\n\t\tjson0 := string(tmpJSON0)\n\t\t_, err = iam.NewRole(ctx, \"test_role\", \u0026iam.RoleArgs{\n\t\t\tName: pulumi.String(\"test_role\"),\n\t\t\tAssumeRolePolicy: pulumi.String(json0),\n\t\t\tTags: pulumi.StringMap{\n\t\t\t\t\"tag-key\": pulumi.String(\"tag-value\"),\n\t\t\t},\n\t\t})\n\t\tif err != nil {\n\t\t\treturn err\n\t\t}\n\t\treturn nil\n\t})\n}\n```\n```java\npackage generated_program;\n\nimport com.pulumi.Context;\nimport com.pulumi.Pulumi;\nimport com.pulumi.core.Output;\nimport com.pulumi.aws.iam.Role;\nimport com.pulumi.aws.iam.RoleArgs;\nimport static com.pulumi.codegen.internal.Serialization.*;\nimport java.util.List;\nimport java.util.ArrayList;\nimport java.util.Map;\nimport java.io.File;\nimport java.nio.file.Files;\nimport java.nio.file.Paths;\n\npublic class App {\n public static void main(String[] args) {\n Pulumi.run(App::stack);\n }\n\n public static void stack(Context ctx) {\n var testRole = new Role(\"testRole\", RoleArgs.builder()\n .name(\"test_role\")\n .assumeRolePolicy(serializeJson(\n jsonObject(\n jsonProperty(\"Version\", \"2012-10-17\"),\n jsonProperty(\"Statement\", jsonArray(jsonObject(\n jsonProperty(\"Action\", \"sts:AssumeRole\"),\n jsonProperty(\"Effect\", \"Allow\"),\n jsonProperty(\"Sid\", \"\"),\n jsonProperty(\"Principal\", jsonObject(\n jsonProperty(\"Service\", \"ec2.amazonaws.com\")\n ))\n )))\n )))\n .tags(Map.of(\"tag-key\", \"tag-value\"))\n .build());\n\n }\n}\n```\n```yaml\nresources:\n testRole:\n type: aws:iam:Role\n name: test_role\n properties:\n name: test_role\n assumeRolePolicy:\n fn::toJSON:\n Version: 2012-10-17\n Statement:\n - Action: sts:AssumeRole\n Effect: Allow\n Sid:\n Principal:\n Service: ec2.amazonaws.com\n tags:\n tag-key: tag-value\n```\n\u003c!--End PulumiCodeChooser --\u003e\n\n### Example of Using Data Source for Assume Role Policy\n\n\u003c!--Start PulumiCodeChooser --\u003e\n```typescript\nimport * as pulumi from \"@pulumi/pulumi\";\nimport * as aws from \"@pulumi/aws\";\n\nconst instanceAssumeRolePolicy = aws.iam.getPolicyDocument({\n statements: [{\n actions: [\"sts:AssumeRole\"],\n principals: [{\n type: \"Service\",\n identifiers: [\"ec2.amazonaws.com\"],\n }],\n }],\n});\nconst instance = new aws.iam.Role(\"instance\", {\n name: \"instance_role\",\n path: \"/system/\",\n assumeRolePolicy: instanceAssumeRolePolicy.then(instanceAssumeRolePolicy =\u003e instanceAssumeRolePolicy.json),\n});\n```\n```python\nimport pulumi\nimport pulumi_aws as aws\n\ninstance_assume_role_policy = aws.iam.get_policy_document(statements=[{\n \"actions\": [\"sts:AssumeRole\"],\n \"principals\": [{\n \"type\": \"Service\",\n \"identifiers\": [\"ec2.amazonaws.com\"],\n }],\n}])\ninstance = aws.iam.Role(\"instance\",\n name=\"instance_role\",\n path=\"/system/\",\n assume_role_policy=instance_assume_role_policy.json)\n```\n```csharp\nusing System.Collections.Generic;\nusing System.Linq;\nusing Pulumi;\nusing Aws = Pulumi.Aws;\n\nreturn await Deployment.RunAsync(() =\u003e \n{\n var instanceAssumeRolePolicy = Aws.Iam.GetPolicyDocument.Invoke(new()\n {\n Statements = new[]\n {\n new Aws.Iam.Inputs.GetPolicyDocumentStatementInputArgs\n {\n Actions = new[]\n {\n \"sts:AssumeRole\",\n },\n Principals = new[]\n {\n new Aws.Iam.Inputs.GetPolicyDocumentStatementPrincipalInputArgs\n {\n Type = \"Service\",\n Identifiers = new[]\n {\n \"ec2.amazonaws.com\",\n },\n },\n },\n },\n },\n });\n\n var instance = new Aws.Iam.Role(\"instance\", new()\n {\n Name = \"instance_role\",\n Path = \"/system/\",\n AssumeRolePolicy = instanceAssumeRolePolicy.Apply(getPolicyDocumentResult =\u003e getPolicyDocumentResult.Json),\n });\n\n});\n```\n```go\npackage main\n\nimport (\n\t\"github.com/pulumi/pulumi-aws/sdk/v6/go/aws/iam\"\n\t\"github.com/pulumi/pulumi/sdk/v3/go/pulumi\"\n)\n\nfunc main() {\n\tpulumi.Run(func(ctx *pulumi.Context) error {\n\t\tinstanceAssumeRolePolicy, err := iam.GetPolicyDocument(ctx, \u0026iam.GetPolicyDocumentArgs{\n\t\t\tStatements: []iam.GetPolicyDocumentStatement{\n\t\t\t\t{\n\t\t\t\t\tActions: []string{\n\t\t\t\t\t\t\"sts:AssumeRole\",\n\t\t\t\t\t},\n\t\t\t\t\tPrincipals: []iam.GetPolicyDocumentStatementPrincipal{\n\t\t\t\t\t\t{\n\t\t\t\t\t\t\tType: \"Service\",\n\t\t\t\t\t\t\tIdentifiers: []string{\n\t\t\t\t\t\t\t\t\"ec2.amazonaws.com\",\n\t\t\t\t\t\t\t},\n\t\t\t\t\t\t},\n\t\t\t\t\t},\n\t\t\t\t},\n\t\t\t},\n\t\t}, nil)\n\t\tif err != nil {\n\t\t\treturn err\n\t\t}\n\t\t_, err = iam.NewRole(ctx, \"instance\", \u0026iam.RoleArgs{\n\t\t\tName: pulumi.String(\"instance_role\"),\n\t\t\tPath: pulumi.String(\"/system/\"),\n\t\t\tAssumeRolePolicy: pulumi.String(instanceAssumeRolePolicy.Json),\n\t\t})\n\t\tif err != nil {\n\t\t\treturn err\n\t\t}\n\t\treturn nil\n\t})\n}\n```\n```java\npackage generated_program;\n\nimport com.pulumi.Context;\nimport com.pulumi.Pulumi;\nimport com.pulumi.core.Output;\nimport com.pulumi.aws.iam.IamFunctions;\nimport com.pulumi.aws.iam.inputs.GetPolicyDocumentArgs;\nimport com.pulumi.aws.iam.Role;\nimport com.pulumi.aws.iam.RoleArgs;\nimport java.util.List;\nimport java.util.ArrayList;\nimport java.util.Map;\nimport java.io.File;\nimport java.nio.file.Files;\nimport java.nio.file.Paths;\n\npublic class App {\n public static void main(String[] args) {\n Pulumi.run(App::stack);\n }\n\n public static void stack(Context ctx) {\n final var instanceAssumeRolePolicy = IamFunctions.getPolicyDocument(GetPolicyDocumentArgs.builder()\n .statements(GetPolicyDocumentStatementArgs.builder()\n .actions(\"sts:AssumeRole\")\n .principals(GetPolicyDocumentStatementPrincipalArgs.builder()\n .type(\"Service\")\n .identifiers(\"ec2.amazonaws.com\")\n .build())\n .build())\n .build());\n\n var instance = new Role(\"instance\", RoleArgs.builder()\n .name(\"instance_role\")\n .path(\"/system/\")\n .assumeRolePolicy(instanceAssumeRolePolicy.applyValue(getPolicyDocumentResult -\u003e getPolicyDocumentResult.json()))\n .build());\n\n }\n}\n```\n```yaml\nresources:\n instance:\n type: aws:iam:Role\n properties:\n name: instance_role\n path: /system/\n assumeRolePolicy: ${instanceAssumeRolePolicy.json}\nvariables:\n instanceAssumeRolePolicy:\n fn::invoke:\n Function: aws:iam:getPolicyDocument\n Arguments:\n statements:\n - actions:\n - sts:AssumeRole\n principals:\n - type: Service\n identifiers:\n - ec2.amazonaws.com\n```\n\u003c!--End PulumiCodeChooser --\u003e\n\n### Example of Exclusive Inline Policies\n\n\u003e The `inline_policy` argument is deprecated. Use the `aws.iam.RolePolicy` resource instead. If Pulumi should exclusively manage all inline policy associations (the current behavior of this argument), use the `aws.iam.RolePoliciesExclusive` resource as well.\n\nThis example creates an IAM role with two inline IAM policies. If someone adds another inline policy out-of-band, on the next apply, this provider will remove that policy. If someone deletes these policies out-of-band, this provider will recreate them.\n\n\u003c!--Start PulumiCodeChooser --\u003e\n```typescript\nimport * as pulumi from \"@pulumi/pulumi\";\nimport * as aws from \"@pulumi/aws\";\n\nconst inlinePolicy = aws.iam.getPolicyDocument({\n statements: [{\n actions: [\"ec2:DescribeAccountAttributes\"],\n resources: [\"*\"],\n }],\n});\nconst example = new aws.iam.Role(\"example\", {\n name: \"yak_role\",\n assumeRolePolicy: instanceAssumeRolePolicy.json,\n inlinePolicies: [\n {\n name: \"my_inline_policy\",\n policy: JSON.stringify({\n Version: \"2012-10-17\",\n Statement: [{\n Action: [\"ec2:Describe*\"],\n Effect: \"Allow\",\n Resource: \"*\",\n }],\n }),\n },\n {\n name: \"policy-8675309\",\n policy: inlinePolicy.then(inlinePolicy =\u003e inlinePolicy.json),\n },\n ],\n});\n```\n```python\nimport pulumi\nimport json\nimport pulumi_aws as aws\n\ninline_policy = aws.iam.get_policy_document(statements=[{\n \"actions\": [\"ec2:DescribeAccountAttributes\"],\n \"resources\": [\"*\"],\n}])\nexample = aws.iam.Role(\"example\",\n name=\"yak_role\",\n assume_role_policy=instance_assume_role_policy[\"json\"],\n inline_policies=[\n {\n \"name\": \"my_inline_policy\",\n \"policy\": json.dumps({\n \"version\": \"2012-10-17\",\n \"statement\": [{\n \"action\": [\"ec2:Describe*\"],\n \"effect\": \"Allow\",\n \"resource\": \"*\",\n }],\n }),\n },\n {\n \"name\": \"policy-8675309\",\n \"policy\": inline_policy.json,\n },\n ])\n```\n```csharp\nusing System.Collections.Generic;\nusing System.Linq;\nusing System.Text.Json;\nusing Pulumi;\nusing Aws = Pulumi.Aws;\n\nreturn await Deployment.RunAsync(() =\u003e \n{\n var inlinePolicy = Aws.Iam.GetPolicyDocument.Invoke(new()\n {\n Statements = new[]\n {\n new Aws.Iam.Inputs.GetPolicyDocumentStatementInputArgs\n {\n Actions = new[]\n {\n \"ec2:DescribeAccountAttributes\",\n },\n Resources = new[]\n {\n \"*\",\n },\n },\n },\n });\n\n var example = new Aws.Iam.Role(\"example\", new()\n {\n Name = \"yak_role\",\n AssumeRolePolicy = instanceAssumeRolePolicy.Json,\n InlinePolicies = new[]\n {\n new Aws.Iam.Inputs.RoleInlinePolicyArgs\n {\n Name = \"my_inline_policy\",\n Policy = JsonSerializer.Serialize(new Dictionary\u003cstring, object?\u003e\n {\n [\"Version\"] = \"2012-10-17\",\n [\"Statement\"] = new[]\n {\n new Dictionary\u003cstring, object?\u003e\n {\n [\"Action\"] = new[]\n {\n \"ec2:Describe*\",\n },\n [\"Effect\"] = \"Allow\",\n [\"Resource\"] = \"*\",\n },\n },\n }),\n },\n new Aws.Iam.Inputs.RoleInlinePolicyArgs\n {\n Name = \"policy-8675309\",\n Policy = inlinePolicy.Apply(getPolicyDocumentResult =\u003e getPolicyDocumentResult.Json),\n },\n },\n });\n\n});\n```\n```go\npackage main\n\nimport (\n\t\"encoding/json\"\n\n\t\"github.com/pulumi/pulumi-aws/sdk/v6/go/aws/iam\"\n\t\"github.com/pulumi/pulumi/sdk/v3/go/pulumi\"\n)\n\nfunc main() {\n\tpulumi.Run(func(ctx *pulumi.Context) error {\n\t\tinlinePolicy, err := iam.GetPolicyDocument(ctx, \u0026iam.GetPolicyDocumentArgs{\n\t\t\tStatements: []iam.GetPolicyDocumentStatement{\n\t\t\t\t{\n\t\t\t\t\tActions: []string{\n\t\t\t\t\t\t\"ec2:DescribeAccountAttributes\",\n\t\t\t\t\t},\n\t\t\t\t\tResources: []string{\n\t\t\t\t\t\t\"*\",\n\t\t\t\t\t},\n\t\t\t\t},\n\t\t\t},\n\t\t}, nil)\n\t\tif err != nil {\n\t\t\treturn err\n\t\t}\n\t\ttmpJSON0, err := json.Marshal(map[string]interface{}{\n\t\t\t\"Version\": \"2012-10-17\",\n\t\t\t\"Statement\": []map[string]interface{}{\n\t\t\t\tmap[string]interface{}{\n\t\t\t\t\t\"Action\": []string{\n\t\t\t\t\t\t\"ec2:Describe*\",\n\t\t\t\t\t},\n\t\t\t\t\t\"Effect\": \"Allow\",\n\t\t\t\t\t\"Resource\": \"*\",\n\t\t\t\t},\n\t\t\t},\n\t\t})\n\t\tif err != nil {\n\t\t\treturn err\n\t\t}\n\t\tjson0 := string(tmpJSON0)\n\t\t_, err = iam.NewRole(ctx, \"example\", \u0026iam.RoleArgs{\n\t\t\tName: pulumi.String(\"yak_role\"),\n\t\t\tAssumeRolePolicy: pulumi.Any(instanceAssumeRolePolicy.Json),\n\t\t\tInlinePolicies: iam.RoleInlinePolicyArray{\n\t\t\t\t\u0026iam.RoleInlinePolicyArgs{\n\t\t\t\t\tName: pulumi.String(\"my_inline_policy\"),\n\t\t\t\t\tPolicy: pulumi.String(json0),\n\t\t\t\t},\n\t\t\t\t\u0026iam.RoleInlinePolicyArgs{\n\t\t\t\t\tName: pulumi.String(\"policy-8675309\"),\n\t\t\t\t\tPolicy: pulumi.String(inlinePolicy.Json),\n\t\t\t\t},\n\t\t\t},\n\t\t})\n\t\tif err != nil {\n\t\t\treturn err\n\t\t}\n\t\treturn nil\n\t})\n}\n```\n```java\npackage generated_program;\n\nimport com.pulumi.Context;\nimport com.pulumi.Pulumi;\nimport com.pulumi.core.Output;\nimport com.pulumi.aws.iam.IamFunctions;\nimport com.pulumi.aws.iam.inputs.GetPolicyDocumentArgs;\nimport com.pulumi.aws.iam.Role;\nimport com.pulumi.aws.iam.RoleArgs;\nimport com.pulumi.aws.iam.inputs.RoleInlinePolicyArgs;\nimport static com.pulumi.codegen.internal.Serialization.*;\nimport java.util.List;\nimport java.util.ArrayList;\nimport java.util.Map;\nimport java.io.File;\nimport java.nio.file.Files;\nimport java.nio.file.Paths;\n\npublic class App {\n public static void main(String[] args) {\n Pulumi.run(App::stack);\n }\n\n public static void stack(Context ctx) {\n final var inlinePolicy = IamFunctions.getPolicyDocument(GetPolicyDocumentArgs.builder()\n .statements(GetPolicyDocumentStatementArgs.builder()\n .actions(\"ec2:DescribeAccountAttributes\")\n .resources(\"*\")\n .build())\n .build());\n\n var example = new Role(\"example\", RoleArgs.builder()\n .name(\"yak_role\")\n .assumeRolePolicy(instanceAssumeRolePolicy.json())\n .inlinePolicies( \n RoleInlinePolicyArgs.builder()\n .name(\"my_inline_policy\")\n .policy(serializeJson(\n jsonObject(\n jsonProperty(\"Version\", \"2012-10-17\"),\n jsonProperty(\"Statement\", jsonArray(jsonObject(\n jsonProperty(\"Action\", jsonArray(\"ec2:Describe*\")),\n jsonProperty(\"Effect\", \"Allow\"),\n jsonProperty(\"Resource\", \"*\")\n )))\n )))\n .build(),\n RoleInlinePolicyArgs.builder()\n .name(\"policy-8675309\")\n .policy(inlinePolicy.applyValue(getPolicyDocumentResult -\u003e getPolicyDocumentResult.json()))\n .build())\n .build());\n\n }\n}\n```\n```yaml\nresources:\n example:\n type: aws:iam:Role\n properties:\n name: yak_role\n assumeRolePolicy: ${instanceAssumeRolePolicy.json}\n inlinePolicies:\n - name: my_inline_policy\n policy:\n fn::toJSON:\n Version: 2012-10-17\n Statement:\n - Action:\n - ec2:Describe*\n Effect: Allow\n Resource: '*'\n - name: policy-8675309\n policy: ${inlinePolicy.json}\nvariables:\n inlinePolicy:\n fn::invoke:\n Function: aws:iam:getPolicyDocument\n Arguments:\n statements:\n - actions:\n - ec2:DescribeAccountAttributes\n resources:\n - '*'\n```\n\u003c!--End PulumiCodeChooser --\u003e\n\n### Example of Removing Inline Policies\n\n\u003e The `inline_policy` argument is deprecated. Use the `aws.iam.RolePolicy` resource instead. If Pulumi should exclusively manage all inline policy associations (the current behavior of this argument), use the `aws.iam.RolePoliciesExclusive` resource as well.\n\nThis example creates an IAM role with what appears to be empty IAM `inline_policy` argument instead of using `inline_policy` as a configuration block. The result is that if someone were to add an inline policy out-of-band, on the next apply, this provider will remove that policy.\n\n\u003c!--Start PulumiCodeChooser --\u003e\n```typescript\nimport * as pulumi from \"@pulumi/pulumi\";\nimport * as aws from \"@pulumi/aws\";\n\nconst example = new aws.iam.Role(\"example\", {\n inlinePolicies: [{}],\n name: \"yak_role\",\n assumeRolePolicy: instanceAssumeRolePolicy.json,\n});\n```\n```python\nimport pulumi\nimport pulumi_aws as aws\n\nexample = aws.iam.Role(\"example\",\n inline_policies=[{}],\n name=\"yak_role\",\n assume_role_policy=instance_assume_role_policy[\"json\"])\n```\n```csharp\nusing System.Collections.Generic;\nusing System.Linq;\nusing Pulumi;\nusing Aws = Pulumi.Aws;\n\nreturn await Deployment.RunAsync(() =\u003e \n{\n var example = new Aws.Iam.Role(\"example\", new()\n {\n InlinePolicies = new[]\n {\n null,\n },\n Name = \"yak_role\",\n AssumeRolePolicy = instanceAssumeRolePolicy.Json,\n });\n\n});\n```\n```go\npackage main\n\nimport (\n\t\"github.com/pulumi/pulumi-aws/sdk/v6/go/aws/iam\"\n\t\"github.com/pulumi/pulumi/sdk/v3/go/pulumi\"\n)\n\nfunc main() {\n\tpulumi.Run(func(ctx *pulumi.Context) error {\n\t\t_, err := iam.NewRole(ctx, \"example\", \u0026iam.RoleArgs{\n\t\t\tInlinePolicies: iam.RoleInlinePolicyArray{\n\t\t\t\tnil,\n\t\t\t},\n\t\t\tName: pulumi.String(\"yak_role\"),\n\t\t\tAssumeRolePolicy: pulumi.Any(instanceAssumeRolePolicy.Json),\n\t\t})\n\t\tif err != nil {\n\t\t\treturn err\n\t\t}\n\t\treturn nil\n\t})\n}\n```\n```java\npackage generated_program;\n\nimport com.pulumi.Context;\nimport com.pulumi.Pulumi;\nimport com.pulumi.core.Output;\nimport com.pulumi.aws.iam.Role;\nimport com.pulumi.aws.iam.RoleArgs;\nimport com.pulumi.aws.iam.inputs.RoleInlinePolicyArgs;\nimport java.util.List;\nimport java.util.ArrayList;\nimport java.util.Map;\nimport java.io.File;\nimport java.nio.file.Files;\nimport java.nio.file.Paths;\n\npublic class App {\n public static void main(String[] args) {\n Pulumi.run(App::stack);\n }\n\n public static void stack(Context ctx) {\n var example = new Role(\"example\", RoleArgs.builder()\n .inlinePolicies()\n .name(\"yak_role\")\n .assumeRolePolicy(instanceAssumeRolePolicy.json())\n .build());\n\n }\n}\n```\n```yaml\nresources:\n example:\n type: aws:iam:Role\n properties:\n inlinePolicies:\n - {}\n name: yak_role\n assumeRolePolicy: ${instanceAssumeRolePolicy.json}\n```\n\u003c!--End PulumiCodeChooser --\u003e\n\n### Example of Exclusive Managed Policies\n\nThis example creates an IAM role and attaches two managed IAM policies. If someone attaches another managed policy out-of-band, on the next apply, this provider will detach that policy. If someone detaches these policies out-of-band, this provider will attach them again.\n\n\u003c!--Start PulumiCodeChooser --\u003e\n```typescript\nimport * as pulumi from \"@pulumi/pulumi\";\nimport * as aws from \"@pulumi/aws\";\n\nconst policyOne = new aws.iam.Policy(\"policy_one\", {\n name: \"policy-618033\",\n policy: JSON.stringify({\n Version: \"2012-10-17\",\n Statement: [{\n Action: [\"ec2:Describe*\"],\n Effect: \"Allow\",\n Resource: \"*\",\n }],\n }),\n});\nconst policyTwo = new aws.iam.Policy(\"policy_two\", {\n name: \"policy-381966\",\n policy: JSON.stringify({\n Version: \"2012-10-17\",\n Statement: [{\n Action: [\n \"s3:ListAllMyBuckets\",\n \"s3:ListBucket\",\n \"s3:HeadBucket\",\n ],\n Effect: \"Allow\",\n Resource: \"*\",\n }],\n }),\n});\nconst example = new aws.iam.Role(\"example\", {\n name: \"yak_role\",\n assumeRolePolicy: instanceAssumeRolePolicy.json,\n managedPolicyArns: [\n policyOne.arn,\n policyTwo.arn,\n ],\n});\n```\n```python\nimport pulumi\nimport json\nimport pulumi_aws as aws\n\npolicy_one = aws.iam.Policy(\"policy_one\",\n name=\"policy-618033\",\n policy=json.dumps({\n \"Version\": \"2012-10-17\",\n \"Statement\": [{\n \"Action\": [\"ec2:Describe*\"],\n \"Effect\": \"Allow\",\n \"Resource\": \"*\",\n }],\n }))\npolicy_two = aws.iam.Policy(\"policy_two\",\n name=\"policy-381966\",\n policy=json.dumps({\n \"Version\": \"2012-10-17\",\n \"Statement\": [{\n \"Action\": [\n \"s3:ListAllMyBuckets\",\n \"s3:ListBucket\",\n \"s3:HeadBucket\",\n ],\n \"Effect\": \"Allow\",\n \"Resource\": \"*\",\n }],\n }))\nexample = aws.iam.Role(\"example\",\n name=\"yak_role\",\n assume_role_policy=instance_assume_role_policy[\"json\"],\n managed_policy_arns=[\n policy_one.arn,\n policy_two.arn,\n ])\n```\n```csharp\nusing System.Collections.Generic;\nusing System.Linq;\nusing System.Text.Json;\nusing Pulumi;\nusing Aws = Pulumi.Aws;\n\nreturn await Deployment.RunAsync(() =\u003e \n{\n var policyOne = new Aws.Iam.Policy(\"policy_one\", new()\n {\n Name = \"policy-618033\",\n PolicyDocument = JsonSerializer.Serialize(new Dictionary\u003cstring, object?\u003e\n {\n [\"Version\"] = \"2012-10-17\",\n [\"Statement\"] = new[]\n {\n new Dictionary\u003cstring, object?\u003e\n {\n [\"Action\"] = new[]\n {\n \"ec2:Describe*\",\n },\n [\"Effect\"] = \"Allow\",\n [\"Resource\"] = \"*\",\n },\n },\n }),\n });\n\n var policyTwo = new Aws.Iam.Policy(\"policy_two\", new()\n {\n Name = \"policy-381966\",\n PolicyDocument = JsonSerializer.Serialize(new Dictionary\u003cstring, object?\u003e\n {\n [\"Version\"] = \"2012-10-17\",\n [\"Statement\"] = new[]\n {\n new Dictionary\u003cstring, object?\u003e\n {\n [\"Action\"] = new[]\n {\n \"s3:ListAllMyBuckets\",\n \"s3:ListBucket\",\n \"s3:HeadBucket\",\n },\n [\"Effect\"] = \"Allow\",\n [\"Resource\"] = \"*\",\n },\n },\n }),\n });\n\n var example = new Aws.Iam.Role(\"example\", new()\n {\n Name = \"yak_role\",\n AssumeRolePolicy = instanceAssumeRolePolicy.Json,\n ManagedPolicyArns = new[]\n {\n policyOne.Arn,\n policyTwo.Arn,\n },\n });\n\n});\n```\n```go\npackage main\n\nimport (\n\t\"encoding/json\"\n\n\t\"github.com/pulumi/pulumi-aws/sdk/v6/go/aws/iam\"\n\t\"github.com/pulumi/pulumi/sdk/v3/go/pulumi\"\n)\n\nfunc main() {\n\tpulumi.Run(func(ctx *pulumi.Context) error {\n\t\ttmpJSON0, err := json.Marshal(map[string]interface{}{\n\t\t\t\"Version\": \"2012-10-17\",\n\t\t\t\"Statement\": []map[string]interface{}{\n\t\t\t\tmap[string]interface{}{\n\t\t\t\t\t\"Action\": []string{\n\t\t\t\t\t\t\"ec2:Describe*\",\n\t\t\t\t\t},\n\t\t\t\t\t\"Effect\": \"Allow\",\n\t\t\t\t\t\"Resource\": \"*\",\n\t\t\t\t},\n\t\t\t},\n\t\t})\n\t\tif err != nil {\n\t\t\treturn err\n\t\t}\n\t\tjson0 := string(tmpJSON0)\n\t\tpolicyOne, err := iam.NewPolicy(ctx, \"policy_one\", \u0026iam.PolicyArgs{\n\t\t\tName: pulumi.String(\"policy-618033\"),\n\t\t\tPolicy: pulumi.String(json0),\n\t\t})\n\t\tif err != nil {\n\t\t\treturn err\n\t\t}\n\t\ttmpJSON1, err := json.Marshal(map[string]interface{}{\n\t\t\t\"Version\": \"2012-10-17\",\n\t\t\t\"Statement\": []map[string]interface{}{\n\t\t\t\tmap[string]interface{}{\n\t\t\t\t\t\"Action\": []string{\n\t\t\t\t\t\t\"s3:ListAllMyBuckets\",\n\t\t\t\t\t\t\"s3:ListBucket\",\n\t\t\t\t\t\t\"s3:HeadBucket\",\n\t\t\t\t\t},\n\t\t\t\t\t\"Effect\": \"Allow\",\n\t\t\t\t\t\"Resource\": \"*\",\n\t\t\t\t},\n\t\t\t},\n\t\t})\n\t\tif err != nil {\n\t\t\treturn err\n\t\t}\n\t\tjson1 := string(tmpJSON1)\n\t\tpolicyTwo, err := iam.NewPolicy(ctx, \"policy_two\", \u0026iam.PolicyArgs{\n\t\t\tName: pulumi.String(\"policy-381966\"),\n\t\t\tPolicy: pulumi.String(json1),\n\t\t})\n\t\tif err != nil {\n\t\t\treturn err\n\t\t}\n\t\t_, err = iam.NewRole(ctx, \"example\", \u0026iam.RoleArgs{\n\t\t\tName: pulumi.String(\"yak_role\"),\n\t\t\tAssumeRolePolicy: pulumi.Any(instanceAssumeRolePolicy.Json),\n\t\t\tManagedPolicyArns: pulumi.StringArray{\n\t\t\t\tpolicyOne.Arn,\n\t\t\t\tpolicyTwo.Arn,\n\t\t\t},\n\t\t})\n\t\tif err != nil {\n\t\t\treturn err\n\t\t}\n\t\treturn nil\n\t})\n}\n```\n```java\npackage generated_program;\n\nimport com.pulumi.Context;\nimport com.pulumi.Pulumi;\nimport com.pulumi.core.Output;\nimport com.pulumi.aws.iam.Policy;\nimport com.pulumi.aws.iam.PolicyArgs;\nimport com.pulumi.aws.iam.Role;\nimport com.pulumi.aws.iam.RoleArgs;\nimport static com.pulumi.codegen.internal.Serialization.*;\nimport java.util.List;\nimport java.util.ArrayList;\nimport java.util.Map;\nimport java.io.File;\nimport java.nio.file.Files;\nimport java.nio.file.Paths;\n\npublic class App {\n public static void main(String[] args) {\n Pulumi.run(App::stack);\n }\n\n public static void stack(Context ctx) {\n var policyOne = new Policy(\"policyOne\", PolicyArgs.builder()\n .name(\"policy-618033\")\n .policy(serializeJson(\n jsonObject(\n jsonProperty(\"Version\", \"2012-10-17\"),\n jsonProperty(\"Statement\", jsonArray(jsonObject(\n jsonProperty(\"Action\", jsonArray(\"ec2:Describe*\")),\n jsonProperty(\"Effect\", \"Allow\"),\n jsonProperty(\"Resource\", \"*\")\n )))\n )))\n .build());\n\n var policyTwo = new Policy(\"policyTwo\", PolicyArgs.builder()\n .name(\"policy-381966\")\n .policy(serializeJson(\n jsonObject(\n jsonProperty(\"Version\", \"2012-10-17\"),\n jsonProperty(\"Statement\", jsonArray(jsonObject(\n jsonProperty(\"Action\", jsonArray(\n \"s3:ListAllMyBuckets\", \n \"s3:ListBucket\", \n \"s3:HeadBucket\"\n )),\n jsonProperty(\"Effect\", \"Allow\"),\n jsonProperty(\"Resource\", \"*\")\n )))\n )))\n .build());\n\n var example = new Role(\"example\", RoleArgs.builder()\n .name(\"yak_role\")\n .assumeRolePolicy(instanceAssumeRolePolicy.json())\n .managedPolicyArns( \n policyOne.arn(),\n policyTwo.arn())\n .build());\n\n }\n}\n```\n```yaml\nresources:\n example:\n type: aws:iam:Role\n properties:\n name: yak_role\n assumeRolePolicy: ${instanceAssumeRolePolicy.json}\n managedPolicyArns:\n - ${policyOne.arn}\n - ${policyTwo.arn}\n policyOne:\n type: aws:iam:Policy\n name: policy_one\n properties:\n name: policy-618033\n policy:\n fn::toJSON:\n Version: 2012-10-17\n Statement:\n - Action:\n - ec2:Describe*\n Effect: Allow\n Resource: '*'\n policyTwo:\n type: aws:iam:Policy\n name: policy_two\n properties:\n name: policy-381966\n policy:\n fn::toJSON:\n Version: 2012-10-17\n Statement:\n - Action:\n - s3:ListAllMyBuckets\n - s3:ListBucket\n - s3:HeadBucket\n Effect: Allow\n Resource: '*'\n```\n\u003c!--End PulumiCodeChooser --\u003e\n\n### Example of Removing Managed Policies\n\nThis example creates an IAM role with an empty `managed_policy_arns` argument. If someone attaches a policy out-of-band, on the next apply, this provider will detach that policy.\n\n\u003c!--Start PulumiCodeChooser --\u003e\n```typescript\nimport * as pulumi from \"@pulumi/pulumi\";\nimport * as aws from \"@pulumi/aws\";\n\nconst example = new aws.iam.Role(\"example\", {\n name: \"yak_role\",\n assumeRolePolicy: instanceAssumeRolePolicy.json,\n managedPolicyArns: [],\n});\n```\n```python\nimport pulumi\nimport pulumi_aws as aws\n\nexample = aws.iam.Role(\"example\",\n name=\"yak_role\",\n assume_role_policy=instance_assume_role_policy[\"json\"],\n managed_policy_arns=[])\n```\n```csharp\nusing System.Collections.Generic;\nusing System.Linq;\nusing Pulumi;\nusing Aws = Pulumi.Aws;\n\nreturn await Deployment.RunAsync(() =\u003e \n{\n var example = new Aws.Iam.Role(\"example\", new()\n {\n Name = \"yak_role\",\n AssumeRolePolicy = instanceAssumeRolePolicy.Json,\n ManagedPolicyArns = new[] {},\n });\n\n});\n```\n```go\npackage main\n\nimport (\n\t\"github.com/pulumi/pulumi-aws/sdk/v6/go/aws/iam\"\n\t\"github.com/pulumi/pulumi/sdk/v3/go/pulumi\"\n)\n\nfunc main() {\n\tpulumi.Run(func(ctx *pulumi.Context) error {\n\t\t_, err := iam.NewRole(ctx, \"example\", \u0026iam.RoleArgs{\n\t\t\tName: pulumi.String(\"yak_role\"),\n\t\t\tAssumeRolePolicy: pulumi.Any(instanceAssumeRolePolicy.Json),\n\t\t\tManagedPolicyArns: pulumi.StringArray{},\n\t\t})\n\t\tif err != nil {\n\t\t\treturn err\n\t\t}\n\t\treturn nil\n\t})\n}\n```\n```java\npackage generated_program;\n\nimport com.pulumi.Context;\nimport com.pulumi.Pulumi;\nimport com.pulumi.core.Output;\nimport com.pulumi.aws.iam.Role;\nimport com.pulumi.aws.iam.RoleArgs;\nimport java.util.List;\nimport java.util.ArrayList;\nimport java.util.Map;\nimport java.io.File;\nimport java.nio.file.Files;\nimport java.nio.file.Paths;\n\npublic class App {\n public static void main(String[] args) {\n Pulumi.run(App::stack);\n }\n\n public static void stack(Context ctx) {\n var example = new Role(\"example\", RoleArgs.builder()\n .name(\"yak_role\")\n .assumeRolePolicy(instanceAssumeRolePolicy.json())\n .managedPolicyArns()\n .build());\n\n }\n}\n```\n```yaml\nresources:\n example:\n type: aws:iam:Role\n properties:\n name: yak_role\n assumeRolePolicy: ${instanceAssumeRolePolicy.json}\n managedPolicyArns: []\n```\n\u003c!--End PulumiCodeChooser --\u003e\n\n## Import\n\nUsing `pulumi import`, import IAM Roles using the `name`. For example:\n\n```sh\n$ pulumi import aws:iam/role:Role developer developer_name\n```\n",
"properties": {
"arn": {
"type": "string",
@@ -275202,6 +275202,7 @@
"items": {
"$ref": "#/types/aws:iam/RoleInlinePolicy:RoleInlinePolicy"
},
+ "description": "Configuration block defining an exclusive set of IAM inline policies associated with the IAM role. See below. If no blocks are configured, Pulumi will not manage any inline policies in this resource. Configuring one empty block (i.e., `inline_policy {}`) will cause Pulumi to remove _all_ inline policies added out of band on `apply`.\n",
"deprecationMessage": "The inline_policy argument is deprecated. Use the aws.iam.RolePolicy resource instead. If Terraform should exclusively manage all inline policy associations (the current behavior of this argument), use the aws.iam.RolePoliciesExclusive resource as well."
},
"managedPolicyArns": {
@@ -275288,6 +275289,7 @@
"items": {
"$ref": "#/types/aws:iam/RoleInlinePolicy:RoleInlinePolicy"
},
+ "description": "Configuration block defining an exclusive set of IAM inline policies associated with the IAM role. See below. If no blocks are configured, Pulumi will not manage any inline policies in this resource. Configuring one empty block (i.e., `inline_policy {}`) will cause Pulumi to remove _all_ inline policies added out of band on `apply`.\n",
"deprecationMessage": "The inline_policy argument is deprecated. Use the aws.iam.RolePolicy resource instead. If Terraform should exclusively manage all inline policy associations (the current behavior of this argument), use the aws.iam.RolePoliciesExclusive resource as well."
},
"managedPolicyArns": {
@@ -275367,6 +275369,7 @@
"items": {
"$ref": "#/types/aws:iam/RoleInlinePolicy:RoleInlinePolicy"
},
+ "description": "Configuration block defining an exclusive set of IAM inline policies associated with the IAM role. See below. If no blocks are configured, Pulumi will not manage any inline policies in this resource. Configuring one empty block (i.e., `inline_policy {}`) will cause Pulumi to remove _all_ inline policies added out of band on `apply`.\n",
"deprecationMessage": "The inline_policy argument is deprecated. Use the aws.iam.RolePolicy resource instead. If Terraform should exclusively manage all inline policy associations (the current behavior of this argument), use the aws.iam.RolePoliciesExclusive resource as well."
},
"managedPolicyArns": {
diff --git a/sdk/java/src/main/java/com/pulumi/aws/iam/Role.java b/sdk/java/src/main/java/com/pulumi/aws/iam/Role.java
index c5abfb788f4..7eb6c6350c0 100644
--- a/sdk/java/src/main/java/com/pulumi/aws/iam/Role.java
+++ b/sdk/java/src/main/java/com/pulumi/aws/iam/Role.java
@@ -20,6 +20,337 @@
import javax.annotation.Nullable;
/**
+ * Provides an IAM role.
+ *
+ * > **NOTE:** If policies are attached to the role via the `aws.iam.PolicyAttachment` resource and you are modifying the role `name` or `path`, the `force_detach_policies` argument must be set to `true` and applied before attempting the operation otherwise you will encounter a `DeleteConflict` error. The `aws.iam.RolePolicyAttachment` resource (recommended) does not have this requirement.
+ *
+ * > **NOTE:** If you use this resource's `managed_policy_arns` argument or `inline_policy` configuration blocks, this resource will take over exclusive management of the role's respective policy types (e.g., both policy types if both arguments are used). These arguments are incompatible with other ways of managing a role's policies, such as `aws.iam.PolicyAttachment`, `aws.iam.RolePolicyAttachment`, and `aws.iam.RolePolicy`. If you attempt to manage a role's policies by multiple means, you will get resource cycling and/or errors.
+ *
+ * > **NOTE:** We suggest using explicit JSON encoding or `aws.iam.getPolicyDocument` when assigning a value to `policy`. They seamlessly translate configuration to JSON, enabling you to maintain consistency within your configuration without the need for context switches. Also, you can sidestep potential complications arising from formatting discrepancies, whitespace inconsistencies, and other nuances inherent to JSON.
+ *
+ * ## Example Usage
+ *
+ * ### Basic Example
+ *
+ * <!--Start PulumiCodeChooser -->
+ *
+ * {@code
+ * package generated_program;
+ *
+ * import com.pulumi.Context;
+ * import com.pulumi.Pulumi;
+ * import com.pulumi.core.Output;
+ * import com.pulumi.aws.iam.Role;
+ * import com.pulumi.aws.iam.RoleArgs;
+ * import static com.pulumi.codegen.internal.Serialization.*;
+ * import java.util.List;
+ * import java.util.ArrayList;
+ * import java.util.Map;
+ * import java.io.File;
+ * import java.nio.file.Files;
+ * import java.nio.file.Paths;
+ *
+ * public class App {
+ * public static void main(String[] args) {
+ * Pulumi.run(App::stack);
+ * }
+ *
+ * public static void stack(Context ctx) {
+ * var testRole = new Role("testRole", RoleArgs.builder()
+ * .name("test_role")
+ * .assumeRolePolicy(serializeJson(
+ * jsonObject(
+ * jsonProperty("Version", "2012-10-17"),
+ * jsonProperty("Statement", jsonArray(jsonObject(
+ * jsonProperty("Action", "sts:AssumeRole"),
+ * jsonProperty("Effect", "Allow"),
+ * jsonProperty("Sid", ""),
+ * jsonProperty("Principal", jsonObject(
+ * jsonProperty("Service", "ec2.amazonaws.com")
+ * ))
+ * )))
+ * )))
+ * .tags(Map.of("tag-key", "tag-value"))
+ * .build());
+ *
+ * }
+ * }
+ * }
+ *
+ * <!--End PulumiCodeChooser -->
+ *
+ * ### Example of Using Data Source for Assume Role Policy
+ *
+ * <!--Start PulumiCodeChooser -->
+ *
+ * {@code
+ * package generated_program;
+ *
+ * import com.pulumi.Context;
+ * import com.pulumi.Pulumi;
+ * import com.pulumi.core.Output;
+ * import com.pulumi.aws.iam.IamFunctions;
+ * import com.pulumi.aws.iam.inputs.GetPolicyDocumentArgs;
+ * import com.pulumi.aws.iam.Role;
+ * import com.pulumi.aws.iam.RoleArgs;
+ * import java.util.List;
+ * import java.util.ArrayList;
+ * import java.util.Map;
+ * import java.io.File;
+ * import java.nio.file.Files;
+ * import java.nio.file.Paths;
+ *
+ * public class App {
+ * public static void main(String[] args) {
+ * Pulumi.run(App::stack);
+ * }
+ *
+ * public static void stack(Context ctx) {
+ * final var instanceAssumeRolePolicy = IamFunctions.getPolicyDocument(GetPolicyDocumentArgs.builder()
+ * .statements(GetPolicyDocumentStatementArgs.builder()
+ * .actions("sts:AssumeRole")
+ * .principals(GetPolicyDocumentStatementPrincipalArgs.builder()
+ * .type("Service")
+ * .identifiers("ec2.amazonaws.com")
+ * .build())
+ * .build())
+ * .build());
+ *
+ * var instance = new Role("instance", RoleArgs.builder()
+ * .name("instance_role")
+ * .path("/system/")
+ * .assumeRolePolicy(instanceAssumeRolePolicy.applyValue(getPolicyDocumentResult -> getPolicyDocumentResult.json()))
+ * .build());
+ *
+ * }
+ * }
+ * }
+ *
+ * <!--End PulumiCodeChooser -->
+ *
+ * ### Example of Exclusive Inline Policies
+ *
+ * > The `inline_policy` argument is deprecated. Use the `aws.iam.RolePolicy` resource instead. If Pulumi should exclusively manage all inline policy associations (the current behavior of this argument), use the `aws.iam.RolePoliciesExclusive` resource as well.
+ *
+ * This example creates an IAM role with two inline IAM policies. If someone adds another inline policy out-of-band, on the next apply, this provider will remove that policy. If someone deletes these policies out-of-band, this provider will recreate them.
+ *
+ * <!--Start PulumiCodeChooser -->
+ *
+ * {@code
+ * package generated_program;
+ *
+ * import com.pulumi.Context;
+ * import com.pulumi.Pulumi;
+ * import com.pulumi.core.Output;
+ * import com.pulumi.aws.iam.IamFunctions;
+ * import com.pulumi.aws.iam.inputs.GetPolicyDocumentArgs;
+ * import com.pulumi.aws.iam.Role;
+ * import com.pulumi.aws.iam.RoleArgs;
+ * import com.pulumi.aws.iam.inputs.RoleInlinePolicyArgs;
+ * import static com.pulumi.codegen.internal.Serialization.*;
+ * import java.util.List;
+ * import java.util.ArrayList;
+ * import java.util.Map;
+ * import java.io.File;
+ * import java.nio.file.Files;
+ * import java.nio.file.Paths;
+ *
+ * public class App {
+ * public static void main(String[] args) {
+ * Pulumi.run(App::stack);
+ * }
+ *
+ * public static void stack(Context ctx) {
+ * final var inlinePolicy = IamFunctions.getPolicyDocument(GetPolicyDocumentArgs.builder()
+ * .statements(GetPolicyDocumentStatementArgs.builder()
+ * .actions("ec2:DescribeAccountAttributes")
+ * .resources("*")
+ * .build())
+ * .build());
+ *
+ * var example = new Role("example", RoleArgs.builder()
+ * .name("yak_role")
+ * .assumeRolePolicy(instanceAssumeRolePolicy.json())
+ * .inlinePolicies(
+ * RoleInlinePolicyArgs.builder()
+ * .name("my_inline_policy")
+ * .policy(serializeJson(
+ * jsonObject(
+ * jsonProperty("Version", "2012-10-17"),
+ * jsonProperty("Statement", jsonArray(jsonObject(
+ * jsonProperty("Action", jsonArray("ec2:Describe*")),
+ * jsonProperty("Effect", "Allow"),
+ * jsonProperty("Resource", "*")
+ * )))
+ * )))
+ * .build(),
+ * RoleInlinePolicyArgs.builder()
+ * .name("policy-8675309")
+ * .policy(inlinePolicy.applyValue(getPolicyDocumentResult -> getPolicyDocumentResult.json()))
+ * .build())
+ * .build());
+ *
+ * }
+ * }
+ * }
+ *
+ * <!--End PulumiCodeChooser -->
+ *
+ * ### Example of Removing Inline Policies
+ *
+ * > The `inline_policy` argument is deprecated. Use the `aws.iam.RolePolicy` resource instead. If Pulumi should exclusively manage all inline policy associations (the current behavior of this argument), use the `aws.iam.RolePoliciesExclusive` resource as well.
+ *
+ * This example creates an IAM role with what appears to be empty IAM `inline_policy` argument instead of using `inline_policy` as a configuration block. The result is that if someone were to add an inline policy out-of-band, on the next apply, this provider will remove that policy.
+ *
+ * <!--Start PulumiCodeChooser -->
+ *
+ * {@code
+ * package generated_program;
+ *
+ * import com.pulumi.Context;
+ * import com.pulumi.Pulumi;
+ * import com.pulumi.core.Output;
+ * import com.pulumi.aws.iam.Role;
+ * import com.pulumi.aws.iam.RoleArgs;
+ * import com.pulumi.aws.iam.inputs.RoleInlinePolicyArgs;
+ * import java.util.List;
+ * import java.util.ArrayList;
+ * import java.util.Map;
+ * import java.io.File;
+ * import java.nio.file.Files;
+ * import java.nio.file.Paths;
+ *
+ * public class App {
+ * public static void main(String[] args) {
+ * Pulumi.run(App::stack);
+ * }
+ *
+ * public static void stack(Context ctx) {
+ * var example = new Role("example", RoleArgs.builder()
+ * .inlinePolicies()
+ * .name("yak_role")
+ * .assumeRolePolicy(instanceAssumeRolePolicy.json())
+ * .build());
+ *
+ * }
+ * }
+ * }
+ *
+ * <!--End PulumiCodeChooser -->
+ *
+ * ### Example of Exclusive Managed Policies
+ *
+ * This example creates an IAM role and attaches two managed IAM policies. If someone attaches another managed policy out-of-band, on the next apply, this provider will detach that policy. If someone detaches these policies out-of-band, this provider will attach them again.
+ *
+ * <!--Start PulumiCodeChooser -->
+ *
+ * {@code
+ * package generated_program;
+ *
+ * import com.pulumi.Context;
+ * import com.pulumi.Pulumi;
+ * import com.pulumi.core.Output;
+ * import com.pulumi.aws.iam.Policy;
+ * import com.pulumi.aws.iam.PolicyArgs;
+ * import com.pulumi.aws.iam.Role;
+ * import com.pulumi.aws.iam.RoleArgs;
+ * import static com.pulumi.codegen.internal.Serialization.*;
+ * import java.util.List;
+ * import java.util.ArrayList;
+ * import java.util.Map;
+ * import java.io.File;
+ * import java.nio.file.Files;
+ * import java.nio.file.Paths;
+ *
+ * public class App {
+ * public static void main(String[] args) {
+ * Pulumi.run(App::stack);
+ * }
+ *
+ * public static void stack(Context ctx) {
+ * var policyOne = new Policy("policyOne", PolicyArgs.builder()
+ * .name("policy-618033")
+ * .policy(serializeJson(
+ * jsonObject(
+ * jsonProperty("Version", "2012-10-17"),
+ * jsonProperty("Statement", jsonArray(jsonObject(
+ * jsonProperty("Action", jsonArray("ec2:Describe*")),
+ * jsonProperty("Effect", "Allow"),
+ * jsonProperty("Resource", "*")
+ * )))
+ * )))
+ * .build());
+ *
+ * var policyTwo = new Policy("policyTwo", PolicyArgs.builder()
+ * .name("policy-381966")
+ * .policy(serializeJson(
+ * jsonObject(
+ * jsonProperty("Version", "2012-10-17"),
+ * jsonProperty("Statement", jsonArray(jsonObject(
+ * jsonProperty("Action", jsonArray(
+ * "s3:ListAllMyBuckets",
+ * "s3:ListBucket",
+ * "s3:HeadBucket"
+ * )),
+ * jsonProperty("Effect", "Allow"),
+ * jsonProperty("Resource", "*")
+ * )))
+ * )))
+ * .build());
+ *
+ * var example = new Role("example", RoleArgs.builder()
+ * .name("yak_role")
+ * .assumeRolePolicy(instanceAssumeRolePolicy.json())
+ * .managedPolicyArns(
+ * policyOne.arn(),
+ * policyTwo.arn())
+ * .build());
+ *
+ * }
+ * }
+ * }
+ *
+ * <!--End PulumiCodeChooser -->
+ *
+ * ### Example of Removing Managed Policies
+ *
+ * This example creates an IAM role with an empty `managed_policy_arns` argument. If someone attaches a policy out-of-band, on the next apply, this provider will detach that policy.
+ *
+ * <!--Start PulumiCodeChooser -->
+ *
+ * {@code
+ * package generated_program;
+ *
+ * import com.pulumi.Context;
+ * import com.pulumi.Pulumi;
+ * import com.pulumi.core.Output;
+ * import com.pulumi.aws.iam.Role;
+ * import com.pulumi.aws.iam.RoleArgs;
+ * import java.util.List;
+ * import java.util.ArrayList;
+ * import java.util.Map;
+ * import java.io.File;
+ * import java.nio.file.Files;
+ * import java.nio.file.Paths;
+ *
+ * public class App {
+ * public static void main(String[] args) {
+ * Pulumi.run(App::stack);
+ * }
+ *
+ * public static void stack(Context ctx) {
+ * var example = new Role("example", RoleArgs.builder()
+ * .name("yak_role")
+ * .assumeRolePolicy(instanceAssumeRolePolicy.json())
+ * .managedPolicyArns()
+ * .build());
+ *
+ * }
+ * }
+ * }
+ *
+ * <!--End PulumiCodeChooser -->
+ *
* ## Import
*
* Using `pulumi import`, import IAM Roles using the `name`. For example:
@@ -110,6 +441,8 @@ public Output> forceDetachPolicies() {
return Codegen.optional(this.forceDetachPolicies);
}
/**
+ * Configuration block defining an exclusive set of IAM inline policies associated with the IAM role. See below. If no blocks are configured, Pulumi will not manage any inline policies in this resource. Configuring one empty block (i.e., `inline_policy {}`) will cause Pulumi to remove _all_ inline policies added out of band on `apply`.
+ *
* @deprecated
* The inline_policy argument is deprecated. Use the aws.iam.RolePolicy resource instead. If Terraform should exclusively manage all inline policy associations (the current behavior of this argument), use the aws.iam.RolePoliciesExclusive resource as well.
*
@@ -118,6 +451,10 @@ public Output> forceDetachPolicies() {
@Export(name="inlinePolicies", refs={List.class,RoleInlinePolicy.class}, tree="[0,1]")
private Output> inlinePolicies;
+ /**
+ * @return Configuration block defining an exclusive set of IAM inline policies associated with the IAM role. See below. If no blocks are configured, Pulumi will not manage any inline policies in this resource. Configuring one empty block (i.e., `inline_policy {}`) will cause Pulumi to remove _all_ inline policies added out of band on `apply`.
+ *
+ */
public Output> inlinePolicies() {
return this.inlinePolicies;
}
diff --git a/sdk/java/src/main/java/com/pulumi/aws/iam/RoleArgs.java b/sdk/java/src/main/java/com/pulumi/aws/iam/RoleArgs.java
index 27c50c2b6a7..d9a07869f54 100644
--- a/sdk/java/src/main/java/com/pulumi/aws/iam/RoleArgs.java
+++ b/sdk/java/src/main/java/com/pulumi/aws/iam/RoleArgs.java
@@ -75,6 +75,8 @@ public Optional> forceDetachPolicies() {
}
/**
+ * Configuration block defining an exclusive set of IAM inline policies associated with the IAM role. See below. If no blocks are configured, Pulumi will not manage any inline policies in this resource. Configuring one empty block (i.e., `inline_policy {}`) will cause Pulumi to remove _all_ inline policies added out of band on `apply`.
+ *
* @deprecated
* The inline_policy argument is deprecated. Use the aws.iam.RolePolicy resource instead. If Terraform should exclusively manage all inline policy associations (the current behavior of this argument), use the aws.iam.RolePoliciesExclusive resource as well.
*
@@ -84,6 +86,8 @@ public Optional> forceDetachPolicies() {
private @Nullable Output> inlinePolicies;
/**
+ * @return Configuration block defining an exclusive set of IAM inline policies associated with the IAM role. See below. If no blocks are configured, Pulumi will not manage any inline policies in this resource. Configuring one empty block (i.e., `inline_policy {}`) will cause Pulumi to remove _all_ inline policies added out of band on `apply`.
+ *
* @deprecated
* The inline_policy argument is deprecated. Use the aws.iam.RolePolicy resource instead. If Terraform should exclusively manage all inline policy associations (the current behavior of this argument), use the aws.iam.RolePoliciesExclusive resource as well.
*
@@ -296,6 +300,8 @@ public Builder forceDetachPolicies(Boolean forceDetachPolicies) {
}
/**
+ * @param inlinePolicies Configuration block defining an exclusive set of IAM inline policies associated with the IAM role. See below. If no blocks are configured, Pulumi will not manage any inline policies in this resource. Configuring one empty block (i.e., `inline_policy {}`) will cause Pulumi to remove _all_ inline policies added out of band on `apply`.
+ *
* @return builder
*
* @deprecated
@@ -309,6 +315,8 @@ public Builder inlinePolicies(@Nullable Output> inlin
}
/**
+ * @param inlinePolicies Configuration block defining an exclusive set of IAM inline policies associated with the IAM role. See below. If no blocks are configured, Pulumi will not manage any inline policies in this resource. Configuring one empty block (i.e., `inline_policy {}`) will cause Pulumi to remove _all_ inline policies added out of band on `apply`.
+ *
* @return builder
*
* @deprecated
@@ -321,6 +329,8 @@ public Builder inlinePolicies(List inlinePolicies) {
}
/**
+ * @param inlinePolicies Configuration block defining an exclusive set of IAM inline policies associated with the IAM role. See below. If no blocks are configured, Pulumi will not manage any inline policies in this resource. Configuring one empty block (i.e., `inline_policy {}`) will cause Pulumi to remove _all_ inline policies added out of band on `apply`.
+ *
* @return builder
*
* @deprecated
diff --git a/sdk/java/src/main/java/com/pulumi/aws/iam/inputs/RoleState.java b/sdk/java/src/main/java/com/pulumi/aws/iam/inputs/RoleState.java
index e21d273be33..37f5dac0a4c 100644
--- a/sdk/java/src/main/java/com/pulumi/aws/iam/inputs/RoleState.java
+++ b/sdk/java/src/main/java/com/pulumi/aws/iam/inputs/RoleState.java
@@ -104,6 +104,8 @@ public Optional> forceDetachPolicies() {
}
/**
+ * Configuration block defining an exclusive set of IAM inline policies associated with the IAM role. See below. If no blocks are configured, Pulumi will not manage any inline policies in this resource. Configuring one empty block (i.e., `inline_policy {}`) will cause Pulumi to remove _all_ inline policies added out of band on `apply`.
+ *
* @deprecated
* The inline_policy argument is deprecated. Use the aws.iam.RolePolicy resource instead. If Terraform should exclusively manage all inline policy associations (the current behavior of this argument), use the aws.iam.RolePoliciesExclusive resource as well.
*
@@ -113,6 +115,8 @@ public Optional> forceDetachPolicies() {
private @Nullable Output> inlinePolicies;
/**
+ * @return Configuration block defining an exclusive set of IAM inline policies associated with the IAM role. See below. If no blocks are configured, Pulumi will not manage any inline policies in this resource. Configuring one empty block (i.e., `inline_policy {}`) will cause Pulumi to remove _all_ inline policies added out of band on `apply`.
+ *
* @deprecated
* The inline_policy argument is deprecated. Use the aws.iam.RolePolicy resource instead. If Terraform should exclusively manage all inline policy associations (the current behavior of this argument), use the aws.iam.RolePoliciesExclusive resource as well.
*
@@ -409,6 +413,8 @@ public Builder forceDetachPolicies(Boolean forceDetachPolicies) {
}
/**
+ * @param inlinePolicies Configuration block defining an exclusive set of IAM inline policies associated with the IAM role. See below. If no blocks are configured, Pulumi will not manage any inline policies in this resource. Configuring one empty block (i.e., `inline_policy {}`) will cause Pulumi to remove _all_ inline policies added out of band on `apply`.
+ *
* @return builder
*
* @deprecated
@@ -422,6 +428,8 @@ public Builder inlinePolicies(@Nullable Output> inlin
}
/**
+ * @param inlinePolicies Configuration block defining an exclusive set of IAM inline policies associated with the IAM role. See below. If no blocks are configured, Pulumi will not manage any inline policies in this resource. Configuring one empty block (i.e., `inline_policy {}`) will cause Pulumi to remove _all_ inline policies added out of band on `apply`.
+ *
* @return builder
*
* @deprecated
@@ -434,6 +442,8 @@ public Builder inlinePolicies(List inlinePolicies) {
}
/**
+ * @param inlinePolicies Configuration block defining an exclusive set of IAM inline policies associated with the IAM role. See below. If no blocks are configured, Pulumi will not manage any inline policies in this resource. Configuring one empty block (i.e., `inline_policy {}`) will cause Pulumi to remove _all_ inline policies added out of band on `apply`.
+ *
* @return builder
*
* @deprecated