How do I find the code for creating an AWS IAM role policy attachment in TypeScript

Question

Pulumi · Accepted Answer

To create an AWS IAM role and attach a policy to it using Pulumi in TypeScript, you will need to use the `aws.iam.Role` and `aws.iam.RolePolicyAttachment` resources. The `aws.iam.Role` resource is used to create a new IAM role, and the `aws.iam.RolePolicyAttachment` resource is responsible for attaching a managed policy to an IAM role.

Here is how you would do it step by step:

1. **Define the IAM Role**: This is where you specify the role, including the trust policy that grants an entity permission to assume the role.
2. **Create the Policy Attachment**: After creating the role, you will attach a policy to it. This can be an AWS managed policy or a custom policy you have created.

Below is a TypeScript program using Pulumi to create an IAM role and attach an `AdministratorAccess` policy to that role:

```typescript
import * as aws from "@pulumi/aws";

// Create an IAM Role with an assumed policy document.
// This trust relationship policy document allows entities (like EC2 instances) to assume the role.
const role = new aws.iam.Role("myRole", {
    assumeRolePolicy: JSON.stringify({
        Version: "2012-10-17",
        Statement: [
            {
                Action: "sts:AssumeRole",
                Effect: "Allow",
                Sid: "",
                Principal: {
                    Service: "ec2.amazonaws.com", // You can change this to the service that needs to assume this role
                },
            },
        ],
    }),
});

// Attach an AWS managed policy (AdministratorAccess) to the role.
// This will grant the role full access to AWS services.
const rolePolicyAttachment = new aws.iam.RolePolicyAttachment("myRolePolicyAttachment", {
    role: role.name,
    policyArn: "arn:aws:iam::aws:policy/AdministratorAccess", // You can change this ARN to any other managed policy
});

export const roleName = role.name;
```

In this program:
- We import the `aws` module from Pulumi's AWS package to interact with AWS resources.
- We create a new IAM role named `myRole` with a trust relationship policy document (`assumeRolePolicy`) that allows an EC2 service to assume the role.
- We then create a `RolePolicyAttachment` named `myRolePolicyAttachment`, which attaches an AWS managed policy (`AdministratorAccess`) to `myRole` by specifying the role's name and the policy ARN.

Remember to replace `"ec2.amazonaws.com"` with the appropriate AWS service principal if you require a different service to assume the role, and `"arn:aws:iam::aws:policy/AdministratorAccess"` with the ARN of the desired policy if you want to grant different permissions.

After writing and deploying this code with Pulumi, you will have an AWS IAM role with the `AdministratorAccess` policy attached to it. You can find more information on these resources in the Pulumi documentation:
- [`aws.iam.Role`](https://www.pulumi.com/registry/packages/aws/api-docs/iam/role/)
- [`aws.iam.RolePolicyAttachment`](https://www.pulumi.com/registry/packages/aws/api-docs/iam/rolepolicyattachment/)