feat: Enables exclusive IAM policy management of IAM role with managed_policy_arns option

[sksmsWKd]

Description

This PR supports exclusive management of policy attachments on IAM role.

For prevent resource cycling error, managed_policy_arns can't be used with these resources : :aws_iam_role_policy_attachment or aws_iam_role_policy.

Motivation and Context

When using aws_iam_role and this module with the moved command for refactoring (i mean refactor my resource with this module),
although my aws_iam_role already contains managed_policy_arns,
the managed_policy_arns could not be set, so the dependency between IAM role and IAM policy could not be left as code, so aws_iam_role_policy_attachment had to be added as resource.

To prevent unexpected IAM policy changes, i thought adding managed_policy_arns option to IAM role can be clear choice for exclusive management of IAM role's policy.

Breaking Changes

How Has This Been Tested?

• I have updated at least one of the examples/* to demonstrate and validate my change(s)
• I have tested and validated these changes using one or more of the provided examples/* projects

• I have executed pre-commit run -a on my pull request

[GedriteA]

+1 we could use this

[sksmsWKd]

Hello @bryantbiggs, @antonbabenko, Cloud you review my PR, please.

[bryantbiggs]

I don't understand the problem nor the changes proposed

[joan-s-molas]

I believe what @sksmsWKd is trying to achieve is to prevent manually made changes to the policy attachments for that role (via console or cli) to persist between terraform runs. I.e, someone attaches a policy to the terraformed role via the console - that gets reverted when terraform is applied again.

aws_iam_role.managed_policy_arns has been deprecated, so that would not be the best approach.

The way to go around this should probably be implementing the optional use of aws_iam_role_policy_attachments_exclusive or similar.

[bryantbiggs]

I believe what @sksmsWKd is trying to achieve is to prevent manually made changes to the policy attachments for that role (via console or cli) to persist between terraform runs. I.e, someone attaches a policy to the terraformed role via the console - that gets reverted when terraform is applied again.

aws_iam_role.managed_policy_arns has been deprecated, so that would not be the best approach.

The way to go around this should probably be implementing the optional use of aws_iam_role_policy_attachments_exclusive or similar.

that may or may not be the case, I don't know. we should start with an issue first that describes the challenge so we can understand better before we jump into code changes. closing this for now till we see more around the challenge

[sksmsWKd]

@bryantbiggs
thanks for your comment & feedback. i'll start with an issue first when the issue becomes clear.

[github-actions]

I'm going to lock this pull request because it has been closed for 30 days ⏳. This helps our maintainers find and focus on the active issues. If you have found a problem that seems related to this change, please open a new issue and complete the issue template so we can capture all the details necessary to investigate further.