
aws cdk-import: Cannot import IAM Inline Policies using cdk-import feature #26420

Closed
kashyap467 opened this issue Jul 19, 2023 · 2 comments
Labels
@aws-cdk/aws-iam Related to AWS Identity and Access Management bug This issue is a bug. p1 package/tools Related to AWS CDK Tools or CLI

Comments

@kashyap467

Describe the bug

I have an existing IAM Group/User/Role that has inline policies attached to it, in my AWS console account.
For instance: Construct code of an existing IAM group with one inline policy attached to it -

import * as iam from "aws-cdk-lib/aws-iam";

// Existing group modelled as an L2 Group plus a standalone iam.Policy,
// which synthesizes to a separate AWS::IAM::Policy resource.
const iamGroup = new iam.Group(this, "Sample-group", {
    groupName: "Sample-group"
});
iamGroup.attachInlinePolicy(new iam.Policy(this, "Sample-Inline", {
    policyName: "Sample-Inline",
    statements: [
        new iam.PolicyStatement({
            effect: iam.Effect.ALLOW,
            actions: ["cloudfront:GetCachePolicy"],
            resources: ["arn:aws:cloudfront::<accountID>:cache-policy/*"]
        })
    ]
}));

When I try to import this IAM resource along with its inline policies using the cdk-import feature, the CLI command skips importing the inline policies with the warning "unsupported resource type" and imports just the IAM resource.
I am also unable to add any existing inline policy (using attachInlinePolicy) after the IAM resource is imported.

When I do a cdk diff, I can see that the IAM group and inline policy are seen as two individual resources for creation into the stack.

❯ cdk diff ImportIAMStack
Resources
[+] AWS::IAM::Group Sample-group SamplegroupFA3E2E60 
[+] AWS::IAM::Policy Sample-Inline SampleInline4D735828

But when I try cdk import once cdk deploy fails with error message Sample-group already exists, the inline policy is getting skipped from import.

❯ cdk deploy ImportIAMStack
❌  ImportIAMStack failed: Error: The stack named ImportIAMStack failed to deploy: UPDATE_ROLLBACK_COMPLETE: Sample-group already exists
❯ cdk import ImportIAMStack
ImportIAMStack
ImportIAMStack/Sample-group/Resource (AWS::IAM::Group): import with GroupName=Sample-group (yes/no) [default: yes]? yes
ImportIAMStack/Sample-Inline/Resource: unsupported resource type AWS::IAM::Policy, skipping import.
Import operation complete.
Some resources were skipped. Run another cdk import or a cdk deploy to bring the stack up-to-date with your CDK app definition.

And running another cdk import or cdk deploy didn't work either.

❯ cdk import ImportIAMStack
ImportIAMStack
ImportIAMStack/Sample-Inline/Resource: unsupported resource type AWS::IAM::Policy, skipping import.


❯ cdk deploy ImportIAMStack
ImportIAMStack: creating CloudFormation changeset...
8:35:54 AM | CREATE_FAILED        | AWS::IAM::Policy        | SampleInline4D735828

❌ ImportIAMStack failed: Error: The stack named ImportIAMStack failed to deploy: UPDATE_ROLLBACK_COMPLETE: The policy Sample-Inline already exists on the group Sample-group.

Is importing IAM inline policies not yet supported in the cdk-import feature? Or am I doing something wrong here?
If so, what is the recommended way w.r.t. importing IAM Inline Policies?

Expected Behavior

IAM Inline Policies should be successfully imported like other IAM resources using the cdk-import feature (during or after the IAM resources, that these policies are attached to, are imported).

Current Behavior

IAM Inline Policies are getting skipped from import operation with error message "unsupported resource type AWS::IAM::Policy, skipping import", whereas performing cdk deploy <stack_name> fails with error message - "Sample-Inline already exists on the group Sample-group".

Reproduction Steps

  1. Create an IAM Group through the AWS IAM Console account. Create an inline policy with a custom policy name within the group.
  2. Setup a cdk pipeline package and a stack into which the IAM Group and policies will be imported.
  3. Add the cdk construct code for the created group and its inline policy for import in the cdk stack.
  4. Build the cdk package and run cdk diff <stack_name> to confirm if two resources (group, inline policy) are listed for creation in the stack.
  5. Perform a deployment (cdk deploy <stack_name>). It fails with error like - "<iam_group_name> already exists"
  6. Run cdk import <stack_name> and confirm the import operation on the resources. The IAM group will be imported successfully, but inline policy will be skipped from import, with error message "unsupported resource type AWS::IAM::Policy, skipping import".
  7. Find the imported IAM group added under the resources tab of the CloudFormation stack on AWS Console, but there is no inline policy.
  8. Even the CloudFormation stack template on console or the drift detection of the resource will not show any policy or inline-policy field attached.

Possible Solution

No response

Additional Information/Context

No response

CDK CLI Version

2.85.0 (build 4e0d726)

Framework Version

No response

Node.js Version

v16.20.0

OS

macOS

Language

Typescript

Language Version

No response

Other information

No response

@kashyap467 kashyap467 added bug This issue is a bug. needs-triage This issue or PR still needs to be triaged. labels Jul 19, 2023
@github-actions github-actions bot added the @aws-cdk/aws-iam Related to AWS Identity and Access Management label Jul 19, 2023
@kashyap467 kashyap467 changed the title aws cdk-import: Cannot import IAM Inline Policies attached to importing IAM Group into cdk stack using cdk-import aws cdk-import: Cannot import IAM Inline Policies using cdk-import feature Jul 19, 2023
@indrora indrora added p1 package/tools Related to AWS CDK Tools or CLI and removed needs-triage This issue or PR still needs to be triaged. labels Jul 20, 2023
@kashyap467 (Author)

Was able to figure it out. Turns out the issue is actually present even with the CloudFormation import feature on which the cdk import feature works.

Solution -
Instead of the AWS::IAM::Policy type (cdk: iam.Policy), using the AWS::IAM::GroupPolicy type (cdk: iam.CfnGroupPolicy) worked.

import * as iam from "aws-cdk-lib/aws-iam";

const iamGroup = new iam.Group(this, "Sample-group", {
    groupName: "Sample-group"
});
// L1 construct that synthesizes to AWS::IAM::GroupPolicy, which cdk import accepts.
const iamCfnGroupPolicy = new iam.CfnGroupPolicy(this, "Sample-Inline", {
    groupName: "Sample-group",
    policyName: "Sample-Inline",
    policyDocument: new iam.PolicyDocument({
        // statement taken from the original iam.Policy example above
        statements: [
            new iam.PolicyStatement({
                effect: iam.Effect.ALLOW,
                actions: ["cloudfront:GetCachePolicy"],
                resources: ["arn:aws:cloudfront::<accountID>:cache-policy/*"]
            })
        ]
    })
});

Similarly, for IAM User inline policy, use iam.CfnUserPolicy and so on.
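As an added example (not the issue author's code and not part of the CDK project), the following TypeScript check runs over a synthesized template such as cdk.out/ImportIAMStack.template.json and flags AWS::IAM::Policy resources before an import is attempted, naming the per-principal type (GroupPolicy, UserPolicy or RolePolicy) that the import operation accepts. The template embedded here is constructed to mirror the Sample-group stack from the issue.

```typescript
// Added example, not from the issue or the CDK project: a pre-import lint over a
// synthesized CloudFormation template. It flags AWS::IAM::Policy resources (which
// `cdk import` skips as unsupported) and names the importable replacement type.
type CfnResource = { Type: string; Properties?: Record<string, unknown> };
type CfnTemplate = { Resources: Record<string, CfnResource> };
// One finding per (policy, principal kind); each listed principal needs its own
// GroupPolicy/UserPolicy/RolePolicy resource, since those take a single principal.
interface Finding { logicalId: string; policyName: string; principals: string[]; suggestedType: string }

// AWS::IAM::Policy attaches through these list properties; each maps to the
// single-principal inline type that the import operation accepts.
const INLINE_TYPE_BY_PROP: Record<string, string> = {
  Groups: "AWS::IAM::GroupPolicy",
  Users: "AWS::IAM::UserPolicy",
  Roles: "AWS::IAM::RolePolicy",
};

// Synthesized templates reference principals as { Ref: "<logicalId>" } or a plain name.
function principalName(p: unknown): string {
  if (typeof p === "object" && p !== null && "Ref" in p) return String((p as { Ref: unknown }).Ref);
  return String(p);
}

function findUnimportablePolicies(template: CfnTemplate): Finding[] {
  const findings: Finding[] = [];
  for (const [logicalId, res] of Object.entries(template.Resources)) {
    if (res.Type !== "AWS::IAM::Policy") continue;
    const props: Record<string, unknown> = res.Properties ?? {};
    for (const [prop, suggestedType] of Object.entries(INLINE_TYPE_BY_PROP)) {
      const list = props[prop];
      if (!Array.isArray(list) || list.length === 0) continue;
      findings.push({ logicalId, policyName: String(props.PolicyName ?? logicalId),
                      principals: list.map(principalName), suggestedType });
    }
  }
  return findings;
}

// Constructed template mirroring the issue's cdk diff output (not real synth output).
const sampleTemplate: CfnTemplate = { Resources: {
  SamplegroupFA3E2E60: { Type: "AWS::IAM::Group", Properties: { GroupName: "Sample-group" } },
  SampleInline4D735828: { Type: "AWS::IAM::Policy", Properties: {
    PolicyName: "Sample-Inline", Groups: [{ Ref: "SamplegroupFA3E2E60" }],
    PolicyDocument: { Version: "2012-10-17", Statement: [{ Effect: "Allow",
      Action: "cloudfront:GetCachePolicy", Resource: "arn:aws:cloudfront::<accountID>:cache-policy/*" }] } } },
} };

for (const f of findUnimportablePolicies(sampleTemplate))
  console.log(`${f.logicalId} (${f.policyName}): use ${f.suggestedType} for ${f.principals.join(", ")}`);
```

Running this against a real cdk.out template before `cdk import` surfaces every policy that would otherwise be reported as "unsupported resource type AWS::IAM::Policy, skipping import".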

github-actions bot commented Nov 1, 2023

⚠️COMMENT VISIBILITY WARNING⚠️

Comments on closed issues are hard for our team to see.
If you need more assistance, please either tag a team member or open a new issue that references this one.
If you wish to keep having a conversation with other community members under this issue feel free to do so.
