From 1bab37641c0ff680d9d4a53d1720d987764f50c6 Mon Sep 17 00:00:00 2001
From: naxty <9141879+naxty@users.noreply.github.com>
Date: Thu, 27 Nov 2025 12:56:50 +0100
Subject: [PATCH 1/2] Fix resolvable generation for rolepolicy rolename
---
 plugins/aws/schema/pkl/iam/rolepolicy.pkl | 2 +-
 .../examples/json/types/iam_rolepolicy.json | 64 +++++++++++++++++++
 2 files changed, 65 insertions(+), 1 deletion(-)
diff --git a/plugins/aws/schema/pkl/iam/rolepolicy.pkl b/plugins/aws/schema/pkl/iam/rolepolicy.pkl
index 6cffdbe..a26cb98 100644
--- a/plugins/aws/schema/pkl/iam/rolepolicy.pkl
+++ b/plugins/aws/schema/pkl/iam/rolepolicy.pkl
@@ -30,6 +30,6 @@ open class RolePolicy extends formae.Resource {
 policyName: String
 @aws.FieldHint{createOnly = true}
- roleName: String
+ roleName: String|formae.Resolvable
 }
diff --git a/plugins/pkl/generator/examples/json/types/iam_rolepolicy.json b/plugins/pkl/generator/examples/json/types/iam_rolepolicy.json
index 033871f..d27846e 100644
--- a/plugins/pkl/generator/examples/json/types/iam_rolepolicy.json
+++ b/plugins/pkl/generator/examples/json/types/iam_rolepolicy.json
@@ -2798,6 +2798,70 @@
 },
 "NativeId": "TestInlinePolicy-9|pkl-evaluator-execution-role",
 "Ksuid": "33jy2eVgVFkvWj46Q7hCruatDwf"
+ },
+ {
+ "Label": "SysOpsAdmin|developer",
+ "Type": "AWS::IAM::RolePolicy",
+ "Stack": "$unmanaged",
+ "Target": "us-west-2",
+ "Schema": {
+ "Identifier": "PolicyName",
+ "Tags": "",
+ "Fields": [
+ "PolicyDocument",
+ "PolicyName",
+ "RoleName"
+ ],
+ "Nonprovisionable": false,
+ "Hints": {
+ "PolicyDocument": {
+ "CreateOnly": false,
+ "Persist": false,
+ "WriteOnly": false,
+ "Required": false,
+ "RequiredOnCreate": false
+ },
+ "PolicyName": {
+ "CreateOnly": true,
+ "Persist": false,
+ "WriteOnly": false,
+ "Required": true,
+ "RequiredOnCreate": false
+ },
+ "RoleName": {
+ "CreateOnly": true,
+ "Persist": false,
+ "WriteOnly": false,
+ "Required": true,
+ "RequiredOnCreate": false
+ }
+ },
+ "Discoverable": false,
+ "Extractable": false
+ },
+ "Properties": {
+ "PolicyDocument": {
+ "Statement": [
+ {
+ "Action": "*",
+ "Effect": "Allow",
+ "Resource": "*"
+ }
+ ],
+ "Version": "2012-10-17"
+ },
+ "PolicyName": "SysOpsAdmin",
+ "RoleName": {
+ "$label": "developer",
+ "$property": "RoleName",
+ "$res": true,
+ "$stack": "$unmanaged",
+ "$type": "AWS::IAM::Role",
+ "$value": "developer"
+ }
+ },
+ "NativeID": "SysOpsAdmin|developer",
+ "Ksuid": "363KCYk8M5JahXzZPibwPxwA4Vh"
 }
 ]
 }
\ No newline at end of file
From ca8243c459620ef60dcee4ef42168869172e3c8e Mon Sep 17 00:00:00 2001
From: naxty <9141879+naxty@users.noreply.github.com>
Date: Thu, 27 Nov 2025 12:58:27 +0100
Subject: [PATCH 2/2] Extend pkl to generate real value for unmanaged res
---
 plugins/pkl/generator/gen.pkl | 18 ++++++++++++------
 1 file changed, 12 insertions(+), 6 deletions(-)
diff --git a/plugins/pkl/generator/gen.pkl b/plugins/pkl/generator/gen.pkl
index f75e3f4..e3128ef 100644
--- a/plugins/pkl/generator/gen.pkl
+++ b/plugins/pkl/generator/gen.pkl
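Review bot: The entry added to iam_rolepolicy.json spells its key `"NativeID"`, while the existing entry directly above it in the same array uses `"NativeId"`. If the generator or its test harness reads this field case-sensitively, the native id of the new `SysOpsAdmin|developer` example would be silently dropped. Use `"NativeId": "SysOpsAdmin|developer"` unless both spellings are known to be accepted.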
@@ -538,12 +538,18 @@ local function formatValueWithTypes(value: Any, indent: String): String =
 let (label = value.getOrNull("FakeLabel"))
 let (property = value.getOrNull("FakeProperty"))
 let (realValue = if (value.getOrNull("$visibility") == "Clear") value.getOrNull("RealValue") else "Secret")
- let (comment = if (realValue != null) "\n" + indent + " // RealValue: \(realValue)" else "")
- typeDeclaration + " {" +
- comment + "\n" +
- (if (stack != null) indent + " stack = \"\(stack)\".label\n" else "") +
- (if (label != null) indent + " label = \"\(label)\"\n" else "") +
- indent + "}.\(property)"
+
+ // Check if stack is unmanaged
+ if (stack == "$unmanaged")
+ let (comment = "// The target resource with the label = \"\(label)\" of type = \"\(value["FakeType"])\" is not managed yet. Bring it under management first to convert this into a Resolvable.")
+ "\"\(realValue)\" \(comment)"
+ else
+ let (comment = if (realValue != null) "\n" + indent + " // RealValue: \(realValue)" else "")
+ typeDeclaration + " {" +
+ comment + "\n" +
+ (if (stack != null) indent + " stack = \"\(stack)\".label\n" else "") +
+ (if (label != null) indent + " label = \"\(label)\"\n" else "") +
+ indent + "}.\(property)"
 else if (typeName == "FakeValue")
 // Special handling for FakeValue
 let (fakeValue = value.getOrNull("FakeValue"))
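Review bot: In the new `stack == "$unmanaged"` branch, `realValue` is emitted as a quoted literal, but the context line above sets it to the placeholder `"Secret"` whenever `$visibility` is not `"Clear"`. The generated file can therefore assign `"Secret"` to the property as if it were the real value, and a missing `RealValue` would presumably render as `"null"`. The value, `label` and the type are also interpolated without escaping, so a discovered value containing `"`, `\` or a line break would alter the structure of the emitted Pkl rather than stay inside the string or the trailing `//` comment; escape these before interpolation and skip the literal when the value is not clear. `value["FakeType"]` should probably be `value.getOrNull("FakeType")` to match the neighbouring lookups. The function begins and continues outside this hunk, including the definition of `stack`.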