Hey guys, opening this to a little discussion, wha...
# awsm
mysterious-sugar-58229
07/23/2024, 12:39 AMHey guys, opening this to a little discussion, what are some of the tradeoffs that you consider when deciding to create a Pulumi-backed IAM Policy Document via ONE of the following mechanisms:
1. Invoking aws.iam.getPolicyDocument (function approach)
2. Assigning a variable of type aws.iam.PolicyDocument (interface approach)
3. JSON.stringify approach e.g. (raw approach, inline or file, etc.)
Copy code
import * as pulumi from "@pulumi/pulumi";
import * as aws from "@pulumi/aws";
const policy = new aws.iam.Policy("policy", {
name: "test_policy",
path: "/",
description: "My test policy",
policy: JSON.stringify({
Version: "2012-10-17",
Statement: [{
Action: ["ec2:Describe*"],
Effect: "Allow",
Resource: "*",
}],
}),
});👀 1
m
modern-zebra-45309
07/23/2024, 8:10 AMI prefer `pulumi.jsonStringify` (or the equivalent `pulumi.Output.json_dumps` in Python) because it allows me to write the IAM policy documents in their original format while adding in Pulumi output values where I need them.
m
mysterious-sugar-58229
07/23/2024, 8:39 AMAh, that's a fairly interesting approach. I just took a look at how the other two mechanisms would be employed in Python, and, in that case I'd likely choose that approach as well. It seems like there isn't as much bang for your buck when actually authoring it cus tl;dr dynamic typing + you end typing just about the same amount of characters anyways. Am I correct in this assessment?
mysterious-sugar-58229
07/23/2024, 8:45 AMTypescript let's me do some neat things working w/ interfaces, so the general pattern I follow is declaring and exporting per property (e.g. a list of actions assigned to a variable)
m
modern-zebra-45309
07/23/2024, 8:47 AMI can't speak to other languages, but with Python I feel that using
get_policy_documentmodern-zebra-45309
07/23/2024, 8:48 AMI think that with the new TypedDict input types my assessment might change but I haven't had the chance to try this in the wild yet
m
mysterious-sugar-58229
07/23/2024, 8:52 AM Copy code
const S3_READ_ACTIONS = ['s3:GetObject', 's3:ListBucket'] as const;
const S3_WRITE_ACTIONS = ['s3:PutObject', 's3:DeleteObject'] as const;mysterious-sugar-58229
07/23/2024, 8:52 AMyou can do cheeky things like this.
mysterious-sugar-58229
07/23/2024, 8:54 AMI author and maintain an internal library my org uses to write the Pulumi proggies that ultimately get ran by the engine.
mysterious-sugar-58229
07/23/2024, 8:55 AMso encapsulating things for semantics sake is a design pattern I try to maximize on.
👍 1
m
modern-zebra-45309
07/23/2024, 8:57 AM> you can do cheeky things like this.
This is possible in Python as well, unless I'm missing something here? You're creating blocks of (arrays of) strings and then assemble the policy out of that?
m
mysterious-sugar-58229
07/23/2024, 9:04 AMI'm sure it is but from a cursory glance, it wouldn't be too "pythonic" I suppose. Haven't written a python library in awhile so I could be wrong on that.
mysterious-sugar-58229
07/23/2024, 9:08 AMI'm actually assembling GetPolicyDocumentStatementArgs, I export something like the above, and assign that to the properties of the GetPolicyDocumentStatementArgs I am assembling.
mysterious-sugar-58229
07/23/2024, 9:13 AMOops I mean GetPolicyDocumentStatement lol
mysterious-sugar-58229
07/23/2024, 9:18 AMGetPolicyDocumentStatementArgs is (a bit confusingly) the output analog to GetPolicyStatement (which is also confusingly the name of the type/interface representing a IAM Policy Document statement)
mysterious-sugar-58229
07/23/2024, 9:19 AMits 5am gn.
m
modern-zebra-45309
07/23/2024, 2:52 PMI don't think that's necessarily "unpythonic" to create such a system of building blocks.
modern-zebra-45309
07/23/2024, 2:54 PMA pattern which I've found to be very convenient for standard permissions management is AWS CDK's "grants". Not sure if someone has tried to replicate this in Pulumi yet, but being able to say
bucket.grant_read(role)m
mysterious-sugar-58229
07/24/2024, 1:58 PMthis.grants(that)30 Views