# aws
l
I've been trying to figure out why my EventRuleEventSubscription has so many RolePolicyAttachment resources that I can't add any of my own.
It seems that if no role / policy is passed into a _CallbackFunction_'s args, then a pile of default ones are added. Fair enough.
Unfortunately, the code in lambdaMixins.ts passes a hard-coded args object, `{callback: handler}`, so it is impossible to pass in a role or policies.
So all EventRuleEventSubscriptions have the default managed policies:
* AWSLambda_FullAccess
* CloudWatchFullAccess
* CloudWatchEventsFullAccess
* AmazonS3FullAccess
* AmazonDynamoDBFullAccess
* AmazonSQSFullAccess
* AmazonKinesisFullAccess
* AWSCloudFormationReadOnlyAccess
* AmazonCognitoPowerUser
* AWSXrayWriteOnlyAccess
There are 10 here, and there is a 10-policy-per-role limit. So: no policy configuration is possible.
So I guess I'll change my EventRuleEventSubscription logic to plain-old CallbackFunction logic...
f
Ah, interesting. I think this is an area where we didn't model the mixins well within `@pulumi/aws`.
You can pass in your own `policies` to the `CallbackFunction`, but if you are using a mixin that in turn creates a `CallbackFunction` then `policies` is often not made available to you.
l
I'd raise an issue, but I'm under the pump and this isn't my focus right now. I'll stash this work, and hopefully get back to it later.
f
Sure, I'm happy to file the issue. To your point, you can always pass in the `CallbackFunction` itself, which is unfortunately a bit more boilerplate code.
l
I can't grok the types in eventRuleMixin.ts. The parameter is a `lambda.EventHandler<EventRuleEvent, void>`, I don't know how to make a CallbackFunction look like that...
f
I’ll drop an example into the issue as well
I think that’s what you want — lmk if that helps
l
Oh, a CallbackFunction is an EventHandler? Nice.
I'll try that now, that's a much smaller change than removing the mixin entirely...
How can I mark the CallbackFunction as async?
Oh, never mind, I see.
f
yeah, it’s not too bad… but i guess more boilerplate than you expected
l
Ah.. the policies type is `string[]`, not `pulumi.Input<string[]>` or `pulumi.Input<string>[]` ....
The boilerplate isn't an issue. If the policies parameter worked, then I wouldn't have to create my own RolePolicyAttachment, so that's less boilerplate...
f
That’s probably a bug as I think it could be an array of inputs
l
I can't follow this at all.. CallbackFunctionArgs allows only callback and callbackFactory properties, how does policies fit into that?
😕
Ah, an args class that extends another one.. hadn't noticed...
Can't see a way around the policies type issue other than to create the CallbackFunction in an apply, which is not recommended...
Hmm.. looks like even the EventRuleEventSubscription would have to be inside the apply(), which means quite a few resources would be created there...
f
Yeah, I think in principle, if you ignore the typing on `policies`, it should "just work" (i.e. pass in `Output<string>[]`, for example) because I don't think the elements are ever used in any way except passed in to the attachment, which should accept an `Input<string>` for the arn.
l
So this is the one time I can cast my Output<string> as string... heh.
Nope, doesn't work.
`utils.sha1hash(policy)` is complaining in lambdaMixins.ts.
😿
f
ah… sorry — missed that
That is indeed unfortunate
l
I'm unable to find any examples of using custom policies with any sort of lambda function on github...
And I have no idea how any of the on<eventName> functions work.. the disadvantages of being self-taught 🙂
f
re: custom policies, what kind of example are you looking for? Basically how you’d create your own policy and attach it or something else?
l
No, just looking for an example of creating the event rule manually, so that I can bypass the CallbackFunction constructor and use the base classes directly.
It's only code in there that's blocking me. If I did the same thing myself, I can pass my own policy.arn in just fine.
I just can't follow the mixin code.
f
Sorry for the frustration. I'll post this to the issue as well, but an alternative to what you're doing would be to create just the role. Then you can still use everything else.
The `CallbackFunction` args should take a `role` argument — which, if provided, will skip the whole `policies` part.
l
My particular use case is a scheduled event (cron event bridge trigger) that starts some EC2 instances, with encrypted root volumes. To start an instance with an encrypted root volume, the relevant role must have kms:Grant privilege. But the default permissions don't include that.
So I need to use my own policy with that permission.
I could try the role.
Need to find out how the role looks 🙂
Ok all sorted I think. Preview looks good. Some resources have changed where they are in the tree (e.g. the Function is now a child of my ComponentResource rather than the EventRuleEventSubscription) but it looks correct. Can't `up` to be sure, I've fallen behind trunk branch and there's a few changes I'd undo if I deployed now 🙂 I'll get to it in a few hours, need to get out of here now. Thanks for all your help!