https://pulumi.com logo
#aws
Title
# aws
l

little-cartoon-10569

05/11/2021, 9:38 PM
I've been trying to figure out why my EventRuleEventSubscription has so many RolePolicyAttachment resources that I can't add any of my own.
It seems that if no role / policy is passed into a _CallbackFunction_'s args. then a pile of default ones are added. Fair enough.
Unfortunately, the code in lambdaMixins.ts passes a hard-coded args object,
{callback: handler}
, so it is impossible to pass in a role or policies.
So all EventRuleEventSubscription s have the default managed policies: *
AWSLambda_FullAccess
*
CloudWatchFullAccess
*
CloudWatchEventsFullAccess
*
AmazonS3FullAccess
*
AmazonDynamoDBFullAccess
*
AmazonSQSFullAccess
*
AmazonKinesisFullAccess
*
AWSCloudFormationReadOnlyAccess
*
AmazonCognitoPowerUser
*
AWSXrayWriteOnlyAccess
There are 10 here, and there is a 10-policy-per-role limit. So: no policy configuration is possible.
So I guess I'll change my EventRuleEventSubscription logic to plain-old CallbackFunction logic...
f

faint-table-42725

05/11/2021, 9:44 PM
Ah, interesting. I think this is an area where we didn’t model the mixins well within
@pulumi/aws
You can pass in your own
policies
to the
CallbackFunction
but if you are using mixin that in turn creates a
CallbackFunction
then
policies
is often not made available to you.
l

little-cartoon-10569

05/11/2021, 9:45 PM
I'd raise an issue, but I'm under the pump and this isn't my focus right now. I'll stash this work, and hopefully get back to it later.
f

faint-table-42725

05/11/2021, 9:47 PM
Sure, I’m happy to file the issue. To your point, you can always pass in the
CallbackFunction
itself, which is unfortunately a bit more boilerplate code.
l

little-cartoon-10569

05/11/2021, 9:48 PM
I can't grok the types in eventRuleMixin.ts. The parameter is a lambda.EventHandler<EventRuleEvent, void>, I don't know how to make a CallbackFunction look like that...
f

faint-table-42725

05/11/2021, 9:49 PM
I’ll drop an example into the issue as well
👍 1
I think that’s what you want — lmk if that helps
l

little-cartoon-10569

05/11/2021, 9:54 PM
Oh, a CallbackFunction is an EventHandler? Nice.
I'll try that now, that's a much smaller change than removing the mixin entirely...
How can I mark the CallbackFunction as async?
Oh nmind, I see.
f

faint-table-42725

05/11/2021, 9:57 PM
yeah, it’s not too bad… but i guess more boilerplate than you expected
l

little-cartoon-10569

05/11/2021, 9:59 PM
Ah.. the policies type is string[], not pulumi.Input<string[]> or pulumi.Input<string>[] ....
The boilerplate isn't an issue. If the policies parameter worked, then I wouldn't have to create my own RolePolicyAttachment, so that's less boilerplate...
f

faint-table-42725

05/11/2021, 10:02 PM
That’s probably a bug as I think it could be an array of inputs
l

little-cartoon-10569

05/11/2021, 10:02 PM
I can't follow this at all.. CallbackFunctionArgs allows only callback and callbackFactory properties, how does policies fit into that?
😕
Ah, an args class that extends another one.. hadn't noticed...
Can't see a way around the policies type issue other than to create the CallbackFunction in an apply, which is not recommended...
Hmm.. looks like even the EventRuleEventSubscription would have to be inside the apply(), which means quite a few resources would be created there...
f

faint-table-42725

05/11/2021, 10:30 PM
Yeah, I think in principal, if you ignore the typing on
policies
it should “just work” (i.e. pass in
Output<string>[]
for example)
because I don’t think the elements are ever used in any way except passed in to the attachment, which should accept an
Input<string>
for the arn
l

little-cartoon-10569

05/11/2021, 10:34 PM
So this is the one time I can cast my Output<string> as string... heh.
Nope, doesn't work.
utils.sha1hash(policy)
is complaining in lambdaMixins.ts.
😿
f

faint-table-42725

05/11/2021, 11:49 PM
ah… sorry — missed that
That is indeed unfortunate
l

little-cartoon-10569

05/11/2021, 11:52 PM
I'm unable to find an examples of using custom policies with any sort of lambda function on github...
And I have no idea how any of the on<eventName> functions work.. the disadvantages of being self-taught 🙂
f

faint-table-42725

05/11/2021, 11:57 PM
re: custom policies, what kind of example are you looking for? Basically how you’d create your own policy and attach it or something else?
l

little-cartoon-10569

05/11/2021, 11:59 PM
No, just looking for an example of creating the event rule manually, so that I can bypass the CallbackFunction constructor and use the base classes directly.
It's only code in there that's blocking me. If I did the same thing myself, I can pass my own policy.arn in just fine.
I just can't follow the mixin code.
f

faint-table-42725

05/12/2021, 12:00 AM
Sorry for the frustration. I’ll post this to the issue as well, but an alternative to what you’re doing would be to create just the role. Then you can still use everything else.
The
CallbackFunction
args should take a
role
argument — which, if provided, will skip the whole
policies
part
l

little-cartoon-10569

05/12/2021, 12:01 AM
My particular use case is a scheduled event (cron event bridge trigger) that starts some EC2 instances, with encrypted root volumes. To start an instance with an encrpyted root volume, the relevant role must have kms:Grant privilege. But the default permissions don't include that.
So I need to use my own policy with that permission.
I could try the role.
Need to find out how the role looks 🙂
Ok all sorted I think. Preview looks good. Some resources have changed where they are in the tree (e.g. the Function is now a child of my ComponentResource rather than the EventRuleEventSubscription) but it looks correct. Can't
up
to be sure, I've fallen behind trunk branch and there's a few changes I'd undo if I deployed now 🙂 I'll get to it in a few hours, need to get out of here now. Thanks for all your help!
👍 1