worried-city-86458
09/10/2020, 8:28 PM
`Pulumi.Aws.Iam.GetPolicyDocument` but this has two side effects...
• `Sid` is being passed as an empty string despite being a `string?`; I would expect that not specifying it would omit the value
• I'm now working with an output, which causes problems with preview not propagating the value; can this be handled better?
public static Role CreateRoleForService(string name, string service) =>
new Role(name, new RoleArgs { AssumeRolePolicy = AssumeRoleForService(service) });
/// <summary>
/// Creates an IAM role whose trust policy is the web-identity document built by
/// <c>AssumeRoleForServiceAccount</c> for one Kubernetes service account.
/// </summary>
/// <param name="name">Pulumi resource name of the role.</param>
/// <param name="oidcArn">ARN of the OIDC provider, used as the federated principal.</param>
/// <param name="oidcUrl">URL of the OIDC provider, used as the prefix of the <c>:sub</c> condition key.</param>
/// <param name="saNamespace">Namespace of the service account allowed to assume the role.</param>
/// <param name="saName">Name of the service account allowed to assume the role.</param>
/// <returns>The new <c>Role</c> resource.</returns>
public static Role CreateRoleForServiceAccount(string name, Output<string> oidcArn, Output<string> oidcUrl, string saNamespace, string saName)
{
    // The trust policy is an Output because it depends on the two OIDC outputs.
    var trustPolicy = AssumeRoleForServiceAccount(oidcArn, oidcUrl, saNamespace, saName);
    var roleArgs = new RoleArgs { AssumeRolePolicy = trustPolicy };
    return new Role(name, roleArgs);
}
/// <summary>
/// Builds the trust-policy JSON that allows a single AWS service principal to call
/// <c>sts:AssumeRole</c> on the role.
/// </summary>
/// <param name="service">Service principal identifier placed in the statement's <c>Principals</c>.</param>
/// <returns>The <c>Json</c> of the document returned by <c>GetPolicyDocument</c>.</returns>
/// <remarks>
/// NOTE(review): the statement has no <c>Conditions</c>. Where the service acts on behalf of
/// resources in other accounts, consider scoping it with <c>aws:SourceArn</c> or
/// <c>aws:SourceAccount</c> to limit confused-deputy exposure.
/// </remarks>
private static Output<string> AssumeRoleForService(string service)
{
    // One Allow statement: the service principal may assume the role.
    var trustStatement = new GetPolicyDocumentStatementArgs
    {
        Effect = "Allow",
        Actions = { "sts:AssumeRole" },
        Principals =
        {
            new GetPolicyDocumentStatementPrincipalArgs
            {
                Type = "Service",
                Identifiers = { service },
            },
        },
    };

    var pendingDocument = GetPolicyDocument.InvokeAsync(
        new GetPolicyDocumentArgs { Statements = { trustStatement } });

    // Wrap the task so the JSON can flow into resource arguments as an Output.
    return Output.Create(pendingDocument).Apply(document => document.Json);
}
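/// <summary>
/// Builds the trust-policy JSON that lets one Kubernetes service account assume a role
/// through an OIDC identity provider (<c>sts:AssumeRoleWithWebIdentity</c>).
/// </summary>
/// <param name="oidcArn">ARN of the OIDC provider; the statement's only federated principal.</param>
/// <param name="oidcUrl">Issuer URL of the OIDC provider, with or without a leading <c>https://</c>.</param>
/// <param name="saNamespace">Namespace of the service account; must not be blank.</param>
/// <param name="saName">Name of the service account; must not be blank.</param>
/// <returns>The <c>Json</c> of the document returned by <c>GetPolicyDocument</c>.</returns>
/// <exception cref="System.ArgumentException">
/// <paramref name="saNamespace"/> or <paramref name="saName"/> is null, empty or whitespace.
/// </exception>
/// <remarks>
/// NOTE(review): only the token subject is pinned. AWS guidance for service-account roles also
/// pins the audience claim (the issuer's <c>:aud</c> key, normally <c>sts.amazonaws.com</c>);
/// consider adding that condition once the provider's client-ID list is confirmed.
/// </remarks>
private static Output<string> AssumeRoleForServiceAccount(Output<string> oidcArn, Output<string> oidcUrl, string saNamespace, string saName)
{
    // A blank part would produce a subject such as "system:serviceaccount::name" that no
    // token carries, leaving a role nobody can assume; reject it up front instead.
    if (string.IsNullOrWhiteSpace(saNamespace))
    {
        throw new System.ArgumentException("Service account namespace must not be blank.", nameof(saNamespace));
    }

    if (string.IsNullOrWhiteSpace(saName))
    {
        throw new System.ArgumentException("Service account name must not be blank.", nameof(saName));
    }

    const string HttpsScheme = "https://";

    // StringEquals compares literally, so exactly one namespace/name pair is trusted.
    var subject = $"system:serviceaccount:{saNamespace}:{saName}";

    return Output.Tuple(oidcArn, oidcUrl).Apply(((string OidcArn, string OidcUrl) tuple) =>
    {
        // IAM names OIDC condition keys after the issuer WITHOUT its scheme. A key that still
        // starts with "https://" matches nothing in the request context, so the condition is
        // never satisfied. Stripping is a no-op when the caller already removed the scheme.
        var rawIssuer = tuple.OidcUrl ?? string.Empty;
        var issuer = rawIssuer.StartsWith(HttpsScheme, System.StringComparison.OrdinalIgnoreCase)
            ? rawIssuer.Substring(HttpsScheme.Length)
            : rawIssuer;

        return GetPolicyDocument.InvokeAsync(
            new GetPolicyDocumentArgs
            {
                Statements =
                {
                    new GetPolicyDocumentStatementArgs
                    {
                        Effect = "Allow",
                        Principals =
                        {
                            new GetPolicyDocumentStatementPrincipalArgs
                            {
                                Type = "Federated",
                                Identifiers = { tuple.OidcArn }
                            }
                        },
                        Actions = { "sts:AssumeRoleWithWebIdentity" },
                        Conditions =
                        {
                            new GetPolicyDocumentStatementConditionArgs
                            {
                                Test = "StringEquals",
                                Values = { subject },
                                Variable = $"{issuer}:sub"
                            }
                        }
                    }
                }
            });
    }).Apply(policy => policy.Json);
}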
Regarding `Sid` not being omitted, it would be nice to have more insight into how such properties are handled on the backend. Is there source I can look at that shows the `null` being translated to an empty string in this case, so that I can suggest it omit the value instead?