https://pulumi.com logo
Powered by
#dotnet
Title
w

worried-city-86458

09/10/2020, 8:28 PM
I've got some helpers to create aws iam roles which I've switched from using c# string interpolation tricks to using 
Pulumi.Aws.Iam.GetPolicyDocument
but this has two side effects... • 
Sid
is being passed as an empty string despite being a `string?`; I would expect not specifying this to omit the value • I'm now working with an output which causes problems with preview not propagating the value; can this be handled better?
Example helpers:
Copy code
public static Role CreateRoleForService(string name, string service) =>
    new Role(name, new RoleArgs { AssumeRolePolicy = AssumeRoleForService(service) });

public static Role CreateRoleForServiceAccount(string name, Output<string> oidcArn, Output<string> oidcUrl, string saNamespace, string saName) =>
    new Role(name, new RoleArgs { AssumeRolePolicy = AssumeRoleForServiceAccount(oidcArn, oidcUrl, saNamespace, saName) });

private static Output<string> AssumeRoleForService(string service) =>
    Output.Create(GetPolicyDocument.InvokeAsync(
        new GetPolicyDocumentArgs
        {
            Statements =
            {
                new GetPolicyDocumentStatementArgs
                {
                    Effect = "Allow",
                    Principals =
                    {
                        new GetPolicyDocumentStatementPrincipalArgs
                        {
                            Type = "Service",
                            Identifiers = { service }
                        }
                    },
                    Actions = { "sts:AssumeRole" }
                }
            }
        })).Apply(policy => policy.Json);

private static Output<string> AssumeRoleForServiceAccount(Output<string> oidcArn, Output<string> oidcUrl, string saNamespace, string saName) =>
    Output.Tuple(oidcArn, oidcUrl).Apply(((string OidcArn, string OidcUrl)tuple) => GetPolicyDocument.InvokeAsync(
        new GetPolicyDocumentArgs
        {
            Statements =
            {
                new GetPolicyDocumentStatementArgs
                {
                    Effect = "Allow",
                    Principals =
                    {
                        new GetPolicyDocumentStatementPrincipalArgs
                        {
                            Type = "Federated",
                            Identifiers = { tuple.OidcArn }
                        }
                    },
                    Actions = { "sts:AssumeRoleWithWebIdentity" },
                    Conditions =
                    {
                        new GetPolicyDocumentStatementConditionArgs
                        {
                            Test = "StringEquals",
                            Values = { $"system:serviceaccount:{saNamespace}:{saName}" },
                            Variable = $"{tuple.OidcUrl}:sub"
                        }
                    }
                }
            }
        })).Apply(policy => policy.Json);
Re the 
Sid
not being omitted, it would be nice to have more insight into how such properties are handled on the backend. Is there source I can look at that shows the 
null
being translated to an empty string in this case, and which I can suggest it omits the value instead?
Re the outputs, is there a way to specify that an output is fast, without any real external dependencies, and without any side effects to resources, such that it should be evaluated / materialized during preview so its value can flow throughout and thereby avoid a cascade of unknown values?
No replies here so far so I created an issue: https://github.com/pulumi/pulumi/issues/5335
Powered by