# dotnet
I've got some helpers to create AWS IAM roles which I've switched from using C# string interpolation tricks to using `Pulumi.Aws.Iam.GetPolicyDocument`, but this has two side effects...

• `Sid` is being passed as an empty string despite being a `string?`; I would expect not specifying this to omit the value
• I'm now working with an output which causes problems with preview not propagating the value; can this be handled better?

Example helpers:
```csharp
public static Role CreateRoleForService(string name, string service) =>
    new Role(name, new RoleArgs { AssumeRolePolicy = AssumeRoleForService(service) });

public static Role CreateRoleForServiceAccount(string name, Output<string> oidcArn, Output<string> oidcUrl, string saNamespace, string saName) =>
    new Role(name, new RoleArgs { AssumeRolePolicy = AssumeRoleForServiceAccount(oidcArn, oidcUrl, saNamespace, saName) });

private static Output<string> AssumeRoleForService(string service) =>
    Output.Create(GetPolicyDocument.InvokeAsync(
        new GetPolicyDocumentArgs
        {
            Statements =
            {
                new GetPolicyDocumentStatementArgs
                {
                    Effect = "Allow",
                    Principals =
                    {
                        new GetPolicyDocumentStatementPrincipalArgs
                        {
                            Type = "Service",
                            Identifiers = { service }
                        }
                    },
                    Actions = { "sts:AssumeRole" }
                }
            }
        })).Apply(policy => policy.Json);

private static Output<string> AssumeRoleForServiceAccount(Output<string> oidcArn, Output<string> oidcUrl, string saNamespace, string saName) =>
    Output.Tuple(oidcArn, oidcUrl).Apply(((string OidcArn, string OidcUrl)tuple) => GetPolicyDocument.InvokeAsync(
        new GetPolicyDocumentArgs
        {
            Statements =
            {
                new GetPolicyDocumentStatementArgs
                {
                    Effect = "Allow",
                    Principals =
                    {
                        new GetPolicyDocumentStatementPrincipalArgs
                        {
                            Type = "Federated",
                            Identifiers = { tuple.OidcArn }
                        }
                    },
                    Actions = { "sts:AssumeRoleWithWebIdentity" },
                    Conditions =
                    {
                        new GetPolicyDocumentStatementConditionArgs
                        {
                            Test = "StringEquals",
                            Values = { $"system:serviceaccount:{saNamespace}:{saName}" },
                            Variable = $"{tuple.OidcUrl}:sub"
                        }
                    }
                }
            }
        })).Apply(policy => policy.Json);
```

Re the `Sid` not being omitted, it would be nice to have more insight into how such properties are handled on the backend. Is there source I can look at that shows the `null` being translated to an empty string in this case, and which I can suggest it omits the value instead?

Re the outputs, is there a way to specify that an output is fast, without any real external dependencies, and without any side effects to resources, such that it should be evaluated / materialized during preview so its value can flow throughout and thereby avoid a cascade of unknown values?
No replies here so far so I created an issue: https://github.com/pulumi/pulumi/issues/5335
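
An added example, not part of the original post and not Pulumi's own code: the same two trust policies rendered locally with `System.Text.Json`, so that `Sid` is left out of the document whenever it is null. The `TrustPolicy` class, its `Statement` type, the method names and the sample ARN, URL and service account values are all hypothetical or constructed for illustration.

```csharp
#nullable enable
using System;
using System.Collections.Generic;
using System.Text.Json;
using System.Text.Json.Serialization;

// Hypothetical helper, not a Pulumi API: renders IAM trust policies locally.
public static class TrustPolicy
{
    public sealed class Statement
    {
        public string? Sid { get; set; }
        public string Effect { get; set; } = "Allow";
        public Dictionary<string, string> Principal { get; set; } = new Dictionary<string, string>();
        public string Action { get; set; } = "";
        public Dictionary<string, Dictionary<string, string>>? Condition { get; set; }
    }

    // Null members (Sid, Condition) are left out of the JSON instead of being written as "" or null.
    private static readonly JsonSerializerOptions Options =
        new JsonSerializerOptions { DefaultIgnoreCondition = JsonIgnoreCondition.WhenWritingNull };
    private static string Render(Statement statement) => JsonSerializer.Serialize(
        new Dictionary<string, object> { ["Version"] = "2012-10-17", ["Statement"] = new[] { statement } },
        Options);

    public static string ForService(string service, string? sid = null) =>
        Render(new Statement { Sid = sid, Principal = { ["Service"] = service }, Action = "sts:AssumeRole" });

    public static string ForServiceAccount(string oidcArn, string oidcUrl, string saNamespace, string saName, string? sid = null) =>
        Render(new Statement
        {
            Sid = sid,
            Principal = { ["Federated"] = oidcArn },
            Action = "sts:AssumeRoleWithWebIdentity",
            // Only this one service account's token subject may assume the role.
            Condition = new Dictionary<string, Dictionary<string, string>>
            {
                ["StringEquals"] = new Dictionary<string, string>
                    { [$"{oidcUrl}:sub"] = $"system:serviceaccount:{saNamespace}:{saName}" }
            }
        });

    public static void Main()
    {
        // Constructed sample values, not taken from the original post.
        Console.WriteLine(ForService("ec2.amazonaws.com"));
        Console.WriteLine(ForServiceAccount("arn:aws:iam::111122223333:oidc-provider/oidc.example.com/id/EXAMPLE",
            "oidc.example.com/id/EXAMPLE", "default", "my-service-account", sid: "AllowServiceAccount"));
    }
}
```

In a Pulumi program, `ForService` returns a plain string that can be assigned to `AssumeRolePolicy` directly, while `ForServiceAccount` would be called inside `Output.Tuple(oidcArn, oidcUrl).Apply(...)`.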