Thread
#golang

    alert-crayon-18838

    6 months ago
    Is there a better way to write JSON IAM policies than using a bunch of []map[string]interface{}{ everywhere and pulling it together with json.Marshal?

    bored-table-20691

    6 months ago
    There's the structured IAM class
    Look for examples of iam.GetPolicyDocument

    alert-crayon-18838

    6 months ago
    Thanks Itay, I'll have a looksee
    Oof that isn't much better. I think I'll create it manually for now and pull it using LookupInstanceProfile, and then try to figure it out later
    Thanks for the pointer tho

    important-appointment-55126

    6 months ago
    i wrote a helper that made it a bit less painful to build policies.. end up with code like this:
    Policy: policy.New("my-policy",
        policy.Statement("statement-one",
            policy.Effect(policy.Allow),
            policy.Action(
                "s3:GetObject",
                "s3:PutObject",
            ),
            policy.Principal("AWS",
                "arn:aws:iam::12345:root",
            ),
            policy.Resource(
                pulumi.Sprintf("%s/*", bucketArn),
            ),
        ),
    ).ToStringOutput(),
    i could probably push the helper up to github if useful

    alert-crayon-18838

    6 months ago
    that would be awesome! @important-appointment-55126

    important-appointment-55126

    6 months ago
    ok let me see what state that code is in and i’ll upload it.. could probably still use some love though 😉

    bored-table-20691

    6 months ago
    Here is my example. I don't find this that bad?
    // allow is a string variable holding "Allow"; ctx and bucketArn come from the surrounding program (assumed).
    source, err := iam.GetPolicyDocument(ctx, &iam.GetPolicyDocumentArgs{
        Statements: []iam.GetPolicyDocumentStatement{
            // Allow AssumeRole - we allow to assume any role,
            // but that role will have to have been granted permissions
            // to be assumable by this role.
            {
                Actions: []string{
                    "sts:AssumeRole",
                },
                Resources: []string{
                    "*",
                },
                Effect: &allow,
            },
            // Some base bucket policies
            {
                Actions: []string{
                    "s3:HeadBucket",
                },
                Resources: []string{
                    bucketArn,
                },
                Effect: &allow,
            },
        },
    })

    important-appointment-55126

    6 months ago
    not bad at all
    does that only accept strings though? what happens if you want to reference resources etc that aren’t yet resolved?

    bored-table-20691

    6 months ago
    Also Hi Gareth - it's been a minute 😀
    I believe it does only accept strings - if you need unresolved references you'd do this inside an ApplyT, which is what I've always done.

    important-appointment-55126

    6 months ago
    it has indeed been a few minutes! Hope you’re doing well 🙂
    yeah i wrote my little hack to avoid having to put more things inside an ApplyT in my main scripts.. tucks it out of the way instead

    bored-table-20691

    6 months ago
    Understood. In my case I usually need it anyway for some other things so it works out OK.

    billowy-army-68599

    6 months ago
    @important-appointment-55126 this helper repo is awesome ❤️
    can you DM me your email? i want to send you some swag as a thanks