
rhythmic-receptionist-62263

02/09/2023, 10:22 PM
Hi guys, I'm trying to understand the best approach for using arrays of data for creating cloud objects using Pulumi when using Python (but I imagine it's the same across all). The use case I wanted to try was if I had an array of Azure Policies that I wanted to assign. For example, I have a list of Azure Policies that I want to assign; in the Terraform world I would have a list of policy names, then I would get it to loop through them assigning the values. An example of how I thought this might work on Pulumi:
```python
policySet = [
    {'policyid': '/providers/Microsoft.Authorization/policyDefinitions/4f11b553-d42e-4e3a-89be-32ca364cad4c',
     'policyname': '3 Max SubOwners'},
    {'policyid': '/providers/Microsoft.Authorization/policyDefinitions/044985bb-afe1-42cd-8a36-9d5d42424537',
     'policyname': 'AuditExpiredStorageKeys'},
]
count = 0
for policyObject in policySet:
    count = count + 1
    assignmentName = "policyAssignment" + str(count)
    policy_assignment = authorization.PolicyAssignment(assignmentName,
        policy_assignment_name=policyObject['policyname'],
        policy_definition_id=policyObject['policyid'],
        scope=managementGroup)
```
First question is, what is the best approach here? Ideally I'd like to get this array from an external file, be it JSON/whatever. The documentation doesn't delve very deep into using external data or more complex configurations beyond simple key/values. I initially thought I could leverage the config, but when using a YAML array of objects it gets translated into an array of strings when it's accessed using the Config(). So I tried the above by just creating an inline array, but when this ran through it was only showing that it would create a single policy assignment rather than 2.

steep-toddler-94095

02/10/2023, 12:30 AM
i'd recommend against doing a count-based approach like this. Imagine if you remove a policy in the middle of the list, it would cause each item after that to be renamed and thus recreated. I think a better approach would be to name your PolicyAssignments based on the data you are reading in. E.g. the `policyname` in your JSON object.
> The documentation doesn't delve very deep into using external data or more complex configurations beyond simple key/values.

i think this is on purpose. the best way to retrieve outside data depends on your specific situation, and since you're given the full power of a general purpose language, there's a lot of options. In your specific case, where is the "source of truth" for this configuration data you want to pass into Pulumi?

rhythmic-receptionist-62263

02/10/2023, 12:53 AM
Thanks for the feedback Mike, you're right about the count naming. I didn't consider that I could just reuse the policy name. Right now I'm wanting to do a proof of concept comparison between how Terraform deploys a landing zone based set of Azure policies across various management groups. Ideally I would have JSON files with a list of the policies and let it iterate through that so that they can be updated easily then rerun. That way an architect can provide the policies without needing to fully understand the automation, just the expected data structure. I did a quick test just now of reshuffling the policy order in the inline list and I can see why using the count is a silly idea.

steep-toddler-94095

02/10/2023, 1:06 AM
reading a json file into a python object and iterating over it makes sense then. Can just parse it with `json.load`
```python
import json

# Read the policy list from an external JSON file
with open("./path/to/yourData.json") as f:
    policySet = json.load(f)
...
```
if you're into type-safety you can further convert it into an array of TypedDict or NamedTuples or something

rhythmic-receptionist-62263

02/10/2023, 2:38 AM
Ah right, very cool that we can treat it as pure code with classes that do magic.