Add support for overriding IAM role #59

Open
aavileli opened this issue Nov 21, 2022 · 3 comments
Labels
kind/enhancement Improvements or new features

Comments


aavileli commented Nov 21, 2022

When moving to the schematised API Gateway component from the original AWSx TypeScript implementation, there's no way to override the IAM role.

Previously this was possible using stack transformations, but these are not yet supported (pulumi/pulumi#6948).

Could we support overriding the IAM role as an argument to the component instead?


Original Issue

What happened?

Hi dev
I am using the following versions

{
	"name": "lambda-test",
	"devDependencies": {
		"@types/node": "^14"
	},
	"dependencies": {
		"@pulumi/aws": "5.10.0",
		"@pulumi/aws-apigateway": "^0.0.11",
		"@pulumi/awsx": "^1.0.0-beta",
		"@pulumi/pulumi": "^3.0.0",
		"typescript": "^4.0.0"
	}
}

I am using Pulumi's serverless-aws-typescript template and trying to override the IAM role created by the library. I can override the lambda callbackFunction using the global pulumi.runtime.registerStackTransformation, but the apigateway.RestAPI role is not getting transformed. It does work at the resource opts also.

Steps to reproduce

  • pulumi new serverless-aws-typescript

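Add global stack transformation

import * as pulumi from "@pulumi/pulumi";

// Add a permissions boundary to every IAM role registered in this stack.
pulumi.runtime.registerStackTransformation(args => {
    if (args.type === 'aws:iam/role:Role') {
        return {
            ...args,
            props: { ...args.props, permissionsBoundary: "arn:aws:iam::xxxxxxxx:policy/OpsBoundary" },
        };
    }
    // Leave every other resource type unchanged.
    return undefined;
});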

Expected Behavior

  + aws:iam/role:Role: (create)
            [urn=urn:pulumi:dev::lambda-test::aws-apigateway:index:RestAPI$aws:iam/role:Role::api4c238266]
            [provider=urn:pulumi:dev::lambda-test::pulumi:providers:aws::default_4_30_0::9f4f0d6d-d765-4e28-aaea-c5b8252bf6ad]
            assumeRolePolicy   : (json) {
                Statement: [
                    [0]: {
                        Action   : "sts:AssumeRole"
                        Effect   : "Allow"
                        Principal: {
                            Service: "apigateway.amazonaws.com"
                        }
                    }
                ]
                Version  : "2012-10-17"
            }

            forceDetachPolicies: false
            maxSessionDuration : 3600
            name               : "api4c238266-32f26c7"
            path               : "/"
            permissionsBoundary: "arn:aws:iam::xxxxxxxxxx:policy/OpsBoundary"

Actual Behavior

      + aws:iam/role:Role: (create)
            [urn=urn:pulumi:dev::lambda-test::aws-apigateway:index:RestAPI$aws:iam/role:Role::api4c238266]
            [provider=urn:pulumi:dev::lambda-test::pulumi:providers:aws::default_4_30_0::9f4f0d6d-d765-4e28-aaea-c5b8252bf6ad]
            assumeRolePolicy   : (json) {
                Statement: [
                    [0]: {
                        Action   : "sts:AssumeRole"
                        Effect   : "Allow"
                        Principal: {
                            Service: "apigateway.amazonaws.com"
                        }
                    }
                ]
                Version  : "2012-10-17"
            }

            forceDetachPolicies: false
            maxSessionDuration : 3600
            name               : "api4c238266-32f26c7"
            path               : "/"
            

Output of pulumi about

No response

Additional context

No response

Contributing

Vote on this issue by adding a 👍 reaction.
To contribute a fix for this issue, leave a comment (and link to your pull request, if you've opened one already).

@aavileli aavileli added kind/bug Some behavior is incorrect or out of spec needs-triage Needs attention from the triage team labels Nov 21, 2022
@aavileli
Author

I have changed to use the following API and transformations work as intended. It might be a good idea to replace all outdated templates with this API: awsx.classic.apigateway.API

@danielrbradley
Member

Unfortunately, this is a known issue of component plugins: pulumi/pulumi#6948

The classic namespace in AWSx will not be receiving updates apart from security fixes, so it might not be the best choice for the long term.

I would suggest we rework this issue into "Add support for overriding IAM role". The new AWSx components already provide equivalent options, so we would hopefully be able to adopt the same design for this component too.

@danielrbradley danielrbradley removed the needs-triage Needs attention from the triage team label Nov 21, 2022
@aavileli
Author

@danielrbradley makes sense and thanks for the response

@danielrbradley danielrbradley changed the title transformations to overide iam role does not work Add support for overriding IAM role Nov 23, 2022
@danielrbradley danielrbradley added kind/enhancement Improvements or new features and removed kind/bug Some behavior is incorrect or out of spec labels Nov 23, 2022
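
Because the stack transformation in this issue silently skips the role created inside the RestAPI component, a check on the deployed state is a useful guardrail. The following is an added example, not code from this issue or from the Pulumi project: it scans JSON in the shape of `pulumi stack export` (assumed here as `deployment.resources[]` with `urn`, `type` and `inputs`) for IAM roles that lack the required permissions boundary. The function names, the account ID and the sample data are constructed for illustration.

```typescript
interface ExportedResource {
  urn: string;
  type: string;
  inputs?: Record<string, unknown>;
}
interface StackExport { deployment: { resources: ExportedResource[] }; }
interface Finding {
  urn: string;
  viaComponent: boolean; // role was created as a child of a component resource
  actual: string | null; // boundary found on the role, if any
}

// URN layout: urn:pulumi:<stack>::<project>::<parentType$...$type>::<name>
// A '$' in the type segment means the resource is nested under a component.
function typeChain(urn: string): string[] {
  const parts = urn.split("::");
  return parts.length >= 4 ? parts[2].split("$") : [];
}

// Return every IAM role whose permissionsBoundary is missing or different.
function findRolesMissingBoundary(stack: StackExport, requiredArn: string): Finding[] {
  const findings: Finding[] = [];
  for (const res of stack.deployment.resources) {
    if (res.type !== "aws:iam/role:Role") continue;
    const value = res.inputs?.permissionsBoundary;
    const actual = typeof value === "string" && value !== "" ? value : null;
    if (actual === requiredArn) continue;
    findings.push({ urn: res.urn, viaComponent: typeChain(res.urn).length > 1, actual });
  }
  return findings;
}

// Constructed sample: one role that received the boundary, and the
// component-owned role from this issue that did not.
const BOUNDARY = "arn:aws:iam::000000000000:policy/OpsBoundary"; // placeholder account
const sampleExport: StackExport = { deployment: { resources: [
  { urn: "urn:pulumi:dev::lambda-test::aws:iam/role:Role::handler-role",
    type: "aws:iam/role:Role", inputs: { permissionsBoundary: BOUNDARY } },
  { urn: "urn:pulumi:dev::lambda-test::aws-apigateway:index:RestAPI::api",
    type: "aws-apigateway:index:RestAPI" },
  { urn: "urn:pulumi:dev::lambda-test::aws-apigateway:index:RestAPI$aws:iam/role:Role::api4c238266",
    type: "aws:iam/role:Role", inputs: { path: "/" } },
] } };

console.log(JSON.stringify(findRolesMissingBoundary(sampleExport, BOUNDARY), null, 2));
```

Run in CI after `pulumi up`, a non-empty result can fail the pipeline; `viaComponent` marks the roles a stack transformation could not have reached.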