IAM Policy Conditions are rendered as ['null']
#157
Comments
|
Can you give an example in YAML of the file you are trying to process. I have a PR that sounds like it is trying to solve a similar problem #158 It doe not support Goformation can store intrinsic objects as Base64 encoded strings in the Gostruct and will decode those to the properly when using Or you could use the encoding intrinsics: Or turn off all intrinsics processing all together: |
|
We're using the Go template, so start with an IAM policy document with the following statement: {
Effect: iam.EffectAllow,
Resource: iam.Resources{fmt.Sprintf(
"arn:aws:iam::%s:role/aws-service-role/elasticloadbalancing.amazonaws.com/AWSServiceRoleForElasticLoadBalancing",
accountID),
},
Action: iam.Actions{
"iam:CreateServiceLinkedRole",
},
Condition: iam.Conditions{
"StringLike": map[string]string{"iam:AWSServiceName": "elasticloadbalancing.amazonaws.com"},
},
},we should end up with a resultant template with the following resource: AWSIAMManagedPolicyControllers:
Properties:
Description: For the Kubernetes Cluster API Provider AWS Controllers
Groups:
- Ref: AWSIAMGroupBootstrapper
ManagedPolicyName: controllers.cluster-api-provider-aws.sigs.k8s.io
PolicyDocument:
Statement:
- Action:
- ec2:AllocateAddress
- elasticloadbalancing:RegisterInstancesWithLoadBalancer
Effect: Allow
Resource:
- '*'
- Action:
- iam:CreateServiceLinkedRole
Effect: Allow
Condition:
StringLike:
iam:AWSServiceName: elasticloadbalancing.amazonaws.com
Resource:
- arn:aws:iam::012345678901:role/aws-service-role/elasticloadbalancing.amazonaws.com/AWSServiceRoleForElasticLoadBalancing
Version: "2012-10-17"
Roles:
- Ref: AWSIAMRoleControllers
- Ref: AWSIAMRoleControlPlane
Type: AWS::IAM::ManagedPolicybut instead get: AWSIAMManagedPolicyControllers:
Properties:
Description: For the Kubernetes Cluster API Provider AWS Controllers
Groups:
- Ref: AWSIAMGroupBootstrapper
ManagedPolicyName: controllers.cluster-api-provider-aws.sigs.k8s.io
PolicyDocument:
Statement:
- Action:
- ec2:AllocateAddress
- elasticloadbalancing:RegisterInstancesWithLoadBalancer
Effect: Allow
Resource:
- '*'
- null
Roles:
- Ref: AWSIAMRoleControllers
- Ref: AWSIAMRoleControlPlane
Type: AWS::IAM::ManagedPolicyI did try going down the |
|
My PR just got merged so you could try To render a template with the base64 decoded you have to use either |
|
Got the same result. Did the following func reparseTemplate(t *cloudformation.Template) (*cloudformation.Template, error) {
j, err := json.MarshalIndent(t, "", " ")
if err != nil {
return nil, err
}
rendered, err := intrinsics.ProcessJSON(j, &intrinsics.ProcessorOptions{
NoProcess: true,
})
if err != nil {
return nil, err
}
return goformation.ParseJSONWithOptions(
rendered, &intrinsics.ProcessorOptions{
IntrinsicHandlerOverrides: cloudformation.EncoderIntrinsics,
},
)
}
// YAMLWithoutConditions returns rendered GoFormation without Condition
// intrinsic function processing
func YAMLWithoutConditions(t *cloudformation.Template) ([]byte, error) {
reparsed, err := reparseTemplate(t)
if err != nil {
return nil, err
}
return reparsed.YAML()
}and then in the command line: template := cloudformation.BootstrapTemplate(args[0])
j, err := cloudformation.YAMLWithoutConditions(template)
if err != nil {
return err
} |
|
Explicitly, see the commit here: kubernetes-sigs/cluster-api-provider-aws@1a73f44 |
|
Appears to be resolved by v3 at least |
In CFN, IAM Policy conditions are represented in a PolicyDocument object with a
Conditionkey.Unfortunately, GoFormation interprets this as a Condition intrinsic and attempts to process it, fails and represents the output as null.
We are using a workaround based on string replacement, but would be good to solve properly.
The text was updated successfully, but these errors were encountered: