IAM Policy Conditions are rendered as ['null']
#157
Comments
Can you give an example in YAML of the file you are trying to process. I have a PR that sounds like it is trying to solve a similar problem: #158. It does not support

GoFormation can store intrinsic objects as Base64 encoded strings in the Go struct and will decode those properly when using

Or you could use the encoding intrinsics:

Or turn off all intrinsics processing altogether:
We're using the Go template, so start with an IAM policy document with the following statement:

```go
{
	Effect: iam.EffectAllow,
	Resource: iam.Resources{fmt.Sprintf(
		"arn:aws:iam::%s:role/aws-service-role/elasticloadbalancing.amazonaws.com/AWSServiceRoleForElasticLoadBalancing",
		accountID),
	},
	Action: iam.Actions{
		"iam:CreateServiceLinkedRole",
	},
	Condition: iam.Conditions{
		"StringLike": map[string]string{"iam:AWSServiceName": "elasticloadbalancing.amazonaws.com"},
	},
}
```

We should end up with a resultant template with the following resource:

```yaml
AWSIAMManagedPolicyControllers:
  Properties:
    Description: For the Kubernetes Cluster API Provider AWS Controllers
    Groups:
      - Ref: AWSIAMGroupBootstrapper
    ManagedPolicyName: controllers.cluster-api-provider-aws.sigs.k8s.io
    PolicyDocument:
      Statement:
        - Action:
            - ec2:AllocateAddress
            - elasticloadbalancing:RegisterInstancesWithLoadBalancer
          Effect: Allow
          Resource:
            - '*'
        - Action:
            - iam:CreateServiceLinkedRole
          Effect: Allow
          Condition:
            StringLike:
              iam:AWSServiceName: elasticloadbalancing.amazonaws.com
          Resource:
            - arn:aws:iam::012345678901:role/aws-service-role/elasticloadbalancing.amazonaws.com/AWSServiceRoleForElasticLoadBalancing
      Version: "2012-10-17"
    Roles:
      - Ref: AWSIAMRoleControllers
      - Ref: AWSIAMRoleControlPlane
  Type: AWS::IAM::ManagedPolicy
```

but instead get:

```yaml
AWSIAMManagedPolicyControllers:
  Properties:
    Description: For the Kubernetes Cluster API Provider AWS Controllers
    Groups:
      - Ref: AWSIAMGroupBootstrapper
    ManagedPolicyName: controllers.cluster-api-provider-aws.sigs.k8s.io
    PolicyDocument:
      Statement:
        - Action:
            - ec2:AllocateAddress
            - elasticloadbalancing:RegisterInstancesWithLoadBalancer
          Effect: Allow
          Resource:
            - '*'
        - null
    Roles:
      - Ref: AWSIAMRoleControllers
      - Ref: AWSIAMRoleControlPlane
  Type: AWS::IAM::ManagedPolicy
```

I did try going down the
My PR just got merged so you could try
To render a template with the base64 decoded you have to use either
Got the same result. Did the following:

```go
import (
	"encoding/json"

	// Import paths for goformation; depending on the goformation major version
	// in use the module path may carry a /vN suffix.
	"github.com/awslabs/goformation"
	"github.com/awslabs/goformation/cloudformation"
	"github.com/awslabs/goformation/intrinsics"
)

// reparseTemplate serialises the template to JSON without processing any
// intrinsics, then parses it back with the encoder intrinsic handlers so that
// intrinsic objects are kept as Base64-encoded strings instead of being evaluated.
func reparseTemplate(t *cloudformation.Template) (*cloudformation.Template, error) {
	j, err := json.MarshalIndent(t, "", " ")
	if err != nil {
		return nil, err
	}
	rendered, err := intrinsics.ProcessJSON(j, &intrinsics.ProcessorOptions{
		NoProcess: true,
	})
	if err != nil {
		return nil, err
	}
	return goformation.ParseJSONWithOptions(
		rendered, &intrinsics.ProcessorOptions{
			IntrinsicHandlerOverrides: cloudformation.EncoderIntrinsics,
		},
	)
}

// YAMLWithoutConditions returns rendered GoFormation without Condition
// intrinsic function processing
func YAMLWithoutConditions(t *cloudformation.Template) ([]byte, error) {
	reparsed, err := reparseTemplate(t)
	if err != nil {
		return nil, err
	}
	return reparsed.YAML()
}
```

and then in the command line:

```go
// Here `cloudformation` is our own package that wraps the helpers above,
// not the goformation package of the same name.
template := cloudformation.BootstrapTemplate(args[0])
j, err := cloudformation.YAMLWithoutConditions(template)
if err != nil {
	return err
}
```
Explicitly, see the commit here: kubernetes-sigs/cluster-api-provider-aws@1a73f44

Appears to be resolved by v3 at least
In CFN, IAM Policy conditions are represented in a PolicyDocument object with a Condition key. Unfortunately, GoFormation interprets this as a Condition intrinsic and attempts to process it, fails and represents the output as null.

We are using a workaround based on string replacement, but would be good to solve properly.
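The failure mode described above, reduced to a stand-alone walker so it can be seen without goformation itself (an added example, not code from goformation or cluster-api-provider-aws): with `guarded=false` any object carrying a `Condition` key is treated as the CloudFormation Condition intrinsic, the lookup fails and the whole IAM statement, its `Condition` included, renders as `null`; with `guarded=true` only an object of the intrinsic's own shape (a single `Condition` key with a string value) is resolved. The sample statement, the `templateConditions` map and the shape heuristic are constructed assumptions for this demonstration.

```go
package main

import "encoding/json"

// Constructed sample: an IAM statement whose "Condition" is the IAM policy-language
// key (an object beside Effect/Action), not the CloudFormation Condition intrinsic.
const sampleStatement = `{"Effect":"Allow","Action":["iam:CreateServiceLinkedRole"],
 "Resource":["arn:aws:iam::012345678901:role/aws-service-role/elasticloadbalancing.amazonaws.com/AWSServiceRoleForElasticLoadBalancing"],
 "Condition":{"StringLike":{"iam:AWSServiceName":"elasticloadbalancing.amazonaws.com"}}}`

// Template-level conditions the intrinsic resolves against (constructed).
var templateConditions = map[string]bool{"IsProd": true}

// process walks a decoded JSON tree. guarded=false mirrors the issue: any object
// with a "Condition" key is taken for the intrinsic, the lookup fails and the object
// becomes nil ("null" once rendered). guarded=true resolves the intrinsic only for
// a single "Condition" key with a string value (assumed shape of {"Condition": "Name"}).
func process(v interface{}, guarded bool) interface{} {
	switch node := v.(type) {
	case []interface{}:
		for i := range node {
			node[i] = process(node[i], guarded)
		}
		return node
	case map[string]interface{}:
		if c, has := node["Condition"]; has {
			name, isStr := c.(string)
			if !guarded || (len(node) == 1 && isStr) {
				if val, found := templateConditions[name]; found {
					return val
				}
				return nil
			}
		}
		for k, child := range node {
			node[k] = process(child, guarded)
		}
		return node
	}
	return v
}

// Render decodes input, processes it and re-encodes it; a nil result encodes as "null".
func Render(input string, guarded bool) (string, error) {
	var doc interface{}
	if err := json.Unmarshal([]byte(input), &doc); err != nil {
		return "", err
	}
	out, err := json.Marshal(process(doc, guarded))
	return string(out), err
}
```

Checking a rendered template for `null` entries under `PolicyDocument.Statement` is a cheap regression test for this class of bug, since a silently dropped statement changes the effective permissions of the resulting policy.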