pulumi / pulumi-aws-apigateway

Apache License 2.0

Add support for overriding IAM role #59

Open aavileli opened 1 year ago

aavileli commented 1 year ago

When moving to the schematised API Gateway component from the original AWSx TypeScript implementation, there's no way to override the IAM role.

Previously this was possible using stack transformations, but these are not yet supported: https://github.com/pulumi/pulumi/issues/6948

Could we support overriding the IAM role as an argument to the component instead?


Original Issue

What happened?

Hi dev, I am using the following versions:

{
    "name": "lambda-test",
    "devDependencies": {
        "@types/node": "^14"
    },
    "dependencies": {
        "@pulumi/aws": "5.10.0",
        "@pulumi/aws-apigateway": "^0.0.11",
        "@pulumi/awsx": "^1.0.0-beta",
        "@pulumi/pulumi": "^3.0.0",
        "typescript": "^4.0.0"
    }
}

I am using Pulumi's serverless-aws-typescript template and trying to override the IAM role created by the library. I can override the lambda callbackFunction using the global pulumi.runtime.registerStackTransformation, but the apigateway.RestAPI role is not getting transformed. It does work at the resource opts also.

Steps to reproduce

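Add a global stack transformation:

import * as pulumi from "@pulumi/pulumi";

// Attach the permissions boundary to every IAM role registered in the stack.
pulumi.runtime.registerStackTransformation(args => {
    if (args.type === 'aws:iam/role:Role') {
        return {
            ...args,
            props: { ...args.props, permissionsBoundary: "arn:aws:iam::xxxxxxxx:policy/OpsBoundary" },
        };
    }
    // Leave every other resource type unchanged.
    return undefined;
});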

Expected Behavior

  + aws:iam/role:Role: (create)
            [urn=urn:pulumi:dev::lambda-test::aws-apigateway:index:RestAPI$aws:iam/role:Role::api4c238266]
            [provider=urn:pulumi:dev::lambda-test::pulumi:providers:aws::default_4_30_0::9f4f0d6d-d765-4e28-aaea-c5b8252bf6ad]
            assumeRolePolicy   : (json) {
                Statement: [
                    [0]: {
                        Action   : "sts:AssumeRole"
                        Effect   : "Allow"
                        Principal: {
                            Service: "apigateway.amazonaws.com"
                        }
                    }
                ]
                Version  : "2012-10-17"
            }

            forceDetachPolicies: false
            maxSessionDuration : 3600
            name               : "api4c238266-32f26c7"
            path               : "/"
            permissionsBoundary: "arn:aws:iam::xxxxxxxxxx:policy/OpsBoundary"

Actual Behavior

      + aws:iam/role:Role: (create)
            [urn=urn:pulumi:dev::lambda-test::aws-apigateway:index:RestAPI$aws:iam/role:Role::api4c238266]
            [provider=urn:pulumi:dev::lambda-test::pulumi:providers:aws::default_4_30_0::9f4f0d6d-d765-4e28-aaea-c5b8252bf6ad]
            assumeRolePolicy   : (json) {
                Statement: [
                    [0]: {
                        Action   : "sts:AssumeRole"
                        Effect   : "Allow"
                        Principal: {
                            Service: "apigateway.amazonaws.com"
                        }
                    }
                ]
                Version  : "2012-10-17"
            }

            forceDetachPolicies: false
            maxSessionDuration : 3600
            name               : "api4c238266-32f26c7"
            path               : "/"

Output of pulumi about

No response

Additional context

No response

Contributing

Vote on this issue by adding a 👍 reaction. To contribute a fix for this issue, leave a comment (and link to your pull request, if you've opened one already).
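
Because the missing boundary only shows up as an absent property in the preview, a check over the deployed state catches it reliably. The following is an added example, not code from the issue or from the Pulumi project: it scans a parsed `pulumi stack export` document for `aws:iam/role:Role` resources without the expected `permissionsBoundary` and reports the component type that owns each one. It assumes the export has the `deployment.resources[].inputs` shape; the sample document is constructed and `handler-role` is a hypothetical name.

```typescript
// Added example (not project code): list IAM roles in a stack export that
// lack a permissions boundary, and name the component that owns each one.
interface ExportedResource { urn: string; type: string; inputs?: Record<string, unknown>; }
interface StackExport { deployment: { resources?: ExportedResource[] }; }
interface Finding { urn: string; name: string; parentTypes: string[]; }

// URN layout: urn:pulumi:<stack>::<project>::<parentType$...$type>::<name>
function parseUrn(urn: string): { typeChain: string[]; name: string } {
  const parts = urn.split("::");
  if (parts.length < 4 || !parts[0].startsWith("urn:pulumi:")) {
    throw new Error(`not a Pulumi URN: ${urn}`);
  }
  return { typeChain: parts[2].split("$"), name: parts.slice(3).join("::") };
}

// requiredArn is optional: when given, any other boundary is also reported.
function findRolesWithoutBoundary(doc: StackExport, requiredArn?: string): Finding[] {
  const findings: Finding[] = [];
  for (const res of doc.deployment.resources ?? []) {
    if (res.type !== "aws:iam/role:Role") continue;
    const boundary = res.inputs?.["permissionsBoundary"];
    const ok = typeof boundary === "string" && boundary !== "" &&
      (requiredArn === undefined || boundary === requiredArn);
    if (ok) continue;
    const { typeChain, name } = parseUrn(res.urn);
    findings.push({ urn: res.urn, name, parentTypes: typeChain.slice(0, -1) });
  }
  return findings;
}

// Constructed sample: the RestAPI child role from the issue (no boundary) and a
// hypothetical top-level role that the stack transformation did reach.
const BOUNDARY = "arn:aws:iam::xxxxxxxx:policy/OpsBoundary";
const sampleExport: StackExport = {
  deployment: {
    resources: [
      { urn: "urn:pulumi:dev::lambda-test::pulumi:pulumi:Stack::lambda-test-dev",
        type: "pulumi:pulumi:Stack" },
      { urn: "urn:pulumi:dev::lambda-test::aws-apigateway:index:RestAPI$aws:iam/role:Role::api4c238266",
        type: "aws:iam/role:Role", inputs: { path: "/", forceDetachPolicies: false } },
      { urn: "urn:pulumi:dev::lambda-test::aws:iam/role:Role::handler-role",
        type: "aws:iam/role:Role", inputs: { path: "/", permissionsBoundary: BOUNDARY } },
    ],
  },
};

const sampleFindings = findRolesWithoutBoundary(sampleExport, BOUNDARY);
console.log(sampleFindings.map(f => `${f.parentTypes.join(" > ") || "(stack)"}: ${f.name}`));
```

Run in CI against the export of a deployed stack, a non-empty result is a reason to fail the pipeline before the unbounded role is used.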

aavileli commented 1 year ago

I have changed to use the following API and transformations work as intended. It might be a good idea to replace all outdated templates with this API: awsx.classic.apigateway.API

danielrbradley commented 1 year ago

Unfortunately, this is a known issue of component plugins: https://github.com/pulumi/pulumi/issues/6948

The classic namespace in AWSx will not be receiving updates apart from security fixes, so it might not be the best choice for the long term.

I would suggest we rework this issue into "Add support for overriding IAM role". The new AWSx components already provide equivalent options, so we would hopefully be able to adopt the same design for this component too.

aavileli commented 1 year ago

@danielrbradley makes sense and thanks for the response