pulumi / pulumi-aws-iam

A Pulumi Multi Language Component for working with AWS IAM resources.
Apache License 2.0

AssumableRoleWithOIDC fails when passing a reference to a policy arn #8

Closed MitchellGerdisch closed 1 year ago

MitchellGerdisch commented 1 year ago

What happened?

Have a small program (see Steps to reproduce section for code) that creates a policy and then creates an AssumableRoleWithOIDC resource that references the arn of that created policy. pulumi up/preview throws this error:

 error: Running program '/Users/mitch/Downloads/ticket-2212' failed with an unhandled exception:
    Error: failed to register new resource aws-iam-example-assumable-role-with-oidc [aws-iam:index:AssumableRoleWithOIDC]: 2 UNKNOWN: setting args: copying input "role": expected destination type to implement pulumi.Input or pulumi.Output, got utils.RoleArgs
        at Object.registerResource (/Users/mitch/Downloads/ticket-2212/node_modules/@pulumi/runtime/resource.ts:294:27)
        at new Resource (/Users/mitch/Downloads/ticket-2212/node_modules/@pulumi/resource.ts:402:13)
        at new ComponentResource (/Users/mitch/Downloads/ticket-2212/node_modules/@pulumi/resource.ts:895:9)
        at new AssumableRoleWithOIDC (/Users/mitch/Downloads/ticket-2212/node_modules/@pulumi/assumableRoleWithOIDC.ts:94:9)
        at Object.<anonymous> (/Users/mitch/Downloads/ticket-2212/index.ts:24:38)
        at Module._compile (node:internal/modules/cjs/loader:1105:14)
        at Module.m._compile (/Users/mitch/Downloads/ticket-2212/node_modules/ts-node/src/index.ts:439:23)
        at Module._extensions..js (node:internal/modules/cjs/loader:1159:10)
        at Object.require.extensions.<computed> [as .ts] (/Users/mitch/Downloads/ticket-2212/node_modules/ts-node/src/index.ts:442:12)
        at Module.load (node:internal/modules/cjs/loader:981:32)

If one passes a hard-coded ARN string it's fine. Attempts to use apply and similar techniques (see attached file) throw the same error.

Steps to reproduce

  1. Set up a project using the code below.
  2. Note that TypeScript type checking is clean.
  3. Run pulumi up or pulumi preview and see the thrown error.
  4. Try uncommenting the bit that uses an explicitly given ARN string, run pulumi up, and see that it works.
  5. Try the other commented-out variations on the theme and see the error.

----- code ----

import * as iam from "@pulumi/aws-iam";
import * as pulumi from "@pulumi/pulumi";

// Policy
export const policy = new iam.Policy("aws-iam-example-policy", {
  name: "aws-iam-example-policy",
  path: "/",
  description: "My example policy",
  policyDocument: `{
      "Version": "2012-10-17",
      "Statement": [
        {
          "Action": [
            "ec2:Describe*"
          ],
          "Effect": "Allow",
          "Resource": "*"
        }
      ]
  }`,
});

// Assumable Role With OIDC
export const assumableRoleWithOidc = new iam.AssumableRoleWithOIDC("aws-iam-example-assumable-role-with-oidc", {
    providerUrls: ["oidc.eks.eu-west-1.amazonaws.com/id/BA9E170D464AF7B92084EF72A69B9DC8"],
    role: {
        name: "oidc-role",
        // policyArns: [ "arn:aws:iam::052848974346:policy/aws-iam-example-policy" ],
        // policyArns: [pulumi.interpolate`${policy.arn}`]
        // policyArns: policy.arn.apply(arn => [arn])
        policyArns: [policy.arn]
    },
    tags: {
        Role: "oidc-role",
    },
});

Expected Behavior

Should not throw an error when referencing a policy resource arn.

Actual Behavior

Throws error

Output of pulumi about

CLI
Version      3.49.0
Go Version   go1.19.3
Go Compiler  gc

Plugins
NAME     VERSION
aws      5.24.0
aws-iam  0.0.6
awsx     1.0.1
docker   3.6.1
nodejs   unknown

Host
OS       darwin
Version  12.5.1
Arch     x86_64

This project is written in nodejs: executable='/Users/mitch/.nvm/versions/node/v18.0.0/bin/node' version='v18.0.0'

Current Stack: dev

Found no resources associated with dev

Found no pending operations associated with dev

Backend
Name  pulumi.com
URL   https://app.pulumi.com/MitchGerdisch

Dependencies:
NAME             VERSION
@types/node      14.18.35
@pulumi/aws-iam  0.0.6
@pulumi/aws      5.24.0
@pulumi/awsx     1.0.1
@pulumi/pulumi   3.49.0

Pulumi locates its logs in /var/folders/qp/6k0zsrj13rz5ll53hsmlksvw0000gq/T/ by default

Additional context

No response

Contributing

Vote on this issue by adding a 👍 reaction. To contribute a fix for this issue, leave a comment (and link to your pull request, if you've opened one already).

zchase commented 1 year ago

@MitchellGerdisch this looks to be an issue with how the nested arguments are marshaled by the engine. For some reason, when you pass in an output to any argument in the role object, it throws this error. Will update this issue when I have some more clarity on how to get this working. Thanks for filing this!!

zchase commented 1 year ago

@MitchellGerdisch The latest version (0.1.0) fixes this issue. Please let me know if you run into any other issues along the way!