Resources with complicated Ref intrinsic behavior

t0yv0 commented 1 week ago

When working https://github.com/pulumi/pulumi-cdk/issues/173 and attempting to schematize Ref intrinsic behavior in https://github.com/pulumi/pulumi-aws-native/pull/1836 I noticed a few resources from the top-100 list that

aws-native:ec2:SecurityGroup

When you pass the logical ID of this resource to the intrinsic Ref function, Ref returns the ID of the security group if you specified the VpcId property. Otherwise, it returns the name of the security group. If you omit the VpcId property and need the ID of the VPC, use Fn::GetAtt instead.

For more information about using the Ref function, see Ref.

This might need custom logic.

aws-native:ec2:Vpc

When you pass the logical ID of this resource to the intrinsic Ref function, Ref returns the ID of the VPC.

For more information about using the Ref function, see Ref.

There are no properties named Id in the schema. Perhaps a little experiment is needed to verify we get this right.

aws-native:wafv2:WebAclAssociation

There is a problem as this data is not in properties. The Ref for the resource, containing the resource name, physical ID, and scope, formatted as follows: name|id|scope.

For example: my-webacl-name|1234a1a-a1b1-12a1-abcd-a123b123456|REGIONAL.

This does not seem to map cleanly to the available properties.

aws-native:sso:PermissionSet

When you pass the logical ID of this resource to the intrinsic Reffunction, Refreturns a generated ID, such as permission-arn|sso-instance-arn.

Maybe the doc is wrong because PrimaryID is this:

PrimaryID : /properties/InstanceArn /properties/PermissionSetArn

We might need to confirm experimentally.

aws-native:secretsmanager:Secret

Returns ARN, but is it actually in any of the properties?

aws-native:lambda:Url

Not clear what actually returns.

aws-native:iam:RolePolicy

Not sure from the docs, need to find out.

aws-native:eks:AccessEntry

Documentation is incorrect possibly.

When you pass the logical ID of this resource to the intrinsic Ref function, Ref returns the resource name. For example:

{ "Ref": "arn:aws:iam::012345678910:role/my-role" }

This does not look like the resource name in the example. Need to confirm.

Resources without a Ref section

The following resources have no "Ref" section in the docs:

aws-native:identitystore:GroupMembership
aws-native:identitystore:Group
aws-native:supportapp:SlackChannelConfiguration
aws-native:memorydb:SubnetGroup
aws-native:memorydb:Cluster
aws-native:logs:MetricFilter
aws-native:supportapp:AccountAlias
aws-native:lambda:Permission
aws-native:cloudfront:Function
aws-native:gamelift:Location

t0yv0 commented 6 days ago

Moved SecurityGroup to https://github.com/pulumi/pulumi-cdk/issues/240 - I think we can match the common case and leave the corner case for later until required.

t0yv0 commented 6 days ago

Checked on RolePolicy and Secret experimentally. They return the primary ID though it is not obvious from the docs.

pulumi / pulumi-cdk