Replies: 7 comments
-
I like that! The first one would be pretty straightforward. The 2nd seems to be quite tricky though. It would be easy to make them available as a collection or something similar. But how would you, on the fly, inject conditions/resources or make other changes to the statements? Most of those policies contain multiple statements, and conditions/resources will only make sense on one/some statement(s) of a policy. How would you apply it to the correct statement?

There is also quite some movement on those policies, and neither the order nor the SID is guaranteed to be static. Applying a change would require selecting a specific version of a policy. So we would need to store every version of all AWS policies... ooof. But even with this in place, I fear the API wouldn't feel very convenient. It would feel much like jq manipulation, where you won't understand your query 15 minutes after you've written it. 😹

Another thing I could imagine would be some CLI/online helper tool, where a user can paste any JSON policy in and it generates Floyd code, which you can then of course adjust to your needs. In fact, I would have loved to have this tool in the past months when migrating old CFN templates to CDK+Floyd code. 😸
-
Fair enough. I can think of a way to manage versions, but first the value should justify the cost. I'm not sure about the exact API that might be useful either. You're right, customizing a managed policy is not straightforward (it was easy in my case though, since those I was interested in were all single statement). I also support your idea about a helper to convert JSON documents to iam-floyd objects. Let me know if I can help with anything.
-
I started a prototype of an online converter tool in the policy-converter branch. It is integrated in the online documentation and can be previewed here: https://iam-floyd.readthedocs.io/en/policy-converter/policy-converter.html. Paste JSON in the upper field, push the JavaScript or Python button and some code should show up in the lower field. In case you want to check it out or contribute, here is how to work with the docs locally:
After any of the files have been modified, you need to call Todos:
-
You can now import any AWS managed policy. This functionality will not work when served via the file:// protocol locally. So if you want to run it locally, you need to serve the dir /docs/build/html through an HTTP server.
-
Except .NET/Java, everything should be covered. I haven't had time yet to test if the generated code for all languages actually runs. But it looks good. 😸
-
Thanks man. I'll try to test it later.
-
The online policy converter is now live: https://iam-floyd.readthedocs.io/en/latest/policy-converter.html
-
This is more of a discussion than a specific feature.
There are cases where we need to work with AWS managed policies (e.g. attach them to a role). This might seem to be out of scope for this library, but I think it adds enough value to justify including it in this library.
Specifically, two use cases come to my mind:
cdk.iam.ManagedPolicy.fromAwsManagedPolicyName("SomeAwsManagedPolicy"). Even having their name as a constant would be nice.