-
Notifications
You must be signed in to change notification settings - Fork 138
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Ability to define roles with inline policy in the iam.Role
resource
#745
Conversation
/test-examples="examples/iam/role.yaml" |
/test-examples="examples/iam/role-with-inline-policy.yaml" |
iam.Role
resourceiam.Role
resource
FTR, we currently have a lot of |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Have not tested, but looks like exact functionality which available in deprecated community aws terrajet provider, which I am actively using to provision IAM roles with inline policy and which was missing (before this PR) and which prevented me to migrate to this provider
It seems that, we moved the The basic context of this approach is based on the So, if a field can be managed as a separate MR, it is a basic principle not to include it in the resource’s schema. There is an exception to this principle. For example, resource In the context of this issue, if that’s the case, I wouldn’t worry about moving the relevant field to Spec. However, as far as I understand, the In short, moving this field to Spec seems that against the Crossplane Resource Model’s High Fidelity principle. So I think we must not move this field to Spec. |
@sergenyalcin as far as I know |
Thanks for your comment @mcanevet. Let me clarify my comment to explain myself better. Is the following equivalence right (in context of goal to be achieved/work to be done): Role + RolePolicy + RolePolicyAttachment (3 resources) = Role ( If this is right, according to the High Fidelity principle of Crossplane, inlining this field is not a correct behavior in the context of API design. And we cannot involve them to the exceptation that explained above. So, what I mean is, can the |
The thing is that |
@sergenyalcin aren't you convinced yet? I (or someone else) may try to explain it differently. |
Role + RolePolicy + RolePolicyAttachment (3 resources) != Role (inline_policy) because inline policies don't have AWS service quotas attached to them in the same way policies and policyAttachments do. AWS has a limit of 20 policy attachments per role, and 1,500 policies per account. The service quotas can be lifted to a point, but this isn't an issue with inline policies, and crossplane introduces a new limitation that doesn't exist in the underlying provider it's using. At a certain point functionality breaks down due to these limits, since there isn't parity between the underlying provider and the crossplane provider. |
@sergenyalcin Which part of the high fidelity notes take precedence?
Inline policies in AWS are explicitly treated as part of the Role itself and are a different paradigm than RolePolicy + Attachment. The inline policies do not prevent RolePolicy + RolePolicyAttachments to occur additionally, nor do they prevent the role from being changed. Inline policies are actually somewhat prevalent and common to implement as part of terraform over role policy + attachment because they can cause issues with detach/reattachment with dynamic inputs and can cause significant reconciliation loops at the provider level on their own. Ex. deleting a role, policy and attachment can actually cause problems if the role tries to delete first. In prior versions of terraform (not sure of present) changes would fail and leave a messed up state behind. In short, it's similar but still separate. |
Thanks everyone for your patience here, we'll revert this week with an update on the direction we believe we should go in. |
After further internal discussion, we will add the For further context, I will add that while the arguments made by community members here are not invalid (e.g., resource quotas, etc.), we feel the approach goes against the Crossplane Resource Model and, as such, should lead to a broader consideration upstream in Crossplane. We still intend to have this discussion, but we won't block proceeding with this PR. That said, what really made us change our mind is an alternative use case that has come to the fore, which allowed us to understand that the use case is not limited to reducing resources. For example, the use of the inline policy field enables the deletion of all the associated inline policies of the role with an empty block, as described here: https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role (and the same holds true for the Other technical considerations were making us apprehensive of this change, for example, race conditions with resource reconciliation, however, we will address this in a future update. |
/test-examples="examples/iam/role.yaml" |
/test-examples="examples/iam/role-with-inline-policy.yaml" |
/test-examples="examples/iam/role.yaml" |
/test-examples="examples/iam/role.yaml" |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Thanks @turkenf LGTM!
Description of your changes
In this PR:
inline_policy
parameter fromconfig.MoveToStatus
to be able to define inline policy roles.inline_policy
parameter.managed_policy_arns
parameter fromconfig.MoveToStatus
Fixes: #170
I have:
make reviewable test
to ensure this PR is ready for review.How has this code been tested
The example containing the
inline_policy
parameter and the existing example tested manually:Uptest: