provider/aws: Export AWS ELB service account ARN #8700
Conversation
steveh
changed the title
steveh
changed the title
|
Hi @steveh Thanks for the work here :) It's great to see someone new be able to work with the repository! Can you give me a small usecase for this - i.e. what requires the ARN over the ID? Paul |
|
@stack72: I updated the description: While id is helpful, AWS will re-write plain IDs in policies to use the full ARN, generating spurious diffs. Perhaps that is better solved by changing the policy parser/differ, but I don't know how to do that... |
|
I think I understand what do you mean @steveh Even though the following policy is accepted: {
"Id": "Policy",
"Version": "2012-10-17",
"Statement": [
{
"Action": [
"s3:PutObject"
],
"Effect": "Allow",
"Resource": "arn:aws:s3:::my-elb-tf-test-bucket/AWSLogs/*",
"Principal": {
"AWS": [
"123456789012"
]
}
}
]
}it is in reality understood and translated by S3/IAM as "any users in that AWS account", therefore this becomes So it is indeed helpful. The policy diff comparator could be improved as well. I'm sure @jen20 would be happy to accept a PR for this. 😉 |
|
@radeksimko Yes, pretty much. If you put |
|
I'm going to lock this issue because it has been closed for 30 days ⏳. This helps our maintainers find and focus on the active issues. If you have found a problem that seems similar to this, please open a new issue and complete the issue template so we can capture all the details necessary to investigate further. |
ghost
locked and limited conversation to collaborators
I'm new to Go so please bear with me.
This PR exports the
arnattribute for the AWS ELB service account data source.While
idis helpful, AWS will re-write plain IDs in policies to use the full ARN, generating spurious diffs. Perhaps that is better solved by changing the policy parser/differ, but I don't know how to do that...I was unable to get
make test TEST=./builtin/providers/aws/to work so I'm relying on CI or someone to tell me what's wrong, or how to test just this data source.