
make lambda role configurable #1087

Open
MarkusMOtto opened this issue Jan 8, 2025 · 1 comment · May be fixed by #1089

Comments

@MarkusMOtto

Hi, fellow DB Systel dev here. This Construct looks awesome and does exactly what we need. Due to how permissions are handled, we cannot create new roles in any environment but DEV, and instead use imported roles created elsewhere. This construct creates its own lambda role and handles its permissions, which is handy, but prevents us from using the Construct.

I'm not an expert when it comes to jsii, but from the types I've seen the class SopsSyncProvider implements SingletonFunction, which can take a role as a parameter. Maybe it would suffice to expose that parameter as an optional parameter of the SopsSyncProvider constructor. Then the user would have to make sure the provided role has all required permissions, but the construct would not have to create a role, so we could use it.

We are using Python in our project, so I would suggest something like this:

  from aws_cdk import App, Stack
  from aws_cdk.aws_iam import Role
  from aws_cdk.aws_kms import Key
  from cdk_sops_secrets import SopsSecret, SopsSyncProvider

  # A stack to use as the scope for the constructs below
  app = App()
  scope = Stack(app, "sops-secrets-stack")

  managed_secrets = ["my_first_secret", "my_second_secret"]

  # Role created elsewhere (outside DEV we are not allowed to create roles)
  imported_role = Role.from_role_name(scope=scope, id="imported_lambda_role", role_name="my_role_name")

  # KMS key used by sops to encrypt the secret files
  imported_key = Key.from_key_arn(
      scope=scope,
      id="imported_kms_default_key",
      key_arn="myKeyArn",
  )

  # Proposed: let the provider use the imported role instead of creating one
  provider = SopsSyncProvider(scope=scope, id="lambda_sops_sync_provider", role=imported_role)

  for secret_name in managed_secrets:
      new_secret = SopsSecret(
          scope=scope,
          id=secret_name,
          secret_name=secret_name,
          encryption_key=imported_key,
          sops_file_path=f"secrets/{secret_name}.yaml",
          sops_provider=provider,
      )

Do you think this is feasible?

@markussiebert
Contributor

I think you are not only limited in creating roles, but also in creating (Managed)Policies and linking them to roles.

Allowing the role to be passed to the provider is the first step. Apart from that, the autogenerated IAM Policies need to be disabled as well.

markussiebert added a commit that referenced this issue Jan 13, 2025
- remove CreationType (Single, Multi)
- replace with ResourceType (PARAMETER_MULTI) and move it to properties
   fixes: #1076
- add property 'autoGenerateIamPermissions'
   fixes: #1087
- add property 'role' for SopsSyncProvider
   fixes: #1087
- move resourceType from syncOptions to syncProperties, as it shouldn't be set by users
- move permission handling to own functions, to reduce cyclomatic complexity
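The two properties named in the commit above (a user-supplied role and a switch for the generated IAM permissions) move the least-privilege burden onto whoever owns the imported role: once auto-generation is off, nothing in the stack will add the missing grants for you. The following is an added example, not code from cdk-sops-secrets: a stdlib-only Python checker that reports which of an assumed minimal permission set (kms:Decrypt on the SOPS key, secretsmanager:PutSecretValue and secretsmanager:UpdateSecret on each managed secret) a role's policy document fails to grant, honouring IAM's explicit-deny rule and its wildcard, case-insensitive action matching. The action set, the ARNs and the sample policy are constructed assumptions, not values taken from the project.

```python
"""Least-privilege check for a self-managed SopsSyncProvider role.

Added example, not part of cdk-sops-secrets. With the construct's IAM
generation disabled, the imported role must already carry what the sync
Lambda needs. The action set below is an assumption about that minimal
grant set; adjust it to the construct version you actually deploy.
"""
from fnmatch import fnmatch

# Assumed minimal permissions (not taken from the project's source):
# decrypt the SOPS key, write the managed secrets.
KEY_ACTIONS = ("kms:Decrypt",)
SECRET_ACTIONS = ("secretsmanager:PutSecretValue", "secretsmanager:UpdateSecret")

# Constructed sample ARNs (placeholder account, key id and secret suffixes).
KEY_ARN = "arn:aws:kms:eu-central-1:111122223333:key/PLACEHOLDER-KEY-ID"
SECRET_ARNS = [
    "arn:aws:secretsmanager:eu-central-1:111122223333:secret:my_first_secret-AbCdEf",
    "arn:aws:secretsmanager:eu-central-1:111122223333:secret:my_second_secret-GhIjKl",
]

# Constructed sample policy: covers the key and only one action on one secret.
SAMPLE_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Action": "KMS:Decrypt", "Resource": KEY_ARN},
        {
            "Effect": "Allow",
            "Action": ["secretsmanager:PutSecretValue"],
            "Resource": "arn:aws:secretsmanager:eu-central-1:111122223333:secret:my_first_secret-*",
        },
    ],
}


def required_statements(key_arn, secret_arns):
    """(action, resource) pairs the role must be allowed, key first."""
    required = [(action, key_arn) for action in KEY_ACTIONS]
    for arn in secret_arns:
        required.extend((action, arn) for action in SECRET_ACTIONS)
    return required


def _as_list(value):
    """IAM lets Action/Resource be a string or a list; normalise to a list."""
    return [value] if isinstance(value, str) else list(value or [])


def allows(policy, action, resource):
    """True if an Allow statement matches and no Deny statement does.

    Actions match case-insensitively with IAM-style wildcards; resources
    match with wildcards as written. An explicit Deny wins, as in IAM.
    """
    allowed = False
    for stmt in policy.get("Statement", []):
        action_hit = any(fnmatch(action.lower(), a.lower()) for a in _as_list(stmt.get("Action")))
        resource_hit = any(fnmatch(resource, r) for r in _as_list(stmt.get("Resource")))
        if not (action_hit and resource_hit):
            continue
        if stmt.get("Effect") == "Deny":
            return False
        if stmt.get("Effect") == "Allow":
            allowed = True
    return allowed


def missing_permissions(policy, key_arn, secret_arns):
    """Required (action, resource) pairs the policy does not grant."""
    return [(a, r) for a, r in required_statements(key_arn, secret_arns) if not allows(policy, a, r)]


if __name__ == "__main__":
    for action, resource in missing_permissions(SAMPLE_POLICY, KEY_ARN, SECRET_ARNS):
        print(f"missing: {action} on {resource}")
```

Run it against the policy document actually attached to the imported role (for example the output of `aws iam get-role-policy`) before deploying with the generated permissions switched off; anything it lists is a permission the sync Lambda will lack at runtime.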