Resources with complicated Ref intrinsic behavior #237
Labels
kind/task
Work that's part of an ongoing epic
Comments
|
Moved SecurityGroup to #240 - I think we can match the common case and leave the corner case for later until required. |
|
Checked on RolePolicy and Secret experimentally. They return the primary ID though it is not obvious from the docs. |
t0yv0
added a commit
to pulumi/pulumi-aws-native
that referenced
this issue
Nov 23, 2024
CloudFormation Ref intrinsic behavior varies from resource to resource. This change is an attempt to schematize behavior and expose is in the provider metadata. One intended use case is `pulumi/pulumi-cdk` CF emulator. This change implies the `ref-db.json` becomes the source of truth for this metadata and we maintain it as well as possible. About 1/2 of CF resources are currently covered in the file, including 81 of the top used resources (pulumi/pulumi-cdk#237). Data cleaning and data label attachment helper code is included but is not intended to be used in production but only to maintain `ref-db.json`.
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
When working #173 and attempting to schematize Ref intrinsic behavior in pulumi/pulumi-aws-native#1836 I noticed a few resources from the top-100 list that
aws-native:ec2:SecurityGroup
When you pass the logical ID of this resource to the intrinsic Ref function, Ref returns the ID of the security group if
you specified the VpcId property. Otherwise, it returns the name of the security group. If you omit the VpcId property
and need the ID of the VPC, use Fn::GetAtt instead.
For more information about using the Ref function, see Ref.
This might need custom logic.
aws-native:ec2:Vpc
When you pass the logical ID of this resource to the intrinsic Ref function, Ref returns the ID of the VPC.
For more information about using the Ref function, see Ref.
There are no properties named Id in the schema. Perhaps a little experiment is needed to verify we get this right.
aws-native:wafv2:WebAclAssociation
There is a problem as this data is not in properties.
The
Reffor the resource, containing the resource name, physical ID, and scope, formatted as follows:name|id|scope.For example:
my-webacl-name|1234a1a-a1b1-12a1-abcd-a123b123456|REGIONAL.This does not seem to map cleanly to the available properties.
aws-native:sso:PermissionSet
When you pass the logical ID of this resource to the intrinsic
Reffunction,Refreturns a generated ID, such aspermission-arn|sso-instance-arn.Maybe the doc is wrong because PrimaryID is this:
PrimaryID : /properties/InstanceArn /properties/PermissionSetArn
We might need to confirm experimentally.
aws-native:secretsmanager:Secret
Returns ARN, but is it actually in any of the properties?
aws-native:lambda:Url
Not clear what actually returns.
aws-native:iam:RolePolicy
Not sure from the docs, need to find out.
aws-native:eks:AccessEntry
Documentation is incorrect possibly.
When you pass the logical ID of this resource to the intrinsic Ref function, Ref returns the resource name. For example:
This does not look like the resource name in the example. Need to confirm.
Resources without a Ref section
The following resources have no "Ref" section in the docs:
The text was updated successfully, but these errors were encountered: