fix: fixes found from actually trying to use this code (#27)

Author: rswanson

pkg/aws/iam.go

@@ -132,9 +132,10 @@ func CreateIAMResources(
 //   - kms:Sign: Allows signing messages using the KMS key
 //   - kms:GetPublicKey: Allows retrieving the public key associated with the KMS key
 func CreateKMSPolicy(key pulumi.StringInput) pulumi.StringOutput {
-	policy := KMSPolicy{
+	// Create internal policy with Pulumi types
+	policy := kmsPolicyInternal{
 		Version: IAMPolicyVersion,
-		Statement: []KMSStatement{
+		Statement: []kmsStatementInternal{
 			{
 				Effect: EffectAllow,
 				Action: []string{
@@ -155,3 +156,64 @@ func CreateKMSPolicy(key pulumi.StringInput) pulumi.StringOutput {
 		return string(jsonBytes), nil
 	}).(pulumi.StringOutput)
 }
+
+// CreateKMSPolicyFromPublic creates a KMS policy document from public types
+// and converts it to internal types for use with Pulumi.
+//
+// Parameters:
+//   - policy: The public KMSPolicy struct
+//
+// Returns:
+//   - pulumi.StringOutput: A Pulumi output containing the JSON policy document
+func CreateKMSPolicyFromPublic(policy KMSPolicy) (pulumi.StringOutput, error) {
+	if err := policy.Validate(); err != nil {
+		return pulumi.StringOutput{}, fmt.Errorf("invalid KMS policy: %w", err)
+	}
+
+	// Convert to internal format
+	internalPolicy := policy.toInternal()
+
+	// Convert to JSON string output
+	// Since we're working with internal types that have Pulumi inputs,
+	// we need to handle the conversion carefully
+	statements := internalPolicy.Statement
+	if len(statements) == 0 {
+		return pulumi.StringOutput{}, fmt.Errorf("policy must have at least one statement")
+	}
+
+	// For now, we'll create a simple policy with the first statement
+	// In a more complex scenario, you might need to handle multiple statements differently
+	firstStmt := statements[0]
+
+	return pulumi.All(firstStmt.Resource).ApplyT(func(values []interface{}) (string, error) {
+		resource := values[0].(string)
+		// Create a temporary struct for marshaling
+		tempPolicy := struct {
+			Version   string `json:"Version"`
+			Statement []struct {
+				Effect   string   `json:"Effect"`
+				Action   []string `json:"Action"`
+				Resource string   `json:"Resource"`
+			} `json:"Statement"`
+		}{
+			Version: internalPolicy.Version,
+			Statement: []struct {
+				Effect   string   `json:"Effect"`
+				Action   []string `json:"Action"`
+				Resource string   `json:"Resource"`
+			}{
+				{
+					Effect:   firstStmt.Effect,
+					Action:   firstStmt.Action,
+					Resource: resource,
+				},
+			},
+		}
+
+		jsonBytes, err := json.Marshal(tempPolicy)
+		if err != nil {
+			return "", err
+		}
+		return string(jsonBytes), nil
+	}).(pulumi.StringOutput), nil
+}

pkg/aws/types.go

@@ -7,6 +7,8 @@ import (
 	"github.com/pulumi/pulumi/sdk/v3/go/pulumi"
 )
 
+// Public-facing structs with base Go types
+
 // IAMStatement represents a statement in an IAM policy document.
 // It defines a single permission statement that specifies what actions
 // are allowed or denied on which resources.
@@ -41,7 +43,7 @@ type KMSStatement struct {
 	// Action specifies the KMS actions that are allowed or denied
 	Action []string `json:"Action"`
 	// Resource specifies the KMS key ARN that the permissions apply to
-	Resource pulumi.StringInput `json:"Resource"`
+	Resource string `json:"Resource"`
 }
 
 // KMSPolicy represents a complete KMS policy document.
@@ -52,3 +54,39 @@ type KMSPolicy struct {
 	// Statement contains the list of KMS permission statements
 	Statement []KMSStatement `json:"Statement"`
 }
+
+// Internal structs with Pulumi types
+
+type kmsStatementInternal struct {
+	Effect   string             `json:"Effect"`
+	Action   []string           `json:"Action"`
+	Resource pulumi.StringInput `json:"Resource"`
+}
+
+type kmsPolicyInternal struct {
+	Version   string                 `json:"Version"`
+	Statement []kmsStatementInternal `json:"Statement"`
+}
+
+// Conversion functions
+
+// toInternal converts a public KMSStatement to internal format
+func (s KMSStatement) toInternal() kmsStatementInternal {
+	return kmsStatementInternal{
+		Effect:   s.Effect,
+		Action:   s.Action,
+		Resource: pulumi.String(s.Resource),
+	}
+}
+
+// toInternal converts a public KMSPolicy to internal format
+func (p KMSPolicy) toInternal() kmsPolicyInternal {
+	statements := make([]kmsStatementInternal, len(p.Statement))
+	for i, stmt := range p.Statement {
+		statements[i] = stmt.toInternal()
+	}
+	return kmsPolicyInternal{
+		Version:   p.Version,
+		Statement: statements,
+	}
+}

pkg/aws/validation.go

@@ -0,0 +1,62 @@
+package aws
+
+import (
+	"fmt"
+)
+
+// Validate validates the IAMStatement
+func (s *IAMStatement) Validate() error {
+	if s.Effect == "" {
+		return fmt.Errorf("effect is required")
+	}
+	if len(s.Action) == 0 {
+		return fmt.Errorf("action is required")
+	}
+	return nil
+}
+
+// Validate validates the IAMPolicy
+func (p *IAMPolicy) Validate() error {
+	if p.Version == "" {
+		return fmt.Errorf("version is required")
+	}
+	if len(p.Statement) == 0 {
+		return fmt.Errorf("statement is required")
+	}
+	for i, stmt := range p.Statement {
+		if err := stmt.Validate(); err != nil {
+			return fmt.Errorf("statement %d: %w", i, err)
+		}
+	}
+	return nil
+}
+
+// Validate validates the KMSStatement
+func (s *KMSStatement) Validate() error {
+	if s.Effect == "" {
+		return fmt.Errorf("effect is required")
+	}
+	if len(s.Action) == 0 {
+		return fmt.Errorf("action is required")
+	}
+	if s.Resource == "" {
+		return fmt.Errorf("resource is required")
+	}
+	return nil
+}
+
+// Validate validates the KMSPolicy
+func (p *KMSPolicy) Validate() error {
+	if p.Version == "" {
+		return fmt.Errorf("version is required")
+	}
+	if len(p.Statement) == 0 {
+		return fmt.Errorf("statement is required")
+	}
+	for i, stmt := range p.Statement {
+		if err := stmt.Validate(); err != nil {
+			return fmt.Errorf("statement %d: %w", i, err)
+		}
+	}
+	return nil
+}

pkg/aws/validation_test.go

@@ -0,0 +1,174 @@
+package aws
+
+import (
+	"testing"
+
+	"github.com/stretchr/testify/assert"
+)
+
+// TestIAMStatementValidate tests the validation of IAMStatement
+func TestIAMStatementValidate(t *testing.T) {
+	// Test valid statement
+	validStmt := IAMStatement{
+		Effect: "Allow",
+		Action: []string{"kms:Sign", "kms:GetPublicKey"},
+	}
+	err := validStmt.Validate()
+	assert.NoError(t, err)
+
+	// Test missing effect
+	invalidStmt1 := IAMStatement{
+		Action: []string{"kms:Sign"},
+	}
+	err = invalidStmt1.Validate()
+	assert.Error(t, err)
+	assert.Equal(t, "effect is required", err.Error())
+
+	// Test missing action
+	invalidStmt2 := IAMStatement{
+		Effect: "Allow",
+	}
+	err = invalidStmt2.Validate()
+	assert.Error(t, err)
+	assert.Equal(t, "action is required", err.Error())
+}
+
+// TestIAMPolicyValidate tests the validation of IAMPolicy
+func TestIAMPolicyValidate(t *testing.T) {
+	// Test valid policy
+	validPolicy := IAMPolicy{
+		Version: "2012-10-17",
+		Statement: []IAMStatement{
+			{
+				Effect: "Allow",
+				Action: []string{"kms:Sign"},
+			},
+		},
+	}
+	err := validPolicy.Validate()
+	assert.NoError(t, err)
+
+	// Test missing version
+	invalidPolicy1 := IAMPolicy{
+		Statement: []IAMStatement{
+			{
+				Effect: "Allow",
+				Action: []string{"kms:Sign"},
+			},
+		},
+	}
+	err = invalidPolicy1.Validate()
+	assert.Error(t, err)
+	assert.Equal(t, "version is required", err.Error())
+
+	// Test missing statement
+	invalidPolicy2 := IAMPolicy{
+		Version: "2012-10-17",
+	}
+	err = invalidPolicy2.Validate()
+	assert.Error(t, err)
+	assert.Equal(t, "statement is required", err.Error())
+}
+
+// TestKMSStatementValidate tests the validation of KMSStatement
+func TestKMSStatementValidate(t *testing.T) {
+	// Test valid statement
+	validStmt := KMSStatement{
+		Effect:   "Allow",
+		Action:   []string{"kms:Sign", "kms:GetPublicKey"},
+		Resource: "arn:aws:kms:us-west-2:123456789012:key/1234abcd-12ab-34cd-56ef-1234567890ab",
+	}
+	err := validStmt.Validate()
+	assert.NoError(t, err)
+
+	// Test missing effect
+	invalidStmt1 := KMSStatement{
+		Action:   []string{"kms:Sign"},
+		Resource: "arn:aws:kms:us-west-2:123456789012:key/1234abcd-12ab-34cd-56ef-1234567890ab",
+	}
+	err = invalidStmt1.Validate()
+	assert.Error(t, err)
+	assert.Equal(t, "effect is required", err.Error())
+
+	// Test missing action
+	invalidStmt2 := KMSStatement{
+		Effect:   "Allow",
+		Resource: "arn:aws:kms:us-west-2:123456789012:key/1234abcd-12ab-34cd-56ef-1234567890ab",
+	}
+	err = invalidStmt2.Validate()
+	assert.Error(t, err)
+	assert.Equal(t, "action is required", err.Error())
+
+	// Test missing resource
+	invalidStmt3 := KMSStatement{
+		Effect: "Allow",
+		Action: []string{"kms:Sign"},
+	}
+	err = invalidStmt3.Validate()
+	assert.Error(t, err)
+	assert.Equal(t, "resource is required", err.Error())
+}
+
+// TestKMSPolicyValidate tests the validation of KMSPolicy
+func TestKMSPolicyValidate(t *testing.T) {
+	// Test valid policy
+	validPolicy := KMSPolicy{
+		Version: "2012-10-17",
+		Statement: []KMSStatement{
+			{
+				Effect:   "Allow",
+				Action:   []string{"kms:Sign", "kms:GetPublicKey"},
+				Resource: "arn:aws:kms:us-west-2:123456789012:key/1234abcd-12ab-34cd-56ef-1234567890ab",
+			},
+		},
+	}
+	err := validPolicy.Validate()
+	assert.NoError(t, err)
+
+	// Test missing version
+	invalidPolicy1 := KMSPolicy{
+		Statement: []KMSStatement{
+			{
+				Effect:   "Allow",
+				Action:   []string{"kms:Sign"},
+				Resource: "arn:aws:kms:us-west-2:123456789012:key/1234abcd-12ab-34cd-56ef-1234567890ab",
+			},
+		},
+	}
+	err = invalidPolicy1.Validate()
+	assert.Error(t, err)
+	assert.Equal(t, "version is required", err.Error())
+
+	// Test missing statement
+	invalidPolicy2 := KMSPolicy{
+		Version: "2012-10-17",
+	}
+	err = invalidPolicy2.Validate()
+	assert.Error(t, err)
+	assert.Equal(t, "statement is required", err.Error())
+}
+
+// TestKMSPolicyToInternal tests the conversion from public to internal types
+func TestKMSPolicyToInternal(t *testing.T) {
+	// Create a public policy
+	publicPolicy := KMSPolicy{
+		Version: "2012-10-17",
+		Statement: []KMSStatement{
+			{
+				Effect:   "Allow",
+				Action:   []string{"kms:Sign", "kms:GetPublicKey"},
+				Resource: "arn:aws:kms:us-west-2:123456789012:key/1234abcd-12ab-34cd-56ef-1234567890ab",
+			},
+		},
+	}
+
+	// Convert to internal
+	internalPolicy := publicPolicy.toInternal()
+
+	// Verify the conversion
+	assert.Equal(t, publicPolicy.Version, internalPolicy.Version)
+	assert.Len(t, internalPolicy.Statement, 1)
+	assert.Equal(t, publicPolicy.Statement[0].Effect, internalPolicy.Statement[0].Effect)
+	assert.Equal(t, publicPolicy.Statement[0].Action, internalPolicy.Statement[0].Action)
+	assert.NotNil(t, internalPolicy.Statement[0].Resource)
+}