Working with JSON in .NET, Infrastructure as Code with Pulumi
Full source code available here.
This is a follow up to my previous post where I used dynamic
and JSON files to make querying ElasticSearch with a HttpClient much easier.
To deploy my ElasticSearch domain on AWS I used Pulumi. ElasticSearch requires a JSON policy to define the permissions. In the post linked above, I have a heavily escaped that This policy can be complex and needs values substituted into it. In the example below I need to pass in the region, account id, domain name and allowed IP address.
Here is a very simple policy with four substitutions -
1"{{
2""Version"": ""2012-10-17"",
3""Statement"": [
4 {{
5 ""Action"": ""es:*"",
6 ""Principal"": {{
7 ""AWS"": ""*""
8 }},
9 ""Effect"": ""Allow"",
10 ""Resource"": ""arn:aws:es:{currentRegion.Name}:{currentCallerIdentity.AccountId}:domain/{esDomainName}/*"",
11 ""Condition"": {{
12 ""IpAddress"": {{""aws:SourceIp"": [""{myIPAddress}""]}}
13 }}
14 }}
15]
16}}"
Just escaping this is not easy, and very prone to error. A more realistic policy would be significantly longer and would need more substitutions.
Using a JSON file
Here is what I think is an easier way. As in the previous post, the JSON file becomes part of my source code. It is deserialized into a dynamic
object and the required values are set.
Here is the AWS policy as it appears in my JSON file. The resource (made up of region, account, and domain name) and IpAddress are left blank, but the structure of the policy is the same as you would paste into the AWS console.
1{
2 "Version": "2012-10-17",
3 "Statement": [
4 {
5 "Effect": "Allow",
6 "Principal": {
7 "AWS": "*"
8 },
9 "Action": "es:*",
10 "Resource": "",
11 "Condition": {
12 "IpAddress": {
13 "aws:SourceIp": ""
14 }
15 }
16 }
17 ]
18}
In my C# I read the file, deserialize, and set the values with simple C#.
Here is an example -
1private string GetAWSElasticSearchPolicy(string region, string account, string elasticSearchDomainName, string allowedIPAddress)
2{
3 string blankPolicy = File.ReadAllText("AWSPolicy.json");
4 dynamic awsElasticSearchPolicy = JsonConvert.DeserializeObject(blankPolicy);
5
6 awsElasticSearchPolicy.Statement[0].Resource = $"arn:aws:es:{region}:{account}:domain/{elasticSearchDomainName}/*";
7 awsElasticSearchPolicy.Statement[0].Condition.IpAddress = new JObject(new JProperty("aws:SourceIp", allowedIPAddress));
8
9 return awsElasticSearchPolicy.ToString(); // this is correctly formatted JSON that can be used with Pulumi.
10}
Line 3 reads the JSON file into a string. Line 4 turns the string into a dynamic object. Lines 6 & 7 set the values I want. Line 9 returns a nice JSON string that can be used with Pulumi.
This is much cleaner than the heavily escaped version in this post.
Full source code available here.