Proposal: normalize IAM policies upon rendering #2168

@rix0rrr

Description

Problem

Generated IAM policy documents sometimes exceed the allowed size limit (in bytes); this happens especially when statements are repeatedly (and automatically) added to them.

See #1777 for an example involving StepFunctions state machines.

Solution

Statements are modeled as a list, but they actually represent a set; duplicate elements have no meaning.

Therefore, when a policy document is resolve()d, any given statement will only be emitted once.

Example:

import { PolicyDocument, PolicyStatement } from '@aws-cdk/aws-iam';

// 'arn:bla' and 'bla:Hello' are placeholder values for the example
const poldoc = new PolicyDocument();
poldoc.addStatement(new PolicyStatement()
  .addResource('arn:bla')
  .addAction('bla:Hello'));
poldoc.addStatement(new PolicyStatement()
  .addResource('arn:bla')
  .addAction('bla:Hello'));

console.log(poldoc.resolve()); // will contain only one copy of the 2 identical statements

Emphatically out of scope (or: why we think this is safe)

We are only going to drop statements that are exactly the same (deep equal of JSON structures). We are not going to try to analyze statements to see if they cover the same set of permissions.
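As an added example (not the CDK's own code), the following stand-alone model shows what "exactly the same" means under this rule: statements are compared by deep JSON equality via a canonical serialization, so object key order is irrelevant, but array order and the literal wording of actions and resources are not. The sample statements and ARNs are constructed for the example.

```typescript
// Stand-alone model of the proposed dedup rule (added example, not CDK code).
type Json = null | boolean | number | string | Json[] | { [k: string]: Json };

// Canonical serialization: object keys are sorted recursively so that two
// deep-equal statements always produce the same string. Array order is kept
// as-is because deep equality of JSON arrays is order-sensitive.
function canonicalize(value: Json): string {
  if (Array.isArray(value)) {
    return '[' + value.map(canonicalize).join(',') + ']';
  }
  if (value !== null && typeof value === 'object') {
    const obj = value as { [k: string]: Json };
    const keys = Object.keys(obj).sort();
    return '{' + keys.map(k => JSON.stringify(k) + ':' + canonicalize(obj[k])).join(',') + '}';
  }
  return JSON.stringify(value);
}

// Drop every statement that is a deep-equal duplicate of one already seen,
// keeping the first occurrence and the original order. No attempt is made to
// merge statements that merely overlap in the permissions they grant.
function dedupeStatements(statements: Json[]): Json[] {
  const seen = new Set<string>();
  const out: Json[] = [];
  for (const s of statements) {
    const key = canonicalize(s);
    if (seen.has(key)) continue;
    seen.add(key);
    out.push(s);
  }
  return out;
}

// Render the policy document as it would be emitted; the size limit the
// proposal is about applies to this rendered JSON (length == bytes for ASCII).
function renderPolicy(statements: Json[]): { doc: string; size: number } {
  const doc = JSON.stringify({ Version: '2012-10-17', Statement: dedupeStatements(statements) });
  return { doc, size: doc.length };
}

// Constructed sample input (hypothetical ARN and actions, not from the issue).
const sampleArn = 'arn:aws:states:us-east-1:123456789012:stateMachine:example';
const sample: Json[] = [
  { Effect: 'Allow', Action: ['states:StartExecution'], Resource: sampleArn },
  // Same statement with keys in a different order: deep-equal, so dropped.
  { Resource: sampleArn, Action: ['states:StartExecution'], Effect: 'Allow' },
  // Covers the first statement's permission but is not deep-equal: kept.
  { Effect: 'Allow', Action: ['states:StopExecution', 'states:StartExecution'], Resource: sampleArn },
];
```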
