Title: [FEATURE] External Policy/Configuration Loading with `${include()}` Function · Issue #57 · stackql/stackql-deploy · GitHub
Open Graph Title: [FEATURE] External Policy/Configuration Loading with `${include()}` Function · Issue #57 · stackql/stackql-deploy
X Title: [FEATURE] External Policy/Configuration Loading with `${include()}` Function · Issue #57 · stackql/stackql-deploy
Description: Feature Description Implement a function-style syntax for loading policies, IAM roles, and other complex JSON/YAML configurations from external files in stackql-deploy, similar to Terraform's file loading capabilities. Current Behavior C...
Open Graph Description: Feature Description Implement a function-style syntax for loading policies, IAM roles, and other complex JSON/YAML configurations from external files in stackql-deploy, similar to Terraform's file ...
X Description: Feature Description Implement a function-style syntax for loading policies, IAM roles, and other complex JSON/YAML configurations from external files in stackql-deploy, similar to Terraform's f...
Opengraph URL: https://github.com/stackql/stackql-deploy/issues/57
X: @github
Domain: github.com
{"@context":"https://schema.org","@type":"DiscussionForumPosting","headline":"[FEATURE] External Policy/Configuration Loading with `${include()}` Function","articleBody":"## Feature Description\nImplement a function-style syntax for loading policies, IAM roles, and other complex JSON/YAML configurations from external files in `stackql-deploy`, similar to Terraform's file loading capabilities.\n\n## Current Behavior\nCurrently, all policies, IAM role definitions, and other complex JSON configurations must be embedded directly within the `stackql-deploy` manifest file, making manifests verbose and difficult to maintain, especially for complex policy documents.\n\n## Desired Behavior\nAllow users to reference external JSON/YAML files for policies and complex configurations using a function-style syntax:\n\n```yaml\n- name: policy_document\n value: \"${include('policies/s3_bucket_policy.json')}\"\n```\nThe `${include()}` function would:\n1. Load content from the specified JSON or YAML file\n2. Parse the file content into a native object structure\n3. Support variable substitution for template variables within the loaded file\n4. Replace the function call with the loaded and processed content\n\n## File Format Requirements\n- Support both JSON (.json) and YAML (.yaml, .yml) file formats\n- Automatically detect format based on file extension\n- Validate file syntax during loading\n- Support nested includes (files including other files, with cycle detection)\n\n## Use Cases\n- IAM role policies (like the cross_account_role in the manifest)\n- S3 bucket policies\n- Assume role policy documents\n- Storage configurations\n- Any complex nested JSON structure\n\n## Implementation Details\n1. Implement a new `include()` function in the stackql-deploy template processing engine (at the `resource.props` level)\n2. Add file path resolution relative to the manifest file location\n3. Support environment-specific overrides (e.g., `policy.dev.json` vs `policy.prod.json`)\n4. Process template variables inside the loaded files\n5. Implement error handling for missing or invalid files\n\n## Example\nConsider a complex IAM policy currently embedded in the manifest:\n\n**Current approach (policy embedded in manifest):**\n```yaml\n- name: aws/iam/cross_account_role\n file: aws/iam/iam_role.iql\n props:\n - name: assume_role_policy_document\n value:\n Version: \"2012-10-17\"\n Statement:\n - Sid: \"\"\n Effect: \"Allow\"\n Principal:\n AWS: \"arn:aws:iam::{{ databricks_aws_account_id }}:root\"\n Action: \"sts:AssumeRole\"\n Condition:\n StringEquals:\n sts:ExternalId: \"{{ databricks_account_id }}\"\n - name: policies\n value:\n - PolicyDocument:\n Statement:\n - Sid: Stmt1403287045000\n Effect: Allow\n Action:\n - \"ec2:AllocateAddress\"\n - \"ec2:AssociateDhcpOptions\"\n # ... many more actions ...\n Resource:\n - \"*\"\n Version: '2012-10-17'\n PolicyName: \"{{ stack_name }}-{{ stack_env }}-policy\"\n```\n\n**Proposed approach with external files:**\n```yaml\n- name: aws/iam/cross_account_role\n file: aws/iam/iam_role.iql\n props:\n - name: assume_role_policy_document\n value: \"${include('policies/assume_role_policy.json')}\"\n - name: policies\n value:\n - PolicyDocument: \"${include('policies/ec2_policy.json')}\"\n PolicyName: \"{{ stack_name }}-{{ stack_env }}-policy\"\n```\n\n**External file: `policies/assume_role_policy.json`:**\n```json\n{\n \"Version\": \"2012-10-17\",\n \"Statement\": [\n {\n \"Sid\": \"\",\n \"Effect\": \"Allow\",\n \"Principal\": {\n \"AWS\": \"arn:aws:iam::{{ databricks_aws_account_id }}:root\"\n },\n \"Action\": \"sts:AssumeRole\",\n \"Condition\": {\n \"StringEquals\": {\n \"sts:ExternalId\": \"{{ databricks_account_id }}\"\n }\n }\n }\n ]\n}\n```\n\n**External file: `policies/ec2_policy.json`:**\n```json\n{\n \"Statement\": [\n {\n \"Sid\": \"Stmt1403287045000\",\n \"Effect\": \"Allow\",\n \"Action\": [\n \"ec2:AllocateAddress\",\n \"ec2:AssociateDhcpOptions\",\n \"ec2:AssociateIamInstanceProfile\"\n // ... more actions ...\n ],\n \"Resource\": [\"*\"]\n }\n ],\n \"Version\": \"2012-10-17\"\n}\n```\n\n## Template Variable Processing\nTemplate variables (using the `{{ variable_name }}` syntax) in external files would be processed just like they are in the main manifest file, allowing for dynamic configuration:\n\n**Example with template variables in external file:**\n```json\n{\n \"Version\": \"2012-10-17\",\n \"Statement\": [\n {\n \"Effect\": \"Allow\",\n \"Principal\": {\n \"AWS\": \"arn:aws:iam::{{ databricks_aws_account_id }}:root\"\n },\n \"Action\": \"sts:AssumeRole\",\n \"Condition\": {\n \"StringEquals\": {\n \"sts:ExternalId\": \"{{ databricks_account_id }}\"\n }\n }\n }\n ]\n}\n```\n## Benefits\n- Cleaner, more maintainable manifest files\n- Easier version control of individual policies\n- Ability to reuse common policies across multiple stacks\n- Better separation of concerns in the infrastructure code\n- Familiar function-style syntax similar to other IaC tools\n\n## Additional Considerations\n- Path resolution: Relative to manifest file or working directory?\n- Error handling for missing or invalid files\n- Support for partial includes (specific sections of a file)\n- Documentation for best practices in organizing policy files","author":{"url":"https://github.com/jeffreyaven","@type":"Person","name":"jeffreyaven"},"datePublished":"2025-07-22T00:41:05.000Z","interactionStatistic":{"@type":"InteractionCounter","interactionType":"https://schema.org/CommentAction","userInteractionCount":0},"url":"https://github.com/57/stackql-deploy/issues/57"}
| route-pattern | /_view_fragments/issues/show/:user_id/:repository/:id/issue_layout(.:format) |
| route-controller | voltron_issues_fragments |
| route-action | issue_layout |
| fetch-nonce | v2:92ec2908-e8bd-70c9-fb95-76d8f2c523af |
| current-catalog-service-hash | 81bb79d38c15960b92d99bca9288a9108c7a47b18f2423d0f6438c5b7bcd2114 |
| request-id | B75E:91DE5:88B440:C98D51:6A4E1740 |
| html-safe-nonce | 5d41e7e1e493b19099517d5cf0f9e3b21922f8913082fc4ef0718a9238343ff1 |
| visitor-payload | eyJyZWZlcnJlciI6IiIsInJlcXVlc3RfaWQiOiJCNzVFOjkxREU1Ojg4QjQ0MDpDOThENTE6NkE0RTE3NDAiLCJ2aXNpdG9yX2lkIjoiMjY3NDgxNDc2MDgxNDI1Mzg4OCIsInJlZ2lvbl9lZGdlIjoiaWFkIiwicmVnaW9uX3JlbmRlciI6ImlhZCJ9 |
| visitor-hmac | b6782c9d822999798260d1d35a7a0f1920766534556db5d14bf14d6ea5cafa8e |
| hovercard-subject-tag | issue:3250532998 |
| github-keyboard-shortcuts | repository,issues,copilot |
| google-site-verification | Apib7-x98H0j5cPqHWwSMm6dNU4GmODRoqxLiDzdx9I |
| octolytics-url | https://collector.github.com/github/collect |
| analytics-location | / |
| fb:app_id | 1401488693436528 |
| apple-itunes-app | app-id=1477376905, app-argument=https://github.com/_view_fragments/issues/show/stackql/stackql-deploy/57/issue_layout |
| twitter:image | https://opengraph.githubassets.com/309835fe9a0c163bb8200f5452fa15e0c5fa666e9ebfb33b5346dfcfd74eac60/stackql/stackql-deploy/issues/57 |
| twitter:card | summary_large_image |
| og:image | https://opengraph.githubassets.com/309835fe9a0c163bb8200f5452fa15e0c5fa666e9ebfb33b5346dfcfd74eac60/stackql/stackql-deploy/issues/57 |
| og:image:alt | Feature Description Implement a function-style syntax for loading policies, IAM roles, and other complex JSON/YAML configurations from external files in stackql-deploy, similar to Terraform's file ... |
| og:image:width | 1200 |
| og:image:height | 600 |
| og:site_name | GitHub |
| og:type | object |
| og:author:username | jeffreyaven |
| hostname | github.com |
| expected-hostname | github.com |
| None | 030096ee0db095447bfe77409d33bfac127ca7128299c58deef27c52eaa1b1f0 |
| turbo-cache-control | no-preview |
| go-import | github.com/stackql/stackql-deploy git https://github.com/stackql/stackql-deploy.git |
| octolytics-dimension-user_id | 95105302 |
| octolytics-dimension-user_login | stackql |
| octolytics-dimension-repository_id | 785476010 |
| octolytics-dimension-repository_nwo | stackql/stackql-deploy |
| octolytics-dimension-repository_public | true |
| octolytics-dimension-repository_is_fork | false |
| octolytics-dimension-repository_network_root_id | 785476010 |
| octolytics-dimension-repository_network_root_nwo | stackql/stackql-deploy |
| turbo-body-classes | logged-out env-production page-responsive |
| disable-turbo | false |
| browser-stats-url | https://api.github.com/_private/browser/stats |
| browser-errors-url | https://api.github.com/_private/browser/errors |
| release | ea9187571e3edc5f2780f750631138669441ca50 |
| ui-target | full |
| theme-color | #1e2327 |
| color-scheme | light dark |
Links:
Viewport: width=device-width