refined-quill-24494
11/14/2023, 4:09 PM
`pulumi_aws.iam.get_policy_document()` helper in python to generate a policy document for an S3 bucket. Along the way, I'm using `iam.GetPolicyDocumentStatementArgs` and passing into its constructor `resources` arg where I want my bucket's ARN. The problem is that `resources` is `Optional[Sequence[str]]` whereas `my_bucket.arn` is of course `Output[str]`. I've read https://www.pulumi.com/docs/concepts/inputs-outputs doc and I understand I can probably get what I want using plain JSON, but I'm curious how one is supposed to use the above helpers in this context. Below is the full snippet where in both cases (direct use of an Output and transformed via `apply` Output) there's a type mismatch
```python
bucket_policy = iam.get_policy_document(statements=[
    iam.GetPolicyDocumentStatementArgs(
        actions=['s3:ListBucket'],
        resources=[my_bucket.arn],
        principals=[iam.GetPolicyDocumentStatementPrincipalArgs(
            type="AWS",
            identifiers=["*"],
        )],
    ),
    iam.GetPolicyDocumentStatementArgs(
        actions=["s3:GetObject", "s3:PutObject"],
        resources=[my_bucket.arn.apply(lambda arn: f"{arn}/*")],
        principals=[iam.GetPolicyDocumentStatementPrincipalArgs(
            type="AWS",
            identifiers=["*"],
        )],
    )
])
```
If this example (actually produced by PulumiAI) is not the best practice, then what is?
`iam.get_policy_document` call inside of the `bucket.arn.apply` lambda, like this
```python
my_bucket.arn.apply(
    lambda bucket_arn:
        iam.get_policy_document(...)
).json
```
the above produces `Output[str]` which I can then feed to `iam.PolicyArg`
adventurous-television-68331
12/08/2023, 10:18 PM