Hi! I'm trying to use

pulumi_aws.iam.get_policy_document()

helper in python to generate a policy document for an S3 bucket. Along the way, I'm using

iam.GetPolicyDocumentStatementArgs

and passing into its constructor

resources

arg where I want my bucket's ARN. The problem is that

resources

is

Optional[Sequence[str]]

whereas

my_bucket.arn

is of course

Output[str]

. I've read https://www.pulumi.com/docs/concepts/inputs-outputs doc and I understand I can probably get what I want using plain JSON, but I'm curious how one is supposed to use the above helpers in this context. Below is the full snippet where in both cases (direct use of an Output and transformed via apply Output) there's a type mismatch

bucket_policy = iam.get_policy_document(statements=[
    iam.GetPolicyDocumentStatementArgs(
        actions=['s3:ListBucket'],
        resources=[my_bucket.arn],
        principals=[iam.GetPolicyDocumentStatementPrincipalArgs(
            type="AWS",
            identifiers=["*"],
        )],
    ),
    iam.GetPolicyDocumentStatementArgs(
        actions=["s3:GetObject", "s3:PutObject"],
        resources=[my_bucket.arn.apply(lambda arn: f"{arn}/*")],
        principals=[iam.GetPolicyDocumentStatementPrincipalArgs(
            type="AWS",
            identifiers=["*"],
        )],
    )
])

If this example (actually produced by PulumiAI) is not the best practice, then what is?

I'm using C# but for the record, the expression iam.get_policy_document() can be evaluated outside of the apply lambda. It's just accessing properties of the result needs to be done inside the apply().