# python
n
Hello everyone, I’m generating various IAM policies, and I need to merge them and create another policy; the policies apply to certain individual roles, but I need them to be available for another role all grouped together, and the limit of 10 attachments per user or role is an issue. It may look unorthodox, but that’s where I’m at currently. The problem I have is these policies are generated dynamically (the resources may be, for instance, an S3 bucket with a random name created at runtime), and I can’t figure out how to extract the aws.iam.Policy.policy content, which is an Output, at runtime to parse and stitch it together with the other policies’ content. Tried multiple variants of apply() to no avail. Does anyone have an example of how to do that, or a suggestion for a better idea?
m
Have you seen the Converting JSON strings to outputs section? This should get you over the hurdle of converting the `aws.iam.Policy.policy` output into a JSON you can handle. You can merge documents with `aws.iam.get_policy_document` as shown in this example. Roughly something like the following should work if you need more fine-grained control over the merge process:
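```python
import pulumi
import pulumi_aws as aws

# ...
# all_my_policies: the aws.iam.Policy resources created earlier in the program

# Parse each policy document (an Output[str]) into an Output holding a dict
policies_as_json = [
    pulumi.Output.json_loads(policy.policy)
    for policy in all_my_policies
]

def merge(policies: list[dict]) -> dict:
    # combine all JSON documents into a single document
    statements = []
    for doc in policies:
        stmt = doc.get("Statement", [])
        # "Statement" may be a single object or a list of objects
        statements.extend(stmt if isinstance(stmt, list) else [stmt])
    # Note: any Sid values must still be unique across the merged statements
    return {"Version": "2012-10-17", "Statement": statements}

# Output.all takes the outputs as positional arguments (a list cannot be
# unpacked with **); merge then receives the resolved list of dicts
merged_policy = pulumi.Output.all(*policies_as_json).apply(merge)

new_doc = pulumi.Output.json_dumps(merged_policy)
```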
n
Thanks a lot @modern-zebra-45309 🙂