
steep-lamp-20408

09/29/2022, 10:07 AM
Hi there, I’m trying to do Python string interpolation within an AWS policy JSON string defined in a Pulumi object:
import pulumi_aws as aws

iam_role = aws.iam.Role(
        "my-role",
        name="my-role",
        assume_role_policy="""{
                ...
            }
        """,
        inline_policies=[
            aws.iam.RoleInlinePolicyArgs(
                name=f"my-policy-{stack_name}",
                policy=f"""{
                            "Version": "2012-10-17",
                            "Statement": [
                                {
                                    "Effect": "Allow",
                                    "Action": [
                                        "dynamodb:BatchGetItem",
                                        "dynamodb:GetItem",
                                        "dynamodb:Query",
                                        "dynamodb:Scan"
                                    ],
                                    "Resource": "arn:aws:dynamodb:ap-northeast-1:123456:table/myTablesPrefix-{stack_name}-*"
                                }
                            ]
                        }
                    """
            ),
        ],
    )
...but I get the following error:
SyntaxError: f-string: expressions nested too deeply
However, it does not look like I’m trying to do nested string interpolation: I’m just doing string interpolation in a triple-quoted string. Right? So maybe Pulumi is doing some string interpolation on top of it? Any idea on how to solve that?
Solved, thanks to the first answer here: https://stackoverflow.com/questions/42444130/python-multi-line-json-and-variables We just need to do this:
import pulumi_aws as aws

iam_role = aws.iam.Role(
        "my-role",
        name="my-role",
        assume_role_policy="""{
                ...
            }
        """,
        inline_policies=[
            aws.iam.RoleInlinePolicyArgs(
                name=f"my-policy-{stack_name}",
                # str.format() treats single braces as placeholders, so the literal
                # JSON braces are doubled; only {stack_name} is substituted.
                policy="""{{
                            "Version": "2012-10-17",
                            "Statement": [
                                {{
                                    "Effect": "Allow",
                                    "Action": [
                                        "dynamodb:BatchGetItem",
                                        "dynamodb:GetItem",
                                        "dynamodb:Query",
                                        "dynamodb:Scan"
                                    ],
                                    "Resource": "arn:aws:dynamodb:ap-northeast-1:123456:table/myTablesPrefix-{stack_name}-*"
                                }}
                            ]
                        }}
                    """.format(stack_name=stack_name)
            ),
        ],
    )

stocky-restaurant-98004

09/29/2022, 1:59 PM
I think you'll have an easier time with IAM policies using json.dumps for what it's worth. Writing a Python map is significantly easier and less fragile.