Channels
announcements
automation-api
aws
azure
blog-posts
built-with-pulumi
cloudengineering
cloudengineering-support
content-share
contribex
contribute
docs
dotnet
finops
general
getting-started
gitlab
golang
google-cloud
hackathon-03-19-2020
hacktoberfest
install
java
jobs
kubernetes
learn-pulumi-events
linen
localstack
multi-language-hackathon
office-hours
oracle-cloud-infrastructure
plugin-framework
pulumi-ai
pulumi-cdk
pulumi-cloud
pulumi-crosscode
pulumi-deployments
pulumi-kubernetes-operator
pulumiverse
python
registry
status
testingtesting123
testingtesting321
typescript
welcome
workshops
yaml
Title
a
average-tiger-58107
10/04/2022, 9:13 PMIs there any way to interpolate pulumi Outputs into a JSON stringified IAM policy w/o wrapping the entire resource creation in an
applyconst scsExecPolicy = pulumi
.all([commonClusterExecKey.arn, commonClusterEcsExecLogGroup.arn])
.apply(([commonClusterExecKeyARN, commonClusterEcsExecLogGroupArn]) => {
return new aws.iam.Policy("scs-exec-policy", {
name: "cfx-policy-scs-exec",
policy: JSON.stringify({
Version: "2012-10-17",
Statement: [
{
Action: [
"ssmmessages:CreateControlChannel",
"ssmmessages:CreateDataChannel",
"ssmmessages:OpenControlChannel",
"ssmmessages:OpenDataChannel",
],
Effect: "Allow",
Resource: "*",
},
{
Action: ["logs:DescribeLogGroups"],
Effect: "Allow",
Resource: "*",
},
{
Action: [
"logs:CreateLogStream",
"logs:DescribeLogStreams",
"logs:PutLogEvents",
],
Effect: "Allow",
Resource: `${commonClusterEcsExecLogGroupArn}:*`,
},
{
Effect: "Allow",
Action: ["kms:Decrypt"],
Resource: commonClusterExecKeyARN,
},
],
}),
});
});m
miniature-musician-31262
10/04/2022, 9:15 PMWith TypeScript, you should be able to use
pulumi.interpolate(Apologies if there’s something in there that prevents it, but from the looks of things, that should work.)
a
average-tiger-58107
10/04/2022, 9:20 PMHm I haven't been able to figure out how to make that work
Can you show how you would write it
m
miniature-musician-31262
10/04/2022, 9:21 PMSure, lemme see
So since
policyInput<string | aws.iam.PolicyDocument>pulumi.interpolateIn the example, the interpolated values are all
Output<string>b
billowy-army-68599
10/04/2022, 10:02 PMa
average-tiger-58107
10/04/2022, 10:43 PMThank you both! Very helpful
🙌 1
@billowy-army-68599 I have another instance where I need to interpolate some Outputs for an
aws.kms.Keyaws.iam.PolicyDocumentInput<string>commonClusterExecKey = new aws.kms.Key("cfx-common-cluster-ecs-exec-key", {
description: "",
deletionWindowInDays: 30,
policy: Input<string> | undefined,
});aws.iam.PolicyDocumentaws.iam.getPolicyDocumentaws.iam.PolicyDocumentWhen I try to replicate my policy document using
aws.iam.getPolicyDocumentb
billowy-army-68599
10/05/2022, 5:32 PMwe probably need to allow the input type on that, can you file an issue?
a
average-tiger-58107
10/05/2022, 7:10 PMYou allow the
Input<string>Input<aws.iam.PolicyDocument>I'll file an issue
m
miniature-musician-31262
10/05/2022, 7:25 PMThis is untested, but maybe you could use
aws.iam.getPolicyDocumentOutput().jsonconst key = new aws.kms.Key("some-key", {
policy: aws.iam.getPolicyDocumentOutput({
statements: [
{
sid: pulumi.interpolate`Some string containing ${someOutput.value}`,
//...
},
],
}).json,
});(As a potential unblocker; an issue would indeed be great)
Since
policyInput<string>stringa
average-tiger-58107
10/05/2022, 7:35 PMThe problem with this is that we are passing around `aws.iam.PolicyDocument`'s everywhere else, and this would be a one-off thing. I can look into it though
👍 1