#general

average-tiger-58107

10/04/2022, 9:13 PM
Is there any way to interpolate pulumi Outputs into a JSON stringified IAM policy w/o wrapping the entire resource creation in an `apply`? Example:
```typescript
import * as pulumi from "@pulumi/pulumi";
import * as aws from "@pulumi/aws";

// commonClusterExecKey (aws.kms.Key) and commonClusterEcsExecLogGroup
// (aws.cloudwatch.LogGroup) are created earlier in the same program.
// Wrapping the whole resource in apply() so the ARNs can be stringified:
const scsExecPolicy = pulumi
  .all([commonClusterExecKey.arn, commonClusterEcsExecLogGroup.arn])
  .apply(([commonClusterExecKeyARN, commonClusterEcsExecLogGroupArn]) => {
    return new aws.iam.Policy("scs-exec-policy", {
      name: "cfx-policy-scs-exec",
      policy: JSON.stringify({
        Version: "2012-10-17",
        Statement: [
          {
            Action: [
              "ssmmessages:CreateControlChannel",
              "ssmmessages:CreateDataChannel",
              "ssmmessages:OpenControlChannel",
              "ssmmessages:OpenDataChannel",
            ],
            Effect: "Allow",
            Resource: "*",
          },
          {
            Action: ["logs:DescribeLogGroups"],
            Effect: "Allow",
            Resource: "*",
          },
          {
            Action: [
              "logs:CreateLogStream",
              "logs:DescribeLogStreams",
              "logs:PutLogEvents",
            ],
            Effect: "Allow",
            // Scope log writes to streams under the exec log group only
            Resource: `${commonClusterEcsExecLogGroupArn}:*`,
          },
          {
            Effect: "Allow",
            Action: ["kms:Decrypt"],
            // Scope decrypt to the single exec session key
            Resource: commonClusterExecKeyARN,
          },
        ],
      }),
    });
  });
```
m

miniature-musician-31262

10/04/2022, 9:15 PM
With TypeScript, you should be able to use `pulumi.interpolate` for this — have you tried it? https://www.pulumi.com/docs/intro/concepts/inputs-outputs/#outputs-and-strings
(Apologies if there’s something in there that prevents it, but from the looks of things, that should work.)

average-tiger-58107

10/04/2022, 9:20 PM
Hm I haven't been able to figure out how to make that work
Can you show how you would write it?

miniature-musician-31262

10/04/2022, 9:21 PM
Sure, lemme see
So since `policy` is typed as `Input<string | aws.iam.PolicyDocument>`, you can give it an object that conforms to the latter and use `pulumi.interpolate` to interpolate the outputs — here’s an example: https://gist.github.com/cnunciato/47acb7f701fb89d0d362d56440344a2b
In the example, the interpolated values are all `Output<string>`s

average-tiger-58107

10/04/2022, 10:43 PM
Thank you both! Very helpful
@billowy-army-68599 I have another instance where I need to interpolate some Outputs for an `aws.kms.Key` policy, but it doesn't accept an `aws.iam.PolicyDocument`. It only accepts `Input<string>`.
```typescript
import * as aws from "@pulumi/aws";

const commonClusterExecKey = new aws.kms.Key("cfx-common-cluster-ecs-exec-key", {
    description: "",
    deletionWindowInDays: 30,
    // The `policy` arg is typed Input<string> | undefined: a JSON string only,
    // so a PolicyDocument object cannot be passed here directly.
    policy: undefined,
});
```
It seems to me that an `aws.iam.PolicyDocument` has the exact same structure as a KMS policy document, and the documentation even says I can use `aws.iam.getPolicyDocument`. Why can't I simply pass an `aws.iam.PolicyDocument` object?
When I try to replicate my policy document using `aws.iam.getPolicyDocument`, I lose the ability to interpolate

billowy-army-68599

10/05/2022, 5:32 PM
we probably need to allow the input type on that, can you file an issue?

average-tiger-58107

10/05/2022, 7:10 PM
You allow the `Input<string>` type, but not `Input<aws.iam.PolicyDocument>`
I'll file an issue

miniature-musician-31262

10/05/2022, 7:25 PM
This is untested, but maybe you could use `aws.iam.getPolicyDocumentOutput().json` — something like this maybe?
```typescript
import * as pulumi from "@pulumi/pulumi";
import * as aws from "@pulumi/aws";

// someOutput stands in for whatever Output you need to interpolate.
// getPolicyDocumentOutput accepts Inputs, and its .json is an Output<string>,
// which matches the Input<string> type of the KMS key's `policy` arg.
const key = new aws.kms.Key("some-key", {
    policy: aws.iam.getPolicyDocumentOutput({
        statements: [
            {
                sid: pulumi.interpolate`Some string containing ${someOutput.value}`,
                //...
            },
        ],
    }).json,
});
```
(As a potential unblocker; an issue would indeed be great)
Since `policy` is an `Input<string>` and not a plain `string`, something like that should be doable.

average-tiger-58107

10/05/2022, 7:35 PM
The problem with this is that we are passing around `aws.iam.PolicyDocument`'s everywhere else, and this would be a one-off thing. I can look into it though