average-tiger-58107
10/04/2022, 9:13 PM
apply? Example:
const scsExecPolicy = pulumi
  .all([commonClusterExecKey.arn, commonClusterEcsExecLogGroup.arn])
  .apply(([commonClusterExecKeyARN, commonClusterEcsExecLogGroupArn]) => {
    return new aws.iam.Policy("scs-exec-policy", {
      name: "cfx-policy-scs-exec",
      policy: JSON.stringify({
        Version: "2012-10-17",
        Statement: [
          {
            Action: [
              "ssmmessages:CreateControlChannel",
              "ssmmessages:CreateDataChannel",
              "ssmmessages:OpenControlChannel",
              "ssmmessages:OpenDataChannel",
            ],
            Effect: "Allow",
            Resource: "*",
          },
          {
            Action: ["logs:DescribeLogGroups"],
            Effect: "Allow",
            Resource: "*",
          },
          {
            Action: [
              "logs:CreateLogStream",
              "logs:DescribeLogStreams",
              "logs:PutLogEvents",
            ],
            Effect: "Allow",
            Resource: `${commonClusterEcsExecLogGroupArn}:*`,
          },
          {
            Effect: "Allow",
            Action: ["kms:Decrypt"],
            Resource: commonClusterExecKeyARN,
          },
        ],
      }),
    });
  });
miniature-musician-31262
10/04/2022, 9:15 PM
pulumi.interpolate for this — have you tried it? https://www.pulumi.com/docs/intro/concepts/inputs-outputs/#outputs-and-strings
average-tiger-58107
10/04/2022, 9:20 PM
miniature-musician-31262
10/04/2022, 9:21 PM
policy is typed as Input<string | aws.iam.PolicyDocument>, you can give it an object that conforms to the latter and use pulumi.interpolate to interpolate the outputs — here’s an example: https://gist.github.com/cnunciato/47acb7f701fb89d0d362d56440344a2b
Output<string>s
billowy-army-68599
10/04/2022, 10:02 PM
average-tiger-58107
10/04/2022, 10:43 PM
aws.kms.Key policy, but it doesn't accept an aws.iam.PolicyDocument. It only accepts Input<string>.
commonClusterExecKey = new aws.kms.Key("cfx-common-cluster-ecs-exec-key", {
  description: "",
  deletionWindowInDays: 30,
  policy: Input<string> | undefined,
});
It seems to me that an aws.iam.PolicyDocument has the exact same structure as a KMS policy document, and the documentation even says I can use aws.iam.getPolicyDocument. Why can't I simply pass an aws.iam.PolicyDocument object?
aws.iam.getPolicyDocument, I lose the ability to interpolate
billowy-army-68599
10/05/2022, 5:32 PM
average-tiger-58107
10/05/2022, 7:10 PM
Input<string> type, but not Input<aws.iam.PolicyDocument>
miniature-musician-31262
10/05/2022, 7:25 PM
aws.iam.getPolicyDocumentOutput().json — something like this maybe?
const key = new aws.kms.Key("some-key", {
  policy: aws.iam.getPolicyDocumentOutput({
    statements: [
      {
        sid: pulumi.interpolate`Some string containing ${someOutput.value}`,
        //...
      },
    ],
  }).json,
});
policy is an Input<string> and not a plain string, something like that should be doable.
average-tiger-58107
10/05/2022, 7:35 PM