No matter how you like to participate in developer communities, Pulumi wants to meet you there. If you want to meet other Pulumi users to share use-cases and best practices, contribute code or documentation, see us at an event, or just tell a story about something cool you did with Pulumi, you are part of our community.

Pulumi Community

I don’t think you can use `interpolate` inside an `apply` . You’ll need to use `Output.all`

```new aws.s3.BucketPolicy("bucket-policy", {
  bucket: contentBucket.bucket,
  policy: pulumi.all([contentBucket.bucket, originAccessIdentity.id]).apply(([bucketName, accessId]) =&gt;
    JSON.stringify({
      Version: "2012-10-17",
      Statement: [
        {
          Sid: "CloudfrontAllow",
          Effect: "Allow",
          Principal: {
            AWS: `arn:aws:iam::cloudfront:user/CloudFront Origin Access Identity ${accessId}`,
          },
          Action: "s3:GetObject",
          Resource: `arn:aws:s3:::${bucketName}/*`,
        },
      ],
    })
  ),
}); ```

Many uses of policy documents have the parameter type `Input&lt;string | PolicyDocument&gt;`. This is one of them. If you see that, then you don't need to do the "big" interpolation, and often you can skip interpolating entirely.

Untitled.ts

^ <@U012UJTT55M> you’ll need a `pulumi.interpolate` for the principal too

Sorry, copied/edited your code instead of Daniel's :)

I should raise issues about all the other uses of policy documents that don't do this. It is _sooo_ handy.

<@U012UJTT55M> definitely feel free to open an issue, but if you’re inspired to fix this yourself, we would gladly accept a PR with those changes. All it takes is <https://github.com/pulumi/pulumi-aws/blob/master/provider/resources.go#L732-L740|this change> to the appropriate resource/fields and running `make build` at the repo root

Ooo. Nice. Well, it's golang, but nice _ish_.

learned so much!
<https://github.com/jaxxstorm/pulumi-examples/blob/main/typescript/aws/s3-cloudfront/index.ts>

here's both methods in the form of example, but I'm using the `iamArn` output to make life a little easier :smile:

thanks <@U012UJTT55M>, that worked perfectly. Also thanks for the example you linked to <@UCWG26BH7>, I didn't see that one...

I just wrote it with tenwit and Komal's help, so thank them! I just like to document the solutions :smile:

Looks like the link that Komal gave, to resources.go, is now off a bit? Line 1648 (<https://github.com/pulumi/pulumi-aws/blob/e8ed71ede8a9cb457085859bff662a8b45e4b698/provider/resources.go#L1648>) contains the PolicyDocument alt type.

No that's the right link still... you have to add the `PolicyDocument` alt type to any resource property where it would make sense

Basically this whole section, where `policy` is the name of the field: <https://github.com/pulumi/pulumi-aws/blob/e8ed71ede8a9cb457085859bff662a8b45e4b698/provider/resources.go#L1645-L1650>

Yep, that's the link I included, the earlier link was to lines 732-740, which now mentions aws_cloudhsm_v2_hsm and hsm_state.. which confused me :slightly_smiling_face: