
microscopic-zoo-3564

05/10/2021, 3:09 AM
Does anyone know how to interpolate the id of another resource inside an S3 bucket policy? I'm trying to do the below, but the interpolation of the `originAccessIdentity.id` value is not working, and results in an error: `Error putting S3 policy: MalformedPolicy: Policy has invalid principal`. I can't seem to find an example anywhere that uses anything other than the bucket name in the policy.
```typescript
import * as pulumi from "@pulumi/pulumi";
import * as aws from "@pulumi/aws";

const domain = "testing@example.com";

const contentBucket = new aws.s3.Bucket("content-bucket", {
  bucket: domain,
  acl: "private",
  website: {
    indexDocument: "index.html",
    errorDocument: "index.html",
  },
  forceDestroy: true,
});

const originAccessIdentity = new aws.cloudfront.OriginAccessIdentity(
  "cloudfront-oai",
  {
    comment: pulumi.interpolate`OAI-${contentBucket.bucketDomainName}`,
  }
);

// This is the failing version: pulumi.interpolate inside the apply callback
// yields an Output object rather than a string, so JSON.stringify cannot
// serialize the principal ARN and AWS rejects the policy as malformed.
new aws.s3.BucketPolicy("bucket-policy", {
  bucket: contentBucket.bucket,
  policy: contentBucket.bucket.apply((bucketName) =>
    JSON.stringify({
      Version: "2012-10-17",
      Statement: [
        {
          Sid: "CloudfrontAllow",
          Effect: "Allow",
          Principal: {
            AWS: pulumi.interpolate`arn:aws:iam::cloudfront:user/CloudFront Origin Access Identity ${originAccessIdentity.id}`,
          },
          Action: "s3:GetObject",
          Resource: `arn:aws:s3:::${bucketName}/*`,
        },
      ],
    })
  ),
});
```

red-match-15116

05/10/2021, 3:19 AM
I don’t think you can use `interpolate` inside an `apply`. You’ll need to use `Output.all`:
```typescript
// Resolve both outputs together so the callback receives plain strings.
new aws.s3.BucketPolicy("bucket-policy", {
  bucket: contentBucket.bucket,
  policy: pulumi.all([contentBucket.bucket, originAccessIdentity.id]).apply(([bucketName, accessId]) =>
    JSON.stringify({
      Version: "2012-10-17",
      Statement: [
        {
          Sid: "CloudfrontAllow",
          Effect: "Allow",
          Principal: {
            AWS: `arn:aws:iam::cloudfront:user/CloudFront Origin Access Identity ${accessId}`,
          },
          Action: "s3:GetObject",
          Resource: `arn:aws:s3:::${bucketName}/*`,
        },
      ],
    })
  ),
});
```

little-cartoon-10569

05/10/2021, 3:24 AM
Many uses of policy documents have the parameter type `Input<string | PolicyDocument>`. This is one of them. If you see that, then you don't need to do the "big" interpolation, and often you can skip interpolating entirely.
Try this code instead:

red-match-15116

05/10/2021, 3:29 AM
^ @little-cartoon-10569 you’ll need a `pulumi.interpolate` for the principal too

little-cartoon-10569

05/10/2021, 3:30 AM
Sorry, copied/edited your code instead of Daniel's :)
I should raise issues about all the other uses of policy documents that don't do this. It is sooo handy.

red-match-15116

05/10/2021, 3:35 AM
@little-cartoon-10569 definitely feel free to open an issue, but if you’re inspired to fix this yourself, we would gladly accept a PR with those changes. All it takes is this change to the appropriate resource/fields and running `make build` at the repo root

little-cartoon-10569

05/10/2021, 3:36 AM
Ooo. Nice. Well, it's golang, but nice ish.

billowy-army-68599

05/10/2021, 3:38 AM
learned so much! https://github.com/jaxxstorm/pulumi-examples/blob/main/typescript/aws/s3-cloudfront/index.ts here's both methods in the form of example, but I'm using the `iamArn` output to make life a little easier 😄

microscopic-zoo-3564

05/10/2021, 3:48 AM
thanks @little-cartoon-10569, that worked perfectly. Also thanks for the example you linked to @billowy-army-68599, I didn't see that one...

billowy-army-68599

05/10/2021, 3:49 AM
I just wrote it with tenwit and Komal's help, so thank them! I just like to document the solutions 😄

microscopic-zoo-3564

05/10/2021, 3:49 AM
lol awesome

eager-librarian-67047

01/11/2022, 9:31 PM
Thanks for this discussion

little-cartoon-10569

01/11/2022, 9:45 PM
Looks like the link that Komal gave, to resources.go, is now off a bit? Line 1648 (https://github.com/pulumi/pulumi-aws/blob/e8ed71ede8a9cb457085859bff662a8b45e4b698/provider/resources.go#L1648) contains the PolicyDocument alt type.

red-match-15116

01/11/2022, 9:48 PM
No that's the right link still... you have to add the `PolicyDocument` alt type to any resource property where it would make sense and the `Transform`

little-cartoon-10569

01/11/2022, 9:51 PM
Yep, that's the link I included, the earlier link was to lines 732-740, which now mentions aws_cloudhsm_v2_hsm and hsm_state.. which confused me 🙂

red-match-15116

01/11/2022, 9:51 PM
aha! lol okay thank you