
full-dress-10026

11/27/2018, 11:45 PM
Is it possible to attach multiple IAM policies to an IAM role at once?

stocky-spoon-28903

11/28/2018, 12:00 AM
Depends what you mean by “at once” - using multiple role policy attachments, yes
So “in the same program”

full-dress-10026

11/28/2018, 12:01 AM
I mean in one statement, as opposed to having a bunch of new aws.iam.RolePolicyAttachment.

stocky-spoon-28903

11/28/2018, 12:01 AM
Ah, not really - there is no AWS primitive for that, so nothing exists in the Terraform provider to do that
With Pulumi you could use a loop or a .map or similar though instead of writing them out in full

full-dress-10026

11/28/2018, 12:03 AM
If it doesn't already exist, seems like a useful function to include in a lib 🙂

stocky-spoon-28903

11/28/2018, 12:06 AM
Do you have a reference in your program to a bunch of policies?

full-dress-10026

11/28/2018, 12:07 AM
Yes. I have an Output<string[]> of policy arns.

stocky-spoon-28903

11/28/2018, 12:20 AM
youroutput.apply(x => x.map(y => new RolePolicyAttachment(...)))

full-dress-10026

11/28/2018, 12:30 AM
It's acceptable to create resources in apply?

microscopic-florist-22719

11/28/2018, 12:45 AM
It’s not a best practice—the resources may not appear in previews and will not properly depend upon the inputs to the apply—but it will work.

full-dress-10026

11/28/2018, 5:21 AM
Is there a best practice way to accomplish this?

microscopic-florist-22719

11/28/2018, 6:35 AM
Where is the output<string>[] coming from?
Is it from other resources?

stocky-spoon-28903

11/28/2018, 8:00 AM
If it’s an output<string>[] rather than an output<string[]> then this becomes much neater - you can just map over the array directly and pass the output<string> into the attachment

full-dress-10026

11/28/2018, 5:37 PM
It is from other resources. I could make it an output<string>[] I think.
Right now it's defined as this:
export let servicesPolicyArns = servicesIamPolicy.arn.apply(arn => {
    return [
        arn,
        "arn:aws:iam::aws:policy/AWSLambdaFullAccess",
        "arn:aws:iam::aws:policy/AmazonEC2ContainerServiceFullAccess",
    ];
});
But it could be defined like this:
let servicesPolicyArns = [
    "arn:aws:iam::aws:policy/AWSLambdaFullAccess",
    "arn:aws:iam::aws:policy/AmazonEC2ContainerServiceFullAccess",
    servicesIamPolicy.arn
];