Channels
#general
Title
d
damp-book-35965
03/26/2019, 12:06 AMI'm trying to write a iam policy which depends on an iam role But I'm unable to reference it in the policy doc like:
Copy code
const iamRole = new aws.iam.Role(clusterName + "-server", {
assumeRolePolicy: JSON.stringify({
Version: "2012-10-17",
Statement: [{
Action: "sts:AssumeRole",
Principal: {
"AWS": cluster.instanceRole <- this is type=pulumi.Output<aws.iam.Role>;
},
Effect: "Allow"
}]
})
});c
creamy-potato-29402
03/26/2019, 12:07 AM@damp-book-35965 this is a trick part of the API, you want
cluster.instanceRole.apply(ir => JSON.stringify(...))✔️ 1
where
assumeRolePolicythat field is really supposed to be a string, but we’ve added some nice sugar to make it a JSON object — the downside is that you can’t use
Inputif that makes sense.
d
damp-book-35965
03/26/2019, 12:10 AMKind of..still trying to grok it fully with using pulumi .Output
But basically this makes the instance role available to use within the apply() function
c
creamy-potato-29402
03/26/2019, 12:11 AMok so here’s what’s happening.
assumeRolePolicystringnew aws.iam.RoletoStringSo, what this means is:
oh wait
no it doesn’t actually even do that, YOU have to do that.
d
damp-book-35965
03/26/2019, 12:16 AMtoString is not supported
c
creamy-potato-29402
03/26/2019, 12:16 AMSo the reason
cluster.instanceRoleJSON.stringifyOutputSo, in order to generate the correct string,
JSON.stringfy.applyd
damp-book-35965
03/26/2019, 12:17 AMYes got that
c
creamy-potato-29402
03/26/2019, 12:17 AMotherwise you’re just `toString`’ing the promise. But you don’t want that. You want the value inside the promise once it resolves
d
damp-book-35965
03/26/2019, 12:18 AMYes..makes sense..I think i got a bit confused because in some places it is supported to directly use the pulumi.Output<> but not everywhere
c
creamy-potato-29402
03/26/2019, 12:19 AMyeah
It’s hard to grok, we’re actively working on simplifying. 🙂
👍 1
d
damp-book-35965
03/26/2019, 12:19 AMHave to say it's beautiful when it works