https://pulumi.com logo
#general
Title
# general
b

busy-umbrella-36067

04/02/2019, 2:35 AM
Is there a cleaner way of using pulumi outputs inside of IAM Policies? Using
.apply
on just the kms key id results in
"Calling [toJSON] on an [Output<T>] is not supported.
Copy code
const taskRolePolicy = new aws.iam.Policy('ecs-XXXXXX-task', {
    name: 'ecs-XXXXXX-task',
    policy: kmsKey.arn.apply(id => JSON.stringify({
      "Version": "2012-10-17",
      "Statement": [
        {
          "Effect": "Allow",
          "Action": [
            "kms:Decrypt"
          ],
          "Resource": [
            id
          ]
        }
      ]
    }))
  })
w

white-balloon-205

04/02/2019, 2:51 AM
That should definitely work as-is and not result in that error. Is there anything else in your repro case that might be triggering this?
s

stocky-spoon-28903

04/02/2019, 2:57 AM
I think the error is from a slightly different construction where the apply is called from inside the object?
✔️ 1
b

busy-umbrella-36067

04/02/2019, 12:12 PM
Yeah, the error happens when I use it like this.
Copy code
const taskRolePolicy = new aws.iam.Policy('ecs-XXXXXX-task', {
    name: 'ecs-XXXXXX-task',
    policy: JSON.stringify({
      "Version": "2012-10-17",
      "Statement": [
        {
          "Effect": "Allow",
          "Action": [
            "kms:Decrypt"
          ],
          "Resource": [
            kmsKey.id.apply(id => id)
          ]
        }
      ]
    })
  })
or this
Copy code
const taskRolePolicy = new aws.iam.Policy('ecs-XXXXXX-task', {
    name: 'ecs-XXXXX-task',
    policy: `{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "kms:Decrypt"
      ],
      "Resource": [
        ${kmsKey.id.apply(id => id)}
      ]
    }
  ]
}`
  })
s

stocky-spoon-28903

04/02/2019, 12:14 PM
@busy-umbrella-36067 they are expected: see the other way I posted here: https://pulumi-community.slack.com/archives/C84L4E3N1/p1554173011157600
👍 1
2 Views