This message was deleted Pulumi Community #general

Join Slack

This message was deleted.

# general

sparse-intern-71089

06/18/2019, 4:20 PM

This message was deleted.

white-balloon-205

06/18/2019, 6:26 PM

When you say "external"

user_data

- do you mean loaded from a file? If so, how did you want to do the variable replacements? Certainly any combination of these is possible via

fs.readFileSync

, string interpolation,

.replace()

or other techniques.

elegant-crayon-4967

06/18/2019, 6:38 PM

well for instance, in Terraform I create a template file called user data, and I can pass in variables to that `*.tpl* file which is external (aka, not imbedded in my TF Code

elegant-crayon-4967

06/18/2019, 6:38 PM

looks something like this

Copy code

data "template_file" "user_data" {
  template = "${file("./modules/asg/user_data.tpl")}"
  vars {
    ssmDomainJoin   = "${var.ssm-domain-join}"
    ssmServerBuild  = "${var.ssm-server-build}"
    tEnv            = "${var.tags["t_env"]}"
    fsxDrive        = "${var.fsxDrive}"
  }
}

elegant-crayon-4967

06/18/2019, 6:39 PM

and then I'm able to reference that within the launchtemplate resource

user_data                 = "${base64encode(data.template_file.user_data.rendered)}"

elegant-crayon-4967

06/18/2019, 6:39 PM

I just don't know the proper way of doing all this via TS

elegant-crayon-4967

06/18/2019, 6:40 PM

was hoping there might be an example of something similar I could follow

cold-coat-35200

06/18/2019, 7:41 PM

just use a template language for ts, handlebars or mustache

cold-coat-35200

06/18/2019, 7:43 PM

Copy code

const policyDocumentTemplate = handlebars.compile(fs.readFileSync(path.join('templates', 'kmsKeyPolicy.json'), 'utf8'))
    const policyDocument = pulumi.all([this.iamRole.arn, callerIdentity]).apply(([iamRoleArn, callerIdentity]) => {
      return policyDocumentTemplate({
        accountID: callerIdentity.accountId,
        iamRoleArn: iamRoleArn
      })
    })

cold-coat-35200

06/18/2019, 7:44 PM

example file:

Copy code

{
  "Version": "2012-10-17",
  "Id": "etcd-cluster-kms-key-policy",
  "Statement": [
    {
      "Sid": "Enable IAM User Permissions",
      "Effect": "Allow",
      "Principal": {
        "AWS": "arn:aws:iam::{{accountID}}:root"
      },
      "Action": "kms:*",
      "Resource": "*"
    },
    {
      "Sid": "Allow access for Key Administrators",
      "Effect": "Allow",
      "Principal": {
        "AWS": "{{ iamRoleArn }}"
      },
      "Action": [
        "kms:Create*",
        "kms:Describe*",
        "kms:Enable*",
        "kms:List*",
        "kms:Put*",
        "kms:Update*",
        "kms:Revoke*",
        "kms:Disable*",
        "kms:Get*",
        "kms:Delete*",
        "kms:TagResource",
        "kms:UntagResource"
      ],
      "Resource": "*"
    },
    {
      "Sid": "Allow use of the key",
      "Effect": "Allow",
      "Principal": {
        "AWS": "{{ iamRoleArn }}"
      },
      "Action": [
        "kms:Encrypt",
        "kms:Decrypt",
        "kms:ReEncrypt*",
        "kms:GenerateDataKey*",
        "kms:DescribeKey"
      ],
      "Resource": "*"
    },
    {
      "Sid": "Allow attachment of persistent resources",
      "Effect": "Allow",
      "Principal": {
        "AWS": "{{ iamRoleArn }}"
      },
      "Action": [
        "kms:CreateGrant",
        "kms:ListGrants",
        "kms:RevokeGrant"
      ],
      "Resource": "*",
      "Condition": {
        "Bool": {
          "kms:GrantIsForAWSResource": "true"
        }
      }
    }
  ]
}

elegant-crayon-4967

06/18/2019, 8:01 PM

perfect, thanks! I just needed a spark to get me going 🙂

2 Views

Open in Slack

Previous Next