# general
c
Is there a better way to do:
```typescript
import * as aws from '@pulumi/aws';
import * as pulumi from '@pulumi/pulumi';

// config, elasticSearchDomain and the *Table resources are defined elsewhere in the program.
const awsIamPolicy = new aws.iam.Policy('rsin-provider', {
  name: `${config.environment}-rsin-provider`,
  description: 'Allow rsin-provider to connect to ElasticSearch',
  // The policy document is assembled as a JSON string; pulumi.interpolate
  // resolves the Output<string> ARNs once the referenced resources are known.
  policy: pulumi.interpolate`{
      "Version": "2012-10-17",
      "Statement": [
        {
          "Action": ["es:*"],
          "Effect": "Allow",
          "Resource": "${elasticSearchDomain.arn}/*"
        },
        {
          "Effect": "Allow",
          "Action": ["dynamodb:DescribeTable", "dynamodb:Query", "dynamodb:Scan"],
          "Resource": "${clientsTable.arn}"
        },
        {
          "Effect": "Allow",
          "Action": ["dynamodb:DescribeTable", "dynamodb:Query", "dynamodb:Scan"],
          "Resource": "${auditLogsTable.arn}"
        },
        {
          "Effect": "Allow",
          "Action": ["dynamodb:DescribeTable", "dynamodb:Query", "dynamodb:Scan"],
          "Resource": "${linksTable.arn}"
        },
        {
          "Effect": "Allow",
          "Action": ["dynamodb:DescribeTable", "dynamodb:Query", "dynamodb:Scan"],
          "Resource": "${notificationsTable.arn}"
        },
        {
          "Effect": "Allow",
          "Action": ["dynamodb:DescribeTable", "dynamodb:Query", "dynamodb:Scan"],
          "Resource": "${usersTable.arn}"
        }
      ]
    }`
});
```
I really dislike having to do it this way (string template)
w
I believe you can now do `policy: pulumi.output({ ... })`. That means it's still mostly strongly typed.
As for even higher level things to help build up these policy documents - if you have thoughts on how you’d like to be able to write this - feel free to share in an issue on awsx repo. We’re thinking of doing some work around simplifying IAM further there soon.
b
You can also use the `aws.iam.PolicyDocument` AFAIR - right @white-balloon-205?
w
Yes - the suggestion I shared above is implicitly checking that the `{ ... }` adheres to the `PolicyDocument` interface. Because `policy: pulumi.Input<string | PolicyDocument>;`
c
Is this just a language issue, or does pulumi just need some work? Because the whole input/output thing always bites us. It’s my current #1 issue with pulumi
w
So you can pass either a `string` (as @cool-egg-852 did originally) or a `PolicyDocument`, which is a strongly typed object.
> the whole input/output thing always bites us
We are continuing to do work to try to make this simpler in Pulumi. There are typically just a few common patterns that can be used to cover most cases, but we do want to find ways to remove more friction here.
c
I must be doing something wrong. With `PolicyDocument` I can't reference resources' ARNs.
w
```typescript
import * as aws from '@pulumi/aws';
import * as pulumi from '@pulumi/pulumi';

// config, elasticSearchDomain and the *Table resources are defined elsewhere in the program.
const awsIamPolicy = new aws.iam.Policy('rsin-provider', {
  name: `${config.environment}-rsin-provider`,
  description: 'Allow rsin-provider to connect to ElasticSearch',
  // pulumi.output() lifts the nested Output<string> ARNs into a single
  // Output<PolicyDocument>, so the document stays a typed object instead of a string.
  policy: pulumi.output({
    Version: '2012-10-17',
    Statement: [
      {
        // es:* grants every Elasticsearch API action on the domain's sub-resources.
        Action: ['es:*'],
        Effect: 'Allow',
        Resource: pulumi.interpolate`${elasticSearchDomain.arn}/*`
      },
      {
        Effect: 'Allow',
        Action: ['dynamodb:DescribeTable', 'dynamodb:Query', 'dynamodb:Scan'],
        Resource: clientsTable.arn
      },
      {
        Effect: 'Allow',
        Action: ['dynamodb:DescribeTable', 'dynamodb:Query', 'dynamodb:Scan'],
        Resource: auditLogsTable.arn
      },
      {
        Effect: 'Allow',
        Action: ['dynamodb:DescribeTable', 'dynamodb:Query', 'dynamodb:Scan'],
        Resource: linksTable.arn
      },
      {
        Effect: 'Allow',
        Action: ['dynamodb:DescribeTable', 'dynamodb:Query', 'dynamodb:Scan'],
        Resource: notificationsTable.arn
      },
      {
        Effect: 'Allow',
        Action: ['dynamodb:DescribeTable', 'dynamodb:Query', 'dynamodb:Scan'],
        Resource: usersTable.arn
      }
    ]
  })
});
```
c
That doesn't work, unless WebStorm is reporting an incorrect error.
w
Ahh - I do think this was improved recently - if you have an older `@pulumi/aws`, this may not work.
Yes - from your error message it looks like you must be using an older `@pulumi/aws`. With the latest, the code above works.
c
Ah, I'll run `yarn` here and see.
Yep, error free now.
This way makes a lot more sense to me. Still not ideal, but it makes more sense.
w
For reference - this was improved with https://github.com/pulumi/pulumi-aws/pull/601 from @broad-dog-22463 recently.
c
Thanks so much for all of the help.