https://pulumi.com logo
#general
Title
# general
c

cool-egg-852

06/21/2019, 7:31 PM
Is there a better way to do:
Copy code
const awsIamPolicy = new aws.iam.Policy('rsin-provider', {
  name: `${config.environment}-rsin-provider`,
  description: 'Allow rsin-provider to connect to ElasticSearch',
  policy: JSON.stringify(pulumi.interpolate`{
      Version: '2012-10-17',
      Statement: [
        {
          Action: ['es:*'],
          Effect: 'Allow',
          Resource: "${elasticSearchDomain.arn}/*"
        },
        {
          Effect: 'Allow',
          Action: ['dynamodb:DescribeTable', 'dynamodb:Query', 'dynamodb:Scan'],
          Resource: ${clientsTable.arn}
        },
        {
          Effect: 'Allow',
          Action: ['dynamodb:DescribeTable', 'dynamodb:Query', 'dynamodb:Scan'],
          Resource: ${auditLogsTable.arn}
        },
        {
          Effect: 'Allow',
          Action: ['dynamodb:DescribeTable', 'dynamodb:Query', 'dynamodb:Scan'],
          Resource: ${linksTable.arn}
        },
        {
          Effect: 'Allow',
          Action: ['dynamodb:DescribeTable', 'dynamodb:Query', 'dynamodb:Scan'],
          Resource: ${notificationsTable.arn}
        },
        {
          Effect: 'Allow',
          Action: ['dynamodb:DescribeTable', 'dynamodb:Query', 'dynamodb:Scan'],
          Resource: ${usersTable.arn}
        }
      ]
    }`)
});
I really dislike having to do it this way (string template)
w

white-balloon-205

06/21/2019, 7:32 PM
I believe you can now do
policy: pulumi.output({ ... })
. That means it’s still mostly strongly typed.
As for even higher level things to help build up these policy documents - if you have thoughts on how you’d like to be able to write this - feel free to share in an issue on awsx repo. We’re thinking of doing some work around simplifying IAM further there soon.
b

broad-dog-22463

06/21/2019, 7:33 PM
You can also use the aws.iam.PolicyDocument AFAIR - right @white-balloon-205?
w

white-balloon-205

06/21/2019, 7:36 PM
Yes - the suggestion I shared above implicitly is checking that the
{ ... }
adheres to the
PolicyDocument
interface.
Because
policy: pulumi.Input<string | PolicyDocument>;
c

cool-egg-852

06/21/2019, 7:37 PM
Is this just a language issue, or does pulumi just need some work? Because the whole input/output thing always bites us. It’s my current #1 issue with pulumi
w

white-balloon-205

06/21/2019, 7:37 PM
So you can pass either a
string
(as @cool-egg-852 did originally) or a
PolicyDocument
which is a strongly typed object.
the whole input/output thing always bites us
We are continuing to do work to try to make this simpler in Pulumi. There are typically just a few common patterns that can be used to cover most cases, but we do want to find ways to remove more friction here.
c

cool-egg-852

06/21/2019, 7:40 PM
I must be doing something wrong. With PolicyDocument I can’t reference resources’ arns.
w

white-balloon-205

06/21/2019, 7:43 PM
Copy code
const awsIamPolicy = new aws.iam.Policy('rsin-provider', {
    name: `${config.environment}-rsin-provider`,
    description: 'Allow rsin-provider to connect to ElasticSearch',
    policy: pulumi.output({
        Version: '2012-10-17',
        Statement: [
          {
            Action: ['es:*'],
            Effect: 'Allow',
            Resource: pulumi.interpolate`${elasticSearchDomain.arn}/*`
          },
          {
            Effect: 'Allow',
            Action: ['dynamodb:DescribeTable', 'dynamodb:Query', 'dynamodb:Scan'],
            Resource: clientsTable.arn
          },
          {
            Effect: 'Allow',
            Action: ['dynamodb:DescribeTable', 'dynamodb:Query', 'dynamodb:Scan'],
            Resource: auditLogsTable.arn
          },
          {
            Effect: 'Allow',
            Action: ['dynamodb:DescribeTable', 'dynamodb:Query', 'dynamodb:Scan'],
            Resource: linksTable.arn
          },
          {
            Effect: 'Allow',
            Action: ['dynamodb:DescribeTable', 'dynamodb:Query', 'dynamodb:Scan'],
            Resource: notificationsTable.arn
          },
          {
            Effect: 'Allow',
            Action: ['dynamodb:DescribeTable', 'dynamodb:Query', 'dynamodb:Scan'],
            Resource: usersTable.arn
          }
        ]
      })
  });
c

cool-egg-852

06/21/2019, 7:43 PM
That doesn’t work unless WebStorm is stating an incorrect error
w

white-balloon-205

06/21/2019, 7:44 PM
Ahh - I do think this was improved recently - if you have an older
@pulumi/aws
- this may not work.
Yes - from your error message it looks like you must be using an older
@pulumi/aws
. With the latest - the code above works.
c

cool-egg-852

06/21/2019, 7:44 PM
Ah, I’ll run yarn here and see.
yep, error free now.
This way makes a lot more sense to me. Still not ideal, but it makes more sense.
w

white-balloon-205

06/21/2019, 7:45 PM
For reference - this was improved with https://github.com/pulumi/pulumi-aws/pull/601 from @broad-dog-22463 recently.
c

cool-egg-852

06/21/2019, 7:46 PM
Thanks so much for all of the help.