This message was deleted.
# generals
sparse-intern-71089
06/21/2019, 7:31 PMThis message was deleted.
c
cool-egg-852
06/21/2019, 7:32 PMI really dislike having to do it this way (string template)
w
white-balloon-205
06/21/2019, 7:32 PM
I believe you can now do
policy: pulumi.output({ ... })white-balloon-205
06/21/2019, 7:33 PM
As for even higher level things to help build up these policy documents - if you have thoughts on how you’d like to be able to write this - feel free to share in an issue on awsx repo. We’re thinking of doing some work around simplifying IAM further there soon.
b
broad-dog-22463
06/21/2019, 7:33 PMYou can also use the aws.iam.PolicyDocument AFAIR - right @white-balloon-205?
broad-dog-22463
06/21/2019, 7:34 PMw
white-balloon-205
06/21/2019, 7:36 PM
Yes - the suggestion I shared above implicitly is checking that the
{ ... }PolicyDocumentwhite-balloon-205
06/21/2019, 7:36 PM
Because
policy: pulumi.Input<string | PolicyDocument>;c
cool-egg-852
06/21/2019, 7:37 PMIs this just a language issue, or does pulumi just need some work? Because the whole input/output thing always bites us. It’s my current #1 issue with pulumi
w
white-balloon-205
06/21/2019, 7:37 PM
So you can pass either a
stringPolicyDocumentwhite-balloon-205
06/21/2019, 7:40 PM
the whole input/output thing always bites usWe are continuing to do work to try to make this simpler in Pulumi. There are typically just a few common patterns that can be used to cover most cases, but we do want to find ways to remove more friction here.
c
cool-egg-852
06/21/2019, 7:40 PMI must be doing something wrong. With PolicyDocument I can’t reference resources’ arns.
w
white-balloon-205
06/21/2019, 7:43 PM
Copy code
const awsIamPolicy = new aws.iam.Policy('rsin-provider', {
name: `${config.environment}-rsin-provider`,
description: 'Allow rsin-provider to connect to ElasticSearch',
policy: pulumi.output({
Version: '2012-10-17',
Statement: [
{
Action: ['es:*'],
Effect: 'Allow',
Resource: pulumi.interpolate`${elasticSearchDomain.arn}/*`
},
{
Effect: 'Allow',
Action: ['dynamodb:DescribeTable', 'dynamodb:Query', 'dynamodb:Scan'],
Resource: clientsTable.arn
},
{
Effect: 'Allow',
Action: ['dynamodb:DescribeTable', 'dynamodb:Query', 'dynamodb:Scan'],
Resource: auditLogsTable.arn
},
{
Effect: 'Allow',
Action: ['dynamodb:DescribeTable', 'dynamodb:Query', 'dynamodb:Scan'],
Resource: linksTable.arn
},
{
Effect: 'Allow',
Action: ['dynamodb:DescribeTable', 'dynamodb:Query', 'dynamodb:Scan'],
Resource: notificationsTable.arn
},
{
Effect: 'Allow',
Action: ['dynamodb:DescribeTable', 'dynamodb:Query', 'dynamodb:Scan'],
Resource: usersTable.arn
}
]
})
});c
cool-egg-852
06/21/2019, 7:43 PMThat doesn’t work unless WebStorm is stating an incorrect error
w
white-balloon-205
06/21/2019, 7:44 PM
Ahh - I do think this was improved recently - if you have an older
@pulumi/awswhite-balloon-205
06/21/2019, 7:44 PM
Yes - from your error message it looks like you must be using an older
@pulumi/awsc
cool-egg-852
06/21/2019, 7:44 PMAh, I’ll run yarn here and see.
cool-egg-852
06/21/2019, 7:45 PMyep, error free now.
cool-egg-852
06/21/2019, 7:45 PMThis way makes a lot more sense to me. Still not ideal, but it makes more sense.
w
white-balloon-205
06/21/2019, 7:45 PM
For reference - this was improved with https://github.com/pulumi/pulumi-aws/pull/601 from @broad-dog-22463 recently.
c
cool-egg-852
06/21/2019, 7:46 PMThanks so much for all of the help.
4 Views