#general

rough-baker-21016

05/13/2020, 12:22 PM
I’d be very grateful for help in resolving both a bucket name AND a role arn in a BucketPolicy. My use case closely follows the example given here: https://www.pulumi.com/docs/aws/s3/ Except in the function `publicReadPolicyForBucket` I need access to both the name of the bucket which has just been created, AND the arn of a role that has just been created. Specifically, my policy needs to look like this (the difference from the example is the `Principal`, which in my case needs to interpolate the role, instead of just being `*`):
function publicReadPolicyForBucket(bucketName: string, roleName: string) {
    return JSON.stringify({
        Version: "2012-10-17",
        Statement: [{
            Effect: "Allow",
            Principal: "`${role.arn}`",
            Action: [
                "s3:GetObject"
            ],
            Resource: [
                `arn:aws:s3:::${bucketName}/*` // policy refers to bucket name explicitly
            ]
        }]
    });
}
The error message I get recommends using the `bucket.bucket.apply()` pattern, but I can’t see how this extends to allowing me to interpolate both the bucket name and the role

wonderful-dog-9045

05/13/2020, 12:28 PM
Basically you cannot generate the JSON at the point in time you call your function.
But you can create an output that generates the JSON.
const jsonOutput = unresolvedInputs.apply((resolvedInputs) => createJson(resolvedInputs))
from your snippet it's not clear which variables are outputs. if it is `role.arn` then it would be:

rough-baker-21016

05/13/2020, 12:33 PM
Yes - so role is created using `const role = new aws.iam.Role()`

wonderful-dog-9045

05/13/2020, 12:33 PM
policy = role.arn.apply(arn => JSON.stringify({ ... , Principal: arn }))

rough-baker-21016

05/13/2020, 12:34 PM
Right - thank you. But doesn’t that just flip the problem around - I now have the role, but how do I get the bucket into that? Do I need a nested `bucket.bucket.apply` within the `role.arn.apply`?

wonderful-dog-9045

05/13/2020, 12:35 PM
yes that would be one way to do it
but you can also resolve multiple outputs at once:
pulumi.output({ bucket, arn: role.arn }).apply(({ bucket, arn }) => ...);
👍 1

rough-baker-21016

05/13/2020, 12:37 PM
Amazing - thank you so much for your help - super appreciated

wonderful-dog-9045

05/13/2020, 12:38 PM
you're welcome 🙂
👍 1