# general
s
f
Can you share your current code 🙂
w
Here are the relevant sections - I created a generic `attach_policy` function to cut down on the boilerplate needed for this common pattern (which had no effect on the issue I'm having - it wasn't working before the refactor). Also, this is just one example. I have many other cases where I'm doing the same thing - trying to access the ARN of other resources in a policy document - and they all throw the same error. Thanks!
```python
import pulumi
from pulumi_aws import iam, kms, lambda_, kinesis, cloudwatch
from typing import List, Optional

# key_policy_doc, tags, firehose_role and aws_region are defined elsewhere in
# the program; only the relevant sections are shown here.
ds_key = kms.Key("ds_key",
    description="Kinesis Firehose Delivery Stream Key",
    policy=key_policy_doc.json,
    tags=tags
)

def attach_policy(
    *,
    role: iam.Role,
    name: str,
    description: str,
    path: str,
    depends_on: Optional[List] = None,
    statements: List
    ):
    """Create a managed policy from `statements` and attach it to `role`."""

    if depends_on:
        opts = pulumi.ResourceOptions(depends_on=depends_on)
    else:
        opts = pulumi.ResourceOptions()

    policy_doc = iam.get_policy_document(
        opts = opts,
        statements = statements
    )

    policy = iam.Policy(name,
        description=description,
        path=path,
        policy=policy_doc.json
    )

    policy_attachment = iam.RolePolicyAttachment(name + "Attach",
        policy_arn=policy.arn,
        role=role.id
    )

attach_policy(
    role = firehose_role,
    name = "firehosePolicy",
    description = "IAM policy for firehose",
    path = "/",
    depends_on=[ds_key],
    statements = [
    {
        "actions": [
            "kms:Decrypt",
            "kms:GenerateDataKey"
        ],
        # ds_key.arn is an Output, not a str, even after .apply(); passing it
        # here is what triggers the error discussed in this thread
        "resources": [ds_key.arn.apply(lambda arn: f'{arn}')],
        "condition": [{
            "test": "StringEquals",
            "values": [f"s3.{aws_region}.amazonaws.com"],
            "variable": "kms:ViaService"
        }]
    }]
)
```
I believe I've figured it out. Let me know if there's a better way to do this, but at least it's working now. Thanks.
```python
# Run the invoke inside apply so that ds_key_arn is a plain str by the time
# get_policy_document sees it (the invoke's inputs do not accept Outputs).
ds_key.arn.apply(lambda ds_key_arn: iam.get_policy_document(
        opts = pulumi.ResourceOptions(depends_on=[ds_key]),
        statements = [
        {
            "actions": [
                "kms:Decrypt",
                "kms:GenerateDataKey"
            ],
            "resources": [ds_key_arn],
            "condition": [{
                "test": "StringEquals",
                "values": [f"s3.{aws_region}.amazonaws.com"],
                "variable": "kms:ViaService"
            }]
        },
    ]
))
```
f
That’s actually what I would recommend! Apologies for not getting back to this sooner 🙂
The reason for this is the inputs there take strings and not outputs… in this case you need to wrap outside of that in an apply so that the value is a string.
w
Thanks for confirming