When I run `pulumi up` I get this error: `Excepti...
# general
w
When I run `pulumi up` I get this error:
`Exception: invocation of aws:iam/getPolicyDocument:getPolicyDocument returned an error: grpc: error while marshaling: proto: repeated field Values has nil element`
This is the code from a `policy_document` that is causing the error:
`"resources": [ds_key.arn.apply(lambda arn: f'{arn}')]`
I've tried adding the `depends_on` option to the `policy_document` resource, but it didn't help.
`opts=pulumi.ResourceOptions(depends_on=[ds_key])`
This is one of several places in my pulumi code where I need to access the `arn` of another resource to create a `policy_document`. I used the `apply` function as shown in this code for the key, and added the `depends_on` option, but I haven't been able to get any of them to work. I've resorted to "build" functions that create `arns` from resource names - a hack I'd like to get rid of and not something that works in the case of keys. Any instructions/suggestions or sample python code you can share would be much appreciated - thanks!
f
Can you share your current code 🙂
w
Here are the relevant sections - I created a generic `attach_policy` function to cut down on the boilerplate needed for this common pattern (which had no effect on the issue I'm having - it wasn't working before the refactor). Also, this is just one example. I have many other cases where I'm doing the same thing - trying to access the arn of other resources in a policy document - and they all throw the same error. Thanks!
```python
import pulumi
from pulumi_aws import iam, kms, lambda_, kinesis, cloudwatch
from typing import List, Dict

# key_policy_doc, tags, firehose_role and aws_region are not shown in this excerpt.
ds_key = kms.Key("ds_key",
    description="Kinesis Firehose Delivery Stream Key",
    policy=key_policy_doc.json,
    tags=tags
)

def attach_policy(
    *,
    role: iam.Role,
    name: str,
    description: str,
    path: str,
    depends_on: List = None,
    statements: List
    ):

    if depends_on:
        opts = pulumi.ResourceOptions(depends_on=depends_on)
    else:
        opts = pulumi.ResourceOptions()

    # get_policy_document is an invoke: its statements are sent as plain values.
    policy_doc = iam.get_policy_document(
        opts = opts,
        statements = statements
    )

    policy = iam.Policy(name,
        description=description,
        path=path,
        policy=policy_doc.json
    )

    policy_attachment = iam.RolePolicyAttachment(name + "Attach",
        policy_arn=policy.arn,
        role=role.id
    )

attach_policy(
    role = firehose_role,
    name = "firehosePolicy",
    description = "IAM policy for firehose",
    path = "/",
    depends_on=[ds_key],
    statements = [
    {
        "actions": [
            "kms:Decrypt",
            "kms:GenerateDataKey"
        ],
        # This is the line that triggers the error: apply() returns an Output, not a str.
        "resources": [ds_key.arn.apply(lambda arn: f'{arn}')],
        "condition": [{
            "test": "StringEquals",
            "values": [f"s3.{aws_region}.amazonaws.com"],
            "variable": "kms:ViaService"
        }]
    }]
)
```
I believe I've figured it out. Let me know if there's a better way to do this, but at least it's working now. Thanks.
```python
# The whole get_policy_document call now runs inside apply(),
# so ds_key_arn is a plain string when the statements are built.
ds_key.arn.apply(lambda ds_key_arn: iam.get_policy_document(
        opts = pulumi.ResourceOptions(depends_on=[ds_key]),
        statements = [
        {
            "actions": [
                "kms:Decrypt",
                "kms:GenerateDataKey"
            ],
            "resources": [ds_key_arn],
            "condition": [{
                "test": "StringEquals",
                "values": [f"s3.{aws_region}.amazonaws.com"],
                "variable": "kms:ViaService"
            }]
        },
        # (the posted snippet ends here; closing brackets added)
        ]
))
```
f
That’s actually what I would recommend! Apologies for not getting back to this sooner 🙂
The reason for this is the inputs there take strings and not outputs… in this case you need to wrap outside of that in an apply so that the value is a string.
w
Thanks for confirming