wide-journalist-154
05/27/2020, 3:22 PM
pulumi up
I get this error:
Exception: invocation of aws:iam/getPolicyDocument:getPolicyDocument returned an error: grpc: error while marshaling: proto: repeated field Values has nil element
This is the code from a policy_document that is causing the error:
"resources": [ds_key.arn.apply(lambda arn: f'{arn}')]
I've tried adding the depends_on option to the policy_document resource, but it didn't help.
opts=pulumi.ResourceOptions(depends_on=[ds_key])
This is one of several places in my pulumi code where I need to access the arn of another resource to create a policy_document. I used the apply function as shown in this code for the key, and added the depends_on option, but I haven't been able to get any of them to work. I've resorted to "build" functions that create arns from resource names - a hack I'd like to get rid of and not something that works in the case of keys.
Any instructions/suggestions or sample python code you can share would be much appreciated - thanks!

future-barista-68134
05/27/2020, 8:20 PM

wide-journalist-154
05/27/2020, 10:12 PM
attach_policy function to cut down on the boilerplate needed for this common pattern (which had no effect on the issue I'm having - it wasn't working before the refactor).
Also, this is just one example. I have many other cases where I'm doing the same thing - trying to access the arn of other resources in a policy document - and they all throw the same error.
Thanks!
import pulumi
from pulumi_aws import iam, kms, lambda_, kinesis, cloudwatch
from typing import List, Dict

ds_key = kms.Key("ds_key",
    description="Kinesis Firehose Delivery Stream Key",
    policy=key_policy_doc.json,
    tags=tags
)

def attach_policy(
    *,
    role: iam.Role,
    name: str,
    description: str,
    path: str,
    depends_on: List = None,
    statements: List
):
    if depends_on:
        opts = pulumi.ResourceOptions(depends_on=depends_on)
    else:
        opts = pulumi.ResourceOptions()
    policy_doc = iam.get_policy_document(
        opts=opts,
        statements=statements
    )
    policy = iam.Policy(name,
        description=description,
        path=path,
        policy=policy_doc.json
    )
    policy_attachment = iam.RolePolicyAttachment(name + "Attach",
        policy_arn=policy.arn,
        role=role.id
    )

attach_policy(
    role=firehose_role,
    name="firehosePolicy",
    description="IAM policy for firehose",
    path="/",
    depends_on=[ds_key],
    statements=[
        {
            "actions": [
                "kms:Decrypt",
                "kms:GenerateDataKey"
            ],
            "resources": [ds_key.arn.apply(lambda arn: f'{arn}')],
            "condition": [{
                "test": "StringEquals",
                "values": [f"s3.{aws_region}.amazonaws.com"],
                "variable": "kms:ViaService"
            }]
        }]
)

ds_key.arn.apply(lambda ds_key_arn: iam.get_policy_document(
    opts=pulumi.ResourceOptions(depends_on=[ds_key]),
    statements=[
        {
            "actions": [
                "kms:Decrypt",
                "kms:GenerateDataKey"
            ],
            "resources": [ds_key_arn],
            "condition": [{
                "test": "StringEquals",
                "values": [f"s3.{aws_region}.amazonaws.com"],
                "variable": "kms:ViaService"
            }]
        },

future-barista-68134
05/28/2020, 6:34 PM

wide-journalist-154
05/28/2020, 7:00 PM