This message was deleted.
# general
s
This message was deleted.
k
and then, the result of that apply is another
Output<string>
so the only way to pass it as a string is inside an apply block, e.g.
Copy code
const s3_glue_access_policy_doc = pulumi
  .all([json_load_bucket.id, glue_scripts_bucket.id])
  .apply(([json_load_bucket_id, glue_scripts_bucket_id]) =>
    // S3 json load allow glue access
    pulumi.output(
      aws.iam.getPolicyDocument({
        version: "2012-10-17",
        statements: [
          {
            actions: ["s3:*"],
            resources: [
              `arn:aws:s3:::${json_load_bucket_id}`,
              `arn:aws:s3:::${json_load_bucket_id}/*`,
              `arn:aws:s3:::${glue_scripts_bucket_id}`,
              `arn:aws:s3:::${glue_scripts_bucket_id}/*`,
            ],
          },
        ],
      })
    )
  );
And, if that is the case, why don't array parameters accept string[] | Output<string>[]
l
You can pulumi.interpolate`${val}`.
g
It accepts Input The interpolation that needs to be tagged to work with outputs
l
It looks like you're doing all this during
pulumi up
? You can use
Output.get()
to get values from an Output during
up
.
k
I can't use interpolate as it returns Output<string>
Output.get() looks like a winner though 🙂
or not
looks like it's only available after, not during up?
l
Ah. Um. Yes.
I don't think I understand your problem properly. Are you trying to use the ID of a bucket to create more resources, and you are trying to get that ID by applying?
k
i have to use the id of the bucket to restrict access by passing it interpolated to the
resources string[]
, the code I posted above does work, but it is unwieldy to have to do pulumi.all().apply(...) instead of just interpolating the values which I could do if
resources
was
resources: string[] | Output<string>[]
I've read through that section, multiple times 🙂
I think my interpretation is correct and the only way is to ..all.apply.., so then the question becomes why don't resources accept
string[] | Output<string>[]
instead of just
string[]
, this is quite possibly a typescript Co/Contra variance thing which I haven't looked at in depth
there's a lot of language magic in pulumi, way over my level 😄
e.g., I don't even know why you can (have to) call pulumi.interpolate without
(
magic 😄
g
But the code you posted does not create any resource. It gets an external (to Pulumi) Document Policy (it calls an API outside of the deploy graph lifecycle). And indeed you can't have unknown values to get external resources. Output values are not guaranteed to have values during deploy time, but the function can't just not return. So indeed, to get that you need an apply
k
ah, sorry, my mistake, I then use the
.json
to pass to create
policy
Copy code
const s3_glue_access_policy = new aws.iam.RolePolicy("s3_glue_access_policy", {
  namePrefix: `${namePrefixLower}-s3-glue-access-policy`,
  role: glue_role,
  policy: s3_glue_access_policy_doc.json,
});
l
This is interesting to me.. I have done all this in Terraform, and plan to migrate my tf code to Pulumi whenever someone magics up some times for me to do that. I just had a look into the .js files, saw something interesting in the docs, and located it in the API docs. Does this section do what you're trying to do? https://www.pulumi.com/docs/reference/pkg/aws/s3/bucket/#using-replication-configuration
That's a pretty involved example. There's a simpler version, probably too simple, just a bit lower down: https://www.pulumi.com/docs/reference/pkg/aws/s3/bucket/#using-acl-policy-grants
k
sorry, I can't see anything in that doc, might be me 🙂
g
Now the "magic" of pulumi.interpolate It is just a normal function, but it is used as a template tag. It is a JS syntax to allow custom templating, in the case of Pulumi interpolation of outputs into a new output Check here under "Tagged templates": https://developer.mozilla.org/en-US/docs/Web/JavaScript/Reference/Template_literals
🙂 1
k
I have created the bucket, that's no problem
thanks @green-school-95910, TIL 🙂
g
Yeah, removing the external get no apply is needed
k
ah, yes, I see
that makes sense, but then removes the strong typing of the policy
I prefer to have it validated at compile time 🙂
g
Main difference here is that external and managed resources on terraform look the same and they do a few deep sorcery tricks to put them all in the same graph while still updating the external resources on every apply Pulumi keeps these two separated. A get is only made with readily available data, so to get external data based on a managed resource you need to do an apply.
By apply in terraform I mean the command, the equivalent to
pulumi up
Output does a deep type unfolding, I'm not sure if Input is also deep, but I think it isn't. But can be relatively easily done with some typing mathmagics to have a function taking those objects allowing outputs statically checked and returning what you want
k
ah, I see, so that is why
getPolicyDocument
has to have
resources: string[]
and not
resources: string[] | Output<string>[]
is that correct?
g
Yes, the
get...
methods are not bound to Pulumi resource graph, they are refreshed every time. To make them run after a particular resource you need apply. Treat them as any normal function in your code. If you make a function that save a string to a file and run it at the root of you code it will execute even during the preview phase. But if you want to save a resource output to a file you need to apply the output to that function and it will only run if and when that output has data
k
thanks, that makes perfect sense
152 Views