``` instance assume role policy = iam get policy document op Pulumi Community #python

``` instance_assume_role_policy = iam.get_polic...

witty-ice-69000

08/13/2020, 2:53 PM

Copy code

instance_assume_role_policy = iam.get_policy_document(
        opts=pulumi.ResourceOptions(depends_on=[user], provider=provider),
        statements=[
            {
                "actions": ["sts:AssumeRole"],
                "effect": "Allow",
                "principals": [
                    {"identifiers": [user.arn.apply(lambda arn: arn)], "type": "AWS"}
                ],
            },
        ],
    )

witty-ice-69000

08/13/2020, 6:55 PM

I've figured out that initially replacing the policy document with literal text (good or bad, doesn't matter). Run

pulumi up

and the user gets created and then pulumi fails. Then I can revert to acquiring the ARN of the user automatically and everything works. I thought that by declaring the "depends_on" parameters that the user ARN acquisition would work, but that doesn't seem to work. Is there a timing configuration, or something else that needs to be resolved?

Copy code

user = iam.User(
        "pulumi_user",
        name=construct_iam_resource_name("iam_deployment"),
        path=automata_iam_path,
        tags={"purpose": "Account used to perform Pulumi stack updates on CI/CD."},
    )

    user_arn = user.arn.apply(lambda arn: arn)

    instance_assume_role_policy = iam.get_policy_document(
        opts=pulumi.ResourceOptions(depends_on=[user]),
        statements=[
            {
                "actions": ["sts:AssumeRole"],
                "effect": "Allow",
                "principals": [{"identifiers": [user_arn], "type": "AWS"}],
            },
        ],
        version="2012-10-17",
    )

2 Views

Open in Slack

Previous Next