Question here trying to use a get function to retrieve AWS ARN by name for an array of names to then be used in creating a policy document, but i am getting hung up on the pulumi output string type to string along with the callbacks not seemingly working effectively in the policydocument. Snippet of code that I am using here

import * as pulumi from '@pulumi/pulumi';
import * as aws from '@pulumi/aws';
pulumi.getStack;

const sopsUsers = ['Role1', 'Role2', 'Admins'];

const getsopsUsersArns = sopsUsers.map(r => {
  const role: pulumi.Output<
    pulumi.UnwrappedObject<aws.iam.GetRoleResult>
  > = pulumi.output(
    aws.iam.getRole({
      name: r
    })
  );
  return role;
});

export const sopsUsersArns = getsopsUsersArns.map(i => i.apply(a => a.arn));
const keyPolicyDocument = pulumi.output(
  aws.iam.getPolicyDocument({
    statements: [
      {
        sid: 'Allow attachment of persistent resources',
        effect: 'Allow',
        principals: [
          {
            type: 'AWS',
            identifiers: getsopsUsersArns.map(i => i.apply(a => a.arn))
          }
        ],
        actions: ['kms:CreateGrant', 'kms:ListGrants', 'kms:RevokeGrant'],
        resources: ['*'],
        conditions: [
          {
            test: 'Bool',
            variable: 'kms:GrantIsForAWSResource',
            values: ['true']
          }
        ]
      }
    ]
  })
);

const key = new aws.kms.Key('sopsKey',
  {
    policy: keyPolicyDocument.json
  }
);

const alias = new aws.kms.Alias('alias/sopsKey',
  {
    targetKeyId: key.keyId
  }
);

export const kmsKeyName = alias.name;

@cuddly-barista-79466 did you get anywhere with this? I’m having the same problem