https://pulumi.com logo
p

plain-businessperson-30883

06/19/2019, 3:19 PM
I tried, but the apply still returns an Output.
w

white-balloon-205

06/19/2019, 3:20 PM
That’s right. And you can use that output as the input to another resource.
In this case you are computing a value that cannot be known until your original outputs value is known, and which is dependent on the things that your original output is dependent on - so that resulting value must itself be an output.
p

plain-businessperson-30883

06/19/2019, 3:22 PM
Should the
aws.iam.getPolicyDocument
expect and
Output<string>
and resolve it later then? This is where I’m having the issue:
Copy code
const iamExecutionPolicy = new aws.iam.Policy('foo', {
  policy: pulumi.output(
    aws.iam.getPolicyDocument({
      statements: [
        {
          effect: 'Allow',
          actions: ['ssm:GetParameters', 'kms:Decrypt'],
          resources: [
            key.arn.apply(a => a),
          ],
        },
      ],
    }),
  ).json,
});
If I replace the
key.arn.apply(a => a)
with a string, it works fine.
w

white-balloon-205

06/19/2019, 3:27 PM
It should be
policy: key.arn.apply(a => aws.iam.getPolicyDocument(...))
.
p

plain-businessperson-30883

06/19/2019, 3:41 PM
Yep, I just found that in here, before I saw you message: https://github.com/pulumi/pulumi/issues/1911
If I had two arns to reference, it would “surround” the other one?
Copy code
policy: anotherKey.arn.apply(anotherArn =>
    key.arn.apply(keyArn =>
        aws.iam.getPolicyDocument({
Is it correct or is there a better approach to this?
w

white-balloon-205

06/19/2019, 4:46 PM
If you have more than one output to reference - you can use `pulumi.all`: https://pulumi.io/reference/programming-model/#all
BTW - not to complicate things more here - but why are you using
getPolicyDocument
here? That function is nearly never needed in Pulumi, since its goal is just to create a JSON document, and Pulumi/TypeScript can just do that directly. Here's a more direct way to accomplish this:
Copy code
const key = new aws.kms.Key("key");

const iamExecutionPolicy = new aws.iam.Policy('foo', {
    policy: pulumi.output({
        Version: '2008-10-17',
        Statement: [
            {
                Effect: 'Allow',
                Action: ['ssm:GetParameters', 'kms:Decrypt'],
                Resource: [ key.arn ],
            },
        ],
    }),
});
(this has the other slight benefit of using the real names of the JSON fields for an IAM policy document - instead of the slight differences the Terraform-derived
getPolicyDocument
made up)
p

plain-businessperson-30883

06/19/2019, 5:32 PM
It seemed like a good option due to the typing in the policy document.
I think we may switch to your example then, seems way more simple.
@white-balloon-205 this example you sent does not work for me. I get this:
Type 'UnwrappedObject<{ Version: string; Statement: { Effect: string; Action: string[]; Resource: string[]; }[]; }>' is not assignable to type 'string'.
Adding
any
here made the trick:
policy: pulumi.output<any>({
🙂