# typescript
s
Having trouble creating an EFS Policy. Getting this error
error: aws:efs/fileSystemPolicy:FileSystemPolicy resource 'policy' has a problem: "policy" contains an invalid JSON: invalid character '\n' in string literal
I have copied the example exactly from here <https://www.pulumi.com/docs/reference/pkg/nodejs/pulumi/aws/efs/#FileSystemPolicy> except for fixing the invalid reference aws_efs_file_system.test.arn. I also converted the leading spaces in the policy string to tabs in case that made a difference. It didn't. pulumi: v2.10.2, pulumi aws plugin: 3.5.0, node: v12.* (tried several versions to see if that mattered). Any ideas?
l
You're using backticks around the policy string, like in the example? You'd see that error message if you accidentally changed them to quotes...
s
Good call but it's an exact copy/paste as well as just verifying that they are still backticks.
l
How did you fix the arn reference? What does the Resource property look like now?
s
"Resource": "${fs.arn}",
I wish the policy would allow either a PolicyDocument or a string, but it only allows string. I like how IAM policies allow a PolicyDocument. (<https://www.pulumi.com/docs/reference/pkg/nodejs/pulumi/aws/iam/#PolicyArgs-policy>)
👍 1
b
If EFS FileSystem accepts an IAM policy as specified by PolicyDocument, feel free to open an issue on Pulumi-aws to ask for the ability to pass a PolicyDocument as well as a string.
l
Hmm, all looks good. Odd example though, seeing as there's a perfectly good DSL for constructing policies. No need to use a template like that...
import * as pulumi from "@pulumi/pulumi";
import * as aws from "@pulumi/aws";

// Build the policy document with the getPolicyDocument data source
// and wrap the returned Promise as a Pulumi Output.
const policy = pulumi.output(aws.iam.getPolicyDocument({
    statements: [{
        actions: ["elasticfilesystem:ClientMount", "elasticfilesystem:ClientWrite"],
        principals: [{
            identifiers: ["*"],
            type: "AWS",
        }],
        conditions: [{
            test: "Bool",
            variable: "aws:secureTransport",
            values: ["true"], // condition values are strings in the spec
        }],
    }],
}));
https://www.pulumi.com/docs/reference/pkg/aws/iam/getpolicydocument/
(Syntax unchecked, just typed from the spec)
s
I think efs policies are different than iam policies. Did the above example work? I can try now too.
l
No idea, I just typed from the spec 🙂 The properties are all the same though...
You can get the json text from the doc, using then(). See the bottom of the first example on that page.
s
That's actually going to create an IAM policy. EFS policies are definitely not accessible from the IAM side. Also can't apply an IAM policy in place of an EFS policy as far as I can see.
l
The stuff I wrote created a policy doc, not a policy. If the json is compatible, it should still work.
s
Ooh. I see that now.
l
Those policy docs are used in lots of places, it would be "better" in some ways if they were removed from IAM. But backwards compatibility, eh?
s
indeed
@little-cartoon-10569 Thanks for your help. pulumi seems to be happy with that. For anyone looking in the future, here's a working example that should replace the original FileSystemPolicy example referenced in the original question.
import * as pulumi from "@pulumi/pulumi";
import * as aws from "@pulumi/aws";

const fs = new aws.efs.FileSystem("fs", {});

// Policy document built with the IAM policy-document DSL; EFS accepts the same JSON.
const iamPolicyDoc = aws.iam.getPolicyDocument({
    statements: [{
        actions: ["elasticfilesystem:ClientMount", "elasticfilesystem:ClientWrite"],
        principals: [{
            identifiers: ["*"],
            type: "AWS",
        }],
        conditions: [{
            test: "Bool",
            variable: "aws:secureTransport",
            values: ["true"],
        }],
    }],
});

// The FileSystemPolicy takes the rendered JSON string via the Promise.
const policy = new aws.efs.FileSystemPolicy("policy", {
    fileSystemId: fs.id,
    policy: iamPolicyDoc.then(doc => doc.json),
});
BTW I did not wrap the getPolicyDocument statement in pulumi.output.
👍 1
l
Yes, the .then() does the same thing as output() would have. More easily unit-testable, too.