Channels
announcements
automation-api
aws
azure
blog-posts
built-with-pulumi
cloudengineering
cloudengineering-support
content-share
contribex
contribute
docs
dotnet
finops
general
getting-started
gitlab
golang
google-cloud
hackathon-03-19-2020
hacktoberfest
install
java
jobs
kubernetes
learn-pulumi-events
linen
localstack
multi-language-hackathon
office-hours
oracle-cloud-infrastructure
package-authoring
pulumi-ai
pulumi-cdk
pulumi-cloud
pulumi-crosscode
pulumi-deployments
pulumi-kubernetes-operator
pulumiverse
python
registry
status
testingtesting123
testingtesting321
typescript
welcome
workshops
yaml
Title
s
salmon-ghost-86211
09/29/2020, 9:34 PMHaving trouble creating an EFS Policy. Getting this error
error: aws:efs/fileSystemPolicy:FileSystemPolicy resource 'policy' has a problem: "policy" contains an invalid JSON: invalid character '\n' in string literal<https://www.pulumi.com/docs/reference/pkg/nodejs/pulumi/aws/efs/#FileSystemPolicy>aws_efs_file_system.test.arnl
little-cartoon-10569
09/29/2020, 9:44 PMYou're using backticks around the policy string, like in the example? You'd see that error message if you accidentally changed them to quotes...
s
salmon-ghost-86211
09/29/2020, 9:45 PMGood call but it's an exact copy/paste as well as just verifying that they are still backticks.
l
little-cartoon-10569
09/29/2020, 9:46 PMHow did you fix the arn reference? What does the Resource property look like now?
s
salmon-ghost-86211
09/29/2020, 9:47 PM"Resource": "${fs.arn}",I wish the policy would allow either a PolicyDocument or a string, but it only allows
string<https://www.pulumi.com/docs/reference/pkg/nodejs/pulumi/aws/iam/#PolicyArgs-policy>👍 1
b
broad-dog-22463
09/29/2020, 9:53 PMIf EFs Filesystem accepts an IAM policy as specified by PolicyDocument, feel free to open an issue on Pulumi-aws to ask for the ability to Pass a PolicyDocument as well as a string
l
little-cartoon-10569
09/29/2020, 9:53 PMHmm, all looks good. Odd example though, seeing as there's a oerfectly good DSL for constructing policies. No need to use a template like that...
onst policy = pulumi.output(aws.iam.getPolicyDocument({
statements: [{
actions: ["elasticfilesystem:ClientMount", "elasticfilesystem:ClientWrite"],
principals: [{
identifiers: ["*"],
type: "AWS",
}],
conditions: [{
test: "Bool",
variable: "aws:secureTransport",
values: [true],
}],
})
);(Syntax unchecked, just typed from the spec)
s
salmon-ghost-86211
09/29/2020, 9:55 PMI think
efsiaml
little-cartoon-10569
09/29/2020, 9:55 PMNo idea, I just typed from the spec 🙂 The properties are all the same though...
You can get the json text from the doc, using
then()s
salmon-ghost-86211
09/29/2020, 9:57 PMThat's actually going to create an IAM policy. EFS policies are definitely not accessible from the IAM side. Also can't apply an IAM policy in place of an EFS policy as far as I can see.
l
little-cartoon-10569
09/29/2020, 9:58 PMThe stuff I wrote created a policy doc, not a policy. If the json is compatible, it should still work.
s
salmon-ghost-86211
09/29/2020, 9:58 PMOoh. I see that now.
l
little-cartoon-10569
09/29/2020, 10:00 PMThose policy docs are used in lots of places, it would be "better" in some ways if they were removed from IAM. But backwards compatibility, eh?
s
salmon-ghost-86211
09/29/2020, 10:02 PMindeed
@little-cartoon-10569 Thanks for your help.
pulumiFileSystemPolicyimport * as pulumi from "@pulumi/pulumi";
import * as aws from "@pulumi/aws";
const fs = new aws.efs.FileSystem("fs", {});
const iamPolicyDoc = aws.iam.getPolicyDocument({
statements: [{
actions: ["elasticfilesystem:ClientMount", "elasticfilesystem:ClientWrite"],
principals: [{
identifiers: ["*"],
type: "AWS",
}],
conditions: [{
test: "Bool",
variable: "aws:secureTransport",
values: ["true"],
}],
}]
});
const policy = new aws.efs.FileSystemPolicy("policy", {
fileSystemId: fs.id,
policy: iamPolicyDoc.then(doc => doc.json)
});getPolicyDocumentpulumi.output👍 1
l
little-cartoon-10569
09/30/2020, 12:19 AMYes, the
.then()output()