
salmon-ghost-86211

09/29/2020, 9:34 PM
Having trouble creating an EFS Policy. Getting this error:
error: aws:efs/fileSystemPolicy:FileSystemPolicy resource 'policy' has a problem: "policy" contains an invalid JSON: invalid character '\n' in string literal
I have copied the example exactly from here <https://www.pulumi.com/docs/reference/pkg/nodejs/pulumi/aws/efs/#FileSystemPolicy> except for fixing the invalid reference aws_efs_file_system.test.arn. I also converted the leading spaces in the policy string to tabs in case that made a difference. It didn't.
pulumi: v2.10.2
pulumi aws plugin: 3.5.0
node: v12.* (tried several versions to see if that mattered)
Any ideas?

little-cartoon-10569

09/29/2020, 9:44 PM
You're using backticks around the policy string, like in the example? You'd see that error message if you accidentally changed them to quotes...

salmon-ghost-86211

09/29/2020, 9:45 PM
Good call but it's an exact copy/paste as well as just verifying that they are still backticks.

little-cartoon-10569

09/29/2020, 9:46 PM
How did you fix the arn reference? What does the Resource property look like now?

salmon-ghost-86211

09/29/2020, 9:47 PM
"Resource": "${fs.arn}",
I wish the policy would allow either a PolicyDocument or a string, but it only allows string. I like how IAM policies allow a PolicyDocument. (<https://www.pulumi.com/docs/reference/pkg/nodejs/pulumi/aws/iam/#PolicyArgs-policy>)
👍 1

broad-dog-22463

09/29/2020, 9:53 PM
If EFS Filesystem accepts an IAM policy as specified by PolicyDocument, feel free to open an issue on Pulumi-aws to ask for the ability to pass a PolicyDocument as well as a string.

little-cartoon-10569

09/29/2020, 9:53 PM
Hmm, all looks good. Odd example though, seeing as there's a perfectly good DSL for constructing policies. No need to use a template like that...
// Build the policy document with the IAM DSL instead of a template string
const policy = pulumi.output(aws.iam.getPolicyDocument({
    statements: [{
        actions: ["elasticfilesystem:ClientMount", "elasticfilesystem:ClientWrite"],
        principals: [{
            identifiers: ["*"],
            type: "AWS",
        }],
        conditions: [{
            test: "Bool",
            variable: "aws:secureTransport",
            // condition values are strings
            values: ["true"],
        }],
    }],
}));
https://www.pulumi.com/docs/reference/pkg/aws/iam/getpolicydocument/
(Syntax unchecked, just typed from the spec)

salmon-ghost-86211

09/29/2020, 9:55 PM
I think efs policies are different than iam policies. Did the above example work? I can try now too.

little-cartoon-10569

09/29/2020, 9:55 PM
No idea, I just typed from the spec 🙂 The properties are all the same though...
You can get the json text from the doc, using then(). See the bottom of the first example on that page.

salmon-ghost-86211

09/29/2020, 9:57 PM
That's actually going to create an IAM policy. EFS policies are definitely not accessible from the IAM side. Also can't apply an IAM policy in place of an EFS policy as far as I can see.

little-cartoon-10569

09/29/2020, 9:58 PM
The stuff I wrote created a policy doc, not a policy. If the json is compatible, it should still work.

salmon-ghost-86211

09/29/2020, 9:58 PM
Ooh. I see that now.

little-cartoon-10569

09/29/2020, 10:00 PM
Those policy docs are used in lots of places, it would be "better" in some ways if they were removed from IAM. But backwards compatibility, eh?

salmon-ghost-86211

09/29/2020, 10:02 PM
indeed
@little-cartoon-10569 Thanks for your help. pulumi seems to be happy with that. For anyone looking in the future, here's a working example that should replace the original FileSystemPolicy example referenced in the original question.
import * as pulumi from "@pulumi/pulumi";
import * as aws from "@pulumi/aws";

const fs = new aws.efs.FileSystem("fs", {});

const iamPolicyDoc = aws.iam.getPolicyDocument({
	statements: [{
		actions: ["elasticfilesystem:ClientMount", "elasticfilesystem:ClientWrite"],
		principals: [{
			identifiers: ["*"],
			type: "AWS",
		}],
		conditions: [{
			test: "Bool",
			variable: "aws:secureTransport",
			values: ["true"],
		}],
	}]
});

const policy = new aws.efs.FileSystemPolicy("policy", {
    fileSystemId: fs.id,
    policy: iamPolicyDoc.then(doc => doc.json)
});
BTW I did not wrap the getPolicyDocument statement in pulumi.output.
👍 1

little-cartoon-10569

09/30/2020, 12:19 AM
Yes, the .then() does the same thing as output() would have. More easily unit-testable, too.