https://pulumi.com logo
Join Slack
Powered by
This message was deleted.
# typescript
s
This message was deleted.
l
You're using backticks around the policy string, like in the example? You'd see that error message if you accidentally changed them to quotes...
s
Good call but it's an exact copy/paste as well as just verifying that they are still backticks.
l
How did you fix the arn reference? What does the Resource property look like now?
s
Copy code
"Resource": "${fs.arn}",
I wish the policy would allow either a PolicyDocument or a string, but it only allows 
string
. I like how IAM policies allow a PolicyDocument. (
<https://www.pulumi.com/docs/reference/pkg/nodejs/pulumi/aws/iam/#PolicyArgs-policy>
)
👍 1
b
If EFs Filesystem accepts an IAM policy as specified by PolicyDocument, feel free to open an issue on Pulumi-aws to ask for the ability to Pass a PolicyDocument as well as a string
l
Hmm, all looks good. Odd example though, seeing as there's a oerfectly good DSL for constructing policies. No need to use a template like that...
Copy code
onst policy = pulumi.output(aws.iam.getPolicyDocument({
      statements: [{
        actions: ["elasticfilesystem:ClientMount", "elasticfilesystem:ClientWrite"],
        principals: [{
          identifiers: ["*"],
          type: "AWS",
        }],
       conditions: [{
         test: "Bool",
         variable: "aws:secureTransport",
         values: [true],
      
      }],
    })
    );
https://www.pulumi.com/docs/reference/pkg/aws/iam/getpolicydocument/
(Syntax unchecked, just typed from the spec)
s
I think 
efs
policies are different than 
iam
policies. Did the above example work? I can try now too.
l
No idea, I just typed from the spec 🙂 The properties are all the same though...
You can get the json text from the doc, using 
then()
. See the bottom of the first example on that page.
s
That's actually going to create an IAM policy. EFS policies are definitely not accessible from the IAM side. Also can't apply an IAM policy in place of an EFS policy as far as I can see.
l
The stuff I wrote created a policy doc, not a policy. If the json is compatible, it should still work.
s
Ooh. I see that now.
l
Those policy docs are used in lots of places, it would be "better" in some ways if they were removed from IAM. But backwards compatibility, eh?
s
indeed
@little-cartoon-10569 Thanks for your help. 
pulumi
seems to happy with that. For anyone looking in the future, here's a working example that should replace the original 
FileSystemPolicy
example referenced in the original question.
Copy code
import * as pulumi from "@pulumi/pulumi";
import * as aws from "@pulumi/aws";

const fs = new aws.efs.FileSystem("fs", {});

const iamPolicyDoc = aws.iam.getPolicyDocument({
	statements: [{
		actions: ["elasticfilesystem:ClientMount", "elasticfilesystem:ClientWrite"],
		principals: [{
			identifiers: ["*"],
			type: "AWS",
		}],
		conditions: [{
			test: "Bool",
			variable: "aws:secureTransport",
			values: ["true"],
		}],
	}]
});

const policy = new aws.efs.FileSystemPolicy("policy", {
    fileSystemId: fs.id,
    policy: iamPolicyDoc.then(doc => doc.json)
});
BTW I did not wrap the 
getPolicyDocument
statement in 
pulumi.output
.
👍 1
l
Yes, the 
.then()
does the same thing as 
output()
would have. More easily unit-testable, too.
26 Views
Open in Slack
PreviousNext
Powered by