https://pulumi.com logo
Powered by
l

little-whale-73288

07/29/2021, 2:21 PM
Hello, what's the kosher way to put 
Output<string>
into 
aws.iam.GetPolicyDocumentArgs
? this attempt:
Copy code
const policy = aws.iam.getPolicyDocument({statements: [{
    actions: ["sts:AssumeRoleWithWebIdentity"],
    principals: [{
        identifiers: [bitbucket.oidcProvider.arn], // this is line 14
        type: "Federated",
    }],
    condition: {
        test: "StringLike",
        variable: bitbucket.oidcProvider.url.apply(url => `${url.replace("https://", "")}:sub`),
        values: ["...."],
    }
}]})
results in:
Copy code
pulumi.ts(14,23): error TS2322: Type 'Output<string>' is not assignable to type 'string'.
a

astonishing-tiger-81216

07/29/2021, 2:27 PM
Hey @little-whale-73288, This one feels familiar from vague memories. Could you try?
Copy code
identifiers: [bitbucket.oidcProvider.arn.apply(arn => arn)],
I’m afraid that’s my best guess right now.
l

little-whale-73288

07/29/2021, 2:28 PM
@astonishing-tiger-81216 nope, it's still not a string 😞.
a

astonishing-tiger-81216

07/29/2021, 2:32 PM
Ah ok. Sorry. Better leave it to someone more capable. Can’t think why and don’t want to suggest casting which feels wrong for some reason. Good luck 🤞
l

little-whale-73288

07/29/2021, 2:41 PM
thanks 🙂
this seems to be working, but meh:
Copy code
assumeRolePolicy: bitbucket.oidcProvider.arn.apply(
        providerArn => pulumi.all([bitbucket.oidcProvider.arn, bitbucket.oidcProvider.url]).apply(
            ([arn, url]) =>
            aws.iam.getPolicyDocument({statements: [{
                actions: ["sts:AssumeRoleWithWebIdentity"],
                principals: [{
                    identifiers: [arn],
                    type: "Federated",
                }],
                conditions: [{
                    test: "StringLike",
                    variable: `${url.replace("https://", "")}:sub`,
                    values: ["..."],
                }],
            }]}).then(doc => doc.json)
        )
    )
👍 1
then the diff is useless:
Copy code
assumeRolePolicy   : output<string>
e

echoing-actor-55539

07/29/2021, 3:59 PM
try something like this
Copy code
identifiers: [pulumi.interpolate`{bitbucket.oidcProvider.arn}`]
👍 1
☝️ 1
c

clever-sunset-76585

07/29/2021, 4:32 PM
@echoing-actor-55539’s right. 
pulumi.interpolate
is your friend for these sorts of things when using JS/TS. So try:
Copy code
identifiers: [pulumi.interpolate`${bitbucket.oidcProvider.url.replace("https://", "")}:sub`]
Oh I misread the error message. The problem is that 
identifiers
doesn’t take an 
Output<string>
. So yeah you will need to use an outer 
apply
to get the plain string value. As for the string interpolation you are doing inside 
variable
you could use 
pulumi.interpolate
for such.
l

little-cartoon-10569

07/29/2021, 10:39 PM
In this case you should cast to PolicyDocument, not use the 
getPolicyDocument()
function. (Code untested.. I'm particularly not confident in the LHS of the condition...)
Untitled.ts
This means that you don't need 
apply()
to generate the document. You only need 
apply()
to transform fields. Or in this case, 
pulumi.interpolate
.
c

clever-sunset-76585

07/29/2021, 10:43 PM
Yeah I guess what was the reason for using 
aws.iam.getPolicyDocument
@little-whale-73288. If it was to simply construct a policy document that you can use with a 
Policy
resource, you could just use the 
aws.iam.PolicyDocument
type as @little-cartoon-10569 suggests. That is overall better than trying to encapsulate everything inside an 
apply
.
Powered by