https://pulumi.com logo
l

little-whale-73288

07/29/2021, 2:21 PM
Hello, what's the kosher way to put
Output<string>
into
aws.iam.GetPolicyDocumentArgs
? this attempt:
Copy code
const policy = aws.iam.getPolicyDocument({statements: [{
    actions: ["sts:AssumeRoleWithWebIdentity"],
    principals: [{
        identifiers: [bitbucket.oidcProvider.arn], // this is line 14
        type: "Federated",
    }],
    condition: {
        test: "StringLike",
        variable: bitbucket.oidcProvider.url.apply(url => `${url.replace("https://", "")}:sub`),
        values: ["...."],
    }
}]})
results in:
Copy code
pulumi.ts(14,23): error TS2322: Type 'Output<string>' is not assignable to type 'string'.
a

astonishing-tiger-81216

07/29/2021, 2:27 PM
Hey @little-whale-73288, This one feels familiar from vague memories. Could you try?
Copy code
identifiers: [bitbucket.oidcProvider.arn.apply(arn => arn)],
I’m afraid that’s my best guess right now.
l

little-whale-73288

07/29/2021, 2:28 PM
@astonishing-tiger-81216 nope, it's still not a string 😞.
a

astonishing-tiger-81216

07/29/2021, 2:32 PM
Ah ok. Sorry. Better leave it to someone more capable. Can’t think why and don’t want to suggest casting which feels wrong for some reason. Good luck 🤞
l

little-whale-73288

07/29/2021, 2:41 PM
thanks 🙂
this seems to be working, but meh:
Copy code
assumeRolePolicy: bitbucket.oidcProvider.arn.apply(
        providerArn => pulumi.all([bitbucket.oidcProvider.arn, bitbucket.oidcProvider.url]).apply(
            ([arn, url]) =>
            aws.iam.getPolicyDocument({statements: [{
                actions: ["sts:AssumeRoleWithWebIdentity"],
                principals: [{
                    identifiers: [arn],
                    type: "Federated",
                }],
                conditions: [{
                    test: "StringLike",
                    variable: `${url.replace("https://", "")}:sub`,
                    values: ["..."],
                }],
            }]}).then(doc => doc.json)
        )
    )
👍 1
then the diff is useless:
Copy code
assumeRolePolicy   : output<string>
e

echoing-actor-55539

07/29/2021, 3:59 PM
try something like this
Copy code
identifiers: [pulumi.interpolate`{bitbucket.oidcProvider.arn}`]
👍 1
☝️ 1
c

clever-sunset-76585

07/29/2021, 4:32 PM
@echoing-actor-55539’s right.
pulumi.interpolate
is your friend for these sorts of things when using JS/TS. So try:
Copy code
identifiers: [pulumi.interpolate`${bitbucket.oidcProvider.url.replace("https://", "")}:sub`]
Oh I misread the error message. The problem is that
identifiers
doesn’t take an
Output<string>
. So yeah you will need to use an outer
apply
to get the plain string value. As for the string interpolation you are doing inside
variable
you could use
pulumi.interpolate
for such.
l

little-cartoon-10569

07/29/2021, 10:39 PM
In this case you should cast to PolicyDocument, not use the
getPolicyDocument()
function. (Code untested.. I'm particularly not confident in the LHS of the condition...)
This means that you don't need
apply()
to generate the document. You only need
apply()
to transform fields. Or in this case,
pulumi.interpolate
.
c

clever-sunset-76585

07/29/2021, 10:43 PM
Yeah I guess what was the reason for using
aws.iam.getPolicyDocument
@little-whale-73288. If it was to simply construct a policy document that you can use with a
Policy
resource, you could just use the
aws.iam.PolicyDocument
type as @little-cartoon-10569 suggests. That is overall better than trying to encapsulate everything inside an
apply
.