Hi.. I am creating an account via pulumi in typescript

const accountDev = new aws.organizations.Account( "dev", {
    name: "dev",
    email: "<mailto:xxxx@xxx.com|xxxx@xxx.com>",
    parentId: infrastructure.id,
    roleName: "admin",
} );
export const accountDevArn = accountDev.arn;
export const accountIdDev = pulumi.output(accountDev).id;

This works all good and i am exporting the arn and account id. In another file i am using the accountIdDev to create a policy for a user to assume role and use admin role to perform operations..

import { accountIdDev } from "./accounts"

const policy = new aws.iam.Policy( "devAssumePolicy", {
    path: "/",
    name: "devAssumePolicy",
    description: "assume policy for dev accounts created",
    policy: JSON.stringify( {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Action": [
                    "sts:AssumeRole"
                ],
                "Effect": "Allow",
                "Resource": [
                    "arn:aws:iam::"+accountIdDev+":role/admin"
                ]
            }
        ]
    } ),
} );

const attachPolicyInfra = new aws.iam.UserPolicyAttachment( "attachPolicyInfra", {
    user: "Infra-accounts-ci",
    policyArn: policy.arn,
} );

However i am struggling to get the accountIdDev and its giving malformed policy.. Can some help in telling what am i doing wrong here.. Thanks!

You'll need to use the

apply()

function to resolve accountIdDev to a string. Docs on apply: https://www.pulumi.com/docs/intro/concepts/inputs-outputs/

You're creating a Policy using JSON.stringify(). To do this, you need to wrap the whole JSON.stringify in

pulumi.interpolate

. It gets messy very quickly. To help with this, Pulumi has provided the class

aws.iam.PolicyDocument

, which can be used instead of JSON.stringify, in the same place. And as a bonus, all its properties are correctly typed so the IDE support is great 🙂

Thanks you guys for the replies.. I'll try them and let you know if i am successful with the multiple options mentioned.

Here's what I can see, maybe more will become apparent if I see errors, line numbers, etc.: •

console.log( accIdDev );

is logging an output, so it won't show anything useful. You might want

accIdDev.apply(id => pulumi.log.debug(id));

. •

resources: [accountDev.id.apply( ( id: string ) => "arn:aws:iam::" + id + ":role/admin" )]

Assuming there's a typo here, you should be able to use

resources: [ accIdDev ]

because you're in an aws.iam.PolicyDocument. •

policy: userPolicyDocument.then((userPolicyDocument: { json: any; }) => userPolicyDocument.json),

This negates the power of PolicyDocument. You want

policy: userPolicyDocument

.