https://pulumi.com logo
Join Slack
Powered by
Hi.. I am creating an account via pulumi in typesc...
# typescript
l
Hi.. I am creating an account via pulumi in typescript
Copy code
const accountDev = new aws.organizations.Account( "dev", {
    name: "dev",
    email: "<mailto:xxxx@xxx.com|xxxx@xxx.com>",
    parentId: infrastructure.id,
    roleName: "admin",
} );
export const accountDevArn = accountDev.arn;
export const accountIdDev = pulumi.output(accountDev).id;
This works all good and i am exporting the arn and account id. In another file i am using the accountIdDev to create a policy for a user to assume role and use admin role to perform operations..
Copy code
import { accountIdDev } from "./accounts"

const policy = new aws.iam.Policy( "devAssumePolicy", {
    path: "/",
    name: "devAssumePolicy",
    description: "assume policy for dev accounts created",
    policy: JSON.stringify( {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Action": [
                    "sts:AssumeRole"
                ],
                "Effect": "Allow",
                "Resource": [
                    "arn:aws:iam::"+accountIdDev+":role/admin"
                ]
            }
        ]
    } ),
} );

const attachPolicyInfra = new aws.iam.UserPolicyAttachment( "attachPolicyInfra", {
    user: "Infra-accounts-ci",
    policyArn: policy.arn,
} );
However i am struggling to get the accountIdDev and its giving malformed policy.. Can some help in telling what am i doing wrong here.. Thanks!
tried doing this function but for some reason it doesn't interpret it correctly :`const resource = pulumi.interpolate(
arn:aws:iam::${accountIdDev}:role/admin
)`
g
You'll need to use the 
apply()
function to resolve accountIdDev to a string. Docs on apply: https://www.pulumi.com/docs/intro/concepts/inputs-outputs/
something like 
accountIdDev.apply(id => use id as string here...})
l
You're creating a Policy using JSON.stringify(). To do this, you need to wrap the whole JSON.stringify in 
pulumi.interpolate
. It gets messy very quickly. To help with this, Pulumi has provided the class 
aws.iam.PolicyDocument
, which can be used instead of JSON.stringify, in the same place. And as a bonus, all its properties are correctly typed so the IDE support is great šŸ™‚
l
Thanks you guys for the replies.. I'll try them and let you know if i am successful with the multiple options mentioned.
still not able to figure this out.. Tried various interpretations .. Nothing seems to be working šŸ˜•
Copy code
import * as pulumi from "@pulumi/pulumi";
import * as aws from "@pulumi/aws";


import { accountDev } from "./accounts"

let accIdDev = accountIdDev.apply( ( id: string ) => "arn:aws:iam::" + id + ":role/admin" );
console.log( accIdDev );

const userPolicyDocument = aws.iam.getPolicyDocument({
    statements: [
        {
            effect: "Allow",
            actions: [
                "sts:AssumeRole"
            ],
            resources: [accountDev.id.apply( ( id: string ) => "arn:aws:iam::" + id + ":role/admin" )],
        }
    ],
} );

const policy = new aws.iam.Policy( "devAssumePolicy", {
    path: "/",
    name: "devAssumePolicy",
    description: "assume policy for dev accounts created",
    policy: userPolicyDocument.then((userPolicyDocument: { json: any; }) => userPolicyDocument.json),
} );

const attachPolicyInfra = new aws.iam.UserPolicyAttachment( "attachPolicyInfra", {
    user: "Infra-accounts-ci",
    policyArn: policy.arn,
} );
l
Here's what I can see, maybe more will become apparent if I see errors, line numbers, etc.: ā€¢ 
console.log( accIdDev );
is logging an output, so it won't show anything useful. You might want 
accIdDev.apply(id => pulumi.log.debug(id));
. ā€¢ 
resources: [accountDev.id.apply( ( id: string ) => "arn:aws:iam::" + id + ":role/admin" )]
Assuming there's a typo here, you should be able to use 
resources: [ accIdDev ]
because you're in an aws.iam.PolicyDocument. ā€¢ 
policy: userPolicyDocument.then((userPolicyDocument: { json: any; }) => userPolicyDocument.json),
This negates the power of PolicyDocument. You want 
policy: userPolicyDocument
.
Open in Slack
PreviousNext
Powered by