loud-bear-51491
10/04/2021, 3:46 PM
const accountDev = new aws.organizations.Account( "dev", {
name: "dev",
email: "xxxx@xxx.com",
parentId: infrastructure.id,
roleName: "admin",
} );
export const accountDevArn = accountDev.arn;
export const accountIdDev = pulumi.output(accountDev).id;
This works all good and I am exporting the ARN and account ID.
In another file I am using the accountIdDev to create a policy for a user to assume role and use the admin role to perform operations.
import * as aws from "@pulumi/aws";
import { accountIdDev } from "./accounts"
const policy = new aws.iam.Policy( "devAssumePolicy", {
path: "/",
name: "devAssumePolicy",
description: "assume policy for dev accounts created",
policy: JSON.stringify( {
"Version": "2012-10-17",
"Statement": [
{
"Action": [
"sts:AssumeRole"
],
"Effect": "Allow",
"Resource": [
"arn:aws:iam::"+accountIdDev+":role/admin"
]
}
]
} ),
} );
const attachPolicyInfra = new aws.iam.UserPolicyAttachment( "attachPolicyInfra", {
user: "Infra-accounts-ci",
policyArn: policy.arn,
} );
However I am struggling to get the accountIdDev and it's giving a malformed policy. Can someone help in telling what I am doing wrong here?
Thanks!
arn:aws:iam::${accountIdDev}:role/admin
)`
green-stone-37839
10/04/2021, 5:31 PM
apply() function to resolve accountIdDev to a string. Docs on apply: https://www.pulumi.com/docs/intro/concepts/inputs-outputs/
accountIdDev.apply(id => use id as string here...})
little-cartoon-10569
10/04/2021, 8:56 PM
pulumi.interpolate. It gets messy very quickly. To help with this, Pulumi has provided the class aws.iam.PolicyDocument, which can be used instead of JSON.stringify, in the same place. And as a bonus, all its properties are correctly typed so the IDE support is great
loud-bear-51491
10/05/2021, 9:09 AM
import * as pulumi from "@pulumi/pulumi";
import * as aws from "@pulumi/aws";
// both names are referenced below, so both must be imported
import { accountDev, accountIdDev } from "./accounts"
let accIdDev = accountIdDev.apply( ( id: string ) => "arn:aws:iam::" + id + ":role/admin" );
console.log( accIdDev );
const userPolicyDocument = aws.iam.getPolicyDocument({
statements: [
{
effect: "Allow",
actions: [
"sts:AssumeRole"
],
resources: [accountDev.id.apply( ( id: string ) => "arn:aws:iam::" + id + ":role/admin" )],
}
],
} );
const policy = new aws.iam.Policy( "devAssumePolicy", {
path: "/",
name: "devAssumePolicy",
description: "assume policy for dev accounts created",
policy: userPolicyDocument.then((userPolicyDocument: { json: any; }) => userPolicyDocument.json),
} );
const attachPolicyInfra = new aws.iam.UserPolicyAttachment( "attachPolicyInfra", {
user: "Infra-accounts-ci",
policyArn: policy.arn,
} );
little-cartoon-10569
10/05/2021, 7:33 PM
• console.log( accIdDev );
is logging an output, so it won't show anything useful. You might want accIdDev.apply(id => pulumi.log.debug(id));.
• resources: [accountDev.id.apply( ( id: string ) => "arn:aws:iam::" + id + ":role/admin" )]
Assuming there's a typo here, you should be able to use resources: [ accIdDev ]
because you're in an aws.iam.PolicyDocument.
• policy: userPolicyDocument.then((userPolicyDocument: { json: any; }) => userPolicyDocument.json),
This negates the power of PolicyDocument. You want policy: userPolicyDocument.