https://pulumi.com logo
l

loud-bear-51491

10/04/2021, 3:46 PM
Hi.. I am creating an account via pulumi in typescript
Copy code
const accountDev = new aws.organizations.Account( "dev", {
    name: "dev",
    email: "<mailto:xxxx@xxx.com|xxxx@xxx.com>",
    parentId: infrastructure.id,
    roleName: "admin",
} );
export const accountDevArn = accountDev.arn;
export const accountIdDev = pulumi.output(accountDev).id;
This works all good and i am exporting the arn and account id. In another file i am using the accountIdDev to create a policy for a user to assume role and use admin role to perform operations..
Copy code
import { accountIdDev } from "./accounts"

const policy = new aws.iam.Policy( "devAssumePolicy", {
    path: "/",
    name: "devAssumePolicy",
    description: "assume policy for dev accounts created",
    policy: JSON.stringify( {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Action": [
                    "sts:AssumeRole"
                ],
                "Effect": "Allow",
                "Resource": [
                    "arn:aws:iam::"+accountIdDev+":role/admin"
                ]
            }
        ]
    } ),
} );

const attachPolicyInfra = new aws.iam.UserPolicyAttachment( "attachPolicyInfra", {
    user: "Infra-accounts-ci",
    policyArn: policy.arn,
} );
However i am struggling to get the accountIdDev and its giving malformed policy.. Can some help in telling what am i doing wrong here.. Thanks!
tried doing this function but for some reason it doesn't interpret it correctly :`const resource = pulumi.interpolate(
arn:aws:iam::${accountIdDev}:role/admin
)`
g

green-stone-37839

10/04/2021, 5:31 PM
You'll need to use the
apply()
function to resolve accountIdDev to a string. Docs on apply: https://www.pulumi.com/docs/intro/concepts/inputs-outputs/
something like
accountIdDev.apply(id => use id as string here...})
l

little-cartoon-10569

10/04/2021, 8:56 PM
You're creating a Policy using JSON.stringify(). To do this, you need to wrap the whole JSON.stringify in
pulumi.interpolate
. It gets messy very quickly. To help with this, Pulumi has provided the class
aws.iam.PolicyDocument
, which can be used instead of JSON.stringify, in the same place. And as a bonus, all its properties are correctly typed so the IDE support is great šŸ™‚
l

loud-bear-51491

10/05/2021, 9:09 AM
Thanks you guys for the replies.. I'll try them and let you know if i am successful with the multiple options mentioned.
still not able to figure this out.. Tried various interpretations .. Nothing seems to be working šŸ˜•
Copy code
import * as pulumi from "@pulumi/pulumi";
import * as aws from "@pulumi/aws";


import { accountDev } from "./accounts"

let accIdDev = accountIdDev.apply( ( id: string ) => "arn:aws:iam::" + id + ":role/admin" );
console.log( accIdDev );

const userPolicyDocument = aws.iam.getPolicyDocument({
    statements: [
        {
            effect: "Allow",
            actions: [
                "sts:AssumeRole"
            ],
            resources: [accountDev.id.apply( ( id: string ) => "arn:aws:iam::" + id + ":role/admin" )],
        }
    ],
} );

const policy = new aws.iam.Policy( "devAssumePolicy", {
    path: "/",
    name: "devAssumePolicy",
    description: "assume policy for dev accounts created",
    policy: userPolicyDocument.then((userPolicyDocument: { json: any; }) => userPolicyDocument.json),
} );

const attachPolicyInfra = new aws.iam.UserPolicyAttachment( "attachPolicyInfra", {
    user: "Infra-accounts-ci",
    policyArn: policy.arn,
} );
l

little-cartoon-10569

10/05/2021, 7:33 PM
Here's what I can see, maybe more will become apparent if I see errors, line numbers, etc.: ā€¢
console.log( accIdDev );
is logging an output, so it won't show anything useful. You might want
accIdDev.apply(id => pulumi.log.debug(id));
. ā€¢
resources: [accountDev.id.apply( ( id: string ) => "arn:aws:iam::" + id + ":role/admin" )]
Assuming there's a typo here, you should be able to use
resources: [ accIdDev ]
because you're in an aws.iam.PolicyDocument. ā€¢
policy: userPolicyDocument.then((userPolicyDocument: { json: any; }) => userPolicyDocument.json),
This negates the power of PolicyDocument. You want
policy: userPolicyDocument
.