sparse-intern-71089
10/04/2021, 3:46 PM
loud-bear-51491
10/04/2021, 3:51 PM
arn:aws:iam::${accountIdDev}:role/admin
)`
green-stone-37839
10/04/2021, 5:31 PM
apply() function to resolve accountIdDev to a string. Docs on apply: https://www.pulumi.com/docs/intro/concepts/inputs-outputs/
green-stone-37839
10/04/2021, 5:31 PM
accountIdDev.apply(id => { use id as string here... })
little-cartoon-10569
10/04/2021, 8:56 PM
pulumi.interpolate. It gets messy very quickly. To help with this, Pulumi has provided the class aws.iam.PolicyDocument, which can be used instead of JSON.stringify, in the same place. And as a bonus, all its properties are correctly typed so the IDE support is great
loud-bear-51491
10/05/2021, 9:09 AM
loud-bear-51491
10/05/2021, 12:23 PM
import * as pulumi from "@pulumi/pulumi";
import * as aws from "@pulumi/aws";
import { accountDev } from "./accounts"
let accIdDev = accountIdDev.apply( ( id: string ) => "arn:aws:iam::" + id + ":role/admin" );
console.log( accIdDev );
const userPolicyDocument = aws.iam.getPolicyDocument({
    statements: [
        {
            effect: "Allow",
            actions: [
                "sts:AssumeRole"
            ],
            resources: [accountDev.id.apply( ( id: string ) => "arn:aws:iam::" + id + ":role/admin" )],
        }
    ],
} );
const policy = new aws.iam.Policy( "devAssumePolicy", {
    path: "/",
    name: "devAssumePolicy",
    description: "assume policy for dev accounts created",
    policy: userPolicyDocument.then((userPolicyDocument: { json: any; }) => userPolicyDocument.json),
} );
const attachPolicyInfra = new aws.iam.UserPolicyAttachment( "attachPolicyInfra", {
    user: "Infra-accounts-ci",
    policyArn: policy.arn,
} );
little-cartoon-10569
10/05/2021, 7:33 PM
console.log( accIdDev ); is logging an output, so it won't show anything useful. You might want accIdDev.apply(id => pulumi.log.debug(id));.
• resources: [accountDev.id.apply( ( id: string ) => "arn:aws:iam::" + id + ":role/admin" )]
Assuming there's a typo here, you should be able to use resources: [ accIdDev ] because you're in an aws.iam.PolicyDocument.
• policy: userPolicyDocument.then((userPolicyDocument: { json: any; }) => userPolicyDocument.json),
This negates the power of PolicyDocument. You want policy: userPolicyDocument.