I am trying to add the ARN of a log group at an IA...
# typescriptg
green-bird-4706
10/12/2022, 5:15 AMI am trying to add the ARN of a log group at an IAM policy, but Pulumi doesn't like me doing it. I get the error
error: aws:iam/policy:Policy resource 'Amazing-Lambda-can-log-to-cloudwatch' has a problem: "policy" contains an invalid JSON: invalid character '\n' in string literal. Examine values at 'Policy.Policy'.LogGroupPolicy Copy code
export class Lambda extends pulumi.ComponentResource {
constructor(name: string, args?: any, opts?: pulumi.ComponentResourceOptions) {
<<<>>><<<>>>
this.cloudwatchLog = new aws.cloudwatch.LogGroup(`${name}-lambda-vpc-cloudwatch- log`, {
name: `/aws/lambda/amazingLambda`,
retentionInDays: 14
}, {parent: this});
this.cloudwatchPolicy = new aws.iam.Policy(`AmazingLambda-can-log-to-cloudwatch`, {
description: `Grants AmazingLambda permission to write to Cloudwatch logs for monitoring`,
policy: `{
"Version": "2012-10-17",
"Statement": [
{
"Sid": "AmazingLambdaCanLog",
"Effect": "Allow",
"Action": [
"logs:PutLogEvents",
"logs:CreateLogStream",
"logs:CreateLogGroup"
],
"Resource": "${this.cloudwatchLog.arn}"
}
]
}`,
}, { parent: this });l
little-cartoon-10569
10/12/2022, 5:46 AMNo. You're building a string there, and
this.cloudwatchLogthis.cloudwatchLog.arnlittle-cartoon-10569
10/12/2022, 5:47 AMInstead of building the JSON document yourself, build an aws.iam.PolicyDocument object. Then you can use the output in the expected way.
little-cartoon-10569
10/12/2022, 5:47 AMAnd you get syntax checking!
little-cartoon-10569
10/12/2022, 5:48 AMIf you just get rid of the backticks, and change the JSON syntax to TS/JS syntax (remove the quotes around the keys), it should work. Maybe some capitalization issues, not sure.
g
green-bird-4706
10/12/2022, 6:24 AMIt's definitely an issue trying to use template literals with the Pulumi Ouput<string> type which seems to be a pseudo promise, But I can't work out how else to do it,
PolicyDocumentgreen-bird-4706
10/12/2022, 8:59 PM Copy code
this.cloudwatchPolicy = new aws.iam.Policy(`${name}-can-log-to-cloudwatch`, {
description: `Grants ${name} permission to write to Cloudwatch logs for monitoring`,
policy: {
"Version": "2012-10-17",
"Statement": [
{
"Sid": `${snakeCaseName}CanLog`,
"Effect": "Allow",
"Action": [
"logs:PutLogEvents",
"logs:CreateLogStream",
"logs:CreateLogGroup"
],
"Resource": this.cloudwatchLog.arn.apply((arn: string) => arn)
}
]
},
}, { parent: this });l
little-cartoon-10569
10/12/2022, 9:01 PMThe policy object is a normal object, so you don't need to quote the keys.
little-cartoon-10569
10/12/2022, 9:02 PMAnd this is redundant:
this.cloudwatchLog.arn.apply((arn: string) => arn)this.cloudwatchLog.arng
green-bird-4706
10/12/2022, 9:03 PMAnd this is redundant:I did try that and it failed. Error message said I should try this and it worked. Let me try it again.. Just usethis.cloudwatchLog.arn.apply((arn: string) => arn)this.cloudwatchLog.arn
green-bird-4706
10/12/2022, 9:12 PM Copy code
this.cloudwatchPolicy = new aws.iam.Policy(`${name}-can-log-to-cloudwatch`, {
description: `Grants ${name} permission to write to Cloudwatch logs for monitoring`,
policy: {
Version: "2012-10-17",
Statement: [
{
Sid: `${snakeCaseName}CanLog`,
Effect: "Allow",
Action: [
"logs:PutLogEvents",
"logs:CreateLogStream",
"logs:CreateLogGroup"
],
Resource: this.cloudwatchLog.arn //.apply((value: string) => value)
}
]
},
}, { parent: this.vpcRole });green-bird-4706
10/13/2022, 6:00 AMAlso found this little gem hidden in the docs today for string interpolation...
Copy code
pulumi.interpolate`${myS3Bucket.arn}/*`