green-bird-4706
10/12/2022, 5:15 AM
error: aws:iam/policy:Policy resource 'Amazing-Lambda-can-log-to-cloudwatch' has a problem: "policy" contains an invalid JSON: invalid character '\n' in string literal. Examine values at 'Policy.Policy'.
Here's the code, surely I can use the output of LogGroup in my Policy?
export class Lambda extends pulumi.ComponentResource {
    constructor(name: string, args?: any, opts?: pulumi.ComponentResourceOptions) {
        <<<>>><<<>>>
        this.cloudwatchLog = new aws.cloudwatch.LogGroup(`${name}-lambda-vpc-cloudwatch- log`, {
            name: `/aws/lambda/amazingLambda`,
            retentionInDays: 14
        }, {parent: this});
        this.cloudwatchPolicy = new aws.iam.Policy(`AmazingLambda-can-log-to-cloudwatch`, {
            description: `Grants AmazingLambda permission to write to Cloudwatch logs for monitoring`,
            // arn is an Output<string>; interpolating it into a plain template literal
            // does not yield the ARN, so the resulting string is not valid JSON.
            policy: `{
                "Version": "2012-10-17",
                "Statement": [
                    {
                        "Sid": "AmazingLambdaCanLog",
                        "Effect": "Allow",
                        "Action": [
                            "logs:PutLogEvents",
                            "logs:CreateLogStream",
                            "logs:CreateLogGroup"
                        ],
                        "Resource": "${this.cloudwatchLog.arn}"
                    }
                ]
            }`,
        }, { parent: this });
little-cartoon-10569
10/12/2022, 5:46 AM
this.cloudwatchLog is an output, so this.cloudwatchLog.arn is a lifted output.
green-bird-4706
10/12/2022, 6:24 AM
PolicyDocument looks to be the answer. I'm just trying to port what I had in Terraform to Pulumi and learning along the way. Thanks for the help.
this.cloudwatchPolicy = new aws.iam.Policy(`${name}-can-log-to-cloudwatch`, {
    description: `Grants ${name} permission to write to Cloudwatch logs for monitoring`,
    policy: {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Sid": `${snakeCaseName}CanLog`,
                "Effect": "Allow",
                "Action": [
                    "logs:PutLogEvents",
                    "logs:CreateLogStream",
                    "logs:CreateLogGroup"
                ],
                "Resource": this.cloudwatchLog.arn.apply((arn: string) => arn)
            }
        ]
    },
}, { parent: this });
For anyone else with this issue - this worked for me. And I think this is how it's done??
little-cartoon-10569
10/12/2022, 9:01 PM
And this is redundant: this.cloudwatchLog.arn.apply((arn: string) => arn). Just use this.cloudwatchLog.arn
green-bird-4706
10/12/2022, 9:03 PM
I did try that and it failed. Error message said I should try this and it worked. Let me try it again.
this.cloudwatchPolicy = new aws.iam.Policy(`${name}-can-log-to-cloudwatch`, {
    description: `Grants ${name} permission to write to Cloudwatch logs for monitoring`,
    policy: {
        Version: "2012-10-17",
        Statement: [
            {
                Sid: `${snakeCaseName}CanLog`,
                Effect: "Allow",
                Action: [
                    "logs:PutLogEvents",
                    "logs:CreateLogStream",
                    "logs:CreateLogGroup"
                ],
                Resource: this.cloudwatchLog.arn //.apply((value: string) => value)
            }
        ]
    },
}, { parent: this.vpcRole });
And it works. I think my state got a little bit funky and might have caused the error last night. Thank you. :thank-you:
pulumi.interpolate`${myS3Bucket.arn}/*`
Which is good for making policies. Just if anyone else reads this before Slack deletes it.