Channels
announcements
automation-api
aws
azure
blog-posts
built-with-pulumi
cloudengineering
cloudengineering-support
content-share
contribex
contribute
docs
dotnet
finops
general
getting-started
gitlab
golang
google-cloud
hackathon-03-19-2020
hacktoberfest
install
java
jobs
kubernetes
learn-pulumi-events
linen
localstack
multi-language-hackathon
office-hours
oracle-cloud-infrastructure
package-authoring
pulumi-ai
pulumi-cdk
pulumi-cloud
pulumi-crosscode
pulumi-deployments
pulumi-kubernetes-operator
pulumiverse
python
registry
status
testingtesting123
testingtesting321
typescript
welcome
workshops
yaml
Title
g
green-bird-4706
10/12/2022, 5:15 AMI am trying to add the ARN of a log group at an IAM policy, but Pulumi doesn't like me doing it. I get the error
error: aws:iam/policy:Policy resource 'Amazing-Lambda-can-log-to-cloudwatch' has a problem: "policy" contains an invalid JSON: invalid character '\n' in string literal. Examine values at 'Policy.Policy'.LogGroupPolicyexport class Lambda extends pulumi.ComponentResource {
constructor(name: string, args?: any, opts?: pulumi.ComponentResourceOptions) {
<<<>>><<<>>>
this.cloudwatchLog = new aws.cloudwatch.LogGroup(`${name}-lambda-vpc-cloudwatch- log`, {
name: `/aws/lambda/amazingLambda`,
retentionInDays: 14
}, {parent: this});
this.cloudwatchPolicy = new aws.iam.Policy(`AmazingLambda-can-log-to-cloudwatch`, {
description: `Grants AmazingLambda permission to write to Cloudwatch logs for monitoring`,
policy: `{
"Version": "2012-10-17",
"Statement": [
{
"Sid": "AmazingLambdaCanLog",
"Effect": "Allow",
"Action": [
"logs:PutLogEvents",
"logs:CreateLogStream",
"logs:CreateLogGroup"
],
"Resource": "${this.cloudwatchLog.arn}"
}
]
}`,
}, { parent: this });l
little-cartoon-10569
10/12/2022, 5:46 AMNo. You're building a string there, and
this.cloudwatchLogthis.cloudwatchLog.arnInstead of building the JSON document yourself, build an aws.iam.PolicyDocument object. Then you can use the output in the expected way.
And you get syntax checking!
If you just get rid of the backticks, and change the JSON syntax to TS/JS syntax (remove the quotes around the keys), it should work. Maybe some capitalization issues, not sure.
g
green-bird-4706
10/12/2022, 6:24 AMIt's definitely an issue trying to use template literals with the Pulumi Ouput<string> type which seems to be a pseudo promise, But I can't work out how else to do it,
PolicyDocumentthis.cloudwatchPolicy = new aws.iam.Policy(`${name}-can-log-to-cloudwatch`, {
description: `Grants ${name} permission to write to Cloudwatch logs for monitoring`,
policy: {
"Version": "2012-10-17",
"Statement": [
{
"Sid": `${snakeCaseName}CanLog`,
"Effect": "Allow",
"Action": [
"logs:PutLogEvents",
"logs:CreateLogStream",
"logs:CreateLogGroup"
],
"Resource": this.cloudwatchLog.arn.apply((arn: string) => arn)
}
]
},
}, { parent: this });l
little-cartoon-10569
10/12/2022, 9:01 PMThe policy object is a normal object, so you don't need to quote the keys.
And this is redundant:
this.cloudwatchLog.arn.apply((arn: string) => arn)this.cloudwatchLog.arng
green-bird-4706
10/12/2022, 9:03 PMAnd this is redundant:I did try that and it failed. Error message said I should try this and it worked. Let me try it again.. Just usethis.cloudwatchLog.arn.apply((arn: string) => arn)this.cloudwatchLog.arn
this.cloudwatchPolicy = new aws.iam.Policy(`${name}-can-log-to-cloudwatch`, {
description: `Grants ${name} permission to write to Cloudwatch logs for monitoring`,
policy: {
Version: "2012-10-17",
Statement: [
{
Sid: `${snakeCaseName}CanLog`,
Effect: "Allow",
Action: [
"logs:PutLogEvents",
"logs:CreateLogStream",
"logs:CreateLogGroup"
],
Resource: this.cloudwatchLog.arn //.apply((value: string) => value)
}
]
},
}, { parent: this.vpcRole });Also found this little gem hidden in the docs today for string interpolation...
pulumi.interpolate`${myS3Bucket.arn}/*`