https://pulumi.com logo
#typescript
Title
# typescript
g

green-bird-4706

10/12/2022, 5:15 AM
I am trying to add the ARN of a log group at an IAM policy, but Pulumi doesn't like me doing it. I get the error
error: aws:iam/policy:Policy resource 'Amazing-Lambda-can-log-to-cloudwatch' has a problem: "policy" contains an invalid JSON: invalid character '\n' in string literal. Examine values at 'Policy.Policy'.
Here's the code, surely I can use the output of
LogGroup
in my
Policy
?
Copy code
export class Lambda extends pulumi.ComponentResource {
  constructor(name: string, args?: any, opts?: pulumi.ComponentResourceOptions) {

<<<>>><<<>>>

  this.cloudwatchLog = new aws.cloudwatch.LogGroup(`${name}-lambda-vpc-cloudwatch-    log`, {
    name: `/aws/lambda/amazingLambda`,
    retentionInDays: 14
  }, {parent: this});

  this.cloudwatchPolicy = new aws.iam.Policy(`AmazingLambda-can-log-to-cloudwatch`, {
    description: `Grants AmazingLambda permission to write to Cloudwatch logs for monitoring`,
    policy: `{
       "Version": "2012-10-17",
          "Statement": [
            {
              "Sid": "AmazingLambdaCanLog",
              "Effect": "Allow",
              "Action": [
                "logs:PutLogEvents",
                "logs:CreateLogStream",
                "logs:CreateLogGroup"
              ],
            "Resource": "${this.cloudwatchLog.arn}"
         }
       ]
     }`,
  }, { parent: this });
l

little-cartoon-10569

10/12/2022, 5:46 AM
No. You're building a string there, and
this.cloudwatchLog
is an output, so
this.cloudwatchLog.arn
is a lifted output.
Instead of building the JSON document yourself, build an aws.iam.PolicyDocument object. Then you can use the output in the expected way.
And you get syntax checking!
If you just get rid of the backticks, and change the JSON syntax to TS/JS syntax (remove the quotes around the keys), it should work. Maybe some capitalization issues, not sure.
g

green-bird-4706

10/12/2022, 6:24 AM
It's definitely an issue trying to use template literals with the Pulumi Ouput<string> type which seems to be a pseudo promise, But I can't work out how else to do it,
PolicyDocument
looks to be the answer. I'm just trying to port what I had in Terraform to Pulumi and learning along the way. Thanks for the help.
Copy code
this.cloudwatchPolicy = new aws.iam.Policy(`${name}-can-log-to-cloudwatch`, {
        description: `Grants ${name} permission to write to Cloudwatch logs for monitoring`,
        policy: {
          "Version": "2012-10-17",
          "Statement": [
            {
                "Sid": `${snakeCaseName}CanLog`,
                "Effect": "Allow",
                "Action": [
                    "logs:PutLogEvents",
                    "logs:CreateLogStream",
                    "logs:CreateLogGroup"
                ],
                "Resource": this.cloudwatchLog.arn.apply((arn: string) => arn)
            }
          ]
        },
      }, { parent: this });
For anyone else with this issue - this worked for me. And I think this is how it's done??
l

little-cartoon-10569

10/12/2022, 9:01 PM
The policy object is a normal object, so you don't need to quote the keys.
And this is redundant:
this.cloudwatchLog.arn.apply((arn: string) => arn)
. Just use
this.cloudwatchLog.arn
g

green-bird-4706

10/12/2022, 9:03 PM
And this is redundant:
this.cloudwatchLog.arn.apply((arn: string) => arn)
. Just use
this.cloudwatchLog.arn
I did try that and it failed. Error message said I should try this and it worked. Let me try it again.
Copy code
this.cloudwatchPolicy = new aws.iam.Policy(`${name}-can-log-to-cloudwatch`, {
        description: `Grants ${name} permission to write to Cloudwatch logs for monitoring`,
        policy: {
          Version: "2012-10-17",
          Statement: [
            {
                Sid: `${snakeCaseName}CanLog`,
                Effect: "Allow",
                Action: [
                    "logs:PutLogEvents",
                    "logs:CreateLogStream",
                    "logs:CreateLogGroup"
                ],
                Resource: this.cloudwatchLog.arn //.apply((value: string) => value)
            }
          ]
        },
      }, { parent: this.vpcRole });
And it works. I think my state got a little bit funky and might have caused the error last night. Thank you. 🙏
Also found this little gem hidden in the docs today for string interpolation...
Copy code
pulumi.interpolate`${myS3Bucket.arn}/*`
Which is good for making policies. Just if anyone else reads this before Slack deletes it.