This message was deleted.

sparse-intern-71089

10/12/2022, 5:15 AM

This message was deleted.

little-cartoon-10569

10/12/2022, 5:46 AM

No. You're building a string there, and

this.cloudwatchLog

is an output, so

this.cloudwatchLog.arn

is a lifted output.

little-cartoon-10569

10/12/2022, 5:47 AM

Instead of building the JSON document yourself, build an aws.iam.PolicyDocument object. Then you can use the output in the expected way.

little-cartoon-10569

10/12/2022, 5:47 AM

And you get syntax checking!

little-cartoon-10569

10/12/2022, 5:48 AM

If you just get rid of the backticks, and change the JSON syntax to TS/JS syntax (remove the quotes around the keys), it should work. Maybe some capitalization issues, not sure.

green-bird-4706

10/12/2022, 6:24 AM

It's definitely an issue trying to use template literals with the Pulumi Ouput<string> type which seems to be a pseudo promise, But I can't work out how else to do it,

PolicyDocument

looks to be the answer. I'm just trying to port what I had in Terraform to Pulumi and learning along the way. Thanks for the help.

green-bird-4706

10/12/2022, 8:59 PM

Copy code

this.cloudwatchPolicy = new aws.iam.Policy(`${name}-can-log-to-cloudwatch`, {
        description: `Grants ${name} permission to write to Cloudwatch logs for monitoring`,
        policy: {
          "Version": "2012-10-17",
          "Statement": [
            {
                "Sid": `${snakeCaseName}CanLog`,
                "Effect": "Allow",
                "Action": [
                    "logs:PutLogEvents",
                    "logs:CreateLogStream",
                    "logs:CreateLogGroup"
                ],
                "Resource": this.cloudwatchLog.arn.apply((arn: string) => arn)
            }
          ]
        },
      }, { parent: this });

For anyone else with this issue - this worked for me. And I think this is how it's done??

little-cartoon-10569

10/12/2022, 9:01 PM

The policy object is a normal object, so you don't need to quote the keys.

little-cartoon-10569

10/12/2022, 9:02 PM

And this is redundant:

this.cloudwatchLog.arn.apply((arn: string) => arn)

. Just use

this.cloudwatchLog.arn

green-bird-4706

10/12/2022, 9:03 PM

And this is redundant:
this.cloudwatchLog.arn.apply((arn: string) => arn)
. Just use
this.cloudwatchLog.arn

I did try that and it failed. Error message said I should try this and it worked. Let me try it again.

green-bird-4706

10/12/2022, 9:12 PM

Copy code

this.cloudwatchPolicy = new aws.iam.Policy(`${name}-can-log-to-cloudwatch`, {
        description: `Grants ${name} permission to write to Cloudwatch logs for monitoring`,
        policy: {
          Version: "2012-10-17",
          Statement: [
            {
                Sid: `${snakeCaseName}CanLog`,
                Effect: "Allow",
                Action: [
                    "logs:PutLogEvents",
                    "logs:CreateLogStream",
                    "logs:CreateLogGroup"
                ],
                Resource: this.cloudwatchLog.arn //.apply((value: string) => value)
            }
          ]
        },
      }, { parent: this.vpcRole });

And it works. I think my state got a little bit funky and might have caused the error last night. Thank you. 🙏

green-bird-4706

10/13/2022, 6:00 AM

Also found this little gem hidden in the docs today for string interpolation...

Copy code

pulumi.interpolate`${myS3Bucket.arn}/*`

Which is good for making policies. Just if anyone else reads this before Slack deletes it.

Open in Slack

Previous Next

Pulumi Community

No matter how you like to participate in developer communities, Pulumi wants to meet you there. If you want to meet other Pulumi users to share use-cases and best practices, contribute code or documentation, see us at an event, or just tell a story about something cool you did with Pulumi, you are part of our community.