No matter how you like to participate in developer communities, Pulumi wants to meet you there. If you want to meet other Pulumi users to share use-cases and best practices, contribute code or documentation, see us at an event, or just tell a story about something cool you did with Pulumi, you are part of our community.

Pulumi Community

You need to do your verifications inside apply()s. This pseudo-code might help?
```validateResource: validateResourceOfType(aws.s3.BucketPolicy, (policy, args, reportViolation) =&gt; {
  policy.statements.apply((statements: PolicyStatement[]) =&gt; {
    statements.forEach(statement =&gt; {
      if (statement.principals.length == 1 &amp;&amp; statement.principals[0] == "*" &amp;&amp; statement.conditions.length == 0) {
        reportViolation(`Statement ${statement.sid} allows any principal but has no conditions applied`);
      }
    });
  });
})```
(Code completely untested.. it's just pseudo-code..)

`policy` here is an `UnwrappedObject&lt;aws.s3.BucketPolicyArgs&gt;` , and `policy.policy` (which contains the Statement) is a `string | UnwrappedObject&lt;aws.iam.PolicyDocument&gt;` . For me, it ends up a `string`, which means you’ll have to JSON.parse it (and then cast that) to examine its contents. This seems to work for me:
```...
validateResource: validateResourceOfType(aws.s3.BucketPolicy, (policy, args, reportViolation) =&gt; {
    const policyDoc = JSON.parse(policy.policy as string) as UnwrappedObject&lt;aws.iam.PolicyDocument&gt;;

    const violations = policyDoc.Statement
        .filter(statement =&gt; statement.Principal === "*");

    if (violations.length &gt; 0) {
        reportViolation("Hey -- don't do that.");
    }
}),
...```

There may well be a more elegant way to do this, but hopefully this’ll at least work for ya. :crossed_fingers:

I think aws,iam.PolicyDocument should be an implicit cast-with-marshalling thanks to some Pulumi magic.. if not, then maybe an issue should be raised? It works in Role and other places that use PolicyDocuments.

image.png

That may well be, too. Here’s what I see, at least, in my IDE:

I haven’t used PAC much, though — if this is different from the norm, then yeah maybe an issue should be filed. It definitely doesn’t feel quite _right_ though I agree.

I must be looking at the wrong thing. :thinking_face: When I `validateResourceOfType(aws.iam.Role…)`, I see the same thing — `role` is an `UnwrappedObject`, and `role.assumeRolePolicy` is a `string | UnwrappedObject` as well:

And you can't just cast it to an aws.iam.PolicyDocument? Darn. That'd be nice...

Yeah, I agree. I’ll see if I can file something to consider for this one. Thanks!

<@U012UJTT55M> and <@UDWGK72BY> Thanks for the help.  We appreciate it.

We also discovered that it always comes in as a `string` and we can do the parsing <@UDWGK72BY> suggested.

Thanks again.