No matter how you like to participate in developer communities, Pulumi wants to meet you there. If you want to meet other Pulumi users to share use-cases and best practices, contribute code or documentation, see us at an event, or just tell a story about something cool you did with Pulumi, you are part of our community.

Pulumi Community

Is there a better way to write json iam policies than using a bunch of []map[string]interface{}{ everywhere and pull it together with json.Marshal?

Look for examples of iam.GetPolicyDocument

Oof that isn't much better. I think I'll create it manually for now and pull it using LookupInstanceProfile, and then try to figure it out later

i wrote a helper that made it a bit less painful to build policies.. end up with code like this:
```Policy: policy.New("my-policy",
          policy.Statement("statement-one",
                  policy.Effect(policy.Allow),
                  policy.Action(
                          "s3:GetObject",
                          "s3:PutObject",
                  ),
                  policy.Principal("AWS",
                          "arn:aws:iam::12345:root",
                  ),
                  policy.Resource(
                          pulumi.Sprintf("%s/*", bucketArn),
                  ),
          ),
  ).ToStringOutput(),```

i could probably push the helper up to github if useful

ok let me see what state that code is in and i’ll upload it.. could probably still use some love though :wink:

Here is my example. I don't find this that bad?

```source, err := iam.GetPolicyDocument(ctx, &amp;iam.GetPolicyDocumentArgs{```
			Statements: []iam.GetPolicyDocumentStatement{
				// Allow AssumeRole - we allow to assume any role,
				// but that role will have to have been granted permissions
				// to be assumable by this role.
				{
					Actions: []string{
						"sts:AssumeRole",
					},
					Resources: []string{
						"*",
					},
					Effect: &amp;allow,
				},
				// Some base bucket policies
				{
					Actions: []string{
						"s3:HeadBucket",
					},
					Resources: []string{
						bucketArn,
					},
					Effect: &amp;allow,
				},

<https://github.com/gwatts/pulutil/blob/main/policy/example_test.go>

does that only accept strings though?  what happens if you want to reference resources etc that aren’t yet resolved?

Also Hi Gareth - it's been a minute :grinning:

I believe it does only accept strings - if you need unresolved references you'd do this inside an ApplyT, which is what I've always done.

it has indeed been a few minutes!  Hope you’re doing well :slightly_smiling_face:

yeah i wrote my little hack to avoid having to put more things inside an ApplyT in my main scripts.. tucks it out of the way instead

Understood. In my case I usually need it anyway for some other things so it works out OK.

<@U012H5R25PX> this helper repo is _awesome_ :heart:

can you DM me your email? i want to send you some swag as a thanks