hey team, I'm running into some problems trying to...
# typescript
p
hey team, I'm running into some problems trying to add a RolePolicy with S3 permissions to an existing Role. The error comes back with:
```
* Error putting IAM role policy fargate-role-policy: MalformedPolicyDocument: Partition "
        1" is not valid for resource "arn:
        1: o.apply(v => v.toJSON())
        2: o.apply(v => JSON.stringify(v))
```
```typescript
const fargateTaskRole = fargateTaskDefinition.taskRole;
const fargateTaskRoleId = fargateTaskRole!.id;

const fargateRolePolicy = new aws.iam.RolePolicy(
  `fargate-role-policy`,
  {
    role: fargateTaskRoleId,
    policy: JSON.stringify({
      Version: '2012-10-17',
      Statement: [
        {
          Action: ['s3:ListBucket', 's3:PutObject'],
          Effect: 'Allow',
          Resource: [someBucket.bucket.apply(bucket => `arn:aws:s3:::${bucket}/*`)],
        },
      ],
    }),
  },
);
```
Any help appreciated!
l
This is happening because you're creating your JSON object at runtime, but the `someBucket.bucket` value isn't available until deploy time.
The minimal change to fix this is to move the JSON.stringify inside the apply(), so that the value returned from apply() is directly assigned to `policy`.
However, this is a very common problem and Pulumi have created a very elegant solution for this case of creating policy documents.
Instead of creating the JSON string, create an object of type aws.iam.PolicyDocument. This will get turned into JSON later, by Pulumi, magically.
The properties of PolicyDocument (like the Resource array) can handle Output values. This is so much easier than creating a JSON object, which can't handle Output values.
Since TypeScript knows about Pulumi's types, all you have to do is get rid of `JSON.stringify(` at the beginning, and `)` at the end. Then check your IDE for validation errors, and all should be well.
p
thanks 🙂
is there any more documentation (beyond https://www.pulumi.com/docs/intro/concepts/inputs-outputs/) for this? I'm still confused by the workings of what can/cannot be used as resource arguments
l
Probably, but it's not easy to find... we need more! (And I know that you're not the only one looking for this sort of doc, it's come up in conversation a few times recently). I had a quick look in https://www.pulumi.com/blog/, https://github.com/pulumiverse/awesome-pulumi and https://github.com/pulumi/pulumi/discussions but nothing jumped out at me. There's definitely a load of threads here in #general and #typescript that answer specific questions. I'd be up for writing (or co-writing) something on topic, though specific to TS.