Thread
#typescript

    polite-king-94596

    4 months ago
    hey team, I'm running into some problems trying to add a RolePolicy with S3 permissions to an existing Role. The error comes back with:
    * Error putting IAM role policy fargate-role-policy: MalformedPolicyDocument: Partition "
            1" is not valid for resource "arn:
            1: o.apply(v => v.toJSON())
            2: o.apply(v => JSON.stringify(v))
    const fargateTaskRole = fargateTaskDefinition.taskRole;
    const fargateTaskRoleId = fargateTaskRole!.id
    
    const fargateRolePolicy = new aws.iam.RolePolicy(
      `fargate-role-policy`,
      {
        role: fargateTaskRoleId,
        policy: JSON.stringify({
          Version: '2012-10-17',
          Statement: [
            {
              Action: ['s3:ListBucket', 's3:PutObject'],
              Effect: 'Allow',
              Resource: [someBucket.bucket.apply(bucket => "arn:aws:s3:::${bucket}/*")],
            },
          ],
        }),
      },
    );
    Any help appreciated!

    little-cartoon-10569

    4 months ago
    This is happening because you're creating your JSON object at runtime, but the someBucket.bucket value isn't available until deploy time.
    The minimal change to fix this is to move the JSON.stringify inside the apply(), so that the value returned from apply() is directly assigned to policy.
    However, this is a very common problem and Pulumi have created a very elegant solution for this case of creating policy documents.
    Instead of creating the JSON string, create an object of type aws.iam.PolicyDocument. This will get turned into JSON later, by Pulumi, magically.
    The properties of PolicyDocument (like the Resource array) can handle Output values. This is so much easier than creating a JSON object, which can't handle Output values.
    Since TypeScript knows about Pulumi's types, all you have to do is get rid of JSON.stringify( at the beginning, and ) at the end. Then check your IDE for validation errors, and all should be well.

    polite-king-94596

    4 months ago
    thanks 🙂
    is there any more documentation (beyond https://www.pulumi.com/docs/intro/concepts/inputs-outputs/) for this? I'm still confused by the workings of what can/cannot be used as resource arguments

    little-cartoon-10569

    4 months ago
    Probably, but it's not easy to find... we need more! (And I know that you're not the only one looking for this sort of doc, it's come up in conversation a few times recently). I had a quick look in https://www.pulumi.com/blog/, https://github.com/pulumiverse/awesome-pulumi and https://github.com/pulumi/pulumi/discussions but nothing jumped out at me. There's definitely a load of threads here in #general and #typescript that answer specific questions. I'd be up for writing (or co-writing) something on topic, though specific to TS.