# typescript

polite-king-94596

05/17/2022, 3:53 AM
hey team, I'm running into some problems trying to add a RolePolicy with S3 permissions to an existing Role. The error comes back with:
```
* Error putting IAM role policy fargate-role-policy: MalformedPolicyDocument: Partition "
        1" is not valid for resource "arn:
        1: o.apply(v => v.toJSON())
        2: o.apply(v => JSON.stringify(v))
```
```typescript
const fargateTaskRole = fargateTaskDefinition.taskRole;
const fargateTaskRoleId = fargateTaskRole!.id;

const fargateRolePolicy = new aws.iam.RolePolicy(
  `fargate-role-policy`,
  {
    role: fargateTaskRoleId,
    policy: JSON.stringify({
      Version: '2012-10-17',
      Statement: [
        {
          Action: ['s3:ListBucket', 's3:PutObject'],
          Effect: 'Allow',
          Resource: [someBucket.bucket.apply(bucket => `arn:aws:s3:::${bucket}/*`)],
        },
      ],
    }),
  },
);
```
Any help appreciated!

little-cartoon-10569

05/17/2022, 4:03 AM
This is happening because you're creating your JSON object at runtime, but the `someBucket.bucket` value isn't available until deploy time.
The minimal change to fix this is to move the JSON.stringify inside the apply(), so that the value returned from apply() is directly assigned to `policy`.
However, this is a very common problem and Pulumi have created a very elegant solution for this case of creating policy documents.
Instead of creating the JSON string, create an object of type aws.iam.PolicyDocument. This will get turned into JSON later, by Pulumi, magically.
The properties of PolicyDocument (like the Resource array) can handle Output values. This is so much easier than creating a JSON object, which can't handle Output values.
Since TypeScript knows about Pulumi's types, all you have to do is get rid of `JSON.stringify(` at the beginning, and `)` at the end. Then check your IDE for validation errors, and all should be well.

polite-king-94596

05/18/2022, 5:10 PM
thanks 🙂
is there any more documentation (beyond https://www.pulumi.com/docs/intro/concepts/inputs-outputs/) for this? I'm still confused by the workings of what can/cannot be used as resource arguments

little-cartoon-10569

05/18/2022, 8:37 PM
Probably, but it's not easy to find... we need more! (And I know that you're not the only one looking for this sort of doc, it's come up in conversation a few times recently). I had a quick look in https://www.pulumi.com/blog/, https://github.com/pulumiverse/awesome-pulumi and https://github.com/pulumi/pulumi/discussions but nothing jumped out at me. There's definitely a load of threads here in #general and #typescript that answer specific questions. I'd be up for writing (or co-writing) something on topic, though specific to TS.