Channels
pulumi-ai
package-authoring
pulumi-cdk
oracle-cloud-infrastructure
learn-pulumi-events
linen
registry
built-with-pulumi
pulumi-cloud
contribex
testingtesting321
hacktoberfest
cloudengineering
yaml
pulumi-crosscode
content-share
finops
multi-language-hackathon
office-hours
workshops
blog-posts
localstack
welcome
gitlab
pulumi-kubernetes-operator
jobs
aws
pulumi-deployments
dotnet
golang
announcements
java
pulumiverse
python
install
getting-started
cloudengineering-support
testingtesting123
hackathon-03-19-2020
typescript
google-cloud
contribute
azure
kubernetes
docs
automation-api
status
general
Title
p
polite-king-94596
05/17/2022, 3:53 AMhey team, I'm running into some problems trying to add a RolePolicy with S3 permissions to an existing Role.
The error comes back with:
* Error putting IAM role policy fargate-role-policy: MalformedPolicyDocument: Partition "
1" is not valid for resource "arn:
1: o.apply(v => v.toJSON())
2: o.apply(v => JSON.stringify(v))const fargateTaskRole = fargateTaskDefinition.taskRole;
const fargateTaskRoleId = fargateTaskRole!.id
const fargateRolePolicy = new aws.iam.RolePolicy(
`fargate-role-policy`,
{
role: fargateTaskRoleId,
policy: JSON.stringify({
Version: '2012-10-17',
Statement: [
{
Action: ['s3:ListBucket', 's3:PutObject'],
Effect: 'Allow',
Resource: [someBucket.bucket.apply(bucket => "arn:aws:s3:::${bucket}/*")],
},
],
}),
},
);l
little-cartoon-10569
05/17/2022, 4:03 AMThis is happening because you're creating your JSON object at runtime, but the
someBucket.bucketThe minimal change to fix this is to move the JSON.stringify inside the apply(), so that the value returned from apply() is directly assigned to
policyHowever, this is a very common problem and Pulumi have created a very elegant solution for this case of creating policy documents.
Instead of creating the JSON string, create an object of type aws.iam.PolicyDocument. This will get turned into JSON later, by Pulumi, magically.
The properties of PolicyDocument (like the Resource array) can handle Output values. This is so much easier than creating a JSON object, which can't handle Output values.
Since Typescript knows about Pulumi's types, all you have to do is get rid of
JSON.stringify()🎉 1
🙌 1
p
polite-king-94596
05/18/2022, 5:10 PMthanks 🙂
is there any more documentation (beyond https://www.pulumi.com/docs/intro/concepts/inputs-outputs/) for this? I'm still confused by the workings by what can/cannot be used as resource arguments
l
little-cartoon-10569
05/18/2022, 8:37 PMProbably, but it's not easy to find.. we need more! (And I know that at you're not the only one looking for this sort of doc, it's come up in conversation a few times recently). I had a quick look in https://www.pulumi.com/blog/, https://github.com/pulumiverse/awesome-pulumi and https://github.com/pulumi/pulumi/discussions but nothing jumped out at me. There's definitely a load of threads here in #general and #typescript that answer specific questions. I'd be up for writing (or co-writing) something on topic, though specific to TS.