# aws
p
hey all, just learned about policy documents and how if we don't json.stringify the docs when inlining it in a RolePolicy args, pulumi will do this for you. This has an advantage of allowing you to use Pulumi Input/Output types in policy documents too. However, I don't see any documentation for this, and I was wondering if anyone had seen one or if it's something that was rolled out recently and is in some blog post?
v
if you’re using TypeScript (which I'm guessing you are due to the json.stringify reference) you can create an object which is of type iam.PolicyDocument and looks much tidier and easier to work with than json stringify… see example:
const examplePolicyDocument: iam.PolicyDocument = {
  Version: '2012-10-17',
  Statement: [
    {
      Effect: 'Allow',
      Action: ['s3:GetBucketAcl', 's3:ListBucket', 's3:PutObject'],
      Resource: [pulumi.interpolate`${bucket.arn}`, pulumi.interpolate`${bucket.arn}/*`],
    },
  ],
};
and you can use like this:
new iam.RolePolicy(
  'exampleRolePolicy',
  {
    role: exampleRole.id,
    policy: examplePolicyDocument,
  },
);
p
oh I see, it's defined as a type, and not a resource in the pulumi/aws lib
l
FYI @victorious-church-57397: pulumi.interpolate`${bucket.arn}` can be rewritten as bucket.arn.
v
The bucket in question is imported from a different file so had to use interpolate
l
If bucket is an object and bucket.arn is an ARN, then you don't need interpolate. interpolate is just a convenience function for s.apply(s => s.toString()). With interpolation added, obviously 🙂
v
Yeah, aware of that cheers mate but was getting an error suggesting that we used interpolate so just followed the docs! Normally just use the object where I can