
most-airline-68480

06/06/2022, 9:24 PM
Help with AWS IAM policies. Hi everyone! I’m a bit stuck with IAM policy creation using pulumi AWS. The policy document as described here should be a string; however, if you want to restrict it to a specific resource you created before, you need to convert the resource ARN to a string. I looked into the examples in the doc but they are not very helpful with that. What are the options here to pass the resource ARN you created to a policy document (or in other words convert pulumi.StringOutput to string)?

fierce-ability-58936

06/07/2022, 2:35 AM
You can wrap it into a helper function (or a lambda), like this
def _make_ecr_policy(repo_arn: str) -> str:
        return json.dumps(
            {
                "Version": "2012-10-17",
                "Statement": [
and then
aws.iam.Policy(
        "repo_access",
        name=f"{pulumi.get_project()}-repo-access",
        policy=repo.arn.apply(_make_ecr_policy),
        opts=pulumi.ResourceOptions(parent=repo),
    )
or use https://www.pulumi.com/registry/packages/aws/api-docs/iam/getpolicydocument/
(Python examples, sorry, but I guess it'll be quite similar in Go)

most-airline-68480

06/07/2022, 6:17 AM
Yeah, I can see how it can be used with python, but in the case of golang it seems more complicated and requires messing around with reflection because the applyT return type is pulumi.StringOutput (I cannot just say the return type is string, as one of the examples in the doc shows).

fierce-ability-58936

06/07/2022, 6:27 AM
I have it ugly! Have no idea how canonical it is but this works https://pastebin.com/Bkasv0cq

most-airline-68480

06/07/2022, 9:00 PM
Thank you, @fierce-ability-58936! I probably wanted to do it with a slightly different approach. What I’ve learned so far is that I need a bit of a shift in thinking to be more pulumi idiomatic 🙂

fierce-ability-58936

06/07/2022, 9:01 PM