https://pulumi.com logo
#python
Title
# python
f

future-france-34957

06/24/2022, 10:03 PM
Trying to define IAM Policy with dynamic resources. Here’s what I’m trying to do:
Copy code
POLICY = f"""{
                "Version": "2012-10-17",
                "Statement": [
                    {
                        "Action": [
                            "ssm:GetParameters"
                        ],
                        "Resource": [
                            "arn:aws:ssm:{aws_region}:{aws_account}:parameter/{env_stack}.api.config-location-s3"
                        ],
                        "Effect": "Allow"
                    }
                ]
            }"""

        # Custom API-Tasks ECS Role Policy
        self.api_tasks_ecs_permissions = iam.RolePolicy(
            resource_name="api-tasks-ecs-permissions",
            role=self.api_tasks_ecs_role.id,
            policy=json.dumps(POLICY)
        )
This fails with
SyntaxError: f-string: expressions nested too deeply
Anyone know how I can achieve this?
b

billowy-army-68599

06/24/2022, 10:05 PM
Any reasons you're not using json.dumps?
Also, you don't appear to have used an apply, that's gonna cause issues
f

future-france-34957

06/24/2022, 10:06 PM
I am using
json.dumps(POLICY)
b

billowy-army-68599

06/24/2022, 10:06 PM
There are examples in github.com/pulumi/examples
Yeah but you're building with an f string rather than an object
f

future-france-34957

06/24/2022, 10:08 PM
If I do
Copy code
# Custom API-Tasks ECS Role Policy
        self.api_tasks_ecs_permissions = iam.RolePolicy(
            resource_name="api-tasks-ecs-permissions",
            role=self.api_tasks_ecs_role.id,
            policy=json.dumps({
                "Version": "2012-10-17",
                "Statement": [
                    {
                        "Action": [
                            "ssm:GetParameters"
                        ],
                        "Resource": [
                            f"arn:aws:ssm:{aws_region}:{aws_account}:parameter/{env_stack}.api.config-location-s3"
                        ],
                        "Effect": "Allow"
                    }
                ]
            })
        )
It errors with:
Copy code
Error putting IAM role policy api-tasks-ecs-permissions-e425b0b: MalformedPolicyDocument: The policy failed legacy parsing
I don’t see an example of using dynamic resources in an IAM Policy in http://github.com/pulumi/examples, I just checked all the python examples
Copy code
POLICY = {
            "Version": "2012-10-17",
            "Statement": [
                {
                    "Action": [
                        "ssm:GetParameters"
                    ],
                    "Resource": [
                        "arn:aws:ssm:" + aws_region + ":" + aws_account +
                        ":parameter/" + env_stack + ".api.config-location-s3"
                    ],
                    "Effect": "Allow"
                }
            ]
        }

        # Custom API-Tasks ECS Role Policy
        self.api_tasks_ecs_permissions = iam.RolePolicy(
            resource_name="api-tasks-ecs-permissions",
            role=self.api_tasks_ecs_role.id,
            policy=json.dumps(POLICY)
        )
Gets
Copy code
TypeError: can only concatenate str (not "AwaitableGetRegionResult") to str
ohh….
aws_region = aws.get_region()
, it doesn’t return string, my bad Forgot the
.name
15 Views