Trying to define IAM Policy with dynamic resources...
# python
f
Trying to define IAM Policy with dynamic resources. Here’s what I’m trying to do:
POLICY = f"""{
                "Version": "2012-10-17",
                "Statement": [
                    {
                        "Action": [
                            "ssm:GetParameters"
                        ],
                        "Resource": [
                            "arn:aws:ssm:{aws_region}:{aws_account}:parameter/{env_stack}.api.config-location-s3"
                        ],
                        "Effect": "Allow"
                    }
                ]
            }"""

        # Custom API-Tasks ECS Role Policy
        self.api_tasks_ecs_permissions = iam.RolePolicy(
            resource_name="api-tasks-ecs-permissions",
            role=self.api_tasks_ecs_role.id,
            policy=json.dumps(POLICY)
        )
This fails with
SyntaxError: f-string: expressions nested too deeply
Anyone know how I can achieve this?
b
Any reasons you're not using json.dumps?
Also, you don't appear to have used an apply, that's gonna cause issues
f
I am using json.dumps(POLICY)
b
There are examples in github.com/pulumi/examples
Yeah but you're building with an f string rather than an object
f
If I do
# Custom API-Tasks ECS Role Policy
        self.api_tasks_ecs_permissions = iam.RolePolicy(
            resource_name="api-tasks-ecs-permissions",
            role=self.api_tasks_ecs_role.id,
            policy=json.dumps({
                "Version": "2012-10-17",
                "Statement": [
                    {
                        "Action": [
                            "ssm:GetParameters"
                        ],
                        "Resource": [
                            f"arn:aws:ssm:{aws_region}:{aws_account}:parameter/{env_stack}.api.config-location-s3"
                        ],
                        "Effect": "Allow"
                    }
                ]
            })
        )
It errors with:
Error putting IAM role policy api-tasks-ecs-permissions-e425b0b: MalformedPolicyDocument: The policy failed legacy parsing
I don’t see an example of using dynamic resources in an IAM Policy in http://github.com/pulumi/examples, I just checked all the python examples
POLICY = {
            "Version": "2012-10-17",
            "Statement": [
                {
                    "Action": [
                        "ssm:GetParameters"
                    ],
                    "Resource": [
                        "arn:aws:ssm:" + aws_region + ":" + aws_account +
                        ":parameter/" + env_stack + ".api.config-location-s3"
                    ],
                    "Effect": "Allow"
                }
            ]
        }

        # Custom API-Tasks ECS Role Policy
        self.api_tasks_ecs_permissions = iam.RolePolicy(
            resource_name="api-tasks-ecs-permissions",
            role=self.api_tasks_ecs_role.id,
            policy=json.dumps(POLICY)
        )
Gets
TypeError: can only concatenate str (not "AwaitableGetRegionResult") to str
ohh…. aws_region = aws.get_region(), it doesn’t return string, my bad
Forgot the .name