# golang
t
I’m attempting to create an AWS IAM policy and provide the resulting ARN to a Role. Using Go + Pulumi it seems I must write custom code to take the Pulumi output value from one resource so it can be provided as an input to another resource which expects Go native types. The same scenario seems to exist for values I extract with the ApplyT method on previously created resources. Am I headed in the right direction or is there a simpler way?
l
Usually the outputs will have Arn() and/or ID() helper functions to facilitate this, and there is also the handy pulumi.Sprintf() when you need to combine output strings into something else. I tend to prefer those where possible, but there are sometimes situations where that's not possible and using Apply() directly is the only way to go.
E.g. here's a code block I have for setting up a lambda permission for api gateway:
permissionArgs := &lambda.PermissionArgs{
                Action:    pulumi.String("lambda:InvokeFunction"),
                Function:  lambdaFunc.Arn,
                Principal: pulumi.String("apigateway.amazonaws.com"),
                SourceArn: pulumi.Sprintf("arn:aws:execute-api:%v:%v:%v/*",
                        region, accountId, apiGw.ID()),
        }
        _, err = lambda.NewPermission(ctx, "lambda-perm", permissionArgs)
        if err != nil {
                return err
        }
where lambdaFunc and apiGw were outputs from earlier pulumi operations.
f
I think PolicyArns in piam.RoleArgs should expect a pulumi.StringArrayOutput. The pulumi.ToStringArray requires plain strings, yes, but there's also an Output version of it that expects an array of StringOutput. So this should work:
...
	PolicyArns: pulumi.ToStringArrayOutput(
			[]pulumi.StringOutput{acmeDNS01Policy.Arn}),
	}
...
t
@fierce-ability-58936 Thank you for that advice, that does seem to have helped as I’m no longer getting compile errors. When I attempt to provision the stack though I’m now receiving an error:
error: an unhandled error occurred: waiting for RPCs: rpc error: code = Unknown desc = setting args: copying input "role": expected destination type to implement pulumi.Input or pulumi.Output, got utils.RoleArgs
I’ve attempted to change my code according to what the error is reporting:
_, err = piam.NewAssumableRoleWithOIDC(ctx, eksID+"-cert-manager", &piam.AssumableRoleWithOIDCArgs{
	Role: piam.RolePtr(
		&piam.RoleArgs{
			Name:       pulumi.String(eksID + "-cert-manager"),
			PolicyArns: pulumi.ToStringArrayOutput([]pulumi.StringOutput{acmeDNS01Policy.Arn}),
		}),
	ProviderUrls: pulumi.ToStringArrayOutput([]pulumi.StringOutput{oidcPolicyURL}),
	Tags: pulumi.StringMap{
		"Owner":       pulumi.String(event.User),
		"EKS cluster": pulumi.String(eksID),
	},
}, pulumi.DependsOn([]pulumi.Resource{eksCluster}))
I’m really struggling with this resource and have not been able to find any other examples other than what is provided in the resource docs.
f
Can't test right now but the doc says
Role: iam.RoleArgs{
                Name:       pulumi.String("oidc-role"),
                PolicyArns: pulumi.ToStringArray([]string{"arn:aws:iam::aws:policy/AmazonEKS_CNI_Policy"}),
            },
So there's no extra RolePtr, maybe that causes the issue.
t
I added RolePtr because I was getting that error. FWIW, I get the same error both ways 🤷