I m attempting to create an AWS IAM policy and provide the r Pulumi Community #golang

I’m attempting to create an AWS IAM policy and pro...

thousands-train-46386

12/06/2022, 3:29 PM

I’m attempting to create an AWS IAM policy and provide the resulting ARN to a Role. Using Go + Pulumi it seems I must write custom code to take the Pulumi output value from one resource so it can be provided as an input to another resource which expects Go native types. The same scenario seems to exist for values I extract with the

ApplyT

method on previously created resources. Am I headed in the right direction or is there a simpler way?

little-soccer-5693

12/06/2022, 6:54 PM

usually the outputs will have an Arn() and/or ID() helper functions to facilitate this, and there is also the handy pulumi.Sprintf() when you need to combine output strings into something else. I tend to prefer those where possible, but there are sometimes situations where that's not possible and using Apply() directly is the only way to go.

little-soccer-5693

12/06/2022, 6:58 PM

e.g. here's a code block i have for setting up a lambda permission for api gateway:

Copy code

permissionArgs := &lambda.PermissionArgs{
                Action:    pulumi.String("lambda:InvokeFunction"),
                Function:  lambdaFunc.Arn,
                Principal: pulumi.String("<http://apigateway.amazonaws.com|apigateway.amazonaws.com>"),
                SourceArn: pulumi.Sprintf("arn:aws:execute-api:%v:%v:%v/*",
                        region, accountId, apiGw.ID()),
        }
        _, err = lambda.NewPermission(ctx, "lambda-perm", permissionArgs)
        if err != nil {
                return err
        }

where lambdaFunc and apiGw were outputs from earlier pulumi operations.

fierce-ability-58936

12/06/2022, 8:17 PM

I think PolicyArns in piam.RoleArgs should expect a

pulumi.StringArrayOutput

The

pulumi.ToStringArray

requires plain strings, yes, but there's also an Output version of it that expects an array of StringOutput. So this should work:

Copy code

...
	PolicyArns: pulumi.ToStringArrayOutput(
			[]pulumi.StringOutput{acmeDNS01Policy.Arn}),
	}
...

thousands-train-46386

12/07/2022, 1:51 PM

@fierce-ability-58936 Thank you for that advice, that does seem to have helped as I’m no longer getting compile errors. When I attempt to provision the stack though I’m now receiving an error:

Copy code

error: an unhandled error occurred: waiting for RPCs: rpc error: code = Unknown desc = setting args: copying input "role": expected destination type to implement pulumi.Input or pulumi.Output, got utils.RoleArgs

I’ve attempt to change my code according to what the error is reporting:

Copy code

_, err = piam.NewAssumableRoleWithOIDC(ctx, eksID+"-cert-manager", &piam.AssumableRoleWithOIDCArgs{
	Role: piam.RolePtr(
		&piam.RoleArgs{
			Name:       pulumi.String(eksID + "-cert-manager"),
			PolicyArns: pulumi.ToStringArrayOutput([]pulumi.StringOutput{acmeDNS01Policy.Arn}),
		}),
	ProviderUrls: pulumi.ToStringArrayOutput([]pulumi.StringOutput{oidcPolicyURL}),
	Tags: pulumi.StringMap{
		"Owner":       pulumi.String(event.User),
		"EKS cluster": pulumi.String(eksID),
    },
}, pulumi.DependsOn([]pulumi.Resource{eksCluster}))

I’m really struggling with this resource and have not been able to find an other examples other than what is provided in the resource docs

fierce-ability-58936

12/07/2022, 7:33 PM

Can't test right now but the doc says

Copy code

Role: iam.RoleArgs{
                Name:       pulumi.String("oidc-role"),
                PolicyArns: pulumi.ToStringArray([]string{"arn:aws:iam::aws:policy/AmazonEKS_CNI_Policy"}),
            },

So there's no extra RolePtr, maybe that causes the issue.

thousands-train-46386

12/07/2022, 8:29 PM

I added

RolePtr

because I was getting that error. FWIW, I get the same error both ways 🤷

191 Views

Open in Slack

Previous Next