Looking for some more guidance on inputs to a resource 🙂 . I’m wanting to create an AWS IAM policy using the

iam.GetPolicyDocument

resource. In the policy statement, I need to provide a federated principle with an identifier value of an ARN provided by resource created earlier in the stack:

myPolicy, err := iam.GetPolicyDocument(ctx, &iam.GetPolicyDocumentArgs{
	Statements: []iam.GetPolicyDocumentStatement{
		{
			Sid:    pulumi.StringRef(""),
			Effect: pulumi.StringRef("Allow"),
			Principals: []iam.GetPolicyDocumentStatementPrincipal{
				{
					Type:        "Federated",
					Identifiers: <ARN>, // <----- this input
				},
			},
.......
})

The field

Identifiers

takes in a slice of strings but I’m needing to provide an ARN value which is not known until earlier stack resources are created and presented in type

pulumi.StringOutput

. Is this possible?

my first instinct would be to try pulumi.StringArray{res.Arn} and if that didn't work try pulumi.StringArray{pulumi.String(pulumi.Sprintf("%v", res.Arn)))

I was thinking along the same lines however when attempting to use a type like

pulumi.StringArray

(or any pulumi custom type which allows a pulumi output) there is a compile error:

cannot use (pulumi.StringArray literal) (value of type pulumi.StringArray) as []string value in struct literal

I believe this indicates I must construct a string slice from pulumi output types in order to configure this resource?

The rule of thumb for me is whenever you have a non-resolved variable of *Output type, there are 2 options: 1. Use variable.ApplyT(...) and in the inner function you'll have that plain value. 2. Use the *Output version of the resource - many if not all resources have it. I.e. in this case iam.GetPolicyDocument accepts only plain resolved inputs, whereas there's also iam.GetPolicyDocumentOutput which accepts Outputs. It can be a hassle to get the right types all together, and it's quite counter-intuitive, at least for me, so I often have to dive into the sdk source code. Long story short, your example can be written as

var arns pulumi.StringArrayOutput = pulumi.ToStringArrayOutput([]pulumi.StringOutput{
        arn1,
        arn2,
    },
    )
    iam.GetPolicyDocumentOutput(ctx, iam.GetPolicyDocumentOutputArgs{
        Statements: iam.GetPolicyDocumentStatementArray{
            iam.GetPolicyDocumentStatementArgs{
                Sid:    pulumi.String(""),
                Effect: pulumi.String("Allow"),
                Principals: iam.GetPolicyDocumentStatementPrincipalArray{
                    iam.GetPolicyDocumentStatementPrincipalArgs{
                        Type:        pulumi.String("Federated"),
                        Identifiers: arns, // <- pulumi.StringArrayOutput here
                    },
                },
            },
        },
    })

it compiles for me, but I didn't test it.

@thousands-train-46386 the following compiles for me:

iam.GetPolicyDocumentOutput(ctx, iam.GetPolicyDocumentOutputArgs{
		Statements: iam.GetPolicyDocumentStatementArray{
			iam.GetPolicyDocumentStatementArgs{
				Sid:    pulumi.String(""),
				Effect: pulumi.String("Allow"),
				Principals: iam.GetPolicyDocumentStatementPrincipalArray{
					iam.GetPolicyDocumentStatementPrincipalArgs{
						Type:        pulumi.String("Federated"),
						Identifiers: pulumi.StringArray{res.Arn},
					},
				},
			},
		},
	})

where iam is version 5: import "github.com/pulumi/pulumi-aws/sdk/v5/go/aws/iam"

@fierce-ability-58936 @little-soccer-5693 thank you both very much for your guidance, I wasn’t aware of the Output versions for resources (jumped right over that detail in the docs) and it’s starting to make more sense to me. I’ve successfully implemented this functionality and am grateful for the insight you both have provided. :thank-you: :thank-you: :thank-you: