
billowy-needle-56870

01/12/2023, 10:29 PM
Hi. I am trying to create an acs policy for a service, and I need to give it access to a role I am also creating in the same Pulumi template. How can I make it so that when creating a policy it uses the ARN of an element?
s3Bucket, err := s3.NewBucket(ctx, "demo", &s3.BucketArgs{})
if err != nil {
	return err
}
// s3Bucket.ARN is written inside the string literal here, so it is never interpolated
_, err = iam.NewPolicy(ctx, "demo", &iam.PolicyArgs{
	Policy: pulumi.Sprintf(`{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "VisualEditor0",
            "Effect": "Allow",
            "Action": "s3:GetObject",
            "Resource": s3Bucket.ARN
        }
    ]
}`),
})

billowy-army-68599

01/12/2023, 10:38 PM
try:
s3Bucket, err := s3.NewBucket(ctx, "demo", &s3.BucketArgs{})
if err != nil {
	return err
}
// The %s verb is filled in from the bucket's Arn output once it resolves. It must be
// quoted to stay valid JSON, and s3:GetObject is evaluated against object ARNs, so the
// bucket ARN gets a /* suffix.
_, err = iam.NewPolicy(ctx, "demo", &iam.PolicyArgs{
	Policy: pulumi.Sprintf(`{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "VisualEditor0",
            "Effect": "Allow",
            "Action": "s3:GetObject",
            "Resource": "%s/*"
        }
    ]
}`, s3Bucket.Arn),
})
if err != nil {
	return err
}

billowy-needle-56870

01/13/2023, 2:53 PM
I have tested it and it seems to be wrong,
// current is the result of aws.GetCallerIdentity(ctx, nil, nil); AccountId is a string, so %s is the matching verb
policy := pulumi.JSONMarshal(map[string]interface{}{
	"Id":      "demo-policy",
	"Version": "2012-10-17",
	"Statement": []interface{}{
		map[string]interface{}{
			"Sid": "Enable IAM User Permissions",
			"Principal": map[string]interface{}{
				"AWS": pulumi.Sprintf("arn:aws:iam::%s:root", current.AccountId),
			},
			"Action": "ec2:*",
			"Effect": "Allow",
		},
	},
})
The policy comes out like this:
"Principal": {
    "AWS": "arn:aws:iam::%!d(string=123123123131):root"
},

billowy-army-68599

01/13/2023, 3:47 PM
you’re trying to interpolate an int as a string. use %d instead

billowy-needle-56870

01/13/2023, 3:48 PM
Thanks!
Typical of being obsessed with looking for the needle in the haystack.

gifted-fall-44000

01/14/2023, 9:29 PM
I would highly suggest making use of iam.GetPolicyDocument instead of trying to format a string within your code.
Avoids having to do the JSONMarshal stuff as well

billowy-needle-56870

01/17/2023, 3:39 PM
I am testing it, and the truth is that although the example in the documentation looks fine to me for simple things, I see that it is excessively complicated for some cases. Most of the time you always have to be checking whether an error has occurred, but if you do it the JSONMarshal way, that wasn't necessary.

gifted-fall-44000

01/17/2023, 4:12 PM
Generally speaking, you should be handling your errors; if you didn't want to, maybe golang wasn't the right choice.