best-summer-38252
02/22/2023, 11:52 PMconst appServiceAccount = new gcp.serviceaccount.Account(camelcase(APP_NAME + "-SA"), {
accountId: kebabcase(APP_NAME),
displayName: startcase(APP_NAME),
});
const appAuthz = gcp.organizations.getIAMPolicy({
bindings: [
{
role: "roles/workflows.invoker",
members: [`${appServiceAccount.email}`],
},
],
});
const appIAM = new gcp.serviceaccount.IAMPolicy("appSAIAM", {
serviceAccountId: appServiceAccount.name,
policyData: appAuthz.then((admin) => admin.policyData),
});
Ive tried, serviceAccountId: appServiceAccount.name.apply((n) => ${n}
) and ``${appServiceAccount.name}`` etc. What am I missing?little-cartoon-10569
02/22/2023, 11:56 PMappServiceAccount.name
is an output, and handles it accordingly. You have to do the same.console.log(appServiceAccount.name.apply((n) => `${n}`)
You need to do your work inside the apply:
appServiceAccount.name.apply((n) => console.log(`${n}`))
best-summer-38252
02/23/2023, 12:03 AMlittle-cartoon-10569
02/23/2023, 12:24 AMbest-summer-38252
02/23/2023, 12:43 AMconst appIAM = new gcp.serviceaccount.IAMPolicy("appSAIAM", {
serviceAccountId: appServiceAccount.name,
policyData: appAuthz.then((admin) => admin.policyData),
});
The example's code:
const admin_account_iam = new gcp.serviceaccount.IAMPolicy("admin-account-iam", {
serviceAccountId: sa.name,
policyData: admin.then(admin => admin.policyData),
});
little-cartoon-10569
02/23/2023, 1:05 AMadmin.then(...)
is returning a Promise. I'm guessing that appAuthz's policyData property is an Output? If it is, then you're setting the policyData property to be a value of type Promise<Output<string>
. I'm not certain on this, but I think that Pulumi's magic lifting capabilities don't work on Promises, so the value resolved for policyData is of type Output<string>
, instead of string
.
If I'm right, the best fixes are either to not use a Promise at all (change to an Input or Output), or change appAuthz.policyData
to return a string. Assuming that this latter is impossible (it probably is), then the easiest fix is this:
const appIAM = new gcp.serviceaccount.IAMPolicy("appSAIAM", {
serviceAccountId: appServiceAccount.name,
policyData: pulumi.output(appAuthz).policyData,
});
best-summer-38252
02/23/2023, 1:11 AMlittle-cartoon-10569
02/23/2023, 1:20 AMbest-summer-38252
02/23/2023, 1:27 AMgcp.serviceaccount.IAMPolicy
but the getIAMPolicy
const appAuthz = gcp.organizations.getIAMPolicy({
bindings: [
{
role: "roles/workflows.invoker",
members: appServiceAccount.email.apply(email => [`serviceAccount:${email}`]),
},
],
});
And I cant just do the entire bindings array in the apply() scope nor whole args object:
const appAuthz = gcp.organizations.getIAMPolicy(
appServiceAccount.email.apply(email => ({
bindings: [{
role: "roles/workflows.invoker",
members: [`serviceAccount:${email}`]
}]
}))
);
little-cartoon-10569
02/23/2023, 8:52 PMconst appAuthz = gcp.organizations.getIAMPolicy(
appServiceAccount.email.apply(email => ({
bindings: [{
role: "roles/workflows.invoker",
members: [`serviceAccount:${email}`]
}]
}))
);
To this:
const appAuthz = appServiceAccount.email.apply(email => {
return gcp.organizations.getIAMPolicy(
{
bindings: [{
role: "roles/workflows.invoker",
members: [`serviceAccount:${email}`]
}]
});
});
(Or something like that; code not checked, compiled, linted or anythiing 🙂 )