
I am trying to create an S3 bucket and an S3 policy using Pulumi and TypeScript. But when I run the pipeline, in the test stage I am getting the below error.

expect(received).toEqual(expected) // deep equality
- Expected  - 2
+ Received  + 2
@@ -8,12 +8,12 @@
          },
        },
        "Effect": "Deny",
        "Principal": "*",
        "Resource": Array [
-         "app-testsupun-buyapp-bucket-arn",
-         "app-testsupun-buyapp-bucket-arn/*",
+         null,
+         "undefined/*",
        ],
      },
    ],
    "Version": "2012-10-17",
  }
  137 |             Statement: [
  138 |               {
> 139 |                 Effect: 'Deny',
      |                                ^
  140 |                 Principal: '*',
  141 |                 Action: 's3:*',
  142 |                 Resource: ['app-testsupun-buyapp-bucket-arn', 'app-testsupun-buyapp-bucket-arn/*'],
  at infra/resource.unit.ts:139:32
  at node_modules/@pulumi/output.ts:440:31
  at node_modules/@pulumi/pulumi/output.js:21:71
  at Object.<anonymous>.__awaiter (node_modules/@pulumi/pulumi/output.js:17:12)
  at applyHelperAsync (node_modules/@pulumi/pulumi/output.js:257:12)
  at node_modules/@pulumi/output.ts:352:13

This indicates that null and undefined are received for the Resource argument. Below is the code I use to create the S3 and S3 Policy.

const appS3 = new s3Bucket.S3Resource('app-testsupun-buyapp-bucket', {
  bucketArgOpts: {
    args: {
      bucket: 'app-testsupun-buyapp-bucket',
      tags: {
        application: 'app',
      },
    },
  },
});

const appS3Policy = new aws.s3.BucketPolicy(
  'default-testsupun-policy',
  {
    bucket: appS3.bucket.bucket,
    policy: {
      Version: '2012-10-17',
      Statement: [
        {
          Effect: 'Deny',
          Principal: '*',
          Action: 's3:*',
          Resource: [
            /* pulumi.output(appS3.bucket.bucket).apply(() => `arn:aws:s3:::${bucketname}/*`), */
            appS3.bucket.arn,
            pulumi.interpolate`${appS3.bucket.arn}/*`,
          ],
          Condition: {
            Bool: {
              'aws:SecureTransport': 'false',
            },
          },
        },
      ],
    },
  },
  {
    dependsOn: [appS3],
  },
);

2 Answers

  1. I think you should change dependsOn from [appS3] to [appS3.bucket].

    It looks like appS3 doesn’t extend from the class Resource and your dependsOn doesn’t work properly. When you apply your changes in test mode, Pulumi can’t properly find your dependents between the resources.

  2. Use Pulumi’s apply() function to ensure the ARN is properly resolved before it’s used in the policy:

    const appS3Policy = new aws.s3.BucketPolicy('default-testsupun-policy', {
      bucket: appS3.bucket.bucket,
      policy: appS3.bucket.arn.apply(arn => JSON.stringify({
        Version: '2012-10-17',
        Statement: [
          {
            Effect: 'Deny',
            Principal: '*',
            Action: 's3:*',
            Resource: [
              arn,
              `${arn}/*`,
            ],
            Condition: {
              Bool: {
                'aws:SecureTransport': 'false',
              },
            },
          },
        ],
      })),
    }, {
      dependsOn: [appS3],
    });
    

    This ensures the ARN is available at runtime when the policy is being created.

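The failure in the question leaves a TLS-only Deny statement whose `Resource` entries are `null` and `"undefined/*"`, so it no longer names the bucket at all. The following is an added example, not code from the original post or from Pulumi: a hypothetical helper, `checkTlsOnlyPolicy`, that inspects a rendered policy document for unresolved resources and for coverage of both the bucket and its objects, run over constructed input modelled on the test output above.

```typescript
// Added example, not from the original post. Flags policy Resources that never resolved.
type Statement = {
  Effect: string;
  Principal?: unknown;
  Action: string | string[];
  Resource: unknown;
  Condition?: Record<string, Record<string, string>>;
};
type PolicyDoc = { Version: string; Statement: Statement[] };

// Hypothetical helper: returns a list of problems; an empty list means the policy passed.
function checkTlsOnlyPolicy(policy: PolicyDoc, bucketArn: string): string[] {
  const problems: string[] = [];
  const covered = new Set<string>();
  policy.Statement.forEach((st, i) => {
    const resources: unknown[] = Array.isArray(st.Resource) ? st.Resource : [st.Resource];
    const denyInsecure =
      st.Effect === 'Deny' && st.Condition?.Bool?.['aws:SecureTransport'] === 'false';
    for (const r of resources) {
      // In the failing test output a missing ARN appears as null or as the text "undefined/*".
      if (typeof r !== 'string' || r === '' || /^(undefined|null)(\/|$)/.test(r)) {
        problems.push(`Statement[${i}]: unresolved Resource ${JSON.stringify(r)}`);
      } else if (denyInsecure) {
        covered.add(r);
      }
    }
  });
  // The deny must name the bucket itself and every object under it.
  for (const need of [bucketArn, `${bucketArn}/*`]) {
    if (!covered.has(need)) problems.push(`no Deny on insecure transport covers ${need}`);
  }
  return problems;
}

// Constructed sample input, shaped like the policy in the question.
function samplePolicy(resources: unknown[]): PolicyDoc {
  return {
    Version: '2012-10-17',
    Statement: [{
      Effect: 'Deny',
      Principal: '*',
      Action: 's3:*',
      Resource: resources,
      Condition: { Bool: { 'aws:SecureTransport': 'false' } },
    }],
  };
}
const BUCKET_ARN = 'app-testsupun-buyapp-bucket-arn'; // mock ARN the question's test expects
const expectedPolicy = samplePolicy([BUCKET_ARN, `${BUCKET_ARN}/*`]);
const receivedPolicy = samplePolicy([null, 'undefined/*']);
console.log(checkTlsOnlyPolicy(expectedPolicy, BUCKET_ARN)); // no problems
console.log(checkTlsOnlyPolicy(receivedPolicy, BUCKET_ARN)); // unresolved and uncovered entries
```
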