1. Use aws.iam.PolicyDocument for type-safe JSON in AWS

    TypeScript

    You can write a type-safe IAM policy document with aws.iam.PolicyDocument. Note that it is not a resource: it is a TypeScript interface exported by @pulumi/aws that describes the shape of an IAM policy JSON document (Version, Statement, and within each statement Effect, Action, Resource, Principal, Condition, and so on). Annotating an object literal with it makes the TypeScript compiler reject a misspelled key, an invalid Version string, or an Effect other than "Allow" or "Deny" before pulumi up ever contacts AWS. If you would rather build the document from Pulumi inputs that are only known after deployment (a bucket ARN, for example), the aws.iam.getPolicyDocumentOutput function does the same job and returns the JSON as a pulumi.Output<string>.

    Here is a simple demonstration on how you might set up an aws.iam.PolicyDocument:

    import * as aws from "@pulumi/aws";

    // aws.iam.PolicyDocument is an interface, not a resource, so the document is a plain
    // object literal; the type annotation is what gives you compile-time checking.
    const readS3BucketPolicyDocument: aws.iam.PolicyDocument = {
        // The policy document version (only "2012-10-17" or "2008-10-17" type-check)
        Version: "2012-10-17",
        // The policy statements
        Statement: [{
            // Applying effect to allow the action on the resource
            Effect: "Allow",
            // The actions this statement applies to (s3:GetObject allows read access)
            Action: ["s3:GetObject"],
            // The resource ARN(s) this statement applies to; replace the placeholder with
            // an object ARN such as arn:aws:s3:::your-bucket/*
            Resource: ["CODE_FOR_RESOURCE_ARN"],
        }],
    };

    const policy = new aws.iam.Policy("policy", {
        description: "A test policy",
        path: "/",
        // aws.iam.Policy takes the document as a JSON string. If the ARN comes from another
        // resource (e.g. bucket.arn, a pulumi.Output), build the string inside an apply:
        // bucket.arn.apply(arn => JSON.stringify({ ... Resource: [`${arn}/*`] ... }))
        policy: JSON.stringify(readS3BucketPolicyDocument),
    });

    In this example, the object typed as aws.iam.PolicyDocument describes a policy that allows read access (via the s3:GetObject action) to the objects identified by the Resource ARN (you have to replace CODE_FOR_RESOURCE_ARN with your specific value). Because the aws.iam.Policy resource accepts the policy as a JSON string, the object is serialised with JSON.stringify; do not pass a pulumi.Output (such as bucket.arn) straight into the object, since JSON.stringify would serialise the Output wrapper rather than the ARN.

    This policy document can then be used to create an aws.iam.Policy, which can be attached to users, groups and roles.
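    The type annotation only guarantees that the JSON is well-formed; a statement with Action "s3:*" and Resource "*" type-checks just as cleanly as the one above. The following is an added example (not part of the original answer or of @pulumi/aws) showing a typed builder for a least-privilege read-only bucket policy together with a check that refuses wildcard grants before the JSON reaches aws.iam.Policy. The PolicyDocument and PolicyStatement interfaces are a local copy of the shape @pulumi/aws exports as aws.iam.PolicyDocument, so the file runs without the provider installed; in a real program import them from "@pulumi/aws" instead. The bucket ARN is a constructed sample value.

```typescript
// Local copy of the aws.iam.PolicyDocument shape (assumption: mirrors @pulumi/aws so this
// runs stand-alone; use the provider's interfaces in a real Pulumi program).
type Effect = "Allow" | "Deny";

interface PolicyStatement {
    Sid?: string;
    Effect: Effect;
    Action?: string | string[];
    Resource?: string | string[];
    Condition?: Record<string, Record<string, string | string[]>>;
}

interface PolicyDocument {
    Version: "2012-10-17" | "2008-10-17";
    Statement: PolicyStatement[];
}

// Build a read-only policy for one bucket: ListBucket on the bucket ARN itself,
// GetObject on the object ARNs only. The return type makes the compiler check every key.
function readOnlyBucketPolicy(bucketArn: string): PolicyDocument {
    return {
        Version: "2012-10-17",
        Statement: [
            {
                Sid: "ListBucket",
                Effect: "Allow",
                Action: ["s3:ListBucket"],
                Resource: bucketArn,
            },
            {
                Sid: "ReadObjects",
                Effect: "Allow",
                Action: ["s3:GetObject"],
                Resource: `${bucketArn}/*`,
            },
        ],
    };
}

// Action and Resource may be a single string or a list; normalise to a list.
function asList(v: string | string[] | undefined): string[] {
    return v === undefined ? [] : Array.isArray(v) ? v : [v];
}

// Type-checking says nothing about blast radius. Report Allow statements that grant
// "*" or "service:*" actions, or that apply to every resource. Deny statements are
// skipped because a wildcard Deny narrows rather than widens access.
function findOverlyBroadStatements(doc: PolicyDocument): string[] {
    const findings: string[] = [];
    doc.Statement.forEach((s, i) => {
        if (s.Effect !== "Allow") return;
        const name = s.Sid ?? `Statement[${i}]`;
        const wildAction = asList(s.Action).some(a => a === "*" || a.slice(-2) === ":*");
        const wildResource = asList(s.Resource).some(r => r === "*");
        if (wildAction) findings.push(`${name}: wildcard action`);
        if (wildResource) findings.push(`${name}: wildcard resource`);
    });
    return findings;
}

// Serialise for aws.iam.Policy's `policy` argument, throwing instead of emitting a
// document the check rejected so the broad grant never reaches `pulumi up`.
function toPolicyJson(doc: PolicyDocument): string {
    const findings = findOverlyBroadStatements(doc);
    if (findings.length > 0) {
        throw new Error(`refusing to emit overly broad policy: ${findings.join("; ")}`);
    }
    return JSON.stringify(doc);
}

// Constructed sample input: a hypothetical bucket ARN.
const sampleBucketArn = "arn:aws:s3:::example-reports-bucket";
const policyJson = toPolicyJson(readOnlyBucketPolicy(sampleBucketArn));
console.log(policyJson);
```

    In a Pulumi program the string returned by toPolicyJson goes straight into `new aws.iam.Policy("read-reports", { policy: toPolicyJson(readOnlyBucketPolicy(arn)) })`; when the ARN is a pulumi.Output, wrap the call in `bucket.arn.apply(arn => toPolicyJson(readOnlyBucketPolicy(arn)))`.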

    Check out the Pulumi documentation for aws.iam.PolicyDocument, aws.iam.getPolicyDocument and aws.iam.Policy for more information.