1. Use aws.iam.PolicyDocument for type-safe JSON in AWS


    Certainly, you can create a type-safe IAM policy document using aws.iam.PolicyDocument. A PolicyDocument is a statement that defines an AWS IAM policy. It is defined in JSON format and the benefit of using the aws.iam.PolicyDocument object in Pulumi is that it can provide type-safety within your IAM policies.

    Here is a simple demonstration on how you might set up an aws.iam.PolicyDocument:

    import * as pulumi from "@pulumi/pulumi"; import * as aws from "@pulumi/aws"; let readS3BucketPolicyDocument = new aws.iam.PolicyDocument({ // The policy document version version: "2012-10-17", // The policy statements statements: [{ // Manage the actions this statement applies to (s3:GetObject allows read access) actions: ["s3:GetObject"], // Indicate the resource to which this policy applies (RESOURCE ARN, can be pulumi.Output) resources: ["CODE_FOR_RESOURCE_ARN"], // Applying effect to allow action on the resource effect: "Allow", }], }); let policy = new aws.iam.Policy("policy", { description: "A test policy", path: "/", policy: readS3BucketPolicyDocument.json, // policy is a pulumi.Output<string> });

    In this example, the aws.iam.PolicyDocument describes a policy that allows read access (via the s3:GetObject action) to a specified S3 bucket (you have to replace CODE_FOR_RESOURCE_ARN with your specific value).

    This policy document can then be used to create an aws.iam.Policy, which can be attached to users, groups and roles.

    Checkout the documentation on aws.iam.PolicyDocument here and aws.iam.Policy here for more information.