aws.amp.ResourcePolicy
Manages an Amazon Managed Service for Prometheus (AMP) Resource Policy.
Resource-based policies allow you to grant permissions to other AWS accounts or services to access your Prometheus workspace. This enables cross-account access and fine-grained permissions for workspace sharing.
Example Usage
Basic Resource Policy
import * as pulumi from "@pulumi/pulumi";
import * as aws from "@pulumi/aws";
// Workspace whose access is being granted; the policy below is scoped to this workspace's ARN.
const exampleWorkspace = new aws.amp.Workspace("example", {alias: "example-workspace"});
// Identity of the credentials running this program; its account ID is the only principal.
const current = aws.getCallerIdentity({});
// Build the policy document once both the caller identity and the workspace ARN are resolved.
const example = pulumi.all([current, exampleWorkspace.arn]).apply(([current, arn]) => aws.iam.getPolicyDocumentOutput({
statements: [{
effect: "Allow",
principals: [{
type: "AWS",
// A bare account ID names the whole account, not a single role or user.
identifiers: [current.accountId],
}],
// Grants write (RemoteWrite) as well as read access; keep only the actions the consumer needs.
actions: [
"aps:RemoteWrite",
"aps:QueryMetrics",
"aps:GetSeries",
"aps:GetLabels",
"aps:GetMetricMetadata",
],
// Must be the ARN of the workspace this policy is attached to.
resources: [arn],
}],
}));
// Attach the rendered JSON to the workspace as its resource-based policy.
const exampleResourcePolicy = new aws.amp.ResourcePolicy("example", {
workspaceId: exampleWorkspace.id,
policyDocument: example.apply(example => example.json),
});
import pulumi
import pulumi_aws as aws
# Workspace whose access is being granted; the policy below is scoped to this workspace's ARN.
example_workspace = aws.amp.Workspace("example", alias="example-workspace")
# Identity of the credentials running this program; its account ID is the only principal.
current = aws.get_caller_identity()
# Build the policy document once the workspace ARN is resolved.
example = example_workspace.arn.apply(lambda arn: aws.iam.get_policy_document(statements=[{
"effect": "Allow",
"principals": [{
"type": "AWS",
# A bare account ID names the whole account, not a single role or user.
"identifiers": [current.account_id],
}],
# Grants write (RemoteWrite) as well as read access; keep only the actions the consumer needs.
"actions": [
"aps:RemoteWrite",
"aps:QueryMetrics",
"aps:GetSeries",
"aps:GetLabels",
"aps:GetMetricMetadata",
],
# Must be the ARN of the workspace this policy is attached to.
"resources": [arn],
}]))
# Attach the rendered JSON to the workspace as its resource-based policy.
example_resource_policy = aws.amp.ResourcePolicy("example",
workspace_id=example_workspace.id,
policy_document=example.json)
package main
import (
"github.com/pulumi/pulumi-aws/sdk/v7/go/aws"
"github.com/pulumi/pulumi-aws/sdk/v7/go/aws/amp"
"github.com/pulumi/pulumi-aws/sdk/v7/go/aws/iam"
"github.com/pulumi/pulumi/sdk/v3/go/pulumi"
)
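// main provisions an AMP workspace and attaches a resource-based policy that
// lets the deploying account itself write to and query that workspace.
func main() {
	pulumi.Run(func(ctx *pulumi.Context) error {
		exampleWorkspace, err := amp.NewWorkspace(ctx, "example", &amp.WorkspaceArgs{
			Alias: pulumi.String("example-workspace"),
		})
		if err != nil {
			return err
		}
		// Identity of the credentials running the deployment; its account ID
		// is the only principal in the policy.
		current, err := aws.GetCallerIdentity(ctx, &aws.GetCallerIdentityArgs{}, nil)
		if err != nil {
			return err
		}
		// The output-form invoke accepts the workspace ARN as an Output, so no
		// explicit ApplyT is needed to build the document.
		example := iam.GetPolicyDocumentOutput(ctx, iam.GetPolicyDocumentOutputArgs{
			Statements: iam.GetPolicyDocumentStatementArray{
				&iam.GetPolicyDocumentStatementArgs{
					Effect: pulumi.String("Allow"),
					Principals: iam.GetPolicyDocumentStatementPrincipalArray{
						&iam.GetPolicyDocumentStatementPrincipalArgs{
							Type: pulumi.String("AWS"),
							// A bare account ID names the whole account, not a
							// single role or user.
							Identifiers: pulumi.StringArray{
								pulumi.String(current.AccountId),
							},
						},
					},
					// Grants write (RemoteWrite) as well as read access; keep
					// only the actions the consumer needs.
					Actions: pulumi.StringArray{
						pulumi.String("aps:RemoteWrite"),
						pulumi.String("aps:QueryMetrics"),
						pulumi.String("aps:GetSeries"),
						pulumi.String("aps:GetLabels"),
						pulumi.String("aps:GetMetricMetadata"),
					},
					// Must be the ARN of the workspace the policy is attached to.
					Resources: pulumi.StringArray{
						exampleWorkspace.Arn,
					},
				},
			},
		}, nil)
		_, err = amp.NewResourcePolicy(ctx, "example", &amp.ResourcePolicyArgs{
			WorkspaceId:    exampleWorkspace.ID(),
			PolicyDocument: example.Json(),
		})
		if err != nil {
			return err
		}
		return nil
	})
}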
using System.Collections.Generic;
using System.Linq;
using Pulumi;
using Aws = Pulumi.Aws;
// Provisions an AMP workspace and attaches a resource-based policy that grants
// the deploying account write and query access to it.
return await Deployment.RunAsync(() =>
{
var exampleWorkspace = new Aws.Amp.Workspace("example", new()
{
Alias = "example-workspace",
});
// Identity of the credentials running this program; its account ID is the only principal.
var current = Aws.GetCallerIdentity.Invoke();
var example = Aws.Iam.GetPolicyDocument.Invoke(new()
{
Statements = new[]
{
new Aws.Iam.Inputs.GetPolicyDocumentStatementInputArgs
{
Effect = "Allow",
Principals = new[]
{
new Aws.Iam.Inputs.GetPolicyDocumentStatementPrincipalInputArgs
{
Type = "AWS",
// A bare account ID names the whole account, not a single role or user.
Identifiers = new[]
{
current.Apply(getCallerIdentityResult => getCallerIdentityResult.AccountId),
},
},
},
// Grants write (RemoteWrite) as well as read access; keep only the actions the consumer needs.
Actions = new[]
{
"aps:RemoteWrite",
"aps:QueryMetrics",
"aps:GetSeries",
"aps:GetLabels",
"aps:GetMetricMetadata",
},
// Must be the ARN of the workspace this policy is attached to.
Resources = new[]
{
exampleWorkspace.Arn,
},
},
},
});
// Attach the rendered JSON to the workspace as its resource-based policy.
var exampleResourcePolicy = new Aws.Amp.ResourcePolicy("example", new()
{
WorkspaceId = exampleWorkspace.Id,
PolicyDocument = example.Apply(getPolicyDocumentResult => getPolicyDocumentResult.Json),
});
});
package generated_program;
import com.pulumi.Context;
import com.pulumi.Pulumi;
import com.pulumi.core.Output;
import com.pulumi.aws.amp.Workspace;
import com.pulumi.aws.amp.WorkspaceArgs;
import com.pulumi.aws.AwsFunctions;
import com.pulumi.aws.inputs.GetCallerIdentityArgs;
import com.pulumi.aws.iam.IamFunctions;
import com.pulumi.aws.iam.inputs.GetPolicyDocumentArgs;
import com.pulumi.aws.amp.ResourcePolicy;
import com.pulumi.aws.amp.ResourcePolicyArgs;
import java.util.List;
import java.util.ArrayList;
import java.util.Map;
import java.io.File;
import java.nio.file.Files;
import java.nio.file.Paths;
/**
 * Pulumi program that creates an AMP workspace and attaches a resource-based
 * policy granting the deploying account write and query access to it.
 */
// NOTE(review): GetPolicyDocumentStatementArgs and GetPolicyDocumentStatementPrincipalArgs
// are used below but are not among this listing's imports; presumably they live in
// com.pulumi.aws.iam.inputs. Add them before compiling.
public class App {
public static void main(String[] args) {
Pulumi.run(App::stack);
}
/** Declares the workspace, the policy document and the policy attachment. */
public static void stack(Context ctx) {
var exampleWorkspace = new Workspace("exampleWorkspace", WorkspaceArgs.builder()
.alias("example-workspace")
.build());
// Identity of the credentials running this program; its account ID is the only principal.
// NOTE(review): if getCallerIdentity returns an Output in the SDK version in use,
// accountId() below has to be read through applyValue. Confirm.
final var current = AwsFunctions.getCallerIdentity(GetCallerIdentityArgs.builder()
.build());
final var example = exampleWorkspace.arn().applyValue(_arn -> IamFunctions.getPolicyDocument(GetPolicyDocumentArgs.builder()
.statements(GetPolicyDocumentStatementArgs.builder()
.effect("Allow")
.principals(GetPolicyDocumentStatementPrincipalArgs.builder()
.type("AWS")
// A bare account ID names the whole account, not a single role or user.
.identifiers(current.accountId())
.build())
// Grants write (RemoteWrite) as well as read access; keep only the actions the consumer needs.
.actions(
"aps:RemoteWrite",
"aps:QueryMetrics",
"aps:GetSeries",
"aps:GetLabels",
"aps:GetMetricMetadata")
// Must be the ARN of the workspace this policy is attached to.
.resources(_arn)
.build())
.build()));
// NOTE(review): example is the result of applyValue, so json() may need to be
// reached through another applyValue. Verify against the SDK.
var exampleResourcePolicy = new ResourcePolicy("exampleResourcePolicy", ResourcePolicyArgs.builder()
.workspaceId(exampleWorkspace.id())
.policyDocument(example.json())
.build());
}
}
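# Creates an AMP workspace and attaches a resource-based policy that grants the
# deploying account write and query access to it.
resources:
  exampleWorkspace:
    type: aws:amp:Workspace
    name: example
    properties:
      alias: example-workspace
  exampleResourcePolicy:
    type: aws:amp:ResourcePolicy
    name: example
    properties:
      workspaceId: ${exampleWorkspace.id}
      policyDocument: ${example.json}
variables:
  # Identity of the credentials running this program.
  current:
    fn::invoke:
      function: aws:getCallerIdentity
      arguments: {}
  example:
    fn::invoke:
      function: aws:iam:getPolicyDocument
      arguments:
        statements:
          - effect: Allow
            principals:
              - type: AWS
                # A bare account ID names the whole account, not a single role or user.
                identifiers:
                  - ${current.accountId}
            # Grants write (RemoteWrite) as well as read access; keep only the
            # actions the consumer needs.
            actions:
              - aps:RemoteWrite
              - aps:QueryMetrics
              - aps:GetSeries
              - aps:GetLabels
              - aps:GetMetricMetadata
            # Must be the ARN of the workspace this policy is attached to.
            resources:
              - ${exampleWorkspace.arn}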
Cross-Account Access
import * as pulumi from "@pulumi/pulumi";
import * as aws from "@pulumi/aws";
// Workspace being shared with another AWS account.
const example = new aws.amp.Workspace("example", {alias: "example-workspace"});
const crossAccount = aws.iam.getPolicyDocumentOutput({
statements: [{
effect: "Allow",
principals: [{
type: "AWS",
// The account root ARN delegates to the entire 123456789012 account: any identity
// there that its own IAM policies allow can use these actions. Name a specific
// role ARN instead when the consumer is known.
identifiers: ["arn:aws:iam::123456789012:root"],
}],
// RemoteWrite lets the other account push samples into this workspace; grant it
// only to accounts that are meant to be producers.
actions: [
"aps:RemoteWrite",
"aps:QueryMetrics",
],
// Must be the ARN of the workspace this policy is attached to.
resources: [example.arn],
}],
});
const crossAccountResourcePolicy = new aws.amp.ResourcePolicy("cross_account", {
workspaceId: example.id,
policyDocument: crossAccount.apply(crossAccount => crossAccount.json),
});
import pulumi
import pulumi_aws as aws
# Workspace being shared with another AWS account.
example = aws.amp.Workspace("example", alias="example-workspace")
cross_account = aws.iam.get_policy_document_output(statements=[{
"effect": "Allow",
"principals": [{
"type": "AWS",
# The account root ARN delegates to the entire 123456789012 account: any identity
# there that its own IAM policies allow can use these actions. Name a specific
# role ARN instead when the consumer is known.
"identifiers": ["arn:aws:iam::123456789012:root"],
}],
# RemoteWrite lets the other account push samples into this workspace; grant it
# only to accounts that are meant to be producers.
"actions": [
"aps:RemoteWrite",
"aps:QueryMetrics",
],
# Must be the ARN of the workspace this policy is attached to.
"resources": [example.arn],
}])
cross_account_resource_policy = aws.amp.ResourcePolicy("cross_account",
workspace_id=example.id,
policy_document=cross_account.json)
package main
import (
"github.com/pulumi/pulumi-aws/sdk/v7/go/aws/amp"
"github.com/pulumi/pulumi-aws/sdk/v7/go/aws/iam"
"github.com/pulumi/pulumi/sdk/v3/go/pulumi"
)
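// main provisions an AMP workspace and attaches a resource-based policy that
// shares it with a second AWS account.
func main() {
	pulumi.Run(func(ctx *pulumi.Context) error {
		example, err := amp.NewWorkspace(ctx, "example", &amp.WorkspaceArgs{
			Alias: pulumi.String("example-workspace"),
		})
		if err != nil {
			return err
		}
		crossAccount := iam.GetPolicyDocumentOutput(ctx, iam.GetPolicyDocumentOutputArgs{
			Statements: iam.GetPolicyDocumentStatementArray{
				&iam.GetPolicyDocumentStatementArgs{
					Effect: pulumi.String("Allow"),
					Principals: iam.GetPolicyDocumentStatementPrincipalArray{
						&iam.GetPolicyDocumentStatementPrincipalArgs{
							Type: pulumi.String("AWS"),
							// The account root ARN delegates to the entire
							// 123456789012 account: any identity there that its
							// own IAM policies allow can use these actions. Name
							// a specific role ARN when the consumer is known.
							Identifiers: pulumi.StringArray{
								pulumi.String("arn:aws:iam::123456789012:root"),
							},
						},
					},
					// RemoteWrite lets the other account push samples into this
					// workspace; grant it only to intended producers.
					Actions: pulumi.StringArray{
						pulumi.String("aps:RemoteWrite"),
						pulumi.String("aps:QueryMetrics"),
					},
					// Must be the ARN of the workspace the policy is attached to.
					Resources: pulumi.StringArray{
						example.Arn,
					},
				},
			},
		}, nil)
		_, err = amp.NewResourcePolicy(ctx, "cross_account", &amp.ResourcePolicyArgs{
			WorkspaceId: example.ID(),
			// Json() already yields a string output; no conversion is needed.
			PolicyDocument: crossAccount.Json(),
		})
		if err != nil {
			return err
		}
		return nil
	})
}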
using System.Collections.Generic;
using System.Linq;
using Pulumi;
using Aws = Pulumi.Aws;
// Provisions an AMP workspace and attaches a resource-based policy that shares
// it with a second AWS account.
return await Deployment.RunAsync(() =>
{
var example = new Aws.Amp.Workspace("example", new()
{
Alias = "example-workspace",
});
var crossAccount = Aws.Iam.GetPolicyDocument.Invoke(new()
{
Statements = new[]
{
new Aws.Iam.Inputs.GetPolicyDocumentStatementInputArgs
{
Effect = "Allow",
Principals = new[]
{
new Aws.Iam.Inputs.GetPolicyDocumentStatementPrincipalInputArgs
{
Type = "AWS",
// The account root ARN delegates to the entire 123456789012 account: any identity
// there that its own IAM policies allow can use these actions. Name a specific
// role ARN instead when the consumer is known.
Identifiers = new[]
{
"arn:aws:iam::123456789012:root",
},
},
},
// RemoteWrite lets the other account push samples into this workspace; grant it
// only to accounts that are meant to be producers.
Actions = new[]
{
"aps:RemoteWrite",
"aps:QueryMetrics",
},
// Must be the ARN of the workspace this policy is attached to.
Resources = new[]
{
example.Arn,
},
},
},
});
var crossAccountResourcePolicy = new Aws.Amp.ResourcePolicy("cross_account", new()
{
WorkspaceId = example.Id,
PolicyDocument = crossAccount.Apply(getPolicyDocumentResult => getPolicyDocumentResult.Json),
});
});
package generated_program;
import com.pulumi.Context;
import com.pulumi.Pulumi;
import com.pulumi.core.Output;
import com.pulumi.aws.amp.Workspace;
import com.pulumi.aws.amp.WorkspaceArgs;
import com.pulumi.aws.iam.IamFunctions;
import com.pulumi.aws.iam.inputs.GetPolicyDocumentArgs;
import com.pulumi.aws.amp.ResourcePolicy;
import com.pulumi.aws.amp.ResourcePolicyArgs;
import java.util.List;
import java.util.ArrayList;
import java.util.Map;
import java.io.File;
import java.nio.file.Files;
import java.nio.file.Paths;
/**
 * Pulumi program that creates an AMP workspace and attaches a resource-based
 * policy sharing it with a second AWS account.
 */
// NOTE(review): GetPolicyDocumentStatementArgs and GetPolicyDocumentStatementPrincipalArgs
// are used below but are not among this listing's imports; presumably they live in
// com.pulumi.aws.iam.inputs. Add them before compiling.
public class App {
public static void main(String[] args) {
Pulumi.run(App::stack);
}
/** Declares the workspace, the cross-account policy document and the attachment. */
public static void stack(Context ctx) {
var example = new Workspace("example", WorkspaceArgs.builder()
.alias("example-workspace")
.build());
final var crossAccount = IamFunctions.getPolicyDocument(GetPolicyDocumentArgs.builder()
.statements(GetPolicyDocumentStatementArgs.builder()
.effect("Allow")
.principals(GetPolicyDocumentStatementPrincipalArgs.builder()
.type("AWS")
// The account root ARN delegates to the entire 123456789012 account: any identity
// there that its own IAM policies allow can use these actions. Name a specific
// role ARN instead when the consumer is known.
.identifiers("arn:aws:iam::123456789012:root")
.build())
// RemoteWrite lets the other account push samples into this workspace; grant it
// only to accounts that are meant to be producers.
.actions(
"aps:RemoteWrite",
"aps:QueryMetrics")
// Must be the ARN of the workspace this policy is attached to.
.resources(example.arn())
.build())
.build());
var crossAccountResourcePolicy = new ResourcePolicy("crossAccountResourcePolicy", ResourcePolicyArgs.builder()
.workspaceId(example.id())
.policyDocument(crossAccount.applyValue(_crossAccount -> _crossAccount.json()))
.build());
}
}
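# Creates an AMP workspace and attaches a resource-based policy that shares it
# with a second AWS account.
resources:
  example:
    type: aws:amp:Workspace
    properties:
      alias: example-workspace
  crossAccountResourcePolicy:
    type: aws:amp:ResourcePolicy
    name: cross_account
    properties:
      workspaceId: ${example.id}
      policyDocument: ${crossAccount.json}
variables:
  crossAccount:
    fn::invoke:
      function: aws:iam:getPolicyDocument
      arguments:
        statements:
          - effect: Allow
            principals:
              - type: AWS
                # The account root ARN delegates to the entire 123456789012
                # account: any identity there that its own IAM policies allow
                # can use these actions. Name a specific role ARN instead when
                # the consumer is known.
                identifiers:
                  - arn:aws:iam::123456789012:root
            # RemoteWrite lets the other account push samples into this
            # workspace; grant it only to intended producers.
            actions:
              - aps:RemoteWrite
              - aps:QueryMetrics
            # Must be the ARN of the workspace this policy is attached to.
            resources:
              - ${example.arn}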
Service-Specific Access
import * as pulumi from "@pulumi/pulumi";
import * as aws from "@pulumi/aws";
// Workspace being opened to an AWS service principal for read-only queries.
const example = new aws.amp.Workspace("example", {alias: "example-workspace"});
const serviceAccess = aws.iam.getPolicyDocumentOutput({
statements: [{
effect: "Allow",
principals: [{
type: "Service",
// As written, nothing in this statement limits which account's use of the service
// may reach the workspace. NOTE(review): consider restricting with the
// aws:SourceAccount / aws:SourceArn condition keys; confirm that AMP resource
// policies and this service honor them.
identifiers: ["grafana.amazonaws.com"],
}],
// Read-only set: aps:RemoteWrite is deliberately absent.
actions: [
"aps:QueryMetrics",
"aps:GetSeries",
"aps:GetLabels",
"aps:GetMetricMetadata",
],
// Must be the ARN of the workspace this policy is attached to.
resources: [example.arn],
}],
});
const serviceAccessResourcePolicy = new aws.amp.ResourcePolicy("service_access", {
workspaceId: example.id,
policyDocument: serviceAccess.apply(serviceAccess => serviceAccess.json),
});
import pulumi
import pulumi_aws as aws
# Workspace being opened to an AWS service principal for read-only queries.
example = aws.amp.Workspace("example", alias="example-workspace")
service_access = aws.iam.get_policy_document_output(statements=[{
"effect": "Allow",
"principals": [{
"type": "Service",
# As written, nothing in this statement limits which account's use of the service
# may reach the workspace. NOTE(review): consider restricting with the
# aws:SourceAccount / aws:SourceArn condition keys; confirm that AMP resource
# policies and this service honor them.
"identifiers": ["grafana.amazonaws.com"],
}],
# Read-only set: aps:RemoteWrite is deliberately absent.
"actions": [
"aps:QueryMetrics",
"aps:GetSeries",
"aps:GetLabels",
"aps:GetMetricMetadata",
],
# Must be the ARN of the workspace this policy is attached to.
"resources": [example.arn],
}])
service_access_resource_policy = aws.amp.ResourcePolicy("service_access",
workspace_id=example.id,
policy_document=service_access.json)
package main
import (
"github.com/pulumi/pulumi-aws/sdk/v7/go/aws/amp"
"github.com/pulumi/pulumi-aws/sdk/v7/go/aws/iam"
"github.com/pulumi/pulumi/sdk/v3/go/pulumi"
)
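// main provisions an AMP workspace and attaches a resource-based policy that
// gives an AWS service principal read-only query access to it.
func main() {
	pulumi.Run(func(ctx *pulumi.Context) error {
		example, err := amp.NewWorkspace(ctx, "example", &amp.WorkspaceArgs{
			Alias: pulumi.String("example-workspace"),
		})
		if err != nil {
			return err
		}
		serviceAccess := iam.GetPolicyDocumentOutput(ctx, iam.GetPolicyDocumentOutputArgs{
			Statements: iam.GetPolicyDocumentStatementArray{
				&iam.GetPolicyDocumentStatementArgs{
					Effect: pulumi.String("Allow"),
					Principals: iam.GetPolicyDocumentStatementPrincipalArray{
						&iam.GetPolicyDocumentStatementPrincipalArgs{
							Type: pulumi.String("Service"),
							// As written, nothing in this statement limits which
							// account's use of the service may reach the
							// workspace. NOTE(review): consider restricting with
							// the aws:SourceAccount / aws:SourceArn condition
							// keys; confirm that AMP resource policies and this
							// service honor them.
							Identifiers: pulumi.StringArray{
								pulumi.String("grafana.amazonaws.com"),
							},
						},
					},
					// Read-only set: aps:RemoteWrite is deliberately absent.
					Actions: pulumi.StringArray{
						pulumi.String("aps:QueryMetrics"),
						pulumi.String("aps:GetSeries"),
						pulumi.String("aps:GetLabels"),
						pulumi.String("aps:GetMetricMetadata"),
					},
					// Must be the ARN of the workspace the policy is attached to.
					Resources: pulumi.StringArray{
						example.Arn,
					},
				},
			},
		}, nil)
		_, err = amp.NewResourcePolicy(ctx, "service_access", &amp.ResourcePolicyArgs{
			WorkspaceId: example.ID(),
			// Json() already yields a string output; no conversion is needed.
			PolicyDocument: serviceAccess.Json(),
		})
		if err != nil {
			return err
		}
		return nil
	})
}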
using System.Collections.Generic;
using System.Linq;
using Pulumi;
using Aws = Pulumi.Aws;
// Provisions an AMP workspace and attaches a resource-based policy that gives
// an AWS service principal read-only query access to it.
return await Deployment.RunAsync(() =>
{
var example = new Aws.Amp.Workspace("example", new()
{
Alias = "example-workspace",
});
var serviceAccess = Aws.Iam.GetPolicyDocument.Invoke(new()
{
Statements = new[]
{
new Aws.Iam.Inputs.GetPolicyDocumentStatementInputArgs
{
Effect = "Allow",
Principals = new[]
{
new Aws.Iam.Inputs.GetPolicyDocumentStatementPrincipalInputArgs
{
Type = "Service",
// As written, nothing in this statement limits which account's use of the service
// may reach the workspace. NOTE(review): consider restricting with the
// aws:SourceAccount / aws:SourceArn condition keys; confirm that AMP resource
// policies and this service honor them.
Identifiers = new[]
{
"grafana.amazonaws.com",
},
},
},
// Read-only set: aps:RemoteWrite is deliberately absent.
Actions = new[]
{
"aps:QueryMetrics",
"aps:GetSeries",
"aps:GetLabels",
"aps:GetMetricMetadata",
},
// Must be the ARN of the workspace this policy is attached to.
Resources = new[]
{
example.Arn,
},
},
},
});
var serviceAccessResourcePolicy = new Aws.Amp.ResourcePolicy("service_access", new()
{
WorkspaceId = example.Id,
PolicyDocument = serviceAccess.Apply(getPolicyDocumentResult => getPolicyDocumentResult.Json),
});
});
package generated_program;
import com.pulumi.Context;
import com.pulumi.Pulumi;
import com.pulumi.core.Output;
import com.pulumi.aws.amp.Workspace;
import com.pulumi.aws.amp.WorkspaceArgs;
import com.pulumi.aws.iam.IamFunctions;
import com.pulumi.aws.iam.inputs.GetPolicyDocumentArgs;
import com.pulumi.aws.amp.ResourcePolicy;
import com.pulumi.aws.amp.ResourcePolicyArgs;
import java.util.List;
import java.util.ArrayList;
import java.util.Map;
import java.io.File;
import java.nio.file.Files;
import java.nio.file.Paths;
/**
 * Pulumi program that creates an AMP workspace and attaches a resource-based
 * policy giving an AWS service principal read-only query access to it.
 */
// NOTE(review): GetPolicyDocumentStatementArgs and GetPolicyDocumentStatementPrincipalArgs
// are used below but are not among this listing's imports; presumably they live in
// com.pulumi.aws.iam.inputs. Add them before compiling.
public class App {
public static void main(String[] args) {
Pulumi.run(App::stack);
}
/** Declares the workspace, the service-access policy document and the attachment. */
public static void stack(Context ctx) {
var example = new Workspace("example", WorkspaceArgs.builder()
.alias("example-workspace")
.build());
final var serviceAccess = IamFunctions.getPolicyDocument(GetPolicyDocumentArgs.builder()
.statements(GetPolicyDocumentStatementArgs.builder()
.effect("Allow")
.principals(GetPolicyDocumentStatementPrincipalArgs.builder()
.type("Service")
// As written, nothing in this statement limits which account's use of the service
// may reach the workspace. NOTE(review): consider restricting with the
// aws:SourceAccount / aws:SourceArn condition keys; confirm that AMP resource
// policies and this service honor them.
.identifiers("grafana.amazonaws.com")
.build())
// Read-only set: aps:RemoteWrite is deliberately absent.
.actions(
"aps:QueryMetrics",
"aps:GetSeries",
"aps:GetLabels",
"aps:GetMetricMetadata")
// Must be the ARN of the workspace this policy is attached to.
.resources(example.arn())
.build())
.build());
var serviceAccessResourcePolicy = new ResourcePolicy("serviceAccessResourcePolicy", ResourcePolicyArgs.builder()
.workspaceId(example.id())
.policyDocument(serviceAccess.applyValue(_serviceAccess -> _serviceAccess.json()))
.build());
}
}
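# Creates an AMP workspace and attaches a resource-based policy that gives an
# AWS service principal read-only query access to it.
resources:
  example:
    type: aws:amp:Workspace
    properties:
      alias: example-workspace
  serviceAccessResourcePolicy:
    type: aws:amp:ResourcePolicy
    name: service_access
    properties:
      workspaceId: ${example.id}
      policyDocument: ${serviceAccess.json}
variables:
  serviceAccess:
    fn::invoke:
      function: aws:iam:getPolicyDocument
      arguments:
        statements:
          - effect: Allow
            principals:
              - type: Service
                # As written, nothing in this statement limits which account's
                # use of the service may reach the workspace. NOTE(review):
                # consider restricting with the aws:SourceAccount /
                # aws:SourceArn condition keys; confirm that AMP resource
                # policies and this service honor them.
                identifiers:
                  - grafana.amazonaws.com
            # Read-only set: aps:RemoteWrite is deliberately absent.
            actions:
              - aps:QueryMetrics
              - aps:GetSeries
              - aps:GetLabels
              - aps:GetMetricMetadata
            # Must be the ARN of the workspace this policy is attached to.
            resources:
              - ${example.arn}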
Supported Actions
The following actions are supported in resource policies for Prometheus workspaces:
- aps:RemoteWrite - Allows writing metrics to the workspace
- aps:QueryMetrics - Allows querying metrics from the workspace
- aps:GetSeries - Allows retrieving time series data
- aps:GetLabels - Allows retrieving label names and values
- aps:GetMetricMetadata - Allows retrieving metric metadata
Notes
- Only Prometheus-compatible APIs can be used for workspace sharing. Non-Prometheus-compatible APIs added to the policy will be ignored.
- If your workspace uses customer-managed KMS keys for encryption, you must grant the principals in your resource-based policy access to those KMS keys through KMS grants.
- The resource ARN in the policy document must match the workspace ARN that the policy is being attached to.
- Resource policies enable cross-account access and fine-grained permissions for Prometheus workspaces.
Create ResourcePolicy Resource
Resources are created with functions called constructors. To learn more about declaring and configuring resources, see Resources.
Constructor syntax
new ResourcePolicy(name: string, args: ResourcePolicyArgs, opts?: CustomResourceOptions);
@overload
def ResourcePolicy(resource_name: str,
args: ResourcePolicyArgs,
opts: Optional[ResourceOptions] = None)
@overload
def ResourcePolicy(resource_name: str,
opts: Optional[ResourceOptions] = None,
policy_document: Optional[str] = None,
workspace_id: Optional[str] = None,
region: Optional[str] = None,
revision_id: Optional[str] = None,
timeouts: Optional[ResourcePolicyTimeoutsArgs] = None)
func NewResourcePolicy(ctx *Context, name string, args ResourcePolicyArgs, opts ...ResourceOption) (*ResourcePolicy, error)
public ResourcePolicy(string name, ResourcePolicyArgs args, CustomResourceOptions? opts = null)
public ResourcePolicy(String name, ResourcePolicyArgs args)
public ResourcePolicy(String name, ResourcePolicyArgs args, CustomResourceOptions options)
type: aws:amp:ResourcePolicy
properties: # The arguments to resource properties.
options: # Bag of options to control resource's behavior.
Parameters
- name string
- The unique name of the resource.
- args ResourcePolicyArgs
- The arguments to resource properties.
- opts CustomResourceOptions
- Bag of options to control resource's behavior.
- resource_name str
- The unique name of the resource.
- args ResourcePolicyArgs
- The arguments to resource properties.
- opts ResourceOptions
- Bag of options to control resource's behavior.
- ctx Context
- Context object for the current deployment.
- name string
- The unique name of the resource.
- args ResourcePolicyArgs
- The arguments to resource properties.
- opts ResourceOption
- Bag of options to control resource's behavior.
- name string
- The unique name of the resource.
- args ResourcePolicyArgs
- The arguments to resource properties.
- opts CustomResourceOptions
- Bag of options to control resource's behavior.
- name String
- The unique name of the resource.
- args ResourcePolicyArgs
- The arguments to resource properties.
- options CustomResourceOptions
- Bag of options to control resource's behavior.
Constructor example
The following reference example uses placeholder values for all input properties.
// Every "string" below is a placeholder. PolicyDocument takes the JSON policy text and
// WorkspaceId the ID of the workspace the policy is attached to.
var resourcePolicyResource = new Aws.Amp.ResourcePolicy("resourcePolicyResource", new()
{
PolicyDocument = "string",
WorkspaceId = "string",
Region = "string",
RevisionId = "string",
// Timeouts are duration strings such as "30s" or "2h45m".
Timeouts = new Aws.Amp.Inputs.ResourcePolicyTimeoutsArgs
{
Create = "string",
Delete = "string",
Update = "string",
},
});
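// Every "string" below is a placeholder. PolicyDocument takes the JSON policy
// text and WorkspaceId the ID of the workspace the policy is attached to.
example, err := amp.NewResourcePolicy(ctx, "resourcePolicyResource", &amp.ResourcePolicyArgs{
	PolicyDocument: pulumi.String("string"),
	WorkspaceId:    pulumi.String("string"),
	Region:         pulumi.String("string"),
	RevisionId:     pulumi.String("string"),
	// Timeouts are duration strings such as "30s" or "2h45m".
	Timeouts: &amp.ResourcePolicyTimeoutsArgs{
		Create: pulumi.String("string"),
		Delete: pulumi.String("string"),
		Update: pulumi.String("string"),
	},
})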
// Every "string" below is a placeholder. policyDocument takes the JSON policy text and
// workspaceId the ID of the workspace the policy is attached to.
var resourcePolicyResource = new com.pulumi.aws.amp.ResourcePolicy("resourcePolicyResource", com.pulumi.aws.amp.ResourcePolicyArgs.builder()
.policyDocument("string")
.workspaceId("string")
.region("string")
.revisionId("string")
// Timeouts are duration strings such as "30s" or "2h45m".
.timeouts(ResourcePolicyTimeoutsArgs.builder()
.create("string")
.delete("string")
.update("string")
.build())
.build());
# Every "string" below is a placeholder. policy_document takes the JSON policy text and
# workspace_id the ID of the workspace the policy is attached to.
resource_policy_resource = aws.amp.ResourcePolicy("resourcePolicyResource",
policy_document="string",
workspace_id="string",
region="string",
revision_id="string",
# Timeouts are duration strings such as "30s" or "2h45m".
timeouts={
"create": "string",
"delete": "string",
"update": "string",
})
// Every "string" below is a placeholder. policyDocument takes the JSON policy text and
// workspaceId the ID of the workspace the policy is attached to.
const resourcePolicyResource = new aws.amp.ResourcePolicy("resourcePolicyResource", {
policyDocument: "string",
workspaceId: "string",
region: "string",
revisionId: "string",
// Timeouts are duration strings such as "30s" or "2h45m".
timeouts: {
create: "string",
"delete": "string",
update: "string",
},
});
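# Every "string" below is a placeholder. policyDocument takes the JSON policy
# text and workspaceId the ID of the workspace the policy is attached to.
type: aws:amp:ResourcePolicy
properties:
  policyDocument: string
  region: string
  revisionId: string
  # Timeouts are duration strings such as "30s" or "2h45m".
  timeouts:
    create: string
    delete: string
    update: string
  workspaceId: string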
ResourcePolicy Resource Properties
To learn more about resource properties and how to use them, see Inputs and Outputs in the Architecture and Concepts docs.
Inputs
In Python, inputs that are objects can be passed either as argument classes or as dictionary literals.
The ResourcePolicy resource accepts the following input properties:
- PolicyDocument string
- The JSON policy document to use as the resource-based policy. This policy defines the permissions that other AWS accounts or services have to access your workspace.
The following arguments are optional:
- WorkspaceId string
- The ID of the workspace to attach the resource-based policy to.
- Region string
- Region where this resource will be managed. Defaults to the Region set in the provider configuration.
- RevisionId string
- The revision ID of the current resource-based policy.
- Timeouts ResourcePolicyTimeouts
- PolicyDocument string
- The JSON policy document to use as the resource-based policy. This policy defines the permissions that other AWS accounts or services have to access your workspace.
The following arguments are optional:
- WorkspaceId string
- The ID of the workspace to attach the resource-based policy to.
- Region string
- Region where this resource will be managed. Defaults to the Region set in the provider configuration.
- RevisionId string
- The revision ID of the current resource-based policy.
- Timeouts ResourcePolicyTimeoutsArgs
- policyDocument String
- The JSON policy document to use as the resource-based policy. This policy defines the permissions that other AWS accounts or services have to access your workspace.
The following arguments are optional:
- workspaceId String
- The ID of the workspace to attach the resource-based policy to.
- region String
- Region where this resource will be managed. Defaults to the Region set in the provider configuration.
- revisionId String
- The revision ID of the current resource-based policy.
- timeouts ResourcePolicyTimeouts
- policyDocument string
- The JSON policy document to use as the resource-based policy. This policy defines the permissions that other AWS accounts or services have to access your workspace.
The following arguments are optional:
- workspaceId string
- The ID of the workspace to attach the resource-based policy to.
- region string
- Region where this resource will be managed. Defaults to the Region set in the provider configuration.
- revisionId string
- The revision ID of the current resource-based policy.
- timeouts ResourcePolicyTimeouts
- policy_document str
- The JSON policy document to use as the resource-based policy. This policy defines the permissions that other AWS accounts or services have to access your workspace.
The following arguments are optional:
- workspace_id str
- The ID of the workspace to attach the resource-based policy to.
- region str
- Region where this resource will be managed. Defaults to the Region set in the provider configuration.
- revision_id str
- The revision ID of the current resource-based policy.
- timeouts ResourcePolicyTimeoutsArgs
- policyDocument String
- The JSON policy document to use as the resource-based policy. This policy defines the permissions that other AWS accounts or services have to access your workspace.
The following arguments are optional:
- workspaceId String
- The ID of the workspace to attach the resource-based policy to.
- region String
- Region where this resource will be managed. Defaults to the Region set in the provider configuration.
- revisionId String
- The revision ID of the current resource-based policy.
- timeouts Property Map
Outputs
All input properties are implicitly available as output properties. Additionally, the ResourcePolicy resource produces the following output properties:
- Id string
- The provider-assigned unique ID for this managed resource.
- Id string
- The provider-assigned unique ID for this managed resource.
- id String
- The provider-assigned unique ID for this managed resource.
- id string
- The provider-assigned unique ID for this managed resource.
- id str
- The provider-assigned unique ID for this managed resource.
- id String
- The provider-assigned unique ID for this managed resource.
Look up Existing ResourcePolicy Resource
Get an existing ResourcePolicy resource’s state with the given name, ID, and optional extra properties used to qualify the lookup.
public static get(name: string, id: Input<ID>, state?: ResourcePolicyState, opts?: CustomResourceOptions): ResourcePolicy
@staticmethod
def get(resource_name: str,
id: str,
opts: Optional[ResourceOptions] = None,
policy_document: Optional[str] = None,
region: Optional[str] = None,
revision_id: Optional[str] = None,
timeouts: Optional[ResourcePolicyTimeoutsArgs] = None,
workspace_id: Optional[str] = None) -> ResourcePolicy
func GetResourcePolicy(ctx *Context, name string, id IDInput, state *ResourcePolicyState, opts ...ResourceOption) (*ResourcePolicy, error)
public static ResourcePolicy Get(string name, Input<string> id, ResourcePolicyState? state, CustomResourceOptions? opts = null)
public static ResourcePolicy get(String name, Output<String> id, ResourcePolicyState state, CustomResourceOptions options)
resources:
  _:
    type: aws:amp:ResourcePolicy
    get:
      id: ${id}
- name
- The unique name of the resulting resource.
- id
- The unique provider ID of the resource to lookup.
- state
- Any extra arguments used during the lookup.
- opts
- A bag of options that control this resource's behavior.
- resource_name
- The unique name of the resulting resource.
- id
- The unique provider ID of the resource to lookup.
- name
- The unique name of the resulting resource.
- id
- The unique provider ID of the resource to lookup.
- state
- Any extra arguments used during the lookup.
- opts
- A bag of options that control this resource's behavior.
- name
- The unique name of the resulting resource.
- id
- The unique provider ID of the resource to lookup.
- state
- Any extra arguments used during the lookup.
- opts
- A bag of options that control this resource's behavior.
- name
- The unique name of the resulting resource.
- id
- The unique provider ID of the resource to lookup.
- state
- Any extra arguments used during the lookup.
- opts
- A bag of options that control this resource's behavior.
- Policy
Document string The JSON policy document to use as the resource-based policy. This policy defines the permissions that other AWS accounts or services have to access your workspace.
The following arguments are optional:
- Region string
- Region where this resource will be managed. Defaults to the Region set in the provider configuration.
- Revision
Id string - The revision ID of the current resource-based policy.
- Timeouts
Resource
Policy Timeouts - Workspace
Id string - The ID of the workspace to attach the resource-based policy to.
- Policy
Document string The JSON policy document to use as the resource-based policy. This policy defines the permissions that other AWS accounts or services have to access your workspace.
The following arguments are optional:
- Region string
- Region where this resource will be managed. Defaults to the Region set in the provider configuration.
- Revision
Id string - The revision ID of the current resource-based policy.
- Timeouts
Resource
Policy Timeouts Args - Workspace
Id string - The ID of the workspace to attach the resource-based policy to.
- policy
Document String The JSON policy document to use as the resource-based policy. This policy defines the permissions that other AWS accounts or services have to access your workspace.
The following arguments are optional:
- region String
- Region where this resource will be managed. Defaults to the Region set in the provider configuration.
- revision
Id String - The revision ID of the current resource-based policy.
- timeouts
Resource
Policy Timeouts - workspace
Id String - The ID of the workspace to attach the resource-based policy to.
- policy
Document string The JSON policy document to use as the resource-based policy. This policy defines the permissions that other AWS accounts or services have to access your workspace.
The following arguments are optional:
- region string
- Region where this resource will be managed. Defaults to the Region set in the provider configuration.
- revision
Id string - The revision ID of the current resource-based policy.
- timeouts
Resource
Policy Timeouts - workspace
Id string - The ID of the workspace to attach the resource-based policy to.
- policy_
document str The JSON policy document to use as the resource-based policy. This policy defines the permissions that other AWS accounts or services have to access your workspace.
The following arguments are optional:
- region str
- Region where this resource will be managed. Defaults to the Region set in the provider configuration.
- revision_
id str - The revision ID of the current resource-based policy.
- timeouts
Resource
Policy Timeouts Args - workspace_
id str - The ID of the workspace to attach the resource-based policy to.
- policy
Document String The JSON policy document to use as the resource-based policy. This policy defines the permissions that other AWS accounts or services have to access your workspace.
The following arguments are optional:
- region String
- Region where this resource will be managed. Defaults to the Region set in the provider configuration.
- revision
Id String - The revision ID of the current resource-based policy.
- timeouts Property Map
- workspace
Id String - The ID of the workspace to attach the resource-based policy to.
Supporting Types
ResourcePolicyTimeouts, ResourcePolicyTimeoutsArgs
- Create string
- A string that can be parsed as a duration consisting of numbers and unit suffixes, such as "30s" or "2h45m". Valid time units are "s" (seconds), "m" (minutes), "h" (hours).
- Delete string
- A string that can be parsed as a duration consisting of numbers and unit suffixes, such as "30s" or "2h45m". Valid time units are "s" (seconds), "m" (minutes), "h" (hours). Setting a timeout for a Delete operation is only applicable if changes are saved into state before the destroy operation occurs.
- Update string
- A string that can be parsed as a duration consisting of numbers and unit suffixes, such as "30s" or "2h45m". Valid time units are "s" (seconds), "m" (minutes), "h" (hours).
- Create string
- A string that can be parsed as a duration consisting of numbers and unit suffixes, such as "30s" or "2h45m". Valid time units are "s" (seconds), "m" (minutes), "h" (hours).
- Delete string
- A string that can be parsed as a duration consisting of numbers and unit suffixes, such as "30s" or "2h45m". Valid time units are "s" (seconds), "m" (minutes), "h" (hours). Setting a timeout for a Delete operation is only applicable if changes are saved into state before the destroy operation occurs.
- Update string
- A string that can be parsed as a duration consisting of numbers and unit suffixes, such as "30s" or "2h45m". Valid time units are "s" (seconds), "m" (minutes), "h" (hours).
- create String
- A string that can be parsed as a duration consisting of numbers and unit suffixes, such as "30s" or "2h45m". Valid time units are "s" (seconds), "m" (minutes), "h" (hours).
- delete String
- A string that can be parsed as a duration consisting of numbers and unit suffixes, such as "30s" or "2h45m". Valid time units are "s" (seconds), "m" (minutes), "h" (hours). Setting a timeout for a Delete operation is only applicable if changes are saved into state before the destroy operation occurs.
- update String
- A string that can be parsed as a duration consisting of numbers and unit suffixes, such as "30s" or "2h45m". Valid time units are "s" (seconds), "m" (minutes), "h" (hours).
- create string
- A string that can be parsed as a duration consisting of numbers and unit suffixes, such as "30s" or "2h45m". Valid time units are "s" (seconds), "m" (minutes), "h" (hours).
- delete string
- A string that can be parsed as a duration consisting of numbers and unit suffixes, such as "30s" or "2h45m". Valid time units are "s" (seconds), "m" (minutes), "h" (hours). Setting a timeout for a Delete operation is only applicable if changes are saved into state before the destroy operation occurs.
- update string
- A string that can be parsed as a duration consisting of numbers and unit suffixes, such as "30s" or "2h45m". Valid time units are "s" (seconds), "m" (minutes), "h" (hours).
- create str
- A string that can be parsed as a duration consisting of numbers and unit suffixes, such as "30s" or "2h45m". Valid time units are "s" (seconds), "m" (minutes), "h" (hours).
- delete str
- A string that can be parsed as a duration consisting of numbers and unit suffixes, such as "30s" or "2h45m". Valid time units are "s" (seconds), "m" (minutes), "h" (hours). Setting a timeout for a Delete operation is only applicable if changes are saved into state before the destroy operation occurs.
- update str
- A string that can be parsed as a duration consisting of numbers and unit suffixes, such as "30s" or "2h45m". Valid time units are "s" (seconds), "m" (minutes), "h" (hours).
- create String
- A string that can be parsed as a duration consisting of numbers and unit suffixes, such as "30s" or "2h45m". Valid time units are "s" (seconds), "m" (minutes), "h" (hours).
- delete String
- A string that can be parsed as a duration consisting of numbers and unit suffixes, such as "30s" or "2h45m". Valid time units are "s" (seconds), "m" (minutes), "h" (hours). Setting a timeout for a Delete operation is only applicable if changes are saved into state before the destroy operation occurs.
- update String
- A string that can be parsed as a duration consisting of numbers and unit suffixes, such as "30s" or "2h45m". Valid time units are "s" (seconds), "m" (minutes), "h" (hours).
Import
Using pulumi import, import AMP Resource Policies using the workspace ID. For example:
$ pulumi import aws:amp/resourcePolicy:ResourcePolicy example ws-12345678-90ab-cdef-1234-567890abcdef
To learn more about importing existing cloud resources, see Importing resources.
Package Details
- Repository
- AWS Classic pulumi/pulumi-aws
- License
- Apache-2.0
- Notes
- This Pulumi package is based on the aws Terraform Provider.
