I am using Pulumi (Python) and trying to create a bucket for AWS CloudTrail logs. I based my code off this example. I keep getting the following error: Error putting S3 policy: MalformedPolicy: Policy has invalid resource
import pulumi
import pulumi_aws as aws

# create a bucket to store CloudTrail logs
cloudtrail_bucket = aws.s3.Bucket("CloudTrailLogs")

# assign policy to bucket
aws_account_id = aws.get_caller_identity().account_id
bucket_policy = aws.s3.BucketPolicy(
    "CloudTrailLogsBucketPolicy",
    bucket=cloudtrail_bucket.id,
    policy=pulumi.Output.all(cloudtrail_bucket.id).apply(
        lambda bucket_id: f"""{{
            "Version": "2012-10-17",
            "Statement": [
                {{
                    "Sid": "AWSCloudTrailAclCheck20150319",
                    "Effect": "Allow",
                    "Principal": {{"Service": "cloudtrail.amazonaws.com"}},
                    "Action": "s3:GetBucketAcl",
                    "Resource": "arn:aws:s3:::{bucket_id}"
                }},
                {{
                    "Sid": "AWSCloudTrailWrite20150319",
                    "Effect": "Allow",
                    "Principal": {{"Service": "cloudtrail.amazonaws.com"}},
                    "Action": "s3:PutObject",
                    "Resource": "arn:aws:s3:::{bucket_id}/AWSLogs/{aws_account_id}/*",
                    "Condition": {{
                        "StringEquals": {{"s3:x-amz-acl": "bucket-owner-full-control"}}
                    }}
                }}
            ]
        }}
        """
    ),
)
Does anyone know what the issue could be?
My current environment is using the following:
pulumi==3.9.1
pulumi-aws==4.15.0
You're referencing the account ID without making it part of the apply/all statement.
Try this instead:
    # drop-in replacement for the policy= argument above; both values are
    # passed through Output.all, so args resolves to [bucket_id, account_id]
    policy=pulumi.Output.all(cloudtrail_bucket.id, aws_account_id).apply(
        lambda args: f"""{{
            "Version": "2012-10-17",
            "Statement": [
                {{
                    "Sid": "AWSCloudTrailAclCheck20150319",
                    "Effect": "Allow",
                    "Principal": {{"Service": "cloudtrail.amazonaws.com"}},
                    "Action": "s3:GetBucketAcl",
                    "Resource": "arn:aws:s3:::{args[0]}"
                }},
                {{
                    "Sid": "AWSCloudTrailWrite20150319",
                    "Effect": "Allow",
                    "Principal": {{"Service": "cloudtrail.amazonaws.com"}},
                    "Action": "s3:PutObject",
                    "Resource": "arn:aws:s3:::{args[0]}/AWSLogs/{args[1]}/*",
                    "Condition": {{
                        "StringEquals": {{"s3:x-amz-acl": "bucket-owner-full-control"}}
                    }}
                }}
            ]
        }}
        """
    )
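A way to keep the rendering step testable, as an added example that is not from the question or the answer: build the document with json.dumps in a plain function that refuses anything other than resolved strings, and call that function from inside Output.all(...).apply(). The function names, the two regexes and the lazily importing Pulumi wrapper are my assumptions, not part of Pulumi's API.

```python
import json
import re

# If an unresolved Pulumi Output (or anything that is not a plain string) is
# formatted into the policy, S3 rejects it with "MalformedPolicy: Policy has
# invalid resource"; validating the inputs here gives a readable error instead.
_BUCKET_NAME = re.compile(r"^[a-z0-9][a-z0-9.-]{1,61}[a-z0-9]$")
_ACCOUNT_ID = re.compile(r"^\d{12}$")


def render_cloudtrail_bucket_policy(bucket_name: str, account_id: str) -> str:
    """Return the CloudTrail delivery policy as JSON; inputs must be resolved strings."""
    if not isinstance(bucket_name, str) or not _BUCKET_NAME.match(bucket_name):
        raise ValueError(f"unresolved or invalid bucket name: {bucket_name!r}")
    if not isinstance(account_id, str) or not _ACCOUNT_ID.match(account_id):
        raise ValueError(f"unresolved or invalid account id: {account_id!r}")
    policy = {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Sid": "AWSCloudTrailAclCheck20150319",
                "Effect": "Allow",
                "Principal": {"Service": "cloudtrail.amazonaws.com"},
                "Action": "s3:GetBucketAcl",
                "Resource": f"arn:aws:s3:::{bucket_name}",
            },
            {
                "Sid": "AWSCloudTrailWrite20150319",
                "Effect": "Allow",
                "Principal": {"Service": "cloudtrail.amazonaws.com"},
                "Action": "s3:PutObject",
                "Resource": f"arn:aws:s3:::{bucket_name}/AWSLogs/{account_id}/*",
                "Condition": {
                    "StringEquals": {"s3:x-amz-acl": "bucket-owner-full-control"}
                },
            },
        ],
    }
    return json.dumps(policy)


def cloudtrail_bucket_policy_output(bucket, account_id):
    """Hypothetical Pulumi wiring: both inputs go through Output.all, so the
    renderer only ever sees resolved strings (pulumi imported lazily)."""
    import pulumi
    return pulumi.Output.all(bucket.id, account_id).apply(
        lambda args: render_cloudtrail_bucket_policy(args[0], args[1])
    )
```

Pass the result of cloudtrail_bucket_policy_output(cloudtrail_bucket, aws_account_id) as the policy= argument of aws.s3.BucketPolicy; the ValueError surfaces during pulumi preview rather than as a MalformedPolicy error from S3.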