Using Pulumi and Go
package main
import (
"github.com/pulumi/pulumi-aws/sdk/v4/go/aws/iam"
"github.com/pulumi/pulumi/sdk/v3/go/pulumi"
)
// main is the Pulumi program entry point. It registers one IAM policy that
// grants object read/write on a single S3 bucket and, for each tenant name,
// an IAM role with that policy attached.
func main() {
	pulumi.Run(func(ctx *pulumi.Context) error {
		// Trust policy shared by every tenant role; the raw-string body is
		// deployed verbatim.
		// NOTE(review): the principal is the account root, i.e. any IAM
		// principal in account 123456789012 that may call sts:AssumeRole,
		// and the same document is used for all tenants, so a caller who
		// can assume one tenant role can assume the others too — confirm
		// this is intended. The account id also looks like a placeholder
		// to be replaced before deploying.
		const trustPolicy = `{
"Version": "2012-10-17",
"Statement": [
{
"Action": "sts:AssumeRole",
"Principal": {
"AWS": "arn:aws:iam::123456789012:root"
},
"Effect": "Allow",
"Sid": ""
}
]
}`

		policy, err := createBucketPolicy(ctx)
		if err != nil {
			return err
		}

		// One role per tenant, each with the same bucket policy attached.
		// NOTE(review): because every role gets the identical policy over
		// my-bucket/*, tenants are not isolated from one another's objects.
		for _, tenant := range []string{"tenant1", "tenant2", "tenant3"} {
			if err := attachTenantRole(ctx, tenant, trustPolicy, policy.Arn); err != nil {
				return err
			}
		}
		return nil
	})
}

// createBucketPolicy builds a policy document allowing s3:GetObject and
// s3:PutObject on every key under my-bucket and registers it as the IAM
// policy resource named "bucketPolicy". Errors are returned unwrapped.
func createBucketPolicy(ctx *pulumi.Context) (*iam.Policy, error) {
	doc, err := iam.GetPolicyDocument(ctx, &iam.GetPolicyDocumentArgs{
		Statements: []iam.GetPolicyDocumentStatement{
			{
				Actions:   []string{"s3:GetObject", "s3:PutObject"},
				Resources: []string{"arn:aws:s3:::my-bucket/*"},
				Effect:    "Allow",
			},
		},
	}, nil)
	if err != nil {
		return nil, err
	}
	return iam.NewPolicy(ctx, "bucketPolicy", &iam.PolicyArgs{
		Policy: doc.Json,
	})
}

// attachTenantRole creates the IAM role "<tenant>Role" with trustPolicy as
// its assume-role document and attaches policyArn to it through the
// resource "<tenant>PolicyAttachment". Errors are returned unwrapped.
func attachTenantRole(ctx *pulumi.Context, tenant, trustPolicy string, policyArn pulumi.StringInput) error {
	role, err := iam.NewRole(ctx, tenant+"Role", &iam.RoleArgs{
		AssumeRolePolicy: pulumi.String(trustPolicy),
	})
	if err != nil {
		return err
	}
	// The attachment resource itself is not needed afterwards; only its
	// creation error matters.
	_, err = iam.NewRolePolicyAttachment(ctx, tenant+"PolicyAttachment", &iam.RolePolicyAttachmentArgs{
		Role:      role.Name,
		PolicyArn: policyArn,
	})
	return err
}