Update resource after another one created.

[ixti]

Hi,

I'm struggling to get my head around updating the resource after another one was created. Here's an example:

import * as aws from "@pulumi/aws";
import * as awsNative from "@pulumi/aws-native";
import * as snowflake from "@pulumi/snowflake";

const snowpipeRole = new aws.iam.Role("snowpipe-role", {
  assumeRolePolicy: {
    Version: "2012-10-17",
    Statement: [
      {
        Effect: "Allow",
        Action: "sts:AssumeRole",
        Principal: { AWS: "arn:aws:iam::********:user/*******" }
      }
    ]
  }
});

const reportsBucket = new awsNative.s3.Bucket("reports-bucket", {
  publicAccessBlockConfiguration: {
    blockPublicAcls: true,
    blockPublicPolicy: true,
    ignorePublicAcls: true,
    restrictPublicBuckets: true
  }
});

const storageIntegration = new StorageIntegration("storage-integration", {
  enabled: true,
  storageProvider: "S3",
  storageAllowedLocations: [pulumi.interpolate `s3://${reportsBucket.id}/`],
  storageAwsRoleArn: snowpipeRole,
}, {
  dependsOn: reportsBucket
});

// after both storageIntegration and snowpipeRole are created,
// I want to tighten up the security of snowpipeRole to only allow
// specific external IDs. Here's an example of what I'm trying to achieve:

updateAssumeRolePolicy(snowpipeRole, {
  Version: "2012-10-17",
  Statement: [
    {
      Effect: "Allow",
      Action: "sts:AssumeRole",
      Principal: { AWS: "arn:aws:iam::********:user/*******" }
      Condition: {
        StringEquals: {
          "sts:ExternalId": [storageIntegration.storageAwsExternalId]
        }
      }
    }
  ]
}, {
  dependsOn: storageIntegration
});