tb_pulumi.ci

Patterns related to continuous integration.

class tb_pulumi.ci.AwsAutomationUser(name: str, project: ThunderbirdPulumiProject, user_name: str = None, access_keys: dict = {}, additional_policies: list[str] = [], ecr_repositories: list[str] = None, enable_ecr_image_push: bool = False, enable_fargate_deployments: str = False, enable_full_s3_access: bool = False, enable_legacy_access_key: bool = False, fargate_clusters: list[str] = None, fargate_task_role_arns: list[str] = None, s3_full_access_buckets: list = [], enable_s3_bucket_upload: bool = False, s3_upload_buckets: list[str] = [], opts: ResourceOptions = None, **kwargs)

Bases: ThunderbirdComponentResource

Pulumi Type: tb:ci:AutomationUser

Creates an IAM user, then creates a keypair for it. The keypair data is stored in Secrets Manager. Several options, documented below, exist to provide some common permission sets for build and deployment patterns used in these modules. Additional policies can be added arbitrarily to expand these permissions.

Produces the following resources:

  • user - tb_pulumi.iam.UserWithAccessKey created for automation.

  • ecr_image_push_policy - aws.iam.Policy defining permissions required to push container images to an ECR repository, but only if enable_ecr_image_push is True.

  • s3_upload_policy - aws.iam.Policy defining permissions required to upload files to S3 buckets, but only if enable_s3_bucket_upload is True.

  • s3_full_access_policy - aws.iam.Policy defining complete, unfettered access to S3 buckets and their contents, but only if enable_full_s3_access is True.

  • fargate_deployment_policy - aws.iam.Policy defining permissions needed to deploy images to a Fargate service, but only if enable_fargate_deployments is True.

Parameters:
  • name (str) – Name of the IAM user to create.

  • project (tb_pulumi.ThunderbirdPulumiProject) – The ThunderbirdPulumiProject to add these resources to.

  • user_name (str) – The name to give the IAM user. Defaults to {name}-ci.

  • access_keys

    Dict where the keys are arbitrary names for access keys to create for this user and the values are booleans indicating the key should be “Active” (True) or “Inactive” (False). To rotate an access key, first create a new key set to True. Then update the credentials wherever your implementation requires. Then deactivate the old key by setting its entry to False. If something unexpected breaks, you can still enable it again (set to True). When you’re ready, delete the access key by removing its entry. Here’s an example configuration where a new key (“green”) has been created and an old key (“blue”) is deactivated but not deleted:

    access_keys:
      blue: False
      green: True

  • additional_policies (list[str], optional) – List of ARNs of IAM policies to additionally attach to the user. Defaults to [].

  • enable_ecr_image_push (bool, optional) – When True, attaches a policy to the user which allows it to push images to ECR repositories. Use this when your CI pipeline involves building a container image and pushing it to an ECR repo. Defaults to False.

  • ecr_repositories (list[str], optional) – When enable_ecr_image_push is True, permission will be granted to push images to these ECR repositories. Defaults to None.

  • enable_legacy_access_key (bool) – If True, this will create an access key that is tracked outside of the dict of access_keys. This is the way this module used to work, and it will be removed in a future version since it does not allow for cautious key rotation. Use it to migrate off of this feature, and afterward it should be set to False. Defaults to False.

  • enable_fargate_deployments (str, optional) – When True, attaches a policy which allows new task definitions to be deployed to Fargate services. Use this when your CI pipeline needs to deploy new images to Fargate services. Defaults to False.

  • fargate_clusters (list[str], optional) – When enable_fargate_deployments is True, permission will be granted to deploy to this list of clusters. Defaults to None.

  • fargate_task_role_arns (list[str], optional) – When enable_fargate_deployments is True, permission will be granted for the user to authenticate as this list of task roles. This should be a list of ARNs of task execution roles in the clusters you wish to deploy to. Defaults to None.

  • enable_full_s3_access (bool, optional) – When True, allows the user unrestricted access to select S3 buckets. Use this when your CI needs to run Pulumi itself, since those commands require access to the Pulumi state bucket. Defaults to False.

  • s3_full_access_buckets (list, optional) – When enable_full_s3_access is True, full permission will be granted to this list of buckets and all objects within them. Defaults to [].

  • enable_s3_bucket_upload (bool, optional) – When True, allows the user to upload files into select S3 buckets. Use this when your CI pipeline needs to deploy files to an S3 bucket, such as when using a tb_pulumi.cloudfront.CloudFrontS3Service. Defaults to False.

  • s3_upload_buckets (list, optional) – When enable_s3_bucket_upload is True, uploading files to these buckets will be allowed. Defaults to [].

  • opts (pulumi.ResourceOptions, optional) – Additional pulumi.ResourceOptions to apply to these resources. Defaults to None.

  • kwargs (dict) – Additional arguments will be passed into the tb_pulumi.iam.UserWithAccessKey resource.
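The access_keys rotation procedure above (create the new key active, switch consumers, deactivate the old key, delete it once nothing breaks) is easy to get wrong in a config diff. The following is an added example, not part of tb_pulumi: it models the documented dict shape (key name to active flag), derives the operations a change from one revision to the next implies, and flags the two transitions that lock a pipeline out. The function names and the "blue"/"green" key names are constructed for illustration.

```python
"""Plan and sanity-check an access_keys rotation for AwsAutomationUser.

Added example, not tb_pulumi code. Models the documented access_keys
mapping (name -> True for Active, False for Inactive) and the sequence
the module's docs recommend for rotating a key.
"""
from __future__ import annotations


def plan_rotation(before: dict[str, bool], after: dict[str, bool]) -> list[tuple[str, str]]:
    """Return (operation, key_name) pairs implied by changing the config.

    create     - key appears in `after` only (created Active unless set False)
    delete     - key appears in `before` only
    activate   - flag changed False -> True
    deactivate - flag changed True -> False
    """
    ops: list[tuple[str, str]] = []
    for name in sorted(set(before) | set(after)):
        if name not in before:
            ops.append(("create", name))
            if not after[name]:
                ops.append(("deactivate", name))  # created directly in Inactive state
        elif name not in after:
            ops.append(("delete", name))
        elif before[name] != after[name]:
            ops.append(("activate" if after[name] else "deactivate", name))
    return ops


def rotation_warnings(before: dict[str, bool], after: dict[str, bool]) -> list[str]:
    """Flag transitions that break the documented rotation sequence."""
    warnings: list[str] = []
    # Every revision must leave at least one Active key or CI loses access.
    if after and not any(after.values()):
        warnings.append("no active key remains; CI will lose access")
    # Deleting a key that is still Active skips the reversible deactivate step.
    for name, active in before.items():
        if active and name not in after:
            warnings.append(
                f"key '{name}' deleted while still active; deactivate it first and confirm nothing breaks"
            )
    return warnings


def documented_rotation() -> list[list[tuple[str, str]]]:
    """The four-step sequence from the docs, as the operations each step implies."""
    revisions = [
        {"blue": True},                 # starting point: one active key (constructed)
        {"blue": True, "green": True},  # step 1: create the replacement
        {"blue": False, "green": True}, # step 2/3: credentials updated, old key deactivated
        {"green": True},                # step 4: old key deleted
    ]
    return [plan_rotation(a, b) for a, b in zip(revisions, revisions[1:])]


if __name__ == "__main__":
    for step, ops in enumerate(documented_rotation(), 1):
        print(f"step {step}: {ops}")
    print(rotation_warnings({"blue": True}, {"blue": False}))
```

Run `plan_rotation` and `rotation_warnings` on the previous and proposed access_keys mappings in a pre-apply check; an empty warnings list means the change keeps the reversible path the docs describe.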
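The enable_* flags and their companion resource lists above describe four permission sets that are only as tight as the resources they are scoped to. The following is an added example, not tb_pulumi's code: it builds scoped IAM policy documents from options mirroring the constructor's names and then lists any statement granted on Resource "*" without a Condition, which is the thing a reviewer wants to eyeball. The action lists and statement layout are assumptions standing in for whatever the module actually emits, and the ARNs in the test are constructed.

```python
"""Build scoped IAM policy documents for the four optional permission sets.

Added example, not tb_pulumi code. Option names mirror AwsAutomationUser;
the actions chosen per policy are assumptions (typical minimal sets), and
ecr_repositories / fargate_clusters are assumed to be ARNs here.
"""
from __future__ import annotations

from dataclasses import dataclass, field


@dataclass
class AutomationOptions:
    enable_ecr_image_push: bool = False
    ecr_repositories: list[str] = field(default_factory=list)
    enable_s3_bucket_upload: bool = False
    s3_upload_buckets: list[str] = field(default_factory=list)      # bucket names
    enable_full_s3_access: bool = False
    s3_full_access_buckets: list[str] = field(default_factory=list)  # bucket names
    enable_fargate_deployments: bool = False
    fargate_clusters: list[str] = field(default_factory=list)
    fargate_task_role_arns: list[str] = field(default_factory=list)


def _doc(*statements: dict) -> dict:
    return {"Version": "2012-10-17", "Statement": list(statements)}


def build_policies(o: AutomationOptions) -> dict[str, dict]:
    """Return policy name -> policy document, one per enabled permission set."""
    policies: dict[str, dict] = {}
    if o.enable_ecr_image_push:
        policies["ecr_image_push_policy"] = _doc(
            # GetAuthorizationToken is account-wide and only accepts Resource "*".
            {"Effect": "Allow", "Action": ["ecr:GetAuthorizationToken"], "Resource": "*"},
            {"Effect": "Allow",
             "Action": ["ecr:BatchCheckLayerAvailability", "ecr:InitiateLayerUpload",
                        "ecr:UploadLayerPart", "ecr:CompleteLayerUpload", "ecr:PutImage"],
             "Resource": list(o.ecr_repositories)},
        )
    if o.enable_s3_bucket_upload:
        policies["s3_upload_policy"] = _doc(
            {"Effect": "Allow", "Action": ["s3:ListBucket"],
             "Resource": [f"arn:aws:s3:::{b}" for b in o.s3_upload_buckets]},
            {"Effect": "Allow", "Action": ["s3:PutObject"],
             "Resource": [f"arn:aws:s3:::{b}/*" for b in o.s3_upload_buckets]},
        )
    if o.enable_full_s3_access:
        # "Unfettered" access, but still limited to the named buckets and their objects.
        policies["s3_full_access_policy"] = _doc(
            {"Effect": "Allow", "Action": ["s3:*"],
             "Resource": [arn for b in o.s3_full_access_buckets
                          for arn in (f"arn:aws:s3:::{b}", f"arn:aws:s3:::{b}/*")]},
        )
    if o.enable_fargate_deployments:
        policies["fargate_deployment_policy"] = _doc(
            # RegisterTaskDefinition has no resource-level scoping in IAM.
            {"Effect": "Allow", "Action": ["ecs:RegisterTaskDefinition"], "Resource": "*"},
            {"Effect": "Allow", "Action": ["ecs:UpdateService", "ecs:DescribeServices"],
             "Resource": "*",
             "Condition": {"ArnEquals": {"ecs:cluster": list(o.fargate_clusters)}}},
            # PassRole limited to the listed task roles, and only when handed to ECS tasks.
            {"Effect": "Allow", "Action": ["iam:PassRole"],
             "Resource": list(o.fargate_task_role_arns),
             "Condition": {"StringEquals": {"iam:PassedToService": "ecs-tasks.amazonaws.com"}}},
        )
    return policies


def unconditioned_wildcards(policies: dict[str, dict]) -> list[tuple[str, str]]:
    """(policy, action) pairs allowed on Resource "*" with no Condition; review each one."""
    found: list[tuple[str, str]] = []
    for name, doc in policies.items():
        for st in doc["Statement"]:
            if st.get("Resource") == "*" and "Condition" not in st:
                found.extend((name, a) for a in st["Action"])
    return found
```

With every flag off `build_policies` returns no documents at all, which matches the page's "only if enable_... is True" wording; `unconditioned_wildcards` should come back with only the two actions IAM cannot scope any tighter.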