tb_pulumi.ci

Patterns related to continuous integration.

class tb_pulumi.ci.AwsAutomationUser(name: str, project: ThunderbirdPulumiProject, active_stack: str = 'stage', additional_policies: list[str] = [], enable_ecr_image_push: bool = False, ecr_repositories: list[str] = None, enable_fargate_deployments: str = False, fargate_clusters: list[str] = None, fargate_task_role_arns: list[str] = None, enable_full_s3_access: bool = False, s3_full_access_buckets: list = [], enable_s3_bucket_upload: bool = False, s3_upload_buckets: list[str] = [], opts: ResourceOptions = None, **kwargs)

Bases: ThunderbirdComponentResource

Pulumi Type: tb:ci:AutomationUser

Creates an IAM user, then creates a keypair for it. The keypair data is stored in Secrets Manager. Several options, documented below, exist to provide some common permission sets for build and deployment patterns used in these modules. Additional policies can be added arbitrarily to expand these permissions.

Because CI processes affect resources built across multiple environments (which can also be interpreted as multiple Pulumi stacks), these items are only created in a single stack.

Produces the following resources:

  • user - aws.iam.User to run CI operations.

  • access_key - aws.iam.AccessKey for that user’s authentication.

  • secret - tb_pulumi.secrets.SecretsManagerSecret where the access key data is stored.

  • ecr_image_push_policy - aws.iam.Policy defining permissions required to push container images to an ECR repository, but only if enable_ecr_image_push is True.

  • s3_upload_policy - aws.iam.Policy defining permissions required to upload files to S3 buckets, but only if enable_s3_bucket_upload is True.

  • s3_full_access_policy - aws.iam.Policy defining complete, unfettered access to S3 buckets and their contents, but only if enable_full_s3_access is True.

  • fargate_deployment_policy - aws.iam.Policy defining permissions needed to deploy images to a Fargate service, but only if enable_fargate_deployments is True.

Parameters:
  • name (str) – Name of the IAM user to create.

  • project (tb_pulumi.ThunderbirdPulumiProject) – The ThunderbirdPulumiProject to add these resources to.

  • active_stack (str, optional) – The name of the stack to manage these single-stack resources in. Defaults to ‘stage’. You should always set this to a stack you expect to be a permanent fixture in your infrastructure.

  • additional_policies (list[str], optional) – List of ARNs of IAM policies to additionally attach to the user. Defaults to [].

  • enable_ecr_image_push (bool, optional) – When True, attaches a policy to the user which allows it to push images to ECR repositories. Use this when your CI pipeline involves building a container image and pushing it to an ECR repo. Defaults to False.

  • ecr_repositories (list[str], optional) – When enable_ecr_image_push is True, permission will be granted to push images to these ECR repositories. Defaults to None.

  • enable_fargate_deployments (str, optional) – When True, attaches a policy which allows new task definitions to be deployed to Fargate services. Use this when your CI pipeline needs to deploy new images to Fargate services. Defaults to False.

  • fargate_clusters (list[str], optional) – When enable_fargate_deployments is True, permission will be granted to deploy to this list of clusters. Defaults to None.

  • fargate_task_role_arns (list[str], optional) – When enable_fargate_deployments is True, permission will be granted for the user to authenticate as this list of task roles. This should be a list of ARNs of task execution roles in the clusters you wish to deploy to. Defaults to None.

  • enable_full_s3_access (bool, optional) – When True, allows the user unrestricted access to select S3 buckets. Use this when your CI needs to be able to run Pulumi executions. Those commands will need to run with access to the Pulumi state bucket. Defaults to False.

  • s3_full_access_buckets (list, optional) – When enable_full_s3_access is True, full permission will be granted to this list of buckets and all objects within them. Defaults to [].

  • enable_s3_bucket_upload (bool, optional) – When True, allows the user to upload files into select S3 buckets. Use this when your CI pipeline needs to deploy files to an S3 bucket, such as when using a tb_pulumi.cloudfront.CloudFrontS3Service. Defaults to False.

  • s3_upload_buckets (list, optional) – When enable_s3_bucket_upload is True, allow uploading files to these buckets. Defaults to [].

  • opts (pulumi.ResourceOptions, optional) – Additional pulumi.ResourceOptions to apply to these resources. Defaults to None.
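Added example, not part of tb_pulumi: a pre-flight check for the options passed to AwsAutomationUser, so that every enable_* flag is scoped to an explicit list of targets and every ARN has the shape of an IAM policy or role ARN before the user and its Secrets Manager key are created. The flag-to-list pairing and the ARN pattern are assumptions drawn from the parameter descriptions above, not checks the library itself performs.

```python
import re

# Matches IAM policy and role ARNs, e.g. arn:aws:iam::123456789012:role/deploy-task
IAM_ARN_RE = re.compile(r"^arn:aws:iam::\d{12}:(policy|role)/[\w+=,.@/-]+$")


def check_automation_user_options(opts: dict) -> list[str]:
    """Return a list of problems with keyword options for AwsAutomationUser.

    An empty list means every enabled permission set names its targets and
    every ARN looks like an IAM policy or role ARN.
    """
    problems = []
    # Each enable_* flag and the list that scopes it (hypothetical pairing
    # derived from the parameter docs, not from the library's own checks).
    scoped = [
        ("enable_ecr_image_push", "ecr_repositories"),
        ("enable_fargate_deployments", "fargate_clusters"),
        ("enable_fargate_deployments", "fargate_task_role_arns"),
        ("enable_full_s3_access", "s3_full_access_buckets"),
        ("enable_s3_bucket_upload", "s3_upload_buckets"),
    ]
    for flag, targets in scoped:
        enabled = opts.get(flag, False)
        values = opts.get(targets) or []
        if enabled is not True and enabled is not False:
            problems.append(f"{flag} must be a bool, got {enabled!r}")
        elif enabled and not values:
            problems.append(f"{flag}=True but {targets} is empty")
        elif not enabled and values:
            problems.append(f"{targets} is set but {flag} is False, so it is ignored")
    # Task roles and extra policies are attached by ARN; reject malformed ones early.
    for key in ("fargate_task_role_arns", "additional_policies"):
        for arn in opts.get(key) or []:
            if not IAM_ARN_RE.match(arn):
                problems.append(f"{key}: {arn!r} is not an IAM policy/role ARN")
    return problems


def automation_user_kwargs(**opts) -> dict:
    """Validate options; on success they are ready for AwsAutomationUser(name, project, **opts)."""
    problems = check_automation_user_options(opts)
    if problems:
        raise ValueError("; ".join(problems))
    return opts


if __name__ == "__main__":
    # Constructed sample: a CI user that pushes one image and deploys it to one cluster.
    print(automation_user_kwargs(
        active_stack="stage",
        enable_ecr_image_push=True,
        ecr_repositories=["my-app"],
        enable_fargate_deployments=True,
        fargate_clusters=["my-app-cluster"],
        fargate_task_role_arns=["arn:aws:iam::123456789012:role/my-app-task"],
    ))
```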