tb_pulumi.iam

Infrastructural patterns related to AWS IAM.

class tb_pulumi.iam.StackAccessPolicies(name: str, project: ThunderbirdPulumiProject, opts: ResourceOptions = None, tags: dict = {}, **kwargs)

Bases: ProjectResourceGroup

Creates two IAM policies granting read-only and full admin access to all resources in this project.

build_policies(arns: list[str])

Defines the IAM policies which govern access to the given list of resources.

Parameters:

arns (list[str]) – List of resource ARNs to build policies around. This is automatically provided by the ready() function when a stack’s state has been achieved in a Pulumi run.

ready(outputs: list[Resource])

This function is called by the tb_pulumi.ProjectResourceGroup after all outputs in the project have been resolved into values. Here, we go through every resource to get an exhaustive list of resource ARNs. Those are used to determine a list of AWS services in use by the project. An IAM policy is produced that has read-only access to those resources.

tb_pulumi.iam.UserWithAccessKey

alias of UserWithAccessKeys

class tb_pulumi.iam.UserWithAccessKeys(name: str, project: ThunderbirdPulumiProject, access_keys: dict, user_name: str, enable_legacy_access_key: bool = False, groups: list[Group] = [], policies: list[Policy] = [], exclude_from_project: bool = False, opts: ResourceOptions = None, tags: dict = {}, **kwargs)

Bases: ThunderbirdComponentResource

Pulumi Type: tb:iam:UserWithAccessKeys

Builds an IAM user with a set of access key credentials, stores those values in a Secrets Manager secret, and creates an IAM policy granting access to that secret. The IAM user gets that policy attached as well as any additional policies provided.

Produces the following resources:

  • access_key - An aws.iam.AccessKey the user can authenticate with. This is a “legacy” feature kept around to accommodate the transition to the access_keys feature.

  • access_keys - A dict where the keys are the names of the configured access keys and the values are the aws.iam.AccessKey resources produced.

  • access_key_secrets - A dict where the keys are the names of the configured access keys and the values are tb_pulumi.secrets.SecretsManagerSecret resources.

  • group_membership - An aws.iam.UserGroupMembership representing this user’s membership in the provided groups.

  • policy - An aws.iam.Policy granting the ability to retrieve this secret and its metadata.

  • policy_attachments - A list of aws.iam.PolicyAttachment resources covering the policy created here and any additional policies provided with the policies parameter.

  • secret - A tb_pulumi.secrets.SecretsManagerSecret containing the secret authentication details of the “legacy” access_key. This feature accommodates the transition to the access_keys feature, which produces the access_key_secrets resource.

  • user - The aws.iam.User.

Parameters:
  • name (str) – A string identifying this set of resources.

  • project (tb_pulumi.ThunderbirdPulumiProject) – The ThunderbirdPulumiProject to add these resources to.

  • access_keys

    Dict where the keys are arbitrary names for access keys to create for this user and the values are booleans indicating the key should be “Active” (True) or “Inactive” (False). To rotate an access key, first create a new key set to True. Then update the credentials wherever your implementation requires. Then deactivate the old key by setting its entry to False. If something unexpected breaks, you can still enable it again (set to True). When you’re ready, delete the access key by removing its entry. Here’s an example configuration where a new key (“green”) has been created and an old key (“blue”) is deactivated but not deleted:

    access_keys:
      blue: False
      green: True

  • user_name (str) – Name to give the IAM user.

  • enable_legacy_access_key (bool) – If True, this will create an access key that is tracked outside of the dict of access_keys. This is the way this module used to work, and it will be removed in a future version since it does not allow for cautious key rotation. Use it to migrate off of this feature, and afterward it should be set to False. Defaults to False.

  • groups (list[aws.iam.Group]) – List of aws.iam.Group resources to make this user a member of.

  • policies (list[aws.iam.Policy], optional) –

    List of aws.iam.Policy resources to attach to the user. Defaults to [].

  • opts (pulumi.ResourceOptions, optional) – Additional pulumi.ResourceOptions to apply to these resources. Defaults to None.

  • tags (dict, optional) – Key/value pairs to merge with the default tags which get applied to all resources in this group. Defaults to {}.

  • kwargs

    Any other keyword arguments which will be passed as inputs to the aws.iam.User resource.
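The access_keys rotation procedure above (create the new key Active, update credentials, deactivate the old key, then delete it), as an added example that is not part of tb_pulumi: a validator for one change to the access_keys dict, plus a generator for the documented step sequence. validate_rotation, rotation_steps and plan_is_safe are hypothetical helper names, the configs are constructed, and the two-key limit is an assumed AWS per-user quota.

```python
# Constructed sample configs (not from the project) using the page's names:
# "blue" is the key being retired, "green" is its replacement.
CURRENT = {"blue": True}
TARGET = {"blue": False, "green": True}


def validate_rotation(before: dict[str, bool], after: dict[str, bool]) -> list[str]:
    """Return the problems with moving access_keys from `before` to `after`; empty means the step follows the documented procedure."""
    problems = []
    created = {n for n in after if n not in before}
    deactivated = {n for n, a in before.items() if a and n in after and not after[n]}
    for name, active in before.items():
        if name not in after and active:
            # Deleting an Active key skips the "deactivate first" safety step.
            problems.append(f"{name!r} removed while still Active; set it to False first")
    for name in deactivated:
        if not any(v for k, v in after.items() if k != name):
            # Deactivating the last Active key locks out whatever still uses it.
            problems.append(f"deactivating {name!r} leaves no Active key")
    for name in created:
        if not after[name]:
            # A new key must start Active so credentials can be cut over to it.
            problems.append(f"new key {name!r} created Inactive; create it with True")
    if created and deactivated:
        # The procedure separates these steps with a credential update in between.
        problems.append("new key created and old key deactivated in the same step")
    if len(after) > 2:
        # AWS permits at most two access keys per IAM user (assumed quota).
        problems.append("more than two access keys configured for one user")
    return problems


def rotation_steps(current: dict[str, bool], old: str, new: str):
    """Yield (description, access_keys config) for each step of retiring `old` in favour of `new`."""
    step = {**current, new: True}
    yield "create the new key as Active, then update credentials", step
    step = {**step, old: False}
    yield "deactivate the old key", step
    step = {k: v for k, v in step.items() if k != old}
    yield "delete the old key once nothing broke", step


def plan_is_safe(current: dict[str, bool], old: str, new: str) -> bool:
    """True when every consecutive step of the generated plan passes validate_rotation."""
    prev = current
    for _, cfg in rotation_steps(current, old, new):
        if validate_rotation(prev, cfg):
            return False
        prev = cfg
    return True
```

Applied to CURRENT and TARGET directly, the validator flags that the new key was created and the old one deactivated in a single step, while the three configs produced by rotation_steps each pass.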