tb_pulumi.iam
Infrastructural patterns related to AWS IAM.
- class tb_pulumi.iam.StackAccessPolicies(name: str, project: ThunderbirdPulumiProject, opts: ResourceOptions = None, tags: dict = {}, **kwargs)
Bases: ProjectResourceGroup
Creates two IAM policies granting read-only and full admin access to all resources in this project.
- build_policies(arns: list[str])
Defines the IAM policies which govern access to the given list of resources.
- Parameters:
arns (list[str]) – List of resource ARNs to build policies around. This is provided automatically by ready() once a stack's state has been achieved in a Pulumi run.
- ready(outputs: list[Resource])
Called by tb_pulumi.ProjectResourceGroup after all outputs in the project have been resolved into values. It walks every resource to collect an exhaustive list of resource ARNs, which determines the set of AWS services the project uses; those ARNs are handed to build_policies() to produce the project's access policies (the read-only policy and the full-admin policy described above).
- class tb_pulumi.iam.UserWithAccessKey(name: str, project: ThunderbirdPulumiProject, user_name: str, groups: list[Group] = [], policies: list[Policy] = [], exclude_from_project: bool = False, opts: ResourceOptions = None, tags: dict = {}, **kwargs)
Bases: ThunderbirdComponentResource
Pulumi Type: tb:iam:UserWithAccessKey
Builds an IAM user with a set of access key credentials, stores those values in a Secrets Manager secret, and creates an IAM policy granting access to that secret. The IAM user gets that policy attached as well as any additional policies provided.
Produces the following resources:
access_key - An aws.iam.AccessKey the user can authenticate with.
group_membership - An aws.iam.UserGroupMembership representing this user's membership in the provided groups.
policy - An aws.iam.Policy granting the ability to retrieve this secret and its metadata.
policy_attachments - A list of aws.iam.PolicyAttachment resources attaching the policy created here and any additional policies provided with the policies parameter.
secret - A tb_pulumi.secrets.SecretsManagerSecret containing the secret authentication details.
user - The aws.iam.User.
- Parameters:
name (str) – A string identifying this set of resources.
project (tb_pulumi.ThunderbirdPulumiProject) – The ThunderbirdPulumiProject to add these resources to.
user_name (str) – Name to give the IAM user.
groups (list[aws.iam.Group], optional) – List of aws.iam.Group resources to make this user a member of. Defaults to [].
policies (list[aws.iam.Policy], optional) – List of aws.iam.Policy resources to attach to the user. Defaults to [].
opts (pulumi.ResourceOptions, optional) – Additional pulumi.ResourceOptions to apply to these resources. Defaults to None.
tags (dict, optional) – Key/value pairs to merge with the default tags which get applied to all resources in this group. Defaults to {}.
kwargs – Any other keyword arguments which will be passed as inputs to the aws.iam.User resource.
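The secret-scoped grant described above, as an added example that is not tb_pulumi's own code: the policy document that lets the user retrieve its own credential secret and its metadata, plus a small IAM-wildcard matcher used to confirm the grant covers exactly that secret and nothing else. The page does not list the actions the component grants; `GetSecretValue` and `DescribeSecret` are assumed here as the minimal pair for "retrieve this secret and its metadata", and the secret ARNs are constructed sample values.

```python
"""Added example, not tb_pulumi's own code: least-privilege policy for a
user's own credential secret, with a toy evaluator to check its scope."""
import json
import re

# Constructed sample values. Secrets Manager appends a random 6-character
# suffix to the secret name when it creates the ARN, so a policy should
# reference the ARN the secret resource outputs, not a name guessed up front.
SECRET_ARN = "arn:aws:secretsmanager:us-east-1:123456789012:secret:myapp/ci-user-Ab1Cd2"
OTHER_SECRET_ARN = "arn:aws:secretsmanager:us-east-1:123456789012:secret:myapp/db-admin-Xy9Zw8"

# Assumption: the minimal actions for "retrieve this secret and its metadata".
SECRET_READ_ACTIONS = ["secretsmanager:GetSecretValue", "secretsmanager:DescribeSecret"]


def secret_access_policy(secret_arn: str) -> dict:
    """Allow reading one secret's value and metadata; nothing else."""
    return {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Sid": "ReadOwnCredentialSecret",
                "Effect": "Allow",
                "Action": SECRET_READ_ACTIONS,
                "Resource": [secret_arn],
            }
        ],
    }


def _iam_match(pattern: str, value: str, case_insensitive: bool = False) -> bool:
    """IAM wildcard semantics: '*' matches any run of characters, '?' one
    character. Action names match case-insensitively; resource ARNs do not."""
    regex = "^" + "".join(
        ".*" if c == "*" else "." if c == "?" else re.escape(c) for c in pattern
    ) + "$"
    flags = re.IGNORECASE if case_insensitive else 0
    return re.match(regex, value, flags) is not None


def _as_list(v):
    return v if isinstance(v, list) else [v]


def policy_allows(policy: dict, action: str, resource: str) -> bool:
    """Toy evaluator: True if any Allow statement matches both action and
    resource. Ignores Deny, Condition, NotAction/NotResource and principals,
    which is enough to check the scope of a single identity policy."""
    for stmt in policy["Statement"]:
        if stmt.get("Effect") != "Allow":
            continue
        action_ok = any(_iam_match(a, action, True) for a in _as_list(stmt["Action"]))
        resource_ok = any(_iam_match(r, resource) for r in _as_list(stmt["Resource"]))
        if action_ok and resource_ok:
            return True
    return False


if __name__ == "__main__":
    doc = secret_access_policy(SECRET_ARN)
    print(json.dumps(doc, indent=2))
    print("own secret readable:", policy_allows(doc, "secretsmanager:GetSecretValue", SECRET_ARN))
    print("other secret readable:", policy_allows(doc, "secretsmanager:GetSecretValue", OTHER_SECRET_ARN))
```

The evaluator is deliberately minimal; its purpose is to make the scope of the attached policy testable rather than to replace the IAM policy simulator. The suffix check in the test shows why the policy should be built from the secret resource's ARN output: a pattern ending in the bare secret name does not match the ARN Secrets Manager actually assigns.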