tb_pulumi.iam

Infrastrucutural patterns related to AWS IAM.

class tb_pulumi.iam.StackAccessPolicies(name: str, project: ThunderbirdPulumiProject, opts: ResourceOptions = None, tags: dict = {}, **kwargs)

Bases: ProjectResourceGroup

Creates two IAM policies granting read-only and full admin access to all resources in this project.

build_policies(arns: list[str])

Defines the IAM policies which govern access to the given list of resources.

Parameters:

arns (list[str]) – List of resource ARNs to build policies around. This is automatically provided by the ready() function when a stack’s state has been achieved in a Pulumi run.

ready(outputs: list[Resource])

This function is called by the tb_pulumi.ProjectResourceGroup after all outputs in the project have been resolved into values. Here, we go through every resource to get an exhaustive list of resource ARNs. Those are used to determine a list of AWS services in use by the project. An IAM policy is produced that has read-only access to those resources.

class tb_pulumi.iam.UserWithAccessKey(name: str, project: ThunderbirdPulumiProject, user_name: str, groups: list[Group] = [], policies: list[Policy] = [], exclude_from_project: bool = False, opts: ResourceOptions = None, tags: dict = {}, **kwargs)

Bases: ThunderbirdComponentResource

Pulumi Type: tb:iam:UserWithAccessKey

Builds an IAM user with a set of access key credentials, stores those values in a Secrets Manager secret, and creates an IAM policy granting access to that secret. The IAM user gets that policy attached as well as any additional policies provided.

Produces the following resources:

• access_key - An aws.iam.AccessKey the user can authenticate with.

• group_membership - An aws.iam.UserGroupMembership representing this user’s membership in the provided groups.

• policy - An aws.iam.Policy granting the ability to retrieve this secret and its metadata.

• policy_attachments A list of aws.iam.PolicyAttachments to include the policy created here and any additional policies provided wiht the policies parameter.

• secret - A tb_pulumi.secrets.SecretsManagerSecret containing the secret authentication details.

• user - The aws.iam.User.

Parameters:

• name (str) – A string identifying this set of resources.

• project (tb_pulumi.ThunderbirdPulumiProject) – The ThunderbirdPulumiProject to add these resources to.

• user_name (str) – Name to give the IAM user.

• groups (list[aws.iam.Group]) – List of aws.iam.Group s to make this user a member of.

• policies (list[aws.iam.Policy], optional) –

  List of aws.iam.Policy resources to attach to the user. Defaults to [].

• opts (pulumi.ResourceOptions, optional) – Additional pulumi.ResourceOptions to apply to these resources. Defaults to None.

• tags (dict, optional) – Key/value pairs to merge with the default tags which get applied to all resources in this group. Defaults to {}.

• kwargs –

  Any other keyword arguments which will be passed as inputs to the aws.iam.User resource.