tb_pulumi.secrets

Infrastructural patterns related to AWS Secrets Manager.

class tb_pulumi.secrets.PulumiSecretsManager(name: str, project: ThunderbirdPulumiProject, secret_names: list[str] = [], opts: ResourceOptions = None, tags: dict = {}, **kwargs)

Bases: ThunderbirdComponentResource

Pulumi Type: tb:secrets:PulumiSecretsManager

Builds a set of AWS SecretsManager Secrets based on specific secrets in Pulumi’s config.

Produces the following resources:

  • secrets - List of tb_pulumi.secrets.SecretsManagerSecret resources storing Pulumi config secrets in AWS.

  • policy - aws.iam.Policy granting access to the secrets managed by this module. This doesn’t get attached to any entities, but is intended for use in things like CI flows or ECS task execution roles.

Parameters:
  • name (str) – A string identifying this set of resources.

  • project (ThunderbirdPulumiProject) – The ThunderbirdPulumiProject to add these resources to.

  • secret_names (list[str], optional) – A list of secrets as they are known to Pulumi. To get a list of valid values, run pulumi config. For more info on Pulumi secrets, see Working with Secrets.

  • opts – Additional pulumi.ResourceOptions to apply to these resources.

  • kwargs – Any other keyword arguments which will be passed as inputs to the aws.secretsmanager.Secret resource.

class tb_pulumi.secrets.SecretsManagerSecret(name: str, project: ThunderbirdPulumiProject, secret_name: str, secret_value: Any, exclude_from_project: bool = False, opts: ResourceOptions = None, tags: dict = {}, **kwargs)

Bases: ThunderbirdComponentResource

Pulumi Type: tb:secrets:SecretsManagerSecret

Stores a value as a Secrets Manager secret, which is composed of a “Secret” and a “SecretVersion”.

Produces the following resources:

Parameters:
  • name (Any) – A string identifying this set of resources.

  • project (ThunderbirdPulumiProject) – The ThunderbirdPulumiProject to add these resources to.

  • exclude_from_project (bool, optional) – When True, this prevents this component resource from being registered directly with the project. This does not prevent the component resource from being discovered by the project’s flatten function, provided that it is nested within some resource that is not excluded from the project.

  • secret_name – A slash (“/”) delimited name for the secret in AWS. The last segment of this will be used as the “short name” for abbreviated references.

  • secret_value – The secret data to store. This should be a string or some other type that can be serialized with str().

  • opts (pulumi.ResourceOptions, optional) – Additional pulumi.ResourceOptions to apply to these resources. Defaults to None.

  • tags (dict, optional) – Key/value pairs to merge with the default tags which get applied to all resources in this group. Defaults to {}.

  • kwargs – Any other keyword arguments which will be passed as inputs to the aws.secretsmanager.Secret resource.
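The following is an added example, not code from tb_pulumi itself, showing how a program would use PulumiSecretsManager and SecretsManagerSecret as documented above, plus the two details a practitioner trips over: secret_value is stored via str() (so structured values must be JSON-encoded first, or the stored text is Python repr) and the produced policy should name only the secrets it covers. The ThunderbirdPulumiProject constructor arguments, the resources["policy"] attribute path, the policy document shape, and all ARNs and values are assumptions or constructed placeholders.

```python
import json


def short_name(secret_name: str) -> str:
    """Last slash-delimited segment of an AWS secret name, the 'short name'
    SecretsManagerSecret uses for abbreviated references."""
    return secret_name.strip("/").rsplit("/", 1)[-1]


def serialize_secret_value(value) -> str:
    """SecretsManagerSecret stores str(value). For dicts and lists that is Python
    repr, not JSON, so encode them explicitly before handing them to the resource."""
    if isinstance(value, (dict, list)):
        return json.dumps(value, sort_keys=True)
    return str(value)


def read_only_policy(secret_arns: list[str]) -> dict:
    """Read-only IAM policy scoped to exactly the listed secret ARNs (assumed shape,
    not the module's own document). No other secret in the account is readable."""
    return {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Effect": "Allow",
                "Action": ["secretsmanager:GetSecretValue", "secretsmanager:DescribeSecret"],
                "Resource": sorted(secret_arns),
            }
        ],
    }


if __name__ == "__main__":
    # Pulumi program usage; this only runs under `pulumi up`, where these imports resolve.
    import pulumi
    import tb_pulumi
    from tb_pulumi.secrets import PulumiSecretsManager, SecretsManagerSecret

    project = tb_pulumi.ThunderbirdPulumiProject()  # constructor arguments assumed
    # Mirror secrets listed by `pulumi config` into Secrets Manager.
    secrets = PulumiSecretsManager("mirrored", project, secret_names=["db_password", "api_token"])
    # A structured value: JSON-encode it ourselves instead of relying on str().
    SecretsManagerSecret(
        "db_creds", project,
        secret_name="myapp/prod/db",  # short name is "db"
        secret_value=serialize_secret_value({"user": "app", "password": "PLACEHOLDER"}),
    )
    # Attach this policy to a CI role or ECS task execution role, never to a broad principal.
    pulumi.export("secrets_policy_arn", secrets.resources["policy"].arn)  # attribute path assumed
```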