diff --git a/themes/default/content/registry/packages/aws-iam/_index.md b/themes/default/content/registry/packages/aws-iam/_index.md
deleted file mode 100644
index 0db8d1fca8..0000000000
--- a/themes/default/content/registry/packages/aws-iam/_index.md
+++ /dev/null
@@ -1,1120 +0,0 @@ ---- -title: AWS IAM -meta_desc: Use Pulumi's Component for creating an AWS IAM resources using infrastructure as code. -layout: package ---- - -You can use the Pulumi AWS IAM Component to help you create AWS IAM roles in all supported Pulumi Languages. The code below -will show you examples of each resources supported in this Component, but please refer to the API Docs for more detailed -descriptions and information about each resource. - -This Component was heavily inspired by the [Terraform AWS IAM Module](https://github.com/terraform-aws-modules/terraform-aws-iam/) and -should provide users with equal functionality. - -## Examples - -{{< chooser language "typescript,python,go,csharp,yaml" >}} - -{{% choosable language typescript %}} - -```typescript -import * as iam from "@pulumi/aws-iam"; - -// Account -export const account = new iam.Account("account", { - accountAlias: "cool-alias", - passwordPolicy: { - minimumLength: 37, - requireNumbers: false, - allowUsersToChange: true, - hardExpiry: true, - requireSymbols: true, - requireLowercaseCharacters: true, - requireUppercaseCharacters: true, - }, -}); - -// User -export const user = new iam.User("aws-iam-example-user", { - name: "pulumipus", - forceDestroy: true, - pgpKey: "keybase:test", - passwordResetRequired: false, -}); - -// Assumable Role -export const assumableRole = new iam.AssumableRole("aws-iam-example-assumable-role", { - trustedRoleArns: [ "arn:aws:iam::307990089504:root", "arn:aws:iam::835367859851:user/pulumipus" ], - role: { - name: "custom", - requiresMfa: true, - policyArns: [ "arn:aws:iam::aws:policy/AmazonCognitoReadOnly","arn:aws:iam::aws:policy/AlexaForBusinessFullAccess" ], - }, -}); - -// // Assumable Role With OIDC -export const assumableRoleWithOidc = new iam.AssumableRoleWithOIDC("aws-iam-example-assumable-role-with-oidc", { - providerUrls: ["oidc.eks.eu-west-1.amazonaws.com/id/BA9E170D464AF7B92084EF72A69B9DC8"], - role: { - name: "oidc-role", - policyArns: [ 
"arn:aws:iam::aws:policy/AmazonEKS_CNI_Policy" ], - }, - tags: { - Role: "oidc-role", - }, -}); - -// // Assumable Role With SAML -export const assumableRoleWithSaml = new iam.AssumableRoleWithSAML("aws-iam-example-assumable-role-with-saml", { - providerIds: [ "arn:aws:iam::235367859851:saml-provider/idp_saml" ], - role: { - name: "saml-role", - policyArns: [ "arn:aws:iam::aws:policy/ReadOnlyAccess" ], - }, - tags: { - Role: "saml-role", - }, -}); - -// // Assumable Roles -export const assumableRoles = new iam.AssumableRoles("aws-iam-example-assumable-roles", { - trustedRoleArns: [ "arn:aws:iam::307990089504:root", "arn:aws:iam::835367859851:user/pulumipus" ], - admin: {}, - poweruser: { - name: "developer", - }, - readonly: { - requiresMfa: true, - }, -}); - -// // Assumable Roles With SAML -export const assumableRolesWithSaml = new iam.AssumableRolesWithSAML("aws-iam-example-assumable-role-with-saml", { - providerIds: [ "arn:aws:iam::235367859851:saml-provider/idp_saml" ], - admin: {}, - poweruser: { - name: "developer", - }, - readonly: {}, -}); - -// // EKS Role -export const eksRole = new iam.EKSRole("aws-iam-example-eks-role", { - role: { - name: "eks-role", - policyArns: [ "arn:aws:iam::aws:policy/AmazonEKS_CNI_Policy" ], - }, - tags: { - Name: "eks-role", - }, - clusterServiceAccounts: { - "cluster1": [ "default:my-app" ], - "cluster2": [ "default:my-app", "canary:my-app" ], - }, -}); - -// // Group With Assumable Roles Policy -export const groupWithAssumableRolesPolicy = new iam.GroupWithAssumableRolesPolicy("aws-iam-example-group-with-assumable-roles-policy", { - name: "production-readonly", - assumableRoles: [ "arn:aws:iam::835367859855:role/readonly" ], - groupUsers: [ "pulumipus" ], -}, { dependsOn: [user] }); - -// // Group With Policies -export const groupWithPolicies = new iam.GroupWithPolicies("aws-iam-example-group-with-policies", { - name: "superadmins", - groupUsers: [ "pulumipus" ], - attachIamSelfManagementPolicy: true, - 
customGroupPolicyArns: [ "arn:aws:iam::aws:policy/AdministratorAccess" ], - customGroupPolicies: [{ - "name": "AllowS3Listing", - "policy": "{}", - }], -}, { dependsOn: [user] }); - -// // Policy -export const policy = new iam.Policy("aws-iam-example-policy", { - name: "aws-iam-example-policy", - path: "/", - description: "My example policy", - policyDocument: `{ - "Version": "2012-10-17", - "Statement": [ - { - "Action": [ - "ec2:Describe*" - ], - "Effect": "Allow", - "Resource": "*" - } - ] - }`, -}); - -// // Read Only Policy -export const readOnlyPolicy = new iam.ReadOnlyPolicy("aws-iam-example-read-only-policy", { - name: "aws-iam-example-read-only", - path: "/", - description: "My example read only policy", - allowedServices: [ "rds", "dynamodb" ], -}); - -// // Role For Service Accounts EKS -export const roleForServiceAccountsEks = new iam.RoleForServiceAccountsEks("aws-iam-example-role-for-service-accounts-eks", { - role: { - name: "vpc-cni" - }, - tags: { - Name: "vpc-cni-irsa", - }, - oidcProviders: { - main: { - providerArn: "arn:aws:iam::012345678901:oidc-provider/oidc.eks.us-east-1.amazonaws.com/id/5C54DDF35ER19312844C7333374CC09D", - namespaceServiceAccounts: ["default:my-app", "canary:my-app"], - } - }, - policies: { - vpnCni: { - attach: true, - enableIpv4: true, - }, - }, -}); - -``` - -{{% /choosable %}} - -{{% choosable language python %}} - -```python -"""An AWS Python Pulumi program""" - -import json -import pulumi -from pulumi_aws import s3 -import pulumi_aws_iam as iam - -# Account -account = iam.Account( - 'account', - account_alias='cool-alias', - password_policy=iam.AccountPasswordPolicyArgs( - minimum_length=37, - require_numbers=False, - allow_users_to_change=True, - hard_expiry=True, - require_symbols=True, - require_lowercase_characters=True, - require_uppercase_characters=True, - ) -) - -pulumi.export('account', account) - -# Assumable Role -assumable_role = iam.AssumableRole( - 'assumable_role', - 
trusted_role_arns=['arn:aws:iam::307990089504:root','arn:aws:iam::835367859851:user/pulumipus'], - role=iam.RoleWithMFAArgs( - name='custom', - requires_mfa=True, - policy_arns=['arn:aws:iam::aws:policy/AmazonCognitoReadOnly','arn:aws:iam::aws:policy/AlexaForBusinessFullAccess'], - ), -) - -pulumi.export('assumable_role', assumable_role) - -# Assumable Role With OIDC -assumable_role_with_oidc = iam.AssumableRoleWithOIDC( - 'assumable_role_with_oidc', - role=iam.RoleArgs( - name='oidc-role', - policy_arns=['arn:aws:iam::aws:policy/AmazonEKS_CNI_Policy'] - ), - tags={ - 'Role': 'oidc-role', - }, - provider_urls=['oidc.eks.eu-west-1.amazonaws.com/id/BA9E170D464AF7B92084EF72A69B9DC8'] -) - -pulumi.export('assumable_role_with_oidc', assumable_role_with_oidc) - -# Assumable Role With SAML -assumable_role_with_saml = iam.AssumableRoleWithSAML( - 'assumable_role_with_saml', - role=iam.RoleArgs( - name='saml-role', - policy_arns=['arn:aws:iam::aws:policy/ReadOnlyAccess'], - ), - tags={ - 'Role': 'saml-role', - }, - provider_ids=['arn:aws:iam::235367859851:saml-provider/idp_saml'] -) - -pulumi.export('assumable_role_with_saml', assumable_role_with_saml) - -# Assumable Roles -assumable_roles = iam.AssumableRoles( - 'assumable_roles', - trusted_role_arns=['arn:aws:iam::307990089504:root','arn:aws:iam::835367859851:user/pulumipus'], - admin=iam.AdminRoleArgs(), - poweruser=iam.PoweruserRoleArgs( - name='developer', - ), - readonly=iam.ReadonlyRoleWithMFAArgs( - requires_mfa=True, - ), -) - -pulumi.export('assumable_roles', assumable_roles) - -# Assumable Roles With SAML -assumable_roles_with_saml = iam.AssumableRolesWithSAML( - 'assumable_roles_with_saml', - provider_ids=['arn:aws:iam::235367859851:saml-provider/idp_saml'], - admin=iam.AdminRoleArgs(), - readonly=iam.ReadonlyRoleArgs(), - poweruser=iam.PoweruserRoleArgs( - name='developer', - ), -) - -pulumi.export('assumable_roles_with_saml', assumable_roles_with_saml) - -# EKS Role -eks_role = iam.EKSRole( - 'eks_role', - 
role=iam.RoleArgs( - name='eks-role', - policy_arns=['arn:aws:iam::aws:policy/AmazonEKS_CNI_Policy'], - ), - tags={ - 'Name': 'eks-role', - }, - # cluster_service_acccounts={ - # 'cluster1': [ 'default:my-app' ], - # 'cluster2': [ 'default:my-app', 'canary:my-app' ], - # }, -) - -pulumi.export('eks_role', eks_role) - -# Group With Assumable Roles Policy -group_with_assume_roles_policy = iam.GroupWithAssumableRolesPolicy( - 'group_with_assume_roles_policy', - name='production-readonly', - assumable_roles=['arn:aws:iam::835367859855:role/readonly'], - group_users=['user1','user2'], -) - -pulumi.export('group_with_assume_roles_policy', group_with_assume_roles_policy) - -# Group With Policies -group_with_policies = iam.GroupWithPolicies( - 'group_with_policies', - name='superadmins', - group_users=['user1','user2'], - attach_iam_self_management_policy=True, - custom_group_policy_arns=['arn:aws:iam::aws:policy/AdministratorAccess'], - custom_group_policies=[{ - 'name': 'AllowS3Listing', - 'policy': '{}', - }], -) - -pulumi.export('group_with_policies', group_with_policies) - -# Policy -policy = iam.Policy( - 'policy', - name='example', - path='/', - description='My example policy', - policy_document=json.dumps({ - "Version": "2012-10-17", - "Statement": [ - { - "Action": [ - "ec2:Describe*" - ], - "Effect": "Allow", - "Resource": "*" - } - ] - }) -) - -pulumi.export('policy', policy) - -# Read Only Policy -read_only_policy = iam.ReadOnlyPolicy( - 'read_only_policy', - name='example', - path='/', - description='My example read only policy', - allowed_services=['rds','dynamo'], -) - -pulumi.export('read_only_policy', read_only_policy) - -# Role For Service Accounts EKS -role_for_service_account_eks = iam.RoleForServiceAccountsEks( - 'role_for_service_account_eks', - role=iam.RoleArgs( - name='vpc-cni' - ), - tags={ - 'Name': 'vpc-cni-irsa', - }, - oidc_providers={ - 'main': iam.OIDCProviderArgs( - 
provider_arn='arn:aws:iam::012345678901:oidc-provider/oidc.eks.us-east-1.amazonaws.com/id/5C54DDF35ER19312844C7333374CC09D', - namespace_service_accounts=['default:my-app', 'canary:my-app'], - ), - }, - policies=iam.EKSRolePoliciesArgs( - vpn_cni=iam.EKSVPNCNIPolicyArgs( - attach=True, - enable_ipv4=True, - ), - ), -) - -pulumi.export('role_for_service_account_eks', role_for_service_account_eks) - -# User -user = iam.User( - 'user', - name='pulumipus', - force_destroy=True, - pgp_key='keybase:test', - password_reset_required=False, -) - -pulumi.export('user', user) -``` - -{{% /choosable %}} - -{{% choosable language go %}} - -```go -package main - -import ( - "encoding/json" - - iam "github.com/pulumi/pulumi-aws-iam/sdk/go/aws-iam" - "github.com/pulumi/pulumi/sdk/v3/go/pulumi" -) - -func main() { - pulumi.Run(func(ctx *pulumi.Context) error { - // Account - account, err := iam.NewAccount(ctx, "account", &iam.AccountArgs{ - AccountAlias: pulumi.String("cool-alias"), - PasswordPolicy: iam.AccountPasswordPolicyArgs{ - MinimumLength: pulumi.IntPtr(37), - RequireNumbers: pulumi.Bool(false), - AllowUsersToChange: pulumi.Bool(true), - HardExpiry: pulumi.Bool(true), - RequireSymbols: pulumi.Bool(true), - RequireLowercaseCharacters: pulumi.Bool(true), - RequireUppercaseCharacters: pulumi.Bool(true), - }, - }) - if err != nil { - return err - } - - ctx.Export("account", account) - - // Assumable Role - assumableRole, err := iam.NewAssumableRole(ctx, "assumable-role", &iam.AssumableRoleArgs{ - TrustedRoleArns: pulumi.ToStringArray([]string{"arn:aws:iam::307990089504:root", "arn:aws:iam::835367859851:user/pulumipus"}), - Role: &iam.RoleWithMFAArgs{ - Name: pulumi.String("custom"), - RequiresMfa: pulumi.BoolPtr(true), - PolicyArns: pulumi.ToStringArray([]string{"arn:aws:iam::aws:policy/AmazonCognitoReadOnly", "arn:aws:iam::aws:policy/AlexaForBusinessFullAccess"}), - }, - }) - if err != nil { - return err - } - - ctx.Export("assumableRole", assumableRole) - - // Assumable Role 
With OIDC - assumableRoleWithOIDC, err := iam.NewAssumableRoleWithOIDC(ctx, "assumable-role-with-oidc", &iam.AssumableRoleWithOIDCArgs{ - Role: iam.RoleArgs{ - Name: pulumi.String("oidc-role"), - PolicyArns: pulumi.ToStringArray([]string{"arn:aws:iam::aws:policy/AmazonEKS_CNI_Policy"}), - }, - Tags: pulumi.ToStringMap(map[string]string{ - "Role": "oidc-role", - }), - ProviderUrls: pulumi.ToStringArray([]string{"oidc.eks.eu-west-1.amazonaws.com/id/BA9E170D464AF7B92084EF72A69B9DC8"}), - }) - if err != nil { - return err - } - - ctx.Export("assumableRoleWithOIDC", assumableRoleWithOIDC) - - // Assumable Role With SAML - assumableRoleWithSAML, err := iam.NewAssumableRoleWithSAML(ctx, "assumable-role-with-saml", &iam.AssumableRoleWithSAMLArgs{ - Role: iam.RoleArgs{ - Name: pulumi.String("saml-role"), - PolicyArns: pulumi.ToStringArray([]string{"arn:aws:iam::aws:policy/ReadOnlyAccess"}), - }, - Tags: pulumi.ToStringMap(map[string]string{ - "Role": "saml-role", - }), - ProviderIds: pulumi.ToStringArray([]string{"arn:aws:iam::235367859851:saml-provider/idp_saml"}), - }) - if err != nil { - return err - } - - ctx.Export("assumableRoleWithSAML", assumableRoleWithSAML) - - // Assumable Roles - assumableRoles, err := iam.NewAssumableRoles(ctx, "assumable-roles", &iam.AssumableRolesArgs{ - TrustedRoleArns: pulumi.ToStringArray([]string{"arn:aws:iam::307990089504:root", "arn:aws:iam::835367859851:user/pulumipus"}), - Admin: iam.AdminRoleWithMFAArgs{}, - Poweruser: iam.PoweruserRoleWithMFAArgs{ - Name: pulumi.String("developer"), - }, - Readonly: iam.ReadonlyRoleWithMFAArgs{ - RequiresMfa: pulumi.BoolPtr(true), - }, - }) - if err != nil { - return err - } - - ctx.Export("assumableRoles", assumableRoles) - - // Assumable Roles With SAML - assumableRolesWithSAML, err := iam.NewAssumableRolesWithSAML(ctx, "assumable-roles-with-saml", &iam.AssumableRolesWithSAMLArgs{ - ProviderIds: pulumi.ToStringArray([]string{"arn:aws:iam::235367859851:saml-provider/idp_saml"}), - Admin: 
iam.AdminRoleArgs{}, - Readonly: iam.ReadonlyRoleArgs{}, - Poweruser: iam.PoweruserRoleArgs{ - Name: pulumi.String("developer"), - }, - }) - if err != nil { - return err - } - - ctx.Export("assumableRolesWithSAML", assumableRolesWithSAML) - - // EKS Role - eksRole, err := iam.NewEKSRole(ctx, "eks-role", &iam.EKSRoleArgs{ - Role: iam.RoleArgs{ - Name: pulumi.String("eks-role"), - PolicyArns: pulumi.ToStringArray([]string{"arn:aws:iam::aws:policy/AmazonEKS_CNI_Policy"}), - }, - Tags: pulumi.ToStringMap(map[string]string{ - "Role": "eks-role", - }), - // Uncomment the below and replace actual cluster values. - // ClusterServiceAccounts: pulumi.ToStringArrayMap(map[string][]string{ - // "cluster1": {"default:my-app"}, - // "cluster2": {"default:my-app", "canary:my-app"}, - // }), - }) - if err != nil { - return err - } - - ctx.Export("eksRole", eksRole) - - // Group With Assumable Roles Policy - groupWithAssumableRolesPolicy, err := iam.NewGroupWithAssumableRolesPolicy(ctx, "group-with-assumable-roles-policy", &iam.GroupWithAssumableRolesPolicyArgs{ - Name: pulumi.String("production-readonly"), - AssumableRoles: pulumi.ToStringArray([]string{"arn:aws:iam::835367859855:role/readonly"}), - GroupUsers: pulumi.ToStringArray([]string{"user1", "user2"}), - }) - if err != nil { - return err - } - - ctx.Export("groupWithAssumableRolesPolicy", groupWithAssumableRolesPolicy) - - // Group With Policies - groupWithPolicies, err := iam.NewGroupWithPolicies(ctx, "group-with-policies", &iam.GroupWithPoliciesArgs{ - Name: pulumi.String("superadmins"), - GroupUsers: pulumi.ToStringArray([]string{"user1", "user2"}), - AttachIamSelfManagementPolicy: pulumi.BoolPtr(true), - CustomGroupPolicyArns: pulumi.ToStringArray([]string{"arn:aws:iam::aws:policy/AdministratorAccess"}), - CustomGroupPolicies: pulumi.ToStringMapArray([]map[string]string{ - { - "name": "AllowS3Listing", - "policy": "{}", - }, - }), - }) - if err != nil { - return err - } - - ctx.Export("groupWithPolicies", 
groupWithPolicies) - - // Policy - policyJSON, err := json.Marshal(map[string]interface{}{ - "Version": "2012-10-17", - "Statement": []interface{}{ - map[string]interface{}{ - "Effect": "Allow", - "Action": []string{"ec2:Describe"}, - "Resource": []string{"*"}, - }, - }, - }) - if err != nil { - return err - } - - policy, err := iam.NewPolicy(ctx, "policy", &iam.PolicyArgs{ - Name: pulumi.String("example"), - Path: pulumi.String("/"), - Description: pulumi.String("My example policy"), - PolicyDocument: pulumi.String(string(policyJSON)), - }) - if err != nil { - return err - } - - ctx.Export("policy", policy) - - // Read Only Policy - readOnlyPolicy, err := iam.NewReadOnlyPolicy(ctx, "read-only-policy", &iam.ReadOnlyPolicyArgs{ - Name: pulumi.String("example"), - Path: pulumi.String("/"), - Description: pulumi.String("My example policy"), - AllowedServices: pulumi.ToStringArray([]string{"rds", "dynamo"}), - }) - if err != nil { - return err - } - - ctx.Export("readOnlyPolicy", readOnlyPolicy) - - // Role For Service Accounts EKS - roleForServiceAccountsEKS, err := iam.NewRoleForServiceAccountsEks(ctx, "role-for-service-accounts-eks", &iam.RoleForServiceAccountsEksArgs{ - Role: iam.EKSServiceAccountRolePtr(&iam.EKSServiceAccountRoleArgs{ - Name: pulumi.String("vpc-cni"), - }), - Tags: pulumi.ToStringMap(map[string]string{ - "Name": "vpc-cni-irsa", - }), - OidcProviders: iam.OIDCProviderMap{ - "main": iam.OIDCProviderArgs{ - ProviderArn: pulumi.String("arn:aws:iam::012345678901:oidc-provider/oidc.eks.us-east-1.amazonaws.com/id/5C54DDF35ER19312844C7333374CC09D"), - NamespaceServiceAccounts: pulumi.ToStringArray([]string{"default:my-app", "canary:my-app"}), - }, - }, - Policies: iam.EKSRolePoliciesPtr(&iam.EKSRolePoliciesArgs{ - VpnCni: iam.EKSVPNCNIPolicyPtr(&iam.EKSVPNCNIPolicyArgs{ - Attach: pulumi.Bool(true), - EnableIpv4: pulumi.BoolPtr(true), - }), - }), - }) - if err != nil { - return err - } - - ctx.Export("roleForServiceAccountsEKS", roleForServiceAccountsEKS) 
- - // User - user, err := iam.NewUser(ctx, "user", &iam.UserArgs{ - Name: pulumi.String("pulumipus"), - ForceDestroy: pulumi.BoolPtr(true), - PgpKey: pulumi.String("keybase:test"), - PasswordResetRequired: pulumi.BoolPtr(false), - }) - if err != nil { - return err - } - - ctx.Export("user", user) - - return nil - }) -} -``` - -{{% /choosable %}} - -{{% choosable language csharp %}} - -```csharp -using Pulumi; -using Pulumi.AwsIam; -using Pulumi.AwsIam.Inputs; -using System.Collections.Immutable; - -class MyStack : Stack -{ - public MyStack() - { - // Account - var account = new Account("account", new AccountArgs - { - AccountAlias = "cool-alias", - PasswordPolicy=new AccountPasswordPolicyArgs - { - MinimumLength = 37, - RequireNumbers = false, - AllowUsersToChange = true, - HardExpiry = true, - RequireSymbols = true, - RequireLowercaseCharacters = true, - RequireUppercaseCharacters = true, - } - - }); - - this.Account = Output.Create(account); - - // Assumable Role - var assumableRole = new AssumableRole("assumable-role", new AssumableRoleArgs - { - TrustedRoleArns = {"arn:aws:iam::307990089504:root", "arn:aws:iam::835367859851:user/pulumipus"}, - Role = new RoleWithMFAArgs - { - Name = "custom", - RequiresMfa = true, - PolicyArns = {"arn:aws:iam::aws:policy/AmazonCognitoReadOnly","arn:aws:iam::aws:policy/AlexaForBusinessFullAccess"}, - }, - }); - - this.AssumableRole = Output.Create(assumableRole); - - // Assumable Role With OIDC - var assumableRoleWithOidc = new AssumableRoleWithOIDC("assumable-role-with-oidc", new AssumableRoleWithOIDCArgs - { - Role = new RoleArgs - { - Name = "oidc-role", - PolicyArns = {"arn:aws:iam::aws:policy/AmazonEKS_CNI_Policy"}, - }, - Tags = new InputMap - { - {"Role", "odic-role"}, - }, - ProviderUrls = {"oidc.eks.eu-west-1.amazonaws.com/id/BA9E170D464AF7B92084EF72A69B9DC8"}, - }); - - this.AssumableRoleWithOidc = Output.Create(assumableRoleWithOidc); - - // Assumable Role With SAML - var assumableRoleWithSaml = new 
AssumableRoleWithSAML("assumable-role-with-saml", new AssumableRoleWithSAMLArgs - { - Role = new RoleArgs - { - Name = "saml-role", - PolicyArns = {"arn:aws:iam::aws:policy/ReadOnlyAccess"}, - }, - Tags = new InputMap - { - {"Role", "saml-role"}, - }, - ProviderIds = {"arn:aws:iam::235367859851:saml-provider/idp_saml"}, - }); - - this.AssumableRoleWithSaml = Output.Create(assumableRoleWithSaml); - - // Assumable Roles - var assumableRoles = new AssumableRoles("assumable-roles", new AssumableRolesArgs - { - TrustedRoleArns = {"arn:aws:iam::307990089504:root", "arn:aws:iam::835367859851:user/pulumipus"}, - Admin = new AdminRoleWithMFAArgs(), - Poweruser = new PoweruserRoleWithMFAArgs - { - Name = "developer", - }, - Readonly = new ReadonlyRoleWithMFAArgs - { - RequiresMfa = true, - }, - }); - - this.AssumableRoles = Output.Create(assumableRoles); - - // Assumable Roles With SAML - var assumableRolesWithSaml = new AssumableRolesWithSAML("assumable-roles-with-saml", new AssumableRolesWithSAMLArgs - { - ProviderIds = {"arn:aws:iam::235367859851:saml-provider/idp_saml"}, - Admin = new AdminRoleArgs(), - Readonly = new ReadonlyRoleArgs(), - Poweruser = new PoweruserRoleArgs - { - Name = "developer", - }, - }); - - this.AssumableRolesWithSaml = Output.Create(assumableRolesWithSaml); - - // EKS Role - var eksRole = new EKSRole("eks-role", new EKSRoleArgs - { - Role = new RoleArgs - { - Name = "eks-role", - PolicyArns = {"arn:aws:iam::aws:policy/AmazonEKS_CNI_Policy"}, - }, - Tags = new InputMap - { - {"Name", "eks-role"}, - }, - // Uncomment the below and replace actual cluster values. 
- // ClusterServiceAccounts = { - // {"cluster1", ImmutableArray.Create(new string[] {"default:my-app"})}, - // {"cluster2", ImmutableArray.Create(new string[] {"default:my-app", "canary:my-app"})} - // }, - }); - - this.EksRole = Output.Create(eksRole); - - // Group With Assumable Roles Policy - var groupWithAssumableRolePolicy = new GroupWithAssumableRolesPolicy("group-with-assumable-roles-policy", new GroupWithAssumableRolesPolicyArgs - { - Name = "production-readonly", - AssumableRoles = {"arn:aws:iam::835367859855:role/readonly"}, - GroupUsers = {"user1", "user2"}, - }); - - this.GroupWithAssumableRolesPolicy = Output.Create(groupWithAssumableRolePolicy); - - // Group With Policies - var groupWithPolicies = new GroupWithPolicies("group-with-policies", new GroupWithPoliciesArgs - { - Name = "superadmins", - GroupUsers = {"user1", "user2"}, - AttachIamSelfManagementPolicy = true, - CustomGroupPolicyArns = {"arn:aws:iam::aws:policy/AdministratorAccess"}, - CustomGroupPolicies = new InputList> - { - ImmutableDictionary.Create() - .Add("name", "AllowS3Listing") - .Add("policy", "{}"), - }, - }); - - this.GroupWithPolicies = Output.Create(groupWithPolicies); - - // Policy - var policy = new Policy("policy", new PolicyArgs - { - Name = "example", - Path = "/", - Description = "My example policy", - PolicyDocument = - @"{ - ""Version"": ""2012-10-17"", - ""Statement"": [ - { - ""Action"": [ - ""ec2:Describe*"" - ], - ""Effect"": ""Allow"", - ""Resource"": ""*"" - } - ] - }" - }); - - this.Policy = Output.Create(policy); - - // Read Only Policy - var readOnlyPolicy = new ReadOnlyPolicy("read-only-policy", new ReadOnlyPolicyArgs - { - Name = "example", - Path = "/", - Description = "My example read only policy", - AllowedServices = {"rds", "dynamo"}, - }); - - this.ReadOnlyPolicy = Output.Create(readOnlyPolicy); - - // Role For Service Accounts EKS - var roleForServiceAccountEks = new RoleForServiceAccountsEks("role-for-service-account-eks", new 
RoleForServiceAccountsEksArgs - { - Role = new EKSServiceAccountRoleArgs - { - Name = "vpn-cni", - }, - Tags = { - {"Name", "vpc-cni-irsa"}, - }, - OidcProviders = { - {"main", new OIDCProviderArgs - { - ProviderArn = "arn:aws:iam::012345678901:oidc-provider/oidc.eks.us-east-1.amazonaws.com/id/5C54DDF35ER19312844C7333374CC09D", - NamespaceServiceAccounts = {"default:my-app", "canary:my-app"}, - }}, - }, - Policies = new EKSRolePoliciesArgs - { - VpnCni = new EKSVPNCNIPolicyArgs - { - Attach = true, - EnableIpv4 = true, - }, - }, - }); - - this.RoleForServiceAccountEks = Output.Create(roleForServiceAccountEks); - - // User - var user = new User("user", new UserArgs - { - Name = "pulumipus", - ForceDestroy = true, - PgpKey = "keybase:test", - PasswordResetRequired = false, - }); - - this.User = Output.Create(user); - } - - [Output] - public Output Account { get; set; } - - [Output] - public Output AssumableRole { get; set; } - - [Output] - public Output AssumableRoleWithOidc { get; set; } - - [Output] - public Output AssumableRoleWithSaml { get; set; } - - [Output] - public Output AssumableRoles { get; set; } - - [Output] - public Output AssumableRolesWithSaml { get; set; } - - [Output] - public Output EksRole { get; set; } - - [Output] - public Output GroupWithAssumableRolesPolicy { get; set; } - - [Output] - public Output GroupWithPolicies { get; set; } - - [Output] - public Output Policy { get; set; } - - [Output] - public Output ReadOnlyPolicy { get; set; } - - [Output] - public Output RoleForServiceAccountEks { get; set; } - - [Output] - public Output User { get; set; } -} -``` - -{{% /choosable %}} - -{{% choosable language yaml %}} - -```yaml -name: awsiam-yaml -runtime: yaml -resources: - account: - type: "aws-iam:index:Account" - properties: - accountAlias: "cool-alias" - passwordPolicy: - minimumLength: 37 - requireNumbers: false - allowUsersToChange: true - hardExpiry: true - requireSymbols: true - requireLowercaseCharacters: true - 
requireUppercaseCharacters: true - - assumableRole: - type: "aws-iam:index:AssumableRole" - properties: - trustedRoleArns: - - "arn:aws:iam::307990089504:root" - - "arn:aws:iam::835367859851:user/pulumipus" - role: - name: "custom" - requiresMfa: true - policyArns: - - "arn:aws:iam::aws:policy/AmazonCognitoReadOnly" - - "arn:aws:iam::aws:policy/AlexaForBusinessFullAccess" - - assumableRoleWithOidc: - type: "aws-iam:index:AssumableRoleWithOIDC" - properties: - role: - name: "oidc-role" - policyArns: - - "arn:aws:iam::aws:policy/AmazonEKS_CNI_Policy" - tags: - Role: "oidc-role" - providerUrls: - - "oidc.eks.eu-west-1.amazonaws.com/id/BA9E170D464AF7B92084EF72A69B9DC8" - - assumableRoleWithSaml: - type: "aws-iam:index:AssumableRoleWithSAML" - properties: - role: - name: "saml-role" - policyArns: - - "arn:aws:iam::aws:policy/ReadOnlyAccess" - tags: - Role: "saml-role" - providerIds: - - "arn:aws:iam::235367859851:saml-provider/idp_saml" - - assumableRoles: - type: "aws-iam:index:AssumableRoles" - properties: - trustedRoleArns: - - "arn:aws:iam::307990089504:root" - - "arn:aws:iam::835367859851:user/pulumipus" - poweruser: - name: "developer" - readonly: - requiresMfa: true - - assumableRolesWithSaml: - type: "aws-iam:index:AssumableRolesWithSAML" - properties: - providerIds: - - "arn:aws:iam::235367859851:saml-provider/idp_saml" - poweruser: - name: "developer" - - eksRole: - type: "aws-iam:index:EKSRole" - properties: - role: - name: "eks-role" - policyArns: - - "arn:aws:iam::aws:policy/AmazonEKS_CNI_Policy" - tags: - Name: "eks-role" - # Uncomment the below and replace actual cluster values. 
- # clusterServiceAccounts: - # cluster1: - # - "default:my-app" - # cluster2: - # - "default:my-app" - # - "canary:my-app" - - groupWithAssumableRolesPolicy: - type: "aws-iam:index:GroupWithAssumableRolesPolicy" - properties: - name: "production-readonly" - assumableRoles: - - "arn:aws:iam::835367859855:role/readonly" - groupUsers: - - "user1" - - "user2" - - groupWithPolicies: - type: "aws-iam:index:GroupWithPolicies" - properties: - name: "superadmins" - groupUsers: - - "user1" - - "user2" - attachIamSelfManagementPolicy: true - customGroupPolicyArns: - - "arn:aws:iam::aws:policy/AdministratorAccess" - customGroupPolicies: - - name: "AllowS3Listing" - policy: "{}" - - policy: - type: "aws-iam:index:Policy" - properties: - name: "example" - path: "/" - description: "My example policy" - policyDocument: | - { - "Version": "2012-10-17", - "Statement": [ - { - "Action": [ - "ec2:Describe*" - ], - "Effect": "Allow", - "Resource": "*" - } - ] - } - - readOnlyPolicy: - type: "aws-iam:index:ReadOnlyPolicy" - properties: - name: "example" - path: "/" - description: "My example read only policy" - allowedServices: - - "rds" - - "dynamodb" - - roleForServiceAccountsEks: - type: "aws-iam:index:RoleForServiceAccountsEks" - properties: - role: - name: "vpc-cni" - tags: - Name: "vpc-cni-irsa" - oidcProviders: - main: - providerArn: "arn:aws:iam::012345678901:oidc-provider/oidc.eks.us-east-1.amazonaws.com/id/5C54DDF35ER19312844C7333374CC09D" - namespaceServiceAccounts: - - "default:my-app" - - "canary:my-app" - policies: - vpnCni: - attach: true - enableIpv4: true - - user: - type: "aws-iam:index:User" - properties: - name: "pulumipus" - forceDestroy: true - pgpKey: "keybase:test" - passwordResetRequired: false - -outputs: - account: ${account} - assumableRole: ${assumableRole} - assumableRoleWithOidc: ${assumableRoleWithOidc} - assumableRoleWithSaml: ${assumableRoleWithSaml} - assumableRoles: ${assumableRoles} - assumableRolesWithSaml: ${assumableRolesWithSaml} - eksRole: 
${eksRole}
- groupWithAssumableRolesPolicy: ${groupWithAssumableRolesPolicy}
- groupWithPolicies: ${groupWithPolicies}
- policy: ${policy}
- readOnlyPolicy: ${readOnlyPolicy}
- roleForServiceAccountsEks: ${roleForServiceAccountsEks}
- user: ${user}
-```
-
-{{% /choosable %}}
-
-{{< /chooser >}}
diff --git a/themes/default/content/registry/packages/aws-iam/installation-configuration.md b/themes/default/content/registry/packages/aws-iam/installation-configuration.md
deleted file mode 100644
index 713a0db628..0000000000
--- a/themes/default/content/registry/packages/aws-iam/installation-configuration.md
+++ /dev/null
@@ -1,18 +0,0 @@
----
-title: AWS IAM Installation & Configuration
-meta_desc: Information on how to set up credentials to use the Pulumi AWS IAM component.
-layout: package
----
-
-{{< aws-resource-note >}}
-
-To provision an AWS IAM Roles with this Component, you need to have AWS credentials configured. Use the instructions on the [AWS provider's installation & configuration](/registry/packages/aws/installation-configuration) to configure your credentials. Your AWS credentials are never sent to Pulumi.com. Pulumi uses the AWS SDK and the credentials in your environment to authenticate requests from your computer to AWS.
-
-## Installation
-
-The AWS IAM Component is available as a package in:
-
-* JavaScript/TypeScript: [`@pulumi/aws-iam`](https://www.npmjs.com/package/@pulumi/aws-iam)
-* Python: [`pulumi-aws-iam`](https://pypi.org/project/pulumi-aws-iam/)
-* Go: [`github.com/pulumi/pulumi-aws-iam/sdk/go/aws-iam`](https://github.com/pulumi/pulumi-aws-iam)
-* .NET: [`Pulumi.AwsIam`](https://www.nuget.org/packages/Pulumi.AwsIam)
diff --git a/themes/default/data/registry/packages/aws-iam.yaml b/themes/default/data/registry/packages/aws-iam.yaml
deleted file mode 100644
index 978a95c91d..0000000000
--- a/themes/default/data/registry/packages/aws-iam.yaml
+++ /dev/null
@@ -1,14 +0,0 @@
-category: Cloud
-component: true
-description: "A Pulumi component to deploy a static website to AWS"
-featured: false
-logo_url: ""
-name: aws-iam
-native: false
-package_status: public_preview
-publisher: Pulumi
-repo_url: https://github.com/pulumi/pulumi-aws-iam
-schema_file_path: schema.yaml
-title: AWS IAM
-updated_on: 1654121492
-version: v0.0.3