using Pulumi;
using Iam = Pulumi.Aws.Iam;
using Log = Pulumi.Log;
using System.Collections.Generic;
/// <summary>
/// Pulumi stack that provisions an IAM user with a programmatic access key and an IAM role
/// whose trust policy names only that user as principal. The role carries one inline
/// permissions policy for S3. The role ARN and the user's access-key pair are stack outputs.
/// </summary>
class CreateRoleStack : Stack
{
    // Inline permissions policy attached to the role (IAM policy document, verbatim JSON).
    // NOTE(review): "s3:*" on Resource "*" is every S3 action on every bucket in the account;
    // scope the actions and bucket ARNs down before using this outside a demo.
    private const string S3ManagementPolicyDocument = @"{
    ""Version"": ""2012-10-17"",
    ""Statement"": [{
        ""Effect"": ""Allow"",
        ""Action"": ""s3:*"",
        ""Resource"": ""*"",
        ""Sid"": ""allowS3Access""
    }]
}";

    public CreateRoleStack()
    {
        var stackConfig = new Pulumi.Config();

        // The user name is taken from stack configuration; Require aborts the update when it is unset.
        string userName = stackConfig.Require("unprivilegedUsername");

        Iam.User iamUser = new Iam.User("unprivilegedUser", new Iam.UserArgs
        {
            Name = userName,
        });

        // The key's "secret" property is declared an additional secret output so it is
        // encrypted in stack state rather than stored in plaintext.
        // https://www.pulumi.com/docs/intro/concepts/resources/#additionalsecretoutputs
        var keyOptions = new CustomResourceOptions { AdditionalSecretOutputs = { "secret" } };
        Iam.AccessKey accessKey = new Iam.AccessKey("unprivileged-user-key", new Iam.AccessKeyArgs
        {
            User = iamUser.Name,
        }, keyOptions);

        // Trust policy: the only principal allowed to call sts:AssumeRole is the user created above.
        // The user ARN is an Output, so the document goes through Output.JsonSerialize instead of
        // being assembled by string interpolation.
        Output<string> trustPolicyJson =
            Output.JsonSerialize<AssumeRolePolicyArgs>(new AssumeRolePolicyArgs(iamUser.Arn));

        Iam.Role s3Role = new Iam.Role("allow-s3-management", new Iam.RoleArgs
        {
            Description = "Allow management of S3 buckets",
            AssumeRolePolicy = trustPolicyJson,
        });

        // Parented to the role so it is displayed and deleted together with it.
        var inlinePolicy = new Iam.RolePolicy("allow-s3-management-policy", new Iam.RolePolicyArgs
        {
            Role = s3Role.Name,
            Policy = S3ManagementPolicyDocument,
        }, new CustomResourceOptions { Parent = s3Role });

        this.roleArn = s3Role.Arn;
        this.accessKeyId = accessKey.Id;
        // NOTE(review): exporting the secret puts it in stack state (encrypted) and makes it
        // retrievable by anyone who can read stack outputs with secrets shown; consider whether
        // the consumer really needs it as an output.
        this.secretAccessKey = accessKey.Secret;
    }

    /// <summary>
    /// Top-level IAM trust-policy document. Serialized by Output.JsonSerialize, so property
    /// names become the JSON keys and must keep IAM's casing.
    /// </summary>
    public class AssumeRolePolicyArgs
    {
        public string Version => "2012-10-17";

        // A single statement object rather than an array (IAM's policy grammar allows either form).
        public StatementArgs Statement { get; private set; }

        /// <param name="arn">ARN of the principal that is allowed to assume the role.</param>
        public AssumeRolePolicyArgs(Input<string> arn) => Statement = new StatementArgs(arn);
    }

    /// <summary>One Allow statement granting sts:AssumeRole to a single AWS principal.</summary>
    public class StatementArgs
    {
        public string Sid => "AllowAssumeRole";
        public string Effect => "Allow";
        public PrincipalArgs Principal { get; private set; }
        public string Action => "sts:AssumeRole";

        /// <param name="arn">ARN of the principal that is allowed to assume the role.</param>
        public StatementArgs(Input<string> arn) => Principal = new PrincipalArgs(arn);
    }

    /// <summary>The "Principal" element of the statement; "AWS" is the IAM key for an AWS principal ARN.</summary>
    public class PrincipalArgs
    {
        public Input<string> AWS { get; private set; }

        public PrincipalArgs(Input<string> arn) => AWS = arn;
    }

    // Stack outputs. roleArn is what callers pass to sts:AssumeRole; accessKeyId/secretAccessKey
    // are the credentials of the user that is trusted to do so.
    [Output]
    public Output<string> roleArn { get; set; }
    [Output]
    public Output<string> accessKeyId { get; set; }
    [Output]
    public Output<string> secretAccessKey { get; set; }
}