A Pulumi package for creating and managing Amazon Web Services (AWS) cloud resources.

222 lines • 10.6 kB
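"use strict";
// *** WARNING: this file was generated by pulumi-language-nodejs. ***
// *** Do not edit by hand unless you're certain you know what you are doing! ***
Object.defineProperty(exports, "__esModule", { value: true });
exports.getPrincipalPolicySimulationOutput = exports.getPrincipalPolicySimulation = void 0;
const pulumi = require("@pulumi/pulumi");
const utilities = require("../utilities");

/** Provider invoke token for the `iam:SimulatePrincipalPolicy` data source; shared by both entry points. */
const INVOKE_TOKEN = "aws:iam/getPrincipalPolicySimulation:getPrincipalPolicySimulation";

/**
 * Maps the caller-facing `args` object onto the property names the provider expects on the wire.
 *
 * Values are passed through untouched: nothing here validates ARNs or parses the policy JSON
 * strings (`additionalPoliciesJsons`, `permissionsBoundaryPoliciesJsons`, `resourcePolicyJson`),
 * so malformed input is reported by the AWS API at invoke time rather than at construction time.
 * Both `getPrincipalPolicySimulation` and `getPrincipalPolicySimulationOutput` use this helper so
 * the two argument maps cannot drift apart.
 *
 * @param {object} args - Simulation arguments (see `getPrincipalPolicySimulation`).
 * @returns {object} The argument map handed to the provider invoke.
 */
function toInvokeArgs(args) {
    return {
        "actionNames": args.actionNames,
        "additionalPoliciesJsons": args.additionalPoliciesJsons,
        "callerArn": args.callerArn,
        "contexts": args.contexts,
        "permissionsBoundaryPoliciesJsons": args.permissionsBoundaryPoliciesJsons,
        "policySourceArn": args.policySourceArn,
        "resourceArns": args.resourceArns,
        "resourceHandlingOption": args.resourceHandlingOption,
        "resourceOwnerAccountId": args.resourceOwnerAccountId,
        "resourcePolicyJson": args.resourcePolicyJson,
    };
}

/**
 * Resolves invoke options: the package-wide defaults first, with any caller-supplied
 * options layered on top (so explicit caller values win).
 *
 * @param {pulumi.InvokeOptions | undefined} opts - Caller-supplied options, if any.
 * @returns {pulumi.InvokeOptions} The merged options.
 */
function resolveInvokeOpts(opts) {
    return pulumi.mergeOptions(utilities.resourceOptsDefaults(), opts || {});
}

/**
 * Runs a simulation of the IAM policies of a particular principal against a given hypothetical request.
 *
 * You can use this data source in conjunction with
 * Preconditions and Postconditions so that your configuration can test either whether it should have sufficient access to do its own work, or whether policies your configuration declares itself are sufficient for their intended use elsewhere.
 *
 * > **Note:** Correctly using this data source requires familiarity with various details of AWS Identity and Access Management, and how various AWS services integrate with it. For general information on the AWS IAM policy simulator, see [Testing IAM policies with the IAM policy simulator](https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies_testing-policies.html). This data source wraps the `iam:SimulatePrincipalPolicy` API action described on that page.
 *
 * The credentials used by the provider must themselves be allowed to call `iam:SimulatePrincipalPolicy`
 * for the principal named by `policySourceArn`; the simulation is evaluated by AWS against the policies
 * attached to that principal at the time the invoke runs, plus whatever policy documents are supplied
 * in the arguments. Results therefore describe a point in time and are not re-checked afterwards.
 *
 * ## Example Usage
 *
 * ### Self Access-checking Example
 *
 * The following example raises an error if the credentials passed to the AWS provider do not have access to perform the three actions `s3:GetObject`, `s3:PutObject`, and `s3:DeleteObject` on the S3 bucket with the given ARN.
 *
 * ```typescript
 * import * as pulumi from "@pulumi/pulumi";
 * import * as aws from "@pulumi/aws";
 *
 * const current = aws.getCallerIdentity({});
 * const s3ObjectAccess = current.then(current => aws.iam.getPrincipalPolicySimulation({
 *     actionNames: [
 *         "s3:GetObject",
 *         "s3:PutObject",
 *         "s3:DeleteObject",
 *     ],
 *     policySourceArn: current.arn,
 *     resourceArns: ["arn:aws:s3:::my-test-bucket"],
 * }));
 * ```
 *
 * If you intend to use this data source to quickly raise an error when the given credentials are insufficient then you must use `dependsOn` inside any resource which would require those credentials, to ensure that the policy check will run first:
 *
 * ```typescript
 * import * as pulumi from "@pulumi/pulumi";
 * import * as aws from "@pulumi/aws";
 *
 * const example = new aws.s3.BucketObjectv2("example", {bucket: "my-test-bucket"}, {
 *     dependsOn: [s3ObjectAccess],
 * });
 * ```
 *
 * ### Testing the Effect of a Declared Policy
 *
 * The following example declares an S3 bucket and a user that should have access to the bucket, and then uses `aws.iam.getPrincipalPolicySimulation` to verify that the user does indeed have access to perform needed operations against the bucket.
 *
 * ```typescript
 * import * as pulumi from "@pulumi/pulumi";
 * import * as aws from "@pulumi/aws";
 *
 * const current = aws.getCallerIdentity({});
 * const example = new aws.iam.User("example", {name: "example"});
 * const exampleBucket = new aws.s3.Bucket("example", {bucket: "my-test-bucket"});
 * const s3Access = new aws.iam.UserPolicy("s3_access", {
 *     name: "example_s3_access",
 *     user: example.name,
 *     policy: pulumi.jsonStringify({
 *         Version: "2012-10-17",
 *         Statement: [{
 *             Action: "s3:GetObject",
 *             Effect: "Allow",
 *             Resource: exampleBucket.arn,
 *         }],
 *     }),
 * });
 * const accountAccess = new aws.s3.BucketPolicy("account_access", {
 *     bucket: exampleBucket.bucket,
 *     policy: pulumi.jsonStringify({
 *         Version: "2012-10-17",
 *         Statement: [{
 *             Action: "s3:*",
 *             Effect: "Allow",
 *             Principal: {
 *                 AWS: current.then(current => current.accountId),
 *             },
 *             Resource: [
 *                 exampleBucket.arn,
 *                 pulumi.interpolate`${exampleBucket.arn}/*`,
 *             ],
 *         }],
 *     }),
 * });
 * const s3ObjectAccess = aws.iam.getPrincipalPolicySimulationOutput({
 *     actionNames: ["s3:GetObject"],
 *     policySourceArn: example.arn,
 *     resourceArns: [exampleBucket.arn],
 *     resourcePolicyJson: accountAccess.policy,
 * });
 * ```
 *
 * When using `aws.iam.getPrincipalPolicySimulation` to test the effect of a policy declared elsewhere in the same configuration, it's important to use `dependsOn` to make sure that the needed policy has been fully created or updated before running the simulation.
 *
 * @param {object} args - Simulation arguments. `actionNames` and `policySourceArn` identify what is
 *     simulated for whom; `callerArn`, `contexts`, `resourceArns`, `resourceHandlingOption`,
 *     `resourceOwnerAccountId` and the policy-JSON strings refine the hypothetical request. All
 *     values are forwarded to the provider as-is.
 * @param {pulumi.InvokeOptions} [opts] - Invoke options, merged over the package defaults.
 * @returns {Promise<object>} A promise for the simulation result from the provider.
 */
function getPrincipalPolicySimulation(args, opts) {
    return pulumi.runtime.invoke(INVOKE_TOKEN, toInvokeArgs(args), resolveInvokeOpts(opts));
}
exports.getPrincipalPolicySimulation = getPrincipalPolicySimulation;

/**
 * Output-returning variant of {@link getPrincipalPolicySimulation}.
 *
 * Performs the same `iam:SimulatePrincipalPolicy` simulation with the same argument mapping, but
 * goes through `pulumi.runtime.invokeOutput` so the result is a `pulumi.Output` that can be wired
 * directly into other resources (as in the "Testing the Effect of a Declared Policy" example above),
 * instead of a `Promise`. See `getPrincipalPolicySimulation` for the full description, the caveats
 * on required permissions and `dependsOn`, and usage examples.
 *
 * @param {object} args - Simulation arguments; same fields as `getPrincipalPolicySimulation`.
 * @param {pulumi.InvokeOutputOptions} [opts] - Invoke options, merged over the package defaults.
 * @returns {pulumi.Output<object>} The simulation result as an Output.
 */
function getPrincipalPolicySimulationOutput(args, opts) {
    return pulumi.runtime.invokeOutput(INVOKE_TOKEN, toInvokeArgs(args), resolveInvokeOpts(opts));
}
exports.getPrincipalPolicySimulationOutput = getPrincipalPolicySimulationOutput;
//# sourceMappingURL=getPrincipalPolicySimulation.js.map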