UNPKG

@pulumi/aws

Version:

A Pulumi package for creating and managing Amazon Web Services (AWS) cloud resources.

pulumi.io

pulumi/pulumi-aws

152 lines (151 loc) 6.92 kB
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
import * as pulumi from "@pulumi/pulumi"; import { Group, Role, User } from "./index"; /** * Attaches a Managed IAM Policy to user(s), role(s), and/or group(s) * * !> **WARNING:** The aws.iam.PolicyAttachment resource creates **exclusive** attachments of IAM policies. Across the entire AWS account, all of the users/roles/groups to which a single policy is attached must be declared by a single aws.iam.PolicyAttachment resource. This means that even any users/roles/groups that have the attached policy via any other mechanism (including other resources managed by this provider) will have that attached policy revoked by this resource. Consider `aws.iam.RolePolicyAttachment`, `aws.iam.UserPolicyAttachment`, or `aws.iam.GroupPolicyAttachment` instead. These resources do not enforce exclusive attachment of an IAM policy. * * > **NOTE:** The usage of this resource conflicts with the `aws.iam.GroupPolicyAttachment`, `aws.iam.RolePolicyAttachment`, and `aws.iam.UserPolicyAttachment` resources and will permanently show a difference if both are defined. * * > **NOTE:** For a given role, this resource is incompatible with using the `aws.iam.Role` resource `managedPolicyArns` argument. When using that argument and this resource, both will attempt to manage the role's managed policy attachments and the provider will show a permanent difference. * * > **NOTE:** To ensure Pulumi correctly manages dependencies during updates, use a reference to the IAM resource when defining the `policyArn` for `aws.iam.PolicyAttachment`, rather than constructing the ARN directly. For example, use `policyArn = aws_iam_policy.example.arn` instead of `policyArn = "arn:aws:iam::${data.aws_caller_identity.current.account_id}:policy/Example"`. Failing to do so may lead to errors like `DeleteConflict: Cannot delete a policy attached to entities` or `NoSuchEntity`. * * ## Example Usage * * ```typescript * import * as pulumi from "@pulumi/pulumi"; * import * as aws from "@pulumi/aws"; * * const user = new aws.iam.User("user", {name: "test-user"}); * const assumeRole = aws.iam.getPolicyDocument({ * statements: [{ * effect: "Allow", * principals: [{ * type: "Service", * identifiers: ["ec2.amazonaws.com"], * }], * actions: ["sts:AssumeRole"], * }], * }); * const role = new aws.iam.Role("role", { * name: "test-role", * assumeRolePolicy: assumeRole.then(assumeRole => assumeRole.json), * }); * const group = new aws.iam.Group("group", {name: "test-group"}); * const policy = aws.iam.getPolicyDocument({ * statements: [{ * effect: "Allow", * actions: ["ec2:Describe*"], * resources: ["*"], * }], * }); * const policyPolicy = new aws.iam.Policy("policy", { * name: "test-policy", * description: "A test policy", * policy: policy.then(policy => policy.json), * }); * const test_attach = new aws.iam.PolicyAttachment("test-attach", { * name: "test-attachment", * users: [user.name], * roles: [role.name], * groups: [group.name], * policyArn: policyPolicy.arn, * }); * ``` */ export declare class PolicyAttachment extends pulumi.CustomResource { /** * Get an existing PolicyAttachment resource's state with the given name, ID, and optional extra * properties used to qualify the lookup. * * @param name The _unique_ name of the resulting resource. * @param id The _unique_ provider ID of the resource to lookup. * @param state Any extra arguments used during the lookup. * @param opts Optional settings to control the behavior of the CustomResource. */ static get(name: string, id: pulumi.Input<pulumi.ID>, state?: PolicyAttachmentState, opts?: pulumi.CustomResourceOptions): PolicyAttachment; /** * Returns true if the given object is an instance of PolicyAttachment. This is designed to work even * when multiple copies of the Pulumi SDK have been loaded into the same process. */ static isInstance(obj: any): obj is PolicyAttachment; /** * Group(s) the policy should be applied to. */ readonly groups: pulumi.Output<string[] | undefined>; /** * Name of the attachment. This cannot be an empty string. */ readonly name: pulumi.Output<string>; /** * ARN of the policy you want to apply. Typically this should be a reference to the ARN of another resource to ensure dependency ordering, such as `aws_iam_policy.example.arn`. */ readonly policyArn: pulumi.Output<string>; /** * Role(s) the policy should be applied to. */ readonly roles: pulumi.Output<string[] | undefined>; /** * User(s) the policy should be applied to. */ readonly users: pulumi.Output<string[] | undefined>; /** * Create a PolicyAttachment resource with the given unique name, arguments, and options. * * @param name The _unique_ name of the resource. * @param args The arguments to use to populate this resource's properties. * @param opts A bag of options that control this resource's behavior. */ constructor(name: string, args: PolicyAttachmentArgs, opts?: pulumi.CustomResourceOptions); } /** * Input properties used for looking up and filtering PolicyAttachment resources. */ export interface PolicyAttachmentState { /** * Group(s) the policy should be applied to. */ groups?: pulumi.Input<pulumi.Input<string | Group>[]>; /** * Name of the attachment. This cannot be an empty string. */ name?: pulumi.Input<string>; /** * ARN of the policy you want to apply. Typically this should be a reference to the ARN of another resource to ensure dependency ordering, such as `aws_iam_policy.example.arn`. */ policyArn?: pulumi.Input<string>; /** * Role(s) the policy should be applied to. */ roles?: pulumi.Input<pulumi.Input<string | Role>[]>; /** * User(s) the policy should be applied to. */ users?: pulumi.Input<pulumi.Input<string | User>[]>; } /** * The set of arguments for constructing a PolicyAttachment resource. */ export interface PolicyAttachmentArgs { /** * Group(s) the policy should be applied to. */ groups?: pulumi.Input<pulumi.Input<string | Group>[]>; /** * Name of the attachment. This cannot be an empty string. */ name?: pulumi.Input<string>; /** * ARN of the policy you want to apply. Typically this should be a reference to the ARN of another resource to ensure dependency ordering, such as `aws_iam_policy.example.arn`. */ policyArn: pulumi.Input<string>; /** * Role(s) the policy should be applied to. */ roles?: pulumi.Input<pulumi.Input<string | Role>[]>; /** * User(s) the policy should be applied to. */ users?: pulumi.Input<pulumi.Input<string | User>[]>; }