Exemplo n.º 1
0
    public MyStack()
    {
        var dlmLifecycleRole = new Aws.Iam.Role("dlmLifecycleRole", new Aws.Iam.RoleArgs
        {
            AssumeRolePolicy = @"{
  ""Version"": ""2012-10-17"",
  ""Statement"": [
    {
      ""Action"": ""sts:AssumeRole"",
      ""Principal"": {
        ""Service"": ""dlm.amazonaws.com""
      },
      ""Effect"": ""Allow"",
      ""Sid"": """"
    }
  ]
}

",
        });
        var dlmLifecycle = new Aws.Iam.RolePolicy("dlmLifecycle", new Aws.Iam.RolePolicyArgs
        {
            Policy = @"{
   ""Version"": ""2012-10-17"",
   ""Statement"": [
      {
         ""Effect"": ""Allow"",
         ""Action"": [
            ""ec2:CreateSnapshot"",
            ""ec2:DeleteSnapshot"",
            ""ec2:DescribeVolumes"",
            ""ec2:DescribeSnapshots""
         ],
         ""Resource"": ""*""
      },
      {
         ""Effect"": ""Allow"",
         ""Action"": [
            ""ec2:CreateTags""
         ],
         ""Resource"": ""arn:aws:ec2:*::snapshot/*""
      }
   ]
}

",
            Role   = dlmLifecycleRole.Id,
        });
        var example = new Aws.Dlm.LifecyclePolicy("example", new Aws.Dlm.LifecyclePolicyArgs
        {
            Description      = "example DLM lifecycle policy",
            ExecutionRoleArn = dlmLifecycleRole.Arn,
            PolicyDetails    = new Aws.Dlm.Inputs.LifecyclePolicyPolicyDetailsArgs
            {
                ResourceTypes =
                {
                    "VOLUME",
                },
Exemplo n.º 2
0
 public MyStack()
 {
     var aWSCloudFormationStackSetExecutionRoleAssumeRolePolicy = Output.Create(Aws.Iam.GetPolicyDocument.InvokeAsync(new Aws.Iam.GetPolicyDocumentArgs
     {
         Statements =
         {
             new Aws.Iam.Inputs.GetPolicyDocumentStatementArgs
             {
                 Actions =
                 {
                     "sts:AssumeRole",
                 },
                 Effect     = "Allow",
                 Principals =
                 {
                     new Aws.Iam.Inputs.GetPolicyDocumentStatementPrincipalArgs
                     {
                         Identifiers =
                         {
                             aws_iam_role.AWSCloudFormationStackSetAdministrationRole.Arn,
                         },
                         Type = "AWS",
                     },
                 },
             },
         },
     }));
     var aWSCloudFormationStackSetExecutionRole = new Aws.Iam.Role("aWSCloudFormationStackSetExecutionRole", new Aws.Iam.RoleArgs
     {
         AssumeRolePolicy = aWSCloudFormationStackSetExecutionRoleAssumeRolePolicy.Apply(aWSCloudFormationStackSetExecutionRoleAssumeRolePolicy => aWSCloudFormationStackSetExecutionRoleAssumeRolePolicy.Json),
     });
     var aWSCloudFormationStackSetExecutionRoleMinimumExecutionPolicyPolicyDocument = Output.Create(Aws.Iam.GetPolicyDocument.InvokeAsync(new Aws.Iam.GetPolicyDocumentArgs
     {
         Statements =
         {
             new Aws.Iam.Inputs.GetPolicyDocumentStatementArgs
             {
                 Actions =
                 {
                     "cloudformation:*",
                     "s3:*",
                     "sns:*",
                 },
                 Effect    = "Allow",
                 Resources =
                 {
                     "*",
                 },
             },
         },
     }));
     var aWSCloudFormationStackSetExecutionRoleMinimumExecutionPolicyRolePolicy = new Aws.Iam.RolePolicy("aWSCloudFormationStackSetExecutionRoleMinimumExecutionPolicyRolePolicy", new Aws.Iam.RolePolicyArgs
     {
         Policy = aWSCloudFormationStackSetExecutionRoleMinimumExecutionPolicyPolicyDocument.Apply(aWSCloudFormationStackSetExecutionRoleMinimumExecutionPolicyPolicyDocument => aWSCloudFormationStackSetExecutionRoleMinimumExecutionPolicyPolicyDocument.Json),
         Role   = aWSCloudFormationStackSetExecutionRole.Name,
     });
 }
Exemplo n.º 3
0
    public MyStack()
    {
        var rule = new Aws.Cfg.Rule("rule", new Aws.Cfg.RuleArgs
        {
            Source = new Aws.Cfg.Inputs.RuleSourceArgs
            {
                Owner            = "AWS",
                SourceIdentifier = "S3_BUCKET_VERSIONING_ENABLED",
            },
        }, new CustomResourceOptions
        {
            DependsOn =
            {
                "aws_config_configuration_recorder.foo",
            },
        });
        var role = new Aws.Iam.Role("role", new Aws.Iam.RoleArgs
        {
            AssumeRolePolicy = @"{
  ""Version"": ""2012-10-17"",
  ""Statement"": [
    {
      ""Action"": ""sts:AssumeRole"",
      ""Principal"": {
        ""Service"": ""config.amazonaws.com""
      },
      ""Effect"": ""Allow"",
      ""Sid"": """"
    }
  ]
}

",
        });
        var foo = new Aws.Cfg.Recorder("foo", new Aws.Cfg.RecorderArgs
        {
            RoleArn = role.Arn,
        });
        var rolePolicy = new Aws.Iam.RolePolicy("rolePolicy", new Aws.Iam.RolePolicyArgs
        {
            Policy = @"{
  ""Version"": ""2012-10-17"",
  ""Statement"": [
    {
        ""Action"": ""config:Put*"",
        ""Effect"": ""Allow"",
        ""Resource"": ""*""

    }
  ]
}

",
            Role   = role.Id,
        });
    }
Exemplo n.º 4
0
    public CreateRoleStack()
    {
        var config = new Pulumi.Config();
        var unprivilegedUsername = config.Require("unprivilegedUsername");

        var unprivilegedUser = new Iam.User("unprivilegedUser", new Iam.UserArgs
        {
            Name = unprivilegedUsername,
        });

        var unprivilegedUserCreds = new Iam.AccessKey("unprivileged-user-key", new Iam.AccessKeyArgs
        {
            User = unprivilegedUser.Name,
        },
                                                      // additional_secret_outputs specify properties that must be encrypted as secrets
                                                      // https://www.pulumi.com/docs/intro/concepts/programming-model/#additionalsecretoutputs
                                                      new CustomResourceOptions {
            AdditionalSecretOutputs = { "secret" }
        });

        var tempPolicy = unprivilegedUser.Arn.Apply((string arn) =>
        {
            AssumeRolePolicyArgs policyArgs = new AssumeRolePolicyArgs(arn);
            return(JsonSerializer.Serialize <AssumeRolePolicyArgs>(policyArgs));
        });

        var allowS3ManagementRole = new Iam.Role("allow-s3-management", new Iam.RoleArgs
        {
            Description      = "Allow management of S3 buckets",
            AssumeRolePolicy = tempPolicy
        });

        var rolePolicy = new Iam.RolePolicy("allow-s3-management-policy", new Iam.RolePolicyArgs
        {
            Role   = allowS3ManagementRole.Name,
            Policy =
                @"{
                ""Version"": ""2012-10-17"",
                ""Statement"": [{
                    ""Effect"": ""Allow"",
                    ""Action"": ""s3:*"",
                    ""Resource"": ""*"",
                    ""Sid"": ""allowS3Access""
                }]
            }"
        },
                                            new CustomResourceOptions {
            Parent = allowS3ManagementRole
        }
                                            );

        this.roleArn         = allowS3ManagementRole.Arn;
        this.accessKeyId     = unprivilegedUserCreds.Id;
        this.secretAccessKey = unprivilegedUserCreds.Secret;
    }
Exemplo n.º 5
0
    public MyStack()
    {
        var app = new Aws.Pinpoint.App("app", new Aws.Pinpoint.AppArgs
        {
        });
        var identity = new Aws.Ses.DomainIdentity("identity", new Aws.Ses.DomainIdentityArgs
        {
            Domain = "example.com",
        });
        var role = new Aws.Iam.Role("role", new Aws.Iam.RoleArgs
        {
            AssumeRolePolicy = @"{
  ""Version"": ""2012-10-17"",
  ""Statement"": [
    {
      ""Action"": ""sts:AssumeRole"",
      ""Principal"": {
        ""Service"": ""pinpoint.amazonaws.com""
      },
      ""Effect"": ""Allow"",
      ""Sid"": """"
    }
  ]
}

",
        });
        var email = new Aws.Pinpoint.EmailChannel("email", new Aws.Pinpoint.EmailChannelArgs
        {
            ApplicationId = app.ApplicationId,
            FromAddress   = "*****@*****.**",
            Identity      = identity.Arn,
            RoleArn       = role.Arn,
        });
        var rolePolicy = new Aws.Iam.RolePolicy("rolePolicy", new Aws.Iam.RolePolicyArgs
        {
            Policy = @"{
  ""Version"": ""2012-10-17"",
  ""Statement"": {
    ""Action"": [
      ""mobileanalytics:PutEvents"",
      ""mobileanalytics:PutItems""
    ],
    ""Effect"": ""Allow"",
    ""Resource"": [
      ""*""
    ]
  }
}

",
            Role   = role.Id,
        });
    }
Exemplo n.º 6
0
    public MyStack()
    {
        var exampleLogGroup = new Aws.CloudWatch.LogGroup("exampleLogGroup", new Aws.CloudWatch.LogGroupArgs
        {
        });
        var exampleRole = new Aws.Iam.Role("exampleRole", new Aws.Iam.RoleArgs
        {
            AssumeRolePolicy = @"{
  ""Version"": ""2012-10-17"",
  ""Statement"": [
    {
      ""Sid"": """",
      ""Effect"": ""Allow"",
      ""Principal"": {
        ""Service"": ""vpc-flow-logs.amazonaws.com""
      },
      ""Action"": ""sts:AssumeRole""
    }
  ]
}

",
        });
        var exampleFlowLog = new Aws.Ec2.FlowLog("exampleFlowLog", new Aws.Ec2.FlowLogArgs
        {
            IamRoleArn     = exampleRole.Arn,
            LogDestination = exampleLogGroup.Arn,
            TrafficType    = "ALL",
            VpcId          = aws_vpc.Example.Id,
        });
        var exampleRolePolicy = new Aws.Iam.RolePolicy("exampleRolePolicy", new Aws.Iam.RolePolicyArgs
        {
            Policy = @"{
  ""Version"": ""2012-10-17"",
  ""Statement"": [
    {
      ""Action"": [
        ""logs:CreateLogGroup"",
        ""logs:CreateLogStream"",
        ""logs:PutLogEvents"",
        ""logs:DescribeLogGroups"",
        ""logs:DescribeLogStreams""
      ],
      ""Effect"": ""Allow"",
      ""Resource"": ""*""
    }
  ]
}

",
            Role   = exampleRole.Id,
        });
    }
Exemplo n.º 7
0
    public MyStack()
    {
        var app = new Aws.Pinpoint.App("app", new Aws.Pinpoint.AppArgs
        {
        });
        var testStream = new Aws.Kinesis.Stream("testStream", new Aws.Kinesis.StreamArgs
        {
            ShardCount = 1,
        });
        var testRole = new Aws.Iam.Role("testRole", new Aws.Iam.RoleArgs
        {
            AssumeRolePolicy = @"{
  ""Version"": ""2012-10-17"",
  ""Statement"": [
    {
      ""Action"": ""sts:AssumeRole"",
      ""Principal"": {
        ""Service"": ""pinpoint.us-east-1.amazonaws.com""
      },
      ""Effect"": ""Allow"",
      ""Sid"": """"
    }
  ]
}

",
        });
        var stream = new Aws.Pinpoint.EventStream("stream", new Aws.Pinpoint.EventStreamArgs
        {
            ApplicationId        = app.ApplicationId,
            DestinationStreamArn = testStream.Arn,
            RoleArn = testRole.Arn,
        });
        var testRolePolicy = new Aws.Iam.RolePolicy("testRolePolicy", new Aws.Iam.RolePolicyArgs
        {
            Policy = @"{
  ""Version"": ""2012-10-17"",
  ""Statement"": {
    ""Action"": [
      ""kinesis:PutRecords"",
      ""kinesis:DescribeStream""
    ],
    ""Effect"": ""Allow"",
    ""Resource"": [
      ""arn:aws:kinesis:us-east-1:*:*/*""
    ]
  }
}

",
            Role   = testRole.Id,
        });
    }
Exemplo n.º 8
0
    public MyStack()
    {
        var cloudwatchRole = new Aws.Iam.Role("cloudwatchRole", new Aws.Iam.RoleArgs
        {
            AssumeRolePolicy = @"{
  ""Version"": ""2012-10-17"",
  ""Statement"": [
    {
      ""Sid"": """",
      ""Effect"": ""Allow"",
      ""Principal"": {
        ""Service"": ""apigateway.amazonaws.com""
      },
      ""Action"": ""sts:AssumeRole""
    }
  ]
}

",
        });
        var demo = new Aws.ApiGateway.Account("demo", new Aws.ApiGateway.AccountArgs
        {
            CloudwatchRoleArn = cloudwatchRole.Arn,
        });
        var cloudwatchRolePolicy = new Aws.Iam.RolePolicy("cloudwatchRolePolicy", new Aws.Iam.RolePolicyArgs
        {
            Policy = @"{
    ""Version"": ""2012-10-17"",
    ""Statement"": [
        {
            ""Effect"": ""Allow"",
            ""Action"": [
                ""logs:CreateLogGroup"",
                ""logs:CreateLogStream"",
                ""logs:DescribeLogGroups"",
                ""logs:DescribeLogStreams"",
                ""logs:PutLogEvents"",
                ""logs:GetLogEvents"",
                ""logs:FilterLogEvents""
            ],
            ""Resource"": ""*""
        }
    ]
}

",
            Role   = cloudwatchRole.Id,
        });
    }
Exemplo n.º 9
0
    public MyStack()
    {
        var testRole = new Aws.Iam.Role("testRole", new Aws.Iam.RoleArgs
        {
            AssumeRolePolicy = @"{
  ""Version"": ""2012-10-17"",
  ""Statement"": [
    {
      ""Action"": ""sts:AssumeRole"",
      ""Principal"": {
        ""Service"": ""ec2.amazonaws.com""
      },
      ""Effect"": ""Allow"",
      ""Sid"": """"
    }
  ]
}
",
        });
        var testPolicy = new Aws.Iam.RolePolicy("testPolicy", new Aws.Iam.RolePolicyArgs
        {
            Role   = testRole.Id,
            Policy = @"{
  ""Version"": ""2012-10-17"",
  ""Statement"": [
    {
      ""Action"": [
        ""ec2:Describe*""
      ],
      ""Effect"": ""Allow"",
      ""Resource"": ""*""
    }
  ]
}
",
        });
    }
Exemplo n.º 10
0
    public MyStack()
    {
        var aWSCloudFormationStackSetAdministrationRoleAssumeRolePolicy = Output.Create(Aws.Iam.GetPolicyDocument.InvokeAsync(new Aws.Iam.GetPolicyDocumentArgs
        {
            Statements =
            {
                new Aws.Iam.Inputs.GetPolicyDocumentStatementArgs
                {
                    Actions =
                    {
                        "sts:AssumeRole",
                    },
                    Effect     = "Allow",
                    Principals =
                    {
                        new Aws.Iam.Inputs.GetPolicyDocumentStatementPrincipalArgs
                        {
                            Identifiers =
                            {
                                "cloudformation.amazonaws.com",
                            },
                            Type = "Service",
                        },
                    },
                },
            },
        }));
        var aWSCloudFormationStackSetAdministrationRole = new Aws.Iam.Role("aWSCloudFormationStackSetAdministrationRole", new Aws.Iam.RoleArgs
        {
            AssumeRolePolicy = aWSCloudFormationStackSetAdministrationRoleAssumeRolePolicy.Apply(aWSCloudFormationStackSetAdministrationRoleAssumeRolePolicy => aWSCloudFormationStackSetAdministrationRoleAssumeRolePolicy.Json),
        });
        var example = new Aws.CloudFormation.StackSet("example", new Aws.CloudFormation.StackSetArgs
        {
            AdministrationRoleArn = aWSCloudFormationStackSetAdministrationRole.Arn,
            Parameters            =
            {
                { "VPCCidr", "10.0.0.0/16" },
            },
            TemplateBody = @"{
  ""Parameters"" : {
    ""VPCCidr"" : {
      ""Type"" : ""String"",
      ""Default"" : ""10.0.0.0/16"",
      ""Description"" : ""Enter the CIDR block for the VPC. Default is 10.0.0.0/16.""
    }
  },
  ""Resources"" : {
    ""myVpc"": {
      ""Type"" : ""AWS::EC2::VPC"",
      ""Properties"" : {
        ""CidrBlock"" : { ""Ref"" : ""VPCCidr"" },
        ""Tags"" : [
          {""Key"": ""Name"", ""Value"": ""Primary_CF_VPC""}
        ]
      }
    }
  }
}

",
        });
        var aWSCloudFormationStackSetAdministrationRoleExecutionPolicyPolicyDocument = example.ExecutionRoleName.Apply(executionRoleName => Aws.Iam.GetPolicyDocument.InvokeAsync(new Aws.Iam.GetPolicyDocumentArgs
        {
            Statements =
            {
                new Aws.Iam.Inputs.GetPolicyDocumentStatementArgs
                {
                    Actions =
                    {
                        "sts:AssumeRole",
                    },
                    Effect    = "Allow",
                    Resources =
                    {
                        $"arn:aws:iam::*:role/{executionRoleName}",
                    },
                },
            },
        }));
        var aWSCloudFormationStackSetAdministrationRoleExecutionPolicyRolePolicy = new Aws.Iam.RolePolicy("aWSCloudFormationStackSetAdministrationRoleExecutionPolicyRolePolicy", new Aws.Iam.RolePolicyArgs
        {
            Policy = aWSCloudFormationStackSetAdministrationRoleExecutionPolicyPolicyDocument.Apply(aWSCloudFormationStackSetAdministrationRoleExecutionPolicyPolicyDocument => aWSCloudFormationStackSetAdministrationRoleExecutionPolicyPolicyDocument.Json),
            Role   = aWSCloudFormationStackSetAdministrationRole.Name,
        });
    }