policy

package
v0.0.0-...-2f67538 Latest Latest
Warning

This package is not in the latest version of its module.

 Go to latest Published: Apr 17, 2023 License: MIT Imports: 5 Imported by: 0

Documentation

Overview

Package policy provides a helper type for generating JSON AWS policy documents.

See the AWS documentation for policy elements used here: https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_elements.html

Policies can be created by passing configuration arguments to New that build statements, add resources, actions, effects, etc.

Most elements accept strings, string slices, Pulumi StringOutputs or StringArrayOutputs. Slices and arrays are flattened into a single list while building the final output which can save some work slicing them elsewhere. 

bucketPolicy, err := s3.NewBucketPolicy(ctx, "bucket-policy", &s3.BucketPolicyArgs{
    Bucket: newBucket.Bucket,
    Policy: policy.New("my-bucket-policy",
       policy.Statement("cross-account-access",
           policy.Effect(policy.Allow),
           policy.Action(
               "s3:GetObject",
               "s3:PutObject",
           ),
           policy.Principal("AWS", account1Arn, account2Arn),
           policy.Principal("AWS", otherArns),
           policy.Resource(
               pulumi.Sprintf("%s/*", newBucket.BucketArn),
           ),
       ),
       policy.Statement("cloudfront-access",
           policy.Effect(policy.Allow),
           policy.Action("s3:GetObject"),
           policy.Principal("AWS", cloudfrontOAI.IamARN),
           policy.Resource(
               pulumi.Sprintf("%s/*", newBucket.BucketArn),
           ),
        ),
     ).ToStringOutput(),
  })

Index

Examples

Constants

This section is empty.

Variables

View Source 
var (
	ErrInvalidPolicy    = errors.New("invalid policy")
	ErrInvalidStatement = errors.New("invalid statement")
)

Package errors returned during validation of policies and statements.

Functions

This section is empty.

Types

type EffectType 

type EffectType string

EffectType is used with the Effect element of a Statement. 

const (
	Allow EffectType = "Allow"
	Deny  EffectType = "Deny"
)

Valid effects for use with Statements.

type Opt 

type Opt func(*Policy)

Opt is implemented by functions that can be passed to New.

func Statement 

func Statement(sid string, opts ...StatementOpt) Opt

Statement defines a single policy statement that can be passed to New.

type Policy 

type Policy struct {
	Version   string
	ID        string `json:"Id"`
	Statement Stmts
}

Policy defines an IAM policy that can be converted to a JSON StringOutput.

It accepts strings or StringInputs for parameters and will use ApplyT to resolve any dependent inputs before generating the JSON.

func New 

func New(id string, opts ...Opt) *Policy

New creates a new Policy with the supplied ID. It should supply at least a single Statement as an argument.

Example 
package main

import (
	"fmt"
	"sync"

	"github.com/gwatts/pulutil/policy"
	"github.com/pulumi/pulumi-aws/sdk/v5/go/aws/s3"
	"github.com/pulumi/pulumi/sdk/v3/go/common/resource"
	"github.com/pulumi/pulumi/sdk/v3/go/pulumi"
)

type mocks int

func (mocks) NewResource(args pulumi.MockResourceArgs) (string, resource.PropertyMap, error) {
	return args.Name + "_id", args.Inputs, nil
}

func (mocks) Call(args pulumi.MockCallArgs) (resource.PropertyMap, error) {
	return args.Args, nil
}

func main() {
	var wg sync.WaitGroup
	_ = pulumi.RunErr(func(ctx *pulumi.Context) error {
		// bucketArn might be an output from a prior bucket creation
		bucketArn := pulumi.String("arn:aws:s3:::my-test-bucket-1234abcd")

		// Create a BucketPolicy using the above policy definition
		bp, _ := s3.NewBucketPolicy(ctx, "test-policy", &s3.BucketPolicyArgs{
			Bucket: pulumi.String("my-test-bucket-1234abcd"),
			Policy: policy.New("my-policy",
				policy.Statement("statement-one",
					policy.Effect(policy.Allow),
					policy.Action(
						"s3:GetObject",
						"s3:PutObject",
					),
					policy.Principal("AWS",
						"arn:aws:iam::12345:root",
					),
					policy.Resource(
						pulumi.Sprintf("%s/*", bucketArn),
					),
				),
			).ToStringOutput(),
		})

		// Print out the JSON that was computed
		wg.Add(1)
		bp.Policy.ApplyT(func(bp string) int {
			fmt.Println(bp)
			wg.Done()
			return 0
		})
		return nil
	}, pulumi.WithMocks("project", "stack", mocks(0)))
	wg.Wait()
}

Output:

{
    "Version": "2012-10-17",
    "Id": "my-policy",
    "Statement": [
        {
            "Sid": "statement-one",
            "Effect": "Allow",
            "Principal": {
                "AWS": "arn:aws:iam::12345:root"
            },
            "Action": [
                "s3:GetObject",
                "s3:PutObject"
            ],
            "Resource": "arn:aws:s3:::my-test-bucket-1234abcd/*"
        }
    ]
}

func (Policy) ToStringOutput 

func (p Policy) ToStringOutput() pulumi.StringOutput

ToStringOutput generates a formatted JSON policy as a suitable input for various AWS objects that require one.

func (Policy) ToStringOutputWithContext 

func (p Policy) ToStringOutputWithContext(ctx context.Context) pulumi.StringOutput

ToStringOutputWithContext generates a formatted JSON policy as a suitable input for various AWS objects that require one.

func (Policy) Validate 

func (p Policy) Validate() error

Validate performs a basic structural check of the Policy.

type StatementOpt 

type StatementOpt func(*Stmt)

StatementOpt is implemented by functions that can be passed to Statement.

func Action 

func Action(action ...interface{}) StatementOpt

Action adds one or more entries to the Action element of a Statement. It can be called multiple times to add additional actions.

action arguments may be string, []string, StringInput or StrayArrayInput slices and arrays will be flattened into a single list.

func Condition 

func Condition(conditionOp, conditionKey string, conditionValue ...interface{}) StatementOpt

Condition adds an entry to the Condition element of a Statemment. It can be called multiple times to add additional resources.

See https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_elements_condition.html for examples of condition operators, keys and values.

conditionValues arguments may be string, []string, StringInput or StrayArrayInput.

func Effect 

func Effect(effect EffectType) StatementOpt

Effect specifies whether a Statement has an Allow or Deny effect.

func NotAction 

func NotAction(action ...interface{}) StatementOpt

NotAction adds one or more entries to the NotAction element of a Statement. It can be called multiple times to add additional actions.

action arguments may be string, []string, StringInput or StrayArrayInput slices and arrays will be flattened into a single list.

func NotPrincipal 

func NotPrincipal(principalType string, principalID ...interface{}) StatementOpt

NotPrincipal adds one or more principals to the NotPrincipal element of a Statement. It can be called multiple times to add additional principals.

principalType should be one of "AWS", "CanonicalUser", etc. prinicpalID arguments may be string, []string, StringInput or StrayArrayInput slices and arrays will be flattened into a single list.

func NotResource 

func NotResource(resource ...interface{}) StatementOpt

NotResource adds one or more entries to the NotResource element of a Statement. It can be called multiple times to add additional resources.

resource arguments may be string, []string, StringInput or StrayArrayInput slices and arrays will be flattened into a single list.

func Principal 

func Principal(principalType string, principalID ...interface{}) StatementOpt

Principal adds one or more principals to the Principal element of a Statement. It can be called multiple times to add additional principals.

principalType should be one of "AWS", "CanonicalUser", etc. prinicpalID arguments may be string, []string, StringInput or StrayArrayInput slices and arrays will be flattened into a single list.

func Resource 

func Resource(resource ...interface{}) StatementOpt

Resource adds one or more entries to the Resource element of a Statement. It can be called multiple times to add additional resources.

resource arguments may be string, []string, StringInput or StrayArrayInput slices and arrays will be flattened into a single list.

type Stmt 

type Stmt struct {
	Sid          string `json:",omitempty"`
	Effect       EffectType
	Principal    map[string]Strings            `json:",omitempty"`
	NotPrincipal map[string]Strings            `json:",omitempty"`
	Action       Strings                       `json:",omitempty"`
	NotAction    Strings                       `json:",omitempty"`
	Resource     Strings                       `json:",omitempty"`
	NotResource  Strings                       `json:",omitempty"`
	Condition    map[string]map[string]Strings `json:",omitempty"`
}

Stmt define a single policy statement.

func (Stmt) Validate 

func (s Stmt) Validate() error

Validate does some very basic checks to ensure required fields are present.

type Stmts 

type Stmts []Stmt

Stmts holds an ordered group of statements.

type Strings 

type Strings []interface{}

Strings is a convenience helper that marshals its entries either to a JSON array, or a single string if only one item is in the list.

func (Strings) MarshalJSON 

func (s Strings) MarshalJSON() ([]byte, error)

MarshalJSON implements json.Marshaler.

Source Files

View all Source files

Jump to

Keyboard shortcuts

? : This menu
/ : Search site
f or F : Jump to
y or Y : Canonical URL
go.dev uses cookies from Google to deliver and enhance the quality of its services and to analyze traffic. Learn more.