Documentation ¶
Overview ¶
Package policy provides a helper type for generating JSON AWS policy documents.
See the AWS documentation for policy elements used here: https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_elements.html
Policies can be created by passing configuration arguments to New that build statements, add resources, actions, effects, etc.
Most elements accept strings, string slices, Pulumi StringOutputs or StringArrayOutputs. Slices and arrays are flattened into a single list while building the final output which can save some work slicing them elsewhere.
bucketPolicy, err := s3.NewBucketPolicy(ctx, "bucket-policy", &s3.BucketPolicyArgs{ Bucket: newBucket.Bucket, Policy: policy.New("my-bucket-policy", policy.Statement("cross-account-access", policy.Effect(policy.Allow), policy.Action( "s3:GetObject", "s3:PutObject", ), policy.Principal("AWS", account1Arn, account2Arn), policy.Principal("AWS", otherArns), policy.Resource( pulumi.Sprintf("%s/*", newBucket.BucketArn), ), ), policy.Statement("cloudfront-access", policy.Effect(policy.Allow), policy.Action("s3:GetObject"), policy.Principal("AWS", cloudfrontOAI.IamARN), policy.Resource( pulumi.Sprintf("%s/*", newBucket.BucketArn), ), ), ).ToStringOutput(), })
Index ¶
- Variables
- type EffectType
- type Opt
- type Policy
- type StatementOpt
- func Action(action ...interface{}) StatementOpt
- func Condition(conditionOp, conditionKey string, conditionValue ...interface{}) StatementOpt
- func Effect(effect EffectType) StatementOpt
- func NotAction(action ...interface{}) StatementOpt
- func NotPrincipal(principalType string, principalID ...interface{}) StatementOpt
- func NotResource(resource ...interface{}) StatementOpt
- func Principal(principalType string, principalID ...interface{}) StatementOpt
- func Resource(resource ...interface{}) StatementOpt
- type Stmt
- type Stmts
- type Strings
Examples ¶
Constants ¶
This section is empty.
Variables ¶
var ( ErrInvalidPolicy = errors.New("invalid policy") ErrInvalidStatement = errors.New("invalid statement") )
Package errors returned during validation of policies and statements.
Functions ¶
This section is empty.
Types ¶
type EffectType ¶
type EffectType string
EffectType is used with the Effect element of a Statement.
const ( Allow EffectType = "Allow" Deny EffectType = "Deny" )
Valid effects for use with Statements.
type Opt ¶
type Opt func(*Policy)
Opt is implemented by functions that can be passed to New.
func Statement ¶
func Statement(sid string, opts ...StatementOpt) Opt
Statement defines a single policy statement that can be passed to New.
type Policy ¶
Policy defines an IAM policy that can be converted to a JSON StringOutput.
It accepts strings or StringInputs for parameters and will use ApplyT to resolve any dependent inputs before generating the JSON.
func New ¶
New creates a new Policy with the supplied ID. It should supply at least a single Statement as an argument.
Example ¶
package main import ( "fmt" "sync" "github.com/gwatts/pulutil/policy" "github.com/pulumi/pulumi-aws/sdk/v5/go/aws/s3" "github.com/pulumi/pulumi/sdk/v3/go/common/resource" "github.com/pulumi/pulumi/sdk/v3/go/pulumi" ) type mocks int func (mocks) NewResource(args pulumi.MockResourceArgs) (string, resource.PropertyMap, error) { return args.Name + "_id", args.Inputs, nil } func (mocks) Call(args pulumi.MockCallArgs) (resource.PropertyMap, error) { return args.Args, nil } func main() { var wg sync.WaitGroup _ = pulumi.RunErr(func(ctx *pulumi.Context) error { // bucketArn might be an output from a prior bucket creation bucketArn := pulumi.String("arn:aws:s3:::my-test-bucket-1234abcd") // Create a BucketPolicy using the above policy definition bp, _ := s3.NewBucketPolicy(ctx, "test-policy", &s3.BucketPolicyArgs{ Bucket: pulumi.String("my-test-bucket-1234abcd"), Policy: policy.New("my-policy", policy.Statement("statement-one", policy.Effect(policy.Allow), policy.Action( "s3:GetObject", "s3:PutObject", ), policy.Principal("AWS", "arn:aws:iam::12345:root", ), policy.Resource( pulumi.Sprintf("%s/*", bucketArn), ), ), ).ToStringOutput(), }) // Print out the JSON that was computed wg.Add(1) bp.Policy.ApplyT(func(bp string) int { fmt.Println(bp) wg.Done() return 0 }) return nil }, pulumi.WithMocks("project", "stack", mocks(0))) wg.Wait() }
Output: { "Version": "2012-10-17", "Id": "my-policy", "Statement": [ { "Sid": "statement-one", "Effect": "Allow", "Principal": { "AWS": "arn:aws:iam::12345:root" }, "Action": [ "s3:GetObject", "s3:PutObject" ], "Resource": "arn:aws:s3:::my-test-bucket-1234abcd/*" } ] }
func (Policy) ToStringOutput ¶
func (p Policy) ToStringOutput() pulumi.StringOutput
ToStringOutput generates a formatted JSON policy as a suitable input for various AWS objects that require one.
func (Policy) ToStringOutputWithContext ¶
func (p Policy) ToStringOutputWithContext(ctx context.Context) pulumi.StringOutput
ToStringOutputWithContext generates a formatted JSON policy as a suitable input for various AWS objects that require one.
type StatementOpt ¶
type StatementOpt func(*Stmt)
StatementOpt is implemented by functions that can be passed to Statement.
func Action ¶
func Action(action ...interface{}) StatementOpt
Action adds one or more entries to the Action element of a Statement. It can be called multiple times to add additional actions.
action arguments may be string, []string, StringInput or StrayArrayInput slices and arrays will be flattened into a single list.
func Condition ¶
func Condition(conditionOp, conditionKey string, conditionValue ...interface{}) StatementOpt
Condition adds an entry to the Condition element of a Statemment. It can be called multiple times to add additional resources.
See https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_elements_condition.html for examples of condition operators, keys and values.
conditionValues arguments may be string, []string, StringInput or StrayArrayInput.
func Effect ¶
func Effect(effect EffectType) StatementOpt
Effect specifies whether a Statement has an Allow or Deny effect.
func NotAction ¶
func NotAction(action ...interface{}) StatementOpt
NotAction adds one or more entries to the NotAction element of a Statement. It can be called multiple times to add additional actions.
action arguments may be string, []string, StringInput or StrayArrayInput slices and arrays will be flattened into a single list.
func NotPrincipal ¶
func NotPrincipal(principalType string, principalID ...interface{}) StatementOpt
NotPrincipal adds one or more principals to the NotPrincipal element of a Statement. It can be called multiple times to add additional principals.
principalType should be one of "AWS", "CanonicalUser", etc. prinicpalID arguments may be string, []string, StringInput or StrayArrayInput slices and arrays will be flattened into a single list.
func NotResource ¶
func NotResource(resource ...interface{}) StatementOpt
NotResource adds one or more entries to the NotResource element of a Statement. It can be called multiple times to add additional resources.
resource arguments may be string, []string, StringInput or StrayArrayInput slices and arrays will be flattened into a single list.
func Principal ¶
func Principal(principalType string, principalID ...interface{}) StatementOpt
Principal adds one or more principals to the Principal element of a Statement. It can be called multiple times to add additional principals.
principalType should be one of "AWS", "CanonicalUser", etc. prinicpalID arguments may be string, []string, StringInput or StrayArrayInput slices and arrays will be flattened into a single list.
func Resource ¶
func Resource(resource ...interface{}) StatementOpt
Resource adds one or more entries to the Resource element of a Statement. It can be called multiple times to add additional resources.
resource arguments may be string, []string, StringInput or StrayArrayInput slices and arrays will be flattened into a single list.
type Stmt ¶
type Stmt struct { Sid string `json:",omitempty"` Effect EffectType Principal map[string]Strings `json:",omitempty"` NotPrincipal map[string]Strings `json:",omitempty"` Action Strings `json:",omitempty"` NotAction Strings `json:",omitempty"` Resource Strings `json:",omitempty"` NotResource Strings `json:",omitempty"` Condition map[string]map[string]Strings `json:",omitempty"` }
Stmt define a single policy statement.