Published: Apr 2, 2026 License: MIT Imports: 39 Imported by: 0


Constants

// Names of the AWS environment variables this package reads and writes.
// They are the standard names honoured by the AWS SDK credential chain and
// are presumably the keys of the map returned by (*Credentials).EnvVars.
//
// SECURITY: the values behind SecretAccessKeyEnvVar and SessionTokenEnvVar
// are live credentials. Any code path that prints the EnvVars map (debug
// logging, environment dumps, error messages) leaks them; redact those two
// keys before emitting anything.
const (
	// ProfileEnvVar selects a named profile from the shared AWS config.
	ProfileEnvVar = "AWS_PROFILE"

	// AccessKeyIdEnvVar carries the access key ID. It identifies the key
	// but is not a secret on its own.
	AccessKeyIdEnvVar = "AWS_ACCESS_KEY_ID"

	// SecretAccessKeyEnvVar carries the secret access key. Secret.
	SecretAccessKeyEnvVar = "AWS_SECRET_ACCESS_KEY"

	// SessionTokenEnvVar carries the STS session token that accompanies
	// temporary credentials. Secret.
	SessionTokenEnvVar = "AWS_SESSION_TOKEN"
)
// Identifiers used for SSM-based access to bastion instances.
const (
	// SSMStartSSHSessionDocumentName is the AWS-managed Session Manager
	// document that tunnels SSH over SSM; presumably what ProxySession
	// drives through the AWS CLI.
	SSMStartSSHSessionDocumentName = "AWS-StartSSHSession"

	// SSMRunShellDocumentName is the AWS-managed document that executes
	// shell commands on an instance; presumably what SsmSendCommand uses to
	// deliver its command slice. Anything passed through it runs with the
	// SSM agent's privileges on the instance, so callers must not build the
	// command from untrusted input.
	SSMRunShellDocumentName = "AWS-RunShellScript"

	// SessionManagerPluginDir is where the session-manager-plugin binary is
	// expected. Using a fixed absolute directory instead of a PATH lookup
	// avoids picking up a plugin from an attacker-writable PATH entry, but
	// it still assumes /usr/local/bin is root-owned and not world-writable
	// on the operator's machine.
	SessionManagerPluginDir = "/usr/local/bin"
)
// WILDCARD is IAM's match-anything token, used when building Action and
// Resource patterns (see IamResourceWildcards). Every statement that uses it
// as a Resource should be narrowed by a Condition; a bare "*" resource on IAM
// actions is the classic privilege-escalation grant. The ALL_CAPS name predates
// Go's MixedCaps convention and is kept because callers depend on it.
const WILDCARD = "*"

Variables

// ErrECRDeprecated is the sentinel returned by the retained ECR entry points
// (see Registry); compare with errors.Is.
var ErrECRDeprecated = errors.New(
	"ECR functionality has been removed; images are now pulled from public Docker Hub",
)

ErrECRDeprecated is returned when ECR functionality is accessed. ECR has been removed in favor of public Docker Hub images. Because those images now come from a public registry rather than an account-controlled repository, consumers should pin them by digest (or a signed tag) rather than a mutable `latest` tag, so that a registry-side tag change cannot silently alter what gets deployed.

Functions

func BucketExists

func BucketExists(ctx context.Context, c *Credentials, region string, bucketName string) bool

func CreateAdminPolicyIfNotExists

func CreateAdminPolicyIfNotExists(ctx context.Context, c *Credentials, region string, accountID string, policyName string) error

CreateAdminPolicyIfNotExists creates the PositTeamDedicatedAdmin IAM policy if it doesn't already exist. This policy is used as both a permissions boundary and attached managed policy for PTD roles. It's particularly important for workloads using custom_role where the standard admin setup doesn't automatically create the policy. Note that the check appears to be by name only: when a policy named policyName already exists, its document is not compared with BuildCompleteAdminPolicyDocument, so a policy that has drifted or been tampered with (for example through a new default version) is accepted silently. Callers that rely on the boundary matching the expected document should verify the policy's default version separately.

Returns nil if the policy already exists or was successfully created. Returns an error if:

  • The custom role lacks permission to check for or create policies (AccessDenied)
  • Network or transient AWS API errors occur (AWS SDK handles retries automatically)
  • Policy document marshaling fails

func CreateBucket

func CreateBucket(ctx context.Context, c *Credentials, region string, bucketName string) error

func CreateKmsKey

func CreateKmsKey(ctx context.Context, c *Credentials, region string, keyAlias string, description string) (string, error)

func GetCallerIdentity

func GetCallerIdentity(ctx context.Context) (out *sts.GetCallerIdentityOutput, err error)

GetCallerIdentity returns the caller's identity (account, ARN and user ID) via sts:GetCallerIdentity. Unlike the other helpers in this package it takes no *Credentials, so it presumably resolves credentials from the default AWS SDK chain (the AWS_* environment variables, the shared config profile, or an instance/container role); confirm that is the intended principal before using the result to decide which account an operation targets.

func GetClusterEndpoint

func GetClusterEndpoint(ctx context.Context, c *Credentials, region string, clusterName string) (string, error)

func GetClusterInfo

func GetClusterInfo(ctx context.Context, c *Credentials, region string, clusterName string) (endpoint string, caCert string, err error)

GetClusterInfo retrieves the endpoint and certificate authority data for an EKS cluster

func GetEKSToken

func GetEKSToken(ctx context.Context, c *Credentials, region string, clusterName string) (string, error)

GetEKSToken generates an EKS-compatible bearer token from a presigned STS URL (the aws-iam-authenticator scheme, presumably a presigned sts:GetCallerIdentity request). The token grants Kubernetes API access as the caller's IAM identity and is short-lived; treat it as a secret (do not log it or write it to disk) and request a fresh one rather than caching it across long operations.

func IamPermissionBoundaryCondition

func IamPermissionBoundaryCondition() yaml.Node

IamPermissionBoundaryCondition returns a CloudFormation-compatible YAML condition node that enforces the PositTeamDedicatedAdmin policy as a permissions boundary. This condition is used in IAM policy statements to ensure that any IAM role or user created by PTD must have the admin policy set as their permissions boundary.

The returned YAML node structure represents:

Condition:
  StringEquals:
    iam:PermissionsBoundary:
      - !Sub 'arn:aws:iam::${AWS::AccountId}:policy/PositTeamDedicatedAdmin'

This limits privilege escalation: a principal created under the condition cannot obtain effective permissions beyond the admin policy. Two caveats apply. First, the condition only constrains the IAM actions it is attached to (creating roles/users and setting boundaries), so the boundary is only meaningful if the same policy also denies removing or swapping it (iam:DeleteRolePermissionsBoundary, iam:DeleteUserPermissionsBoundary, and iam:PutRolePermissionsBoundary / iam:PutUserPermissionsBoundary with any other ARN). Second, it must deny editing the boundary policy itself (iam:CreatePolicyVersion, iam:SetDefaultPolicyVersion, iam:DeletePolicy, iam:DeletePolicyVersion on the PositTeamDedicatedAdmin ARN). SelfConstrainingStatements is presumably where those denies live; confirm it covers every one of these actions.

func IamResourceWildcards

func IamResourceWildcards() []yaml.Node

IamResourceWildcards returns the wildcard Resource ARN patterns used in the IAM statements (see WILDCARD). Wildcard resources on IAM actions are the highest-risk grants in the policy; each statement that uses them should be gated by IamPermissionBoundaryCondition or a tag condition rather than standing alone.

func KmsKeyExists

func KmsKeyExists(ctx context.Context, c *Credentials, region string, keyId string) bool

func S3ResourceAccountCondition

func S3ResourceAccountCondition() yaml.Node

S3ResourceAccountCondition returns the IAM condition node that restricts S3 actions to buckets owned by the current account (presumably via the aws:ResourceAccount key referenced by Action.SupportsResourceLimit). This is what stops a principal holding the admin policy from reading from or writing to an attacker-controlled bucket in another account, a common data-exfiltration path.

func SsmSendCommand

func SsmSendCommand(ctx context.Context, c *Credentials, region string, instanceId string, command []string) error

Types

type Action

// Action is a single IAM action (e.g. "ec2:DescribeInstances") together with
// the scoping conditions the generated admin policy may attach to it. The
// flags are presumably what AddActions uses to group actions into statements
// with the matching Condition. Getting a flag wrong is not harmless: marking
// an action as supporting a condition key that AWS does not evaluate for it
// produces an Allow statement that never matches, i.e. an implicit deny for
// that action, while leaving it false forgoes a scope restriction.
// RequiresRequestTagKeys and SupportsGlobalResourceCondition expose further
// per-action scoping traits.
type Action struct {
	Action                     string
	SupportsResourceLimit      bool // is the action able to be limited by the aws:ResourceAccount value of the request
	SupportsManagedByCondition bool // is the action able to be limited by the aws:ResourceTag/posit.team/managed-by value of the request
}

func AcmActions

func AcmActions() []Action

AcmActions returns ACM-related actions

func BedrockActions

func BedrockActions() []Action

BedrockActions returns bedrock-related actions

func BillingActions

func BillingActions() []Action

BillingActions returns billing-related actions

func CloudwatchActions

func CloudwatchActions() []Action

CloudwatchActions returns CloudWatch-related actions

func ComputeOptimizerActions

func ComputeOptimizerActions() []Action

ComputeOptimizerActions returns Compute Optimizer-related actions

func DirectoryServiceActions

func DirectoryServiceActions() []Action

DirectoryServiceActions returns Directory Service-related actions

func Ec2Actions

func Ec2Actions() []Action

Ec2Actions returns EC2-related actions

func EcrActions

func EcrActions() []Action

EcrActions returns ECR-related actions

func EcsActions

func EcsActions() []Action

EcsActions returns ECS-related actions

func EfsActions

func EfsActions() []Action

EfsActions returns EFS-related actions

func EksActions

func EksActions() []Action

EksActions returns EKS-related actions

func ElbActions

func ElbActions() []Action

ElbActions returns ELB-related actions

func EventsActions

func EventsActions() []Action

EventsActions returns EventBridge-related actions

func FirehoseActions

func FirehoseActions() []Action

FirehoseActions returns Firehose-related actions

func FsxActions

func FsxActions() []Action

FsxActions returns FSx-related actions

func IamWildcardActions

func IamWildcardActions() []Action

IamWildcardActions returns the IAM actions that are granted against wildcard resources (see IamResourceWildcards). Because IAM actions on arbitrary principals are the usual route to privilege escalation, any action added here should be paired with IamPermissionBoundaryCondition so that principals it can create or modify still carry the boundary.

func KmsActions

func KmsActions() []Action

KmsActions returns KMS-related actions

func LogActions

func LogActions() []Action

LogActions returns CloudWatch Logs-related actions

func OrganizationActions

func OrganizationActions() []Action

OrganizationActions returns AWS Organizations-related actions

func PricingActions

func PricingActions() []Action

PricingActions returns Pricing-related actions

func RdsActions

func RdsActions() []Action

RdsActions returns RDS-related actions

func ResourceExplorerActions

func ResourceExplorerActions() []Action

ResourceExplorerActions returns Resource Explorer-related actions

func Route53Actions

func Route53Actions() []Action

Route53Actions returns Route53-related actions

func SecretsManagerActions

func SecretsManagerActions() []Action

SecretsManagerActions returns Secrets Manager-related actions

func ShieldActions

func ShieldActions() []Action

ShieldActions returns Shield-related actions

func SqsActions

func SqsActions() []Action

SqsActions returns SQS-related actions

func SsmActions

func SsmActions() []Action

SsmActions returns SSM-related actions

func StsActions

func StsActions() []Action

StsActions returns STS-related actions

func TagActions

func TagActions() []Action

TagActions returns tag-related actions

func Wafv2Actions

func Wafv2Actions() []Action

Wafv2Actions returns WAFv2-related actions

func (Action) MarshalYAML

func (a Action) MarshalYAML() (interface{}, error)

func (Action) RequiresRequestTagKeys

func (a Action) RequiresRequestTagKeys() bool

func (Action) SupportsGlobalResourceCondition

func (a Action) SupportsGlobalResourceCondition() bool

type Credentials

// Credentials is an AWS credential set for one target account, built by
// NewCredentials (account ID, profile, optional custom role ARN and external
// ID) or by OnlyAwsCredentials from a generic types.Credentials. Refresh and
// Expired presumably manage the lifetime of the underlying temporary
// credentials; AccountID and Identity describe the principal.
//
// SECURITY: EnvVars presumably exposes the live access key, secret key and
// session token under the *EnvVar constant names. Anything that logs, prints
// or persists that map leaks credentials; redact SecretAccessKeyEnvVar and
// SessionTokenEnvVar. The externalID given to NewCredentials is the
// confused-deputy mitigation for cross-account AssumeRole and should also be
// handled as a secret.
type Credentials struct {
	// contains filtered or unexported fields
}

func NewCredentials

func NewCredentials(accountID string, profile string, customRoleArn string, externalID string) (c *Credentials)

func OnlyAwsCredentials

func OnlyAwsCredentials(c types.Credentials) (*Credentials, error)

func (*Credentials) AccountID

func (c *Credentials) AccountID() string

func (*Credentials) EnvVars

func (c *Credentials) EnvVars() map[string]string

func (*Credentials) Expired

func (c *Credentials) Expired() bool

func (*Credentials) Identity

func (c *Credentials) Identity() string

func (*Credentials) Refresh

func (c *Credentials) Refresh(ctx context.Context) error

type ManagedPolicy

// ManagedPolicy is a customer-managed IAM policy as emitted into YAML; the
// yaml tags match the property names of the CloudFormation
// AWS::IAM::ManagedPolicy resource. Used when the admin policy is created as
// a template resource (see Target.CreateAdminPolicyAsResource) rather than via
// CreateAdminPolicyIfNotExists.
type ManagedPolicy struct {
	ManagedPolicyName string         `yaml:"ManagedPolicyName"`
	PolicyDocument    PolicyDocument `yaml:"PolicyDocument"`
}

type Policy

// Policy is an inline role policy: a name plus its document, in the shape
// CloudFormation expects under a role's Policies list (see Role.RolePolicyList
// and Role.AddPolicy).
type Policy struct {
	PolicyName     string         `yaml:"PolicyName"`
	PolicyDocument PolicyDocument `yaml:"PolicyDocument"`
}

type PolicyDocument

// PolicyDocument is an IAM policy document: a Version string (normally
// "2012-10-17") and its statements. It is built by NewAdminPolicyDocument /
// BuildCompleteAdminPolicyDocument, extended with AddActions and
// AddStatements, and serialised either to YAML for CloudFormation or to JSON
// for direct IAM API calls; in the latter case call
// SubstituteCloudFormationRefs first so no intrinsic placeholders remain.
type PolicyDocument struct {
	Version   string            `yaml:"Version"`
	Statement []PolicyStatement `yaml:"Statement"`
}

func BuildCompleteAdminPolicyDocument

func BuildCompleteAdminPolicyDocument() PolicyDocument

BuildCompleteAdminPolicyDocument constructs the complete PositTeamDedicatedAdmin IAM policy document. This policy contains all AWS service actions needed for PTD operations, including:

  • Self-constraining statements (permissions boundary enforcement)
  • IAM, S3, ECR, EKS, EC2, and other AWS service permissions (ECR statements remain even though ECR image pulling has been removed — see ErrECRDeprecated; dropping them would tighten the policy to what is still used)
  • Resource account and tag-based conditions to limit scope

The policy is used both as a permissions boundary and as an attached managed policy for PTD-created IAM roles to ensure they cannot escalate beyond PTD's allowed permissions.

Returns a PolicyDocument that can be marshaled to JSON for AWS IAM API calls or YAML for CloudFormation templates.

func NewAdminPolicyDocument

func NewAdminPolicyDocument() PolicyDocument

func (*PolicyDocument) AddActions

func (pd *PolicyDocument) AddActions(actions []Action)

func (*PolicyDocument) AddStatements

func (pd *PolicyDocument) AddStatements(statements []PolicyStatement)

func (*PolicyDocument) GetStatementBySid

func (pd *PolicyDocument) GetStatementBySid(sid string) *PolicyStatement

func (PolicyDocument) SubstituteCloudFormationRefs

func (pd PolicyDocument) SubstituteCloudFormationRefs(accountID string) PolicyDocument

SubstituteCloudFormationRefs returns a new PolicyDocument with CloudFormation intrinsic function references replaced with actual values. This is needed when using the policy with direct IAM API calls (not CloudFormation). The substitution appears to be plain text replacement, so accountID must already be a validated 12-digit AWS account ID: an empty or malformed value would yield ARNs such as arn:aws:iam:::policy/PositTeamDedicatedAdmin that never match the intended boundary, and IAM will not necessarily reject them at policy-creation time.

Substitutions performed:

  • "AWS::AccountId" -> accountID (from !Ref AWS::AccountId)
  • "${AWS::AccountId}" -> accountID (from !Sub templates)

type PolicyRef

// PolicyRef names a managed policy by ARN (or by a CloudFormation reference
// to one) for Role.ManagedPolicyArns and Role.PermissionsBoundary. Its
// MarshalYAML presumably renders the reference as the appropriate
// CloudFormation form rather than a bare string — confirm before changing.
type PolicyRef string

func (PolicyRef) MarshalYAML

func (p PolicyRef) MarshalYAML() (interface{}, error)

type PolicyStatement

// PolicyStatement defines a statement in a policy document.
//
// Resource and Condition are yaml.Node rather than plain values so that
// CloudFormation intrinsics (!Sub, !Ref) survive YAML template generation;
// MarshalJSON flattens them for direct IAM API calls, so
// SubstituteCloudFormationRefs should presumably run first or intrinsic
// placeholders reach IAM as literal text. Principal belongs only in trust
// (assume-role) policies and is omitted when nil, which is what an identity
// policy needs.
//
// NOTE(review): Effect, Action and Sid carry yaml tags but no json tags. The
// encoding/json default (the Go field name) happens to match IAM's casing,
// and the custom MarshalJSON may control the output anyway — confirm.
type PolicyStatement struct {
	Effect    string      `yaml:"Effect"`
	Action    []string    `yaml:"Action"`
	Sid       string      `yaml:"Sid,omitempty"`
	Principal Principal   `yaml:"Principal,omitempty" json:"Principal,omitempty"`
	Resource  []yaml.Node `yaml:"Resource,omitempty" json:"Resource,omitempty"`
	Condition yaml.Node   `yaml:"Condition,omitempty" json:"Condition,omitempty"`
}

PolicyStatement defines a statement in a policy document.

func EcrAwsAccountStatements

func EcrAwsAccountStatements() []PolicyStatement

EcrAwsAccountStatements returns ECR cross-account policy statements. ECR is no longer used by this package (see ErrECRDeprecated), so these statements are candidates for removal from the admin policy to keep it to the permissions still exercised.

func IamStatements

func IamStatements() []PolicyStatement

IamStatements returns IAM-related policy statements

func S3Statements

func S3Statements() []PolicyStatement

S3Statements returns S3-related policy statements

func SelfConstrainingStatements

func SelfConstrainingStatements() []PolicyStatement

SelfConstrainingStatements returns the statements that make the admin policy self-constraining: per BuildCompleteAdminPolicyDocument, the permissions-boundary enforcement statements intended to stop a principal bound by the policy from widening its own permissions (creating principals without the boundary, removing or replacing the boundary, or editing the boundary policy itself). These statements are what give the boundary its security value; treat any change to them as a privilege-escalation review.

func (*PolicyStatement) AddAction

func (ps *PolicyStatement) AddAction(a string)

func (PolicyStatement) MarshalJSON

func (ps PolicyStatement) MarshalJSON() ([]byte, error)

MarshalJSON implements custom JSON marshaling for PolicyStatement. This converts yaml.Node fields (Resource, Condition) to simple types for the IAM API, while still preserving yaml.Node for YAML/CloudFormation template generation. The nodes should not still contain unresolved CloudFormation intrinsics when this runs; call SubstituteCloudFormationRefs first, otherwise the placeholders are presumably emitted into the IAM policy as literal text.

type Principal

// Principal is the Principal element of a trust-policy statement, keyed by
// principal type (e.g. "AWS", "Service"). NOTE(review): the nested
// map[string]string value does not directly mirror IAM's
// {"Service": "..."} / {"AWS": "arn"} form; confirm how the YAML and
// PolicyStatement.MarshalJSON output looks before relying on it for new
// trust policies. A nil Principal is omitted from the statement.
type Principal map[string]map[string]string

type ProxySession

// ProxySession is a local port-forward to a Target, built by NewProxySession
// and driven through the AWS CLI at awsCliPath (presumably an SSM
// Session Manager session, see SSMStartSSHSessionDocumentName). Lifecycle:
// Preflight checks whether a session is already active, Start launches it,
// Wait blocks until it ends, Stop tears it down.
//
// SECURITY: awsCliPath is executed; it should be an absolute path to a
// trusted binary, not a bare name resolved through PATH. The session exposes
// the remote endpoint on localPort of the operator's machine, so it should be
// stopped as soon as it is no longer needed.
type ProxySession struct {
	// contains filtered or unexported fields
}

func NewProxySession

func NewProxySession(t Target, awsCliPath string, localPort string, file string) *ProxySession

func (*ProxySession) Preflight

func (p *ProxySession) Preflight() (active bool, err error)

func (*ProxySession) Start

func (p *ProxySession) Start(ctx context.Context) error

func (*ProxySession) Stop

func (p *ProxySession) Stop() error

func (*ProxySession) Wait

func (p *ProxySession) Wait()

type Registry

// Registry identifies an ECR registry (account + region). Its image and auth
// methods are deprecated: ECR is no longer used and callers should expect
// ErrECRDeprecated (see the package variable). Only Region and RegistryURI
// remain meaningful.
type Registry struct {
	// contains filtered or unexported fields
}

func NewRegistry

func NewRegistry(accountID string, region string) *Registry

func (Registry) GetAuthForCredentials

func (r Registry) GetAuthForCredentials(ctx context.Context, c types.Credentials) (username string, password string, err error)

Deprecated: ECR is no longer used; images are now pulled from public Docker Hub. Callers should expect ErrECRDeprecated (see the package variable) and must not use the returned username/password.

func (Registry) GetLatestDigestForRepository

func (r Registry) GetLatestDigestForRepository(ctx context.Context, c types.Credentials, repository string) (string, error)

Deprecated: ECR is no longer used; images are now pulled from public Docker Hub. Callers should expect ErrECRDeprecated (see the package variable). Digest pinning is still the right way to reference a Docker Hub image; resolve the digest at build or release time instead.

func (Registry) GetLatestImageForRepository

func (r Registry) GetLatestImageForRepository(ctx context.Context, c types.Credentials, repository string) (details types.ImageDetails, err error)

Deprecated: ECR is no longer used; images are now pulled from public Docker Hub. Callers should expect ErrECRDeprecated (see the package variable) and must not rely on the returned details.

func (Registry) Region

func (r Registry) Region() string

func (Registry) RegistryURI

func (r Registry) RegistryURI() string

type Role

// Role is an IAM role definition as emitted into YAML; the yaml tags match the
// property names of the CloudFormation AWS::IAM::Role resource. Build one with
// NewRole and attach inline policies with AddPolicy.
//
// PermissionsBoundary is omitted when empty, so a Role that is never assigned
// a boundary is rendered without one (unless NewRole sets it — confirm). Since
// IamPermissionBoundaryCondition requires PTD-created principals to carry the
// PositTeamDedicatedAdmin boundary, a Role without it is both a least-privilege
// gap and likely to be rejected at creation time.
type Role struct {
	RoleName                 string              `yaml:"RoleName"`
	ManagedPolicyArns        []PolicyRef         `yaml:"ManagedPolicyArns"`
	RolePolicyList           []Policy            `yaml:"Policies"`
	AssumeRolePolicyDocument PolicyDocument      `yaml:"AssumeRolePolicyDocument"`
	PermissionsBoundary      PolicyRef           `yaml:"PermissionsBoundary,omitempty"`
	Path                     string              `yaml:"Path"`
	Tags                     []map[string]string `yaml:"Tags"`
}

func NewRole

func NewRole(name string) Role

func (*Role) AddPolicy

func (r *Role) AddPolicy(p Policy)

type SecretStore

// SecretStore wraps a per-region secrets backend (presumably AWS Secrets
// Manager, given SecretsManagerActions and NewSecretStore(region)). Create*,
// Put* and EnsureWorkloadSecret write secrets; SecretExists and GetSecretValue
// read them.
//
// SECURITY: GetSecretValue returns the plaintext secret; never log it or
// include it in error messages. CreateSecretIfNotExists does not overwrite an
// existing secret, so a pre-existing value under the same name is kept as-is.
type SecretStore struct {
	// contains filtered or unexported fields
}

func NewSecretStore

func NewSecretStore(region string) *SecretStore

func (*SecretStore) CreateSecret

func (s *SecretStore) CreateSecret(ctx context.Context, c types.Credentials, secretName string, secretString string) error

func (*SecretStore) CreateSecretIfNotExists

func (s *SecretStore) CreateSecretIfNotExists(ctx context.Context, c types.Credentials, secretName string, secret any) (err error)

func (*SecretStore) EnsureWorkloadSecret

func (s *SecretStore) EnsureWorkloadSecret(ctx context.Context, c types.Credentials, workloadName string, secret any) (err error)

func (*SecretStore) GetSecretValue

func (s *SecretStore) GetSecretValue(ctx context.Context, c types.Credentials, secretName string) (string, error)

func (*SecretStore) PutSecretValue

func (s *SecretStore) PutSecretValue(ctx context.Context, c types.Credentials, secretName string, secretString string) error

func (*SecretStore) SecretExists

func (s *SecretStore) SecretExists(ctx context.Context, c types.Credentials, secretName string) bool

type Target

// Target is one deployable AWS environment (account, region, profile or custom
// role, and its sites and clusters), constructed by NewTarget. Credentials
// resolves the AWS credentials to act on it, BastionId locates the SSM
// bastion, and the Pulumi*/StateBucketName accessors describe where its
// infrastructure state lives. HashName yields a stable, non-secret identifier.
type Target struct {

	// clusters is currently only relevant/supported for aws.
	Clusters map[string]types.AWSWorkloadClusterConfig
	// contains filtered or unexported fields
}

func NewTarget

func NewTarget(targetName string, accountID string, profile string, customRole *types.CustomRoleConfig, region string, isControlRoom bool, tailscaleEnabled bool, createAdminPolicyAsResource bool, sites map[string]types.SiteConfig, clusters map[string]types.AWSWorkloadClusterConfig) Target

func (Target) BastionId

func (t Target) BastionId(ctx context.Context) (string, error)

func (Target) CloudProvider

func (t Target) CloudProvider() types.CloudProvider

func (Target) ControlRoom

func (t Target) ControlRoom() bool

func (Target) CreateAdminPolicyAsResource

func (t Target) CreateAdminPolicyAsResource() bool

func (Target) Credentials

func (t Target) Credentials(ctx context.Context) (types.Credentials, error)

func (Target) HashName

func (t Target) HashName() string

HashName returns an obfuscated name for the target that can be used as a unique identifier. Obfuscation is not secrecy: the value is presumably a deterministic hash of the target name, so treat it as a public, stable identifier (e.g. for resource naming) and do not rely on it to hide the target name or to act as an authorization token.

func (Target) Name

func (t Target) Name() string

func (Target) PulumiBackendUrl

func (t Target) PulumiBackendUrl() string

func (Target) PulumiSecretsProviderKey

func (t Target) PulumiSecretsProviderKey() string

func (Target) Region

func (t Target) Region() string

func (Target) Registry

func (t Target) Registry() types.Registry

func (Target) SecretStore

func (t Target) SecretStore() types.SecretStore

func (Target) Sites

func (t Target) Sites() map[string]types.SiteConfig

func (Target) StateBucketName

func (t Target) StateBucketName() string

func (Target) TailscaleEnabled

func (t Target) TailscaleEnabled() bool

func (Target) Type

func (t Target) Type() types.TargetType
