Replace IAM role shell script with pulumi typescript program
Lucas Rodriguez
committed
Oct 12, 2023
1 parent
fe59a0f
commit 10c9973
Showing
14 changed files
with
2,393 additions
and
106 deletions.
@@ -1,8 +1,6 @@ | ||
# Ignore node_modules and Pepr build artifacts | ||
node_modules | ||
dist | ||
insecure* | ||
coverage | ||
|
||
# Ignore build/ directory | ||
build | ||
Pulumi.**.yaml |
This file was deleted.
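--- /dev/null
+++ b/[path not shown on page]
@@ -0,0 +1,3 @@
+name: iam
+runtime: nodejs
+description: IaC to provision IAM resources for IRSA authentication in CI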
File renamed without changes.
File renamed without changes.
File renamed without changes.
File renamed without changes.
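--- /dev/null
+++ b/[path not shown on page]
@@ -0,0 +1,78 @@
+import { Output } from "@pulumi/pulumi";
+import {
+createPolicy,
+createRole,
+attachPolicyToRole,
+getAccountId,
+getClusterId,
+} from "./utils";
+
+// Resource names
+const webhookRoleName = "ecr-webhook-role";
+const webhookPolicyName = "ecr-webhook-policy";
+const credentialHelperRoleName = "ecr-credential-helper-role";
+const credentialHelperPolicyName = "ecr-credential-helper-policy";
+
+// File names for IAM resources
+const webhookPolicyPath = "ecr-webhook-policy.json";
+const webhookRolePath = "ecr-webhook-role.json";
+const credentialHelperPolicyPath = "ecr-credential-helper-policy.json";
+const credentialHelperRolePath = "ecr-credential-helper-role.json";
+
+const main = async () => {
+const clusterId = await getClusterId();
+const accountId = await getAccountId();
+
+// Create webhook IAM policy
+const webhookPolicy = createPolicy(webhookPolicyPath, webhookPolicyName);
+
+// Create webhook IAM role
+const webhookRole = createRole(
+webhookRolePath,
+webhookRoleName,
+accountId,
+clusterId as string,
+);
+
+// Create credential helper IAM policy
+const credentialHelperPolicy = createPolicy(
+credentialHelperPolicyPath,
+credentialHelperPolicyName,
+);
+
+// Create credential helper IAM role
+const credentialHelperRole = createRole(
+credentialHelperRolePath,
+credentialHelperRoleName,
+accountId,
+clusterId as string,
+);
+
+// Attach webhook policy to role
+attachPolicyToRole(
+"ecr-webhook-policy-attachment",
+webhookRole.name as unknown as string,
+webhookPolicy.arn as unknown as string,
+);
+
+// Attach credential helper policy to role
+attachPolicyToRole(
+"ecr-credential-helper-policy-attachment",
+credentialHelperRole.name as unknown as string,
+credentialHelperPolicy.arn as unknown as string,
+);
+
+const webhookRoleArn = webhookRole.arn;
+const credentialHelperRoleArn = credentialHelperRole.arn;
+
+return [webhookRoleArn, credentialHelperRoleArn];
+};
+
+const outputs = main();
+
+export const webhookRoleArn: Promise<Output<string>> = outputs.then(
+result => result[0],
+);
+export const credentialHelperRoleArn: Promise<Output<string>> = outputs.then(
+result => result[1],
+);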
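Review bot: The `clusterId as string` casts in both createRole calls and the `as unknown as string` casts in both attachPolicyToRole calls silence type errors instead of resolving them: `webhookRole.name` and `webhookPolicy.arn` are Pulumi `Output<string>` values at runtime, so if attachPolicyToRole's signature (in ./utils, outside this hunk) really takes `string`, any string formatting inside it would operate on an Output object, and if it already takes `pulumi.Input<string>` the casts are simply unnecessary. Prefer declaring the helper parameters as `pulumi.Input<string>` and passing `webhookRole.name` / `webhookPolicy.arn` directly. The `as string` on clusterId suggests getClusterId may resolve to undefined; a guard fails early with a clear message instead of feeding an undefined into the trust policy: `if (clusterId === undefined) throw new Error("getClusterId() returned no cluster id");`. The role trust-policy JSON files referenced here are not in this commit view; for IRSA it is worth confirming that the OIDC `sub` condition in them is pinned to the exact namespace and service account rather than a wildcard.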