converting aws assume-role to go, add README.md, and the test for it

ChaturvediSulabh · Jul 2, 2020 · 47f586c · 47f586c
1 parent 07d80a0
commit 47f586c
Show file tree

Hide file tree

Showing 11 changed files with 810 additions and 1 deletion.
diff --git a/aws-go-assume-role/README.md b/aws-go-assume-role/README.md
@@ -0,0 +1,63 @@
+# AWS Resources Using AssumeRole
+
+This example shows how to use the AssumeRole functionality of the AWS provider to create resources in the security context of an IAM Role assumed by the IAM User running the Pulumi programs.
+
+## Deploying the Example
+
+### Part 1: Privileged Components
+
+The Pulumi program in `create-role` requires credentials with permissions to create an IAM User, an IAM Role, and assign
+an AWS Access Key to the user. The program creates a new, unprivileged user with no policies attached, and a role which
+specifies a trust policy allowing assumption by the unprivileged user. The role allows the `s3:*` actions on all 
+resources.
+
+You'll need to set the `create-role:unprivilegedUsername` configuration variable to the name of the unprivilged user, as
+well as the AWS region in which to operate.
+
+```bash
+$ cd create-role
+$ pulumi stack init assume-role-create
+$ pulumi config set create-role:unprivilegedUsername [email protected]
+$ pulumi config set aws:region us-east-1
+$ pulumi up
+```
+
+The program can then be run with `pulumi up`. The outputs of the program tell you the ARN of the Role, and the Access 
+Key ID and Secret associated with the User:
+
+```
+$ pulumi stack output --json
+{
+ "accessKeyId": "AKIAI7JE74TLY2LOEIJA",
+ "secretAccessKey": "<redacted>",
+ "roleArn": "arn:aws:iam::<redacted>:role/allow-s3-management-ad477e6"
+}
+```
+
+### Part 2: Assuming the Role
+
+The Pulumi program in `assume-role` creates an S3 bucket after assuming the Role created in Part 1. It should be run
+with the unprivileged user credentials created in Part 1. This can be configured as follows, from the `assume-role`
+directory, replacing `{YOUR_STACK_PATH/assume-role-create}` with the full name of your stack from Part 1. Full name of your stack is available at [`app.pulumi.com`][app]
+
+```bash
+$ cd assume-role
+$ npm install
+$ export AWS_ACCESS_KEY_ID="$(pulumi stack output --stack {YOUR_STACK_PATH/assume-role-create} accessKeyId)"
+$ export AWS_SECRET_ACCESS_KEY="$(pulumi stack output --stack {YOUR_STACK_PATH/assume-role-create} secretAccessKey)"
+```
+
+The configuration variable `roleToAssumeARN` must be set to the ARN of the role allowing S3 access, and the AWS region
+must be set to the region in which you wish to operate:
+
+```bash
+$ pulumi stack init assume-role-assume
+$ pulumi config set roleToAssumeARN "$(pulumi stack output --stack assume-role-create roleArn)"
+$ pulumi config set aws:region us-east-1
+```
+
+The program can then be run with `pulumi up`. You can verify that the role is indeed assumed by looking at the 
+CloudTrail logs of the bucket creation operation, or by commenting out the `assumeRole` configuration in the provider
+and ensuring creation is not successful.
+
+[app]: https://app.pulumi.com/
diff --git a/aws-go-assume-role/assume-role/Pulumi.yaml b/aws-go-assume-role/assume-role/Pulumi.yaml
@@ -0,0 +1,3 @@
+name: assume-role
+runtime: go
+description: Demonstrate use of AWS AssumeRole Functionality
diff --git a/aws-go-assume-role/assume-role/go.mod b/aws-go-assume-role/assume-role/go.mod
@@ -0,0 +1,9 @@
+module assume-role
+
+go 1.14
+
+require (
+ github.com/pulumi/pulumi-aws/sdk v1.31.0
+ github.com/pulumi/pulumi-aws/sdk/v2 v2.11.0
+ github.com/pulumi/pulumi/sdk/v2 v2.2.1
+)
diff --git a/aws-go-assume-role/assume-role/go.sum b/aws-go-assume-role/assume-role/go.sum
diff --git a/aws-go-assume-role/assume-role/main.go b/aws-go-assume-role/assume-role/main.go
@@ -0,0 +1,50 @@
+package main
+
+import (
+ "github.com/pulumi/pulumi-aws/sdk/v2/go/aws"
+ "github.com/pulumi/pulumi-aws/sdk/v2/go/aws/s3"
+ "github.com/pulumi/pulumi/sdk/v2/go/pulumi"
+ "github.com/pulumi/pulumi/sdk/v2/go/pulumi/config"
+)
+
+func GetRegion(ctx *pulumi.Context) string {
+ v, err := config.Try(ctx, "aws:region")
+ if err == nil {
+ return v
+ } else {
+ return err.Error()
+ }
+}
+
+func main() {
+ pulumi.Run(func(ctx *pulumi.Context) error {
+
+ config := config.New(ctx, "")
+ roleToAssumeARN := config.Require("roleToAssumeARN")
+
+ region := GetRegion(ctx)
+
+ provider, err := aws.NewProvider(ctx, "privileged", &aws.ProviderArgs{
+ AssumeRole: &aws.ProviderAssumeRoleArgs{
+ RoleArn: pulumi.StringPtr(roleToAssumeARN),
+ SessionName: pulumi.String("PulumiSession"),
+ ExternalId: pulumi.String("PulumiApplication"),
+ },
+ Region: pulumi.String(region),
+ })
+
+ if err != nil {
+ return err
+ }
+
+ // Create an AWS resource (S3 Bucket)
+ bucket, err := s3.NewBucket(ctx, "my-bucket", nil, pulumi.Provider(provider))
+ if err != nil {
+ return err
+ }
+
+ // Export the name of the bucket
+ ctx.Export("bucketName", bucket.BucketDomainName)
+ return nil
+ })
+}
diff --git a/aws-go-assume-role/create-role/Pulumi.yaml b/aws-go-assume-role/create-role/Pulumi.yaml
@@ -0,0 +1,3 @@
+name: create-role
+runtime: go
+description: Demonstrate use of AWS AssumeRole Functionality
diff --git a/aws-go-assume-role/create-role/go.mod b/aws-go-assume-role/create-role/go.mod
@@ -0,0 +1,8 @@
+module create-role
+
+go 1.14
+
+require (
+ github.com/pulumi/pulumi-aws/sdk/v2 v2.11.0
+ github.com/pulumi/pulumi/sdk/v2 v2.5.0
+)