import * as aws from "@pulumi/aws";
import * as pulumi from "@pulumi/pulumi";
// AWS-managed policies attached to every role produced by createRole().
//
// NOTE(review): AmazonEKS_CNI_Policy on an EC2 node role is reachable by every
// pod that can hit the instance metadata endpoint; AWS's guidance is to grant it
// to the aws-node service account via IRSA instead — confirm whether IMDS is
// locked down on the nodes.
// NOTE(review): AmazonEKSFargatePodExecutionRolePolicy is intended for a pod
// execution role trusted by eks-fargate-pods.amazonaws.com; createRole() trusts
// ec2.amazonaws.com only, so this grant is likely never exercised there and
// could be dropped — verify no Fargate profile reuses the role first.
const managedPolicyArns: readonly string[] = [
    "arn:aws:iam::aws:policy/AmazonEKSWorkerNodePolicy",
    "arn:aws:iam::aws:policy/AmazonEKS_CNI_Policy",
    "arn:aws:iam::aws:policy/AmazonEC2ContainerRegistryReadOnly",
    "arn:aws:iam::aws:policy/AmazonEKSFargatePodExecutionRolePolicy",
];
/**
 * Creates an IAM role that the EC2 service may assume and attaches each of the
 * AWS-managed policies listed in `managedPolicyArns` to it.
 *
 * The attachments are named `${name}-policy-<index>` (index 0, 1, ...) and are
 * intentionally not returned: instantiating the Pulumi resource is what
 * registers it in the stack.
 *
 * NOTE(review): the trust policy admits ec2.amazonaws.com only, so this role can
 * be assumed by EC2 instances (via an instance profile), not by Fargate pods;
 * see the notes on `managedPolicyArns` about which entries actually apply.
 *
 * @param name Pulumi resource name of the role; also prefixes the attachments.
 * @returns the created role.
 */
export function createRole(name: string): aws.iam.Role {
    const nodeRole = new aws.iam.Role(name, {
        assumeRolePolicy: aws.iam.assumeRolePolicyForPrincipal({
            Service: "ec2.amazonaws.com",
        }),
    });

    // One attachment per managed policy; the index keeps resource names unique.
    managedPolicyArns.forEach((policyArn, index) => {
        new aws.iam.RolePolicyAttachment(`${name}-policy-${index}`, {
            policyArn,
            role: nodeRole,
        });
    });

    return nodeRole;
}
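/**
 * Creates an IAM role for pods that grants read-only EC2 metadata access
 * (`ec2:Describe*`) and returns it.
 *
 * Bug fixed: the hand-written trust policy used `Version: "2020-08-20"`, which
 * is not an IAM policy-language version (only "2012-10-17" and "2008-10-17"
 * exist) and is rejected by IAM as a malformed policy document. The trust
 * policy is now produced by the same `assumeRolePolicyForPrincipal` helper
 * that `createRole` uses, so the document cannot be mistyped again.
 *
 * The permission statement is defined once and reused for both the inline
 * role policy (`${name}-rolepolicy`) and the customer-managed policy
 * (`${name}-policy`, attached through `${name}-rolepolicyattachment`) so the
 * two cannot drift apart. They grant identical permissions; both are kept only
 * to preserve the existing resource names, and one of them can be removed.
 *
 * NOTE(review): the role trusts ec2.amazonaws.com, i.e. any EC2 instance whose
 * instance profile carries it — that is node-level, not pod-level, identity.
 * Pod-scoped credentials would normally use an OIDC (IRSA) trust on a service
 * account; confirm how this role is consumed before relying on it as a
 * per-pod boundary.
 * NOTE(review): `Resource: "*"` is unavoidable because ec2:Describe* actions
 * do not support resource-level permissions, but the action wildcard is still
 * broad — list the specific Describe calls the workload needs if they are
 * known.
 *
 * @param name Pulumi resource name of the role; also prefixes the policy
 *             resources created alongside it.
 * @returns the created role.
 */
export function createPodsRole(name: string): aws.iam.Role {
    const role = new aws.iam.Role(name, {
        assumeRolePolicy: aws.iam.assumeRolePolicyForPrincipal({
            Service: "ec2.amazonaws.com",
        }),
    });

    // Single source of truth for the permissions granted below.
    const describeEc2Document = JSON.stringify({
        Version: "2012-10-17",
        Statement: [{
            Action: ["ec2:Describe*"],
            Effect: "Allow",
            Resource: "*",
        }],
    });

    // Inline policy on the role (not returned; instantiation registers it).
    new aws.iam.RolePolicy(`${name}-rolepolicy`, {
        role: role,
        policy: describeEc2Document,
    });

    // Customer-managed policy with the same statement, attached to the role.
    const managedPolicy = new aws.iam.Policy(`${name}-policy`, {
        policy: describeEc2Document,
    });

    new aws.iam.RolePolicyAttachment(`${name}-rolepolicyattachment`, {
        role: role,
        policyArn: managedPolicy.arn,
    });

    return role;
}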
/** Example, left commented out (`role` and `policy` are not in module scope here):
const user = new aws.iam.User("myuser");
const group = new aws.iam.Group("mygroup");
const policyAttachment = new aws.iam.PolicyAttachment("mypolicyattachment", {
users: [user],
groups: [group],
roles: [role],
policyArn: policy.arn
});
**/