
Global Resources
================

Global Resources are defined in the top-level resource/ directory. They define cloud resources which do not belong to an environment or other logical grouping.

CloudTrail
----------

The resource/cloudtrail.yaml file contains CloudTrails.

.. code-block:: bash

    paco provision resource.cloudtrail

CodeCommit
----------

The resource/codecommit.yaml file manages CodeCommit repositories and users. The top-level of the file is CodeCommitRepositoryGroups, and each group contains a set of CodeCommit Repositories.

Provision CodeCommit repos and users with:

.. code-block:: bash

    paco provision resource.codecommit

Be sure to save the AWS SSH key ID for each user after you provision their key. If you lose them, you can also see the SSH key IDs in the AWS Console under the IAM Users.

Visit the CodeCommit service in the AWS Console to see the SSH URL for a Git repo.

To authenticate, if you are using your default public SSH key, you can embed the AWS SSH key ID as the user in the SSH URL:

.. code-block:: bash

    git clone ssh://APKAV........63ICK@server/project.git

Or add the AWS SSH key ID to your ~/.ssh/config file. This is the easiest way, especially if you have to deal with multiple SSH keys on your workstation:

.. code-block:: text

    Host git-codecommit.*.amazonaws.com
      User APKAV........63ICK
      IdentityFile ~/.ssh/my_public_key_rsa

IdentityFile must point at the private key whose public half you registered as the CodeCommit user's public_ssh_key; ssh reads the matching .pub file from the same directory.

CodeCommit
^^^^^^^^^^

Container for CodeCommitRepositoryGroup objects.

:guilabel:`CodeCommit` |bars| Container<CodeCommitRepositoryGroup>

This container defines no fields of its own.

Base Schemas: Named, Title

CodeCommitRepositoryGroup
^^^^^^^^^^^^^^^^^^^^^^^^^

Container for CodeCommitRepository objects.

:guilabel:`CodeCommitRepositoryGroup` |bars| Container<CodeCommitRepository>

This container defines no fields of its own.

Base Schemas: Named, Title

CodeCommitRepository
^^^^^^^^^^^^^^^^^^^^

CodeCommit Repository

:guilabel:`CodeCommitRepository`

.. list-table::
   :header-rows: 1

   * - Field name
     - Type
     - Purpose
     - Constraints
     - Default
   * - account
     - PacoReference |star|
     - Account this repo belongs to
     - Paco Reference to Account.
     -
   * - description
     - String
     - Repository Description
     -
     -
   * - external_resource
     - Boolean
     - Boolean indicating whether the CodeCommit repository already exists or not
     -
     - False
   * - region
     - String
     - AWS Region
     -
     -
   * - repository_name
     - String
     - Repository Name
     -
     -
   * - users
     - Container<CodeCommitUser>
     - CodeCommit Users
     -
     -

Base Schemas: Deployable, Named, Title

CodeCommitUser
^^^^^^^^^^^^^^

CodeCommit User

:guilabel:`CodeCommitUser`

.. list-table::
   :header-rows: 1

   * - Field name
     - Type
     - Purpose
     - Constraints
     - Default
   * - public_ssh_key
     - String
     - CodeCommit User Public SSH Key
     -
     -
   * - username
     - String
     - CodeCommit Username
     -
     -
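The following resource/codecommit.yaml is an added example that is not taken from the Paco documentation or source. It puts the CodeCommit, CodeCommitRepositoryGroup, CodeCommitRepository and CodeCommitUser fields above together: the group name is the top-level key as the section describes, and each repository carries its users. The ``paco.ref accounts.<name>`` reference form, and the ``enabled``/``title`` fields from the Deployable and Title base schemas, are assumptions; the account names and SSH public keys are constructed placeholders.

```yaml
# resource/codecommit.yaml (added example; field names from the tables above)
# Top level: CodeCommitRepositoryGroups, keyed by group name.
# Assumed: paco.ref accounts.<name> references; enabled/title from base schemas.
application:                       # CodeCommitRepositoryGroup
  backend-api:                     # CodeCommitRepository
    enabled: true
    title: "Backend API service"
    account: paco.ref accounts.tools     # constructed account name
    region: us-west-2
    repository_name: backend-api
    description: "Backend API source"
    users:                         # Container<CodeCommitUser>
      alice:
        username: alice@example.com
        # Public half only; the private key never leaves the workstation.
        public_ssh_key: "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5EXAMPLEKEY alice@workstation"   # constructed
  legacy-frontend:
    # Repository that already exists in the account: Paco manages its users
    # but does not create the repository itself.
    enabled: true
    account: paco.ref accounts.tools
    region: us-west-2
    repository_name: legacy-frontend
    external_resource: true
    users:
      bob:
        username: bob@example.com
        public_ssh_key: "ssh-rsa AAAAB3NzaC1yc2EEXAMPLEKEY bob@workstation"   # constructed
```

Only public keys belong in this file. The AWS SSH key ID that ``paco provision resource.codecommit`` produces for each user is what goes into ``~/.ssh/config`` as the ``User`` value, so record it when the user is provisioned; give each person their own CodeCommitUser entry rather than sharing one key so that access can be revoked per user.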

EC2 Keypairs
------------

The resource/ec2.yaml file manages AWS EC2 Keypairs.

.. code-block:: bash

    paco provision resource.ec2.keypairs               # all keypairs
    paco provision resource.ec2.keypairs.devnet_usw2   # single keypair

EC2KeyPair
^^^^^^^^^^

EC2 SSH Key Pair

:guilabel:`EC2KeyPair`

.. list-table::
   :header-rows: 1

   * - Field name
     - Type
     - Purpose
     - Constraints
     - Default
   * - account
     - PacoReference
     - AWS Account the key pair belongs to
     - Paco Reference to Account.
     -
   * - keypair_name
     - String |star|
     - The name of the EC2 KeyPair
     -
     -
   * - region
     - String |star|
     - AWS Region
     - Must be a valid AWS Region name
     - no-region-set

Base Schemas: Named, Title

IAM
---

The resource/iam.yaml file contains IAM Users. Each user account can be given different levels of access to a set of AWS accounts. For more information on how IAM Users can be managed, see Managing IAM Users with Paco.

.. code-block:: bash

    paco provision resource.iam.users

IAMResource
^^^^^^^^^^^

IAM Resource contains IAM Users who can login and have different levels of access to the AWS Console and API.

:guilabel:`IAMResource`

.. list-table::
   :header-rows: 1

   * - Field name
     - Type
     - Purpose
     - Constraints
     - Default
   * - users
     - Container<IAMUsers>
     - IAM Users
     -
     -

Base Schemas: Named, Title

IAMUsers
^^^^^^^^

Container for IAMUser objects.

:guilabel:`IAMUsers` |bars| Container<IAMUser>

This container defines no fields of its own.

Base Schemas: Named, Title

IAMUser
^^^^^^^

IAM User represents a user that will exist in one account, but can also have delegate IAM Roles in other accounts that they are allowed to assume.

:guilabel:`IAMUser`

.. list-table::
   :header-rows: 1

   * - Field name
     - Type
     - Purpose
     - Constraints
     - Default
   * - account
     - PacoReference |star|
     - Paco account reference to install this user
     - Paco Reference to Account.
     -
   * - account_whitelist
     - CommaList
     - Comma separated list of Paco AWS account names this user has access to
     -
     -
   * - console_access_enabled
     - Boolean |star|
     - Console Access Boolean
     -
     -
   * - description
     - String
     - IAM User Description
     -
     -
   * - permissions
     - Container<IAMUserPermissions>
     - Paco IAM User Permissions
     -
     -
   * - programmatic_access
     - Object<IAMUserProgrammaticAccess>
     - Programmatic Access
     -
     -
   * - username
     - String
     - IAM Username
     -
     -

Base Schemas: Deployable, Named, Title

IAMUserProgrammaticAccess
^^^^^^^^^^^^^^^^^^^^^^^^^

IAM User Programmatic Access Configuration

:guilabel:`IAMUserProgrammaticAccess`

.. list-table::
   :header-rows: 1

   * - Field name
     - Type
     - Purpose
     - Constraints
     - Default
   * - access_key_1_version
     - Int
     - Access key version id
     -
     - 0
   * - access_key_2_version
     - Int
     - Access key version id
     -
     - 0

Base Schemas: Deployable
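The following resource/iam.yaml is an added example, not a file from the Paco documentation or source, showing the IAMResource, IAMUser and IAMUserProgrammaticAccess fields above in use: one human user with console and API access, and one CI service user that is API-only. The ``users:`` top-level key follows the IAMResource schema; the ``paco.ref accounts.<name>`` reference form and the ``enabled`` field from the Deployable base schema are assumptions, as is the reading that raising an access key version number reissues that key. The ``permissions`` container is not documented on this page, so it is left out.

```yaml
# resource/iam.yaml (added example; field names from the tables above)
# Assumed: paco.ref accounts.<name> references; enabled from the Deployable base schema.
users:                              # IAMResource.users -> IAMUsers container
  alice:                            # IAMUser
    enabled: true
    username: alice
    description: "Platform engineer: console plus CLI"
    account: paco.ref accounts.master     # account the IAM User object lives in (constructed name)
    account_whitelist: dev,staging        # CommaList of Paco account names she may reach
    console_access_enabled: true
    programmatic_access:              # IAMUserProgrammaticAccess (Deployable)
      enabled: true
      access_key_1_version: 1         # first issued key
      access_key_2_version: 0         # 0 = default, second key not issued
  ci-runner:
    enabled: true
    username: ci-runner
    description: "CI service user: API only, no console password"
    account: paco.ref accounts.master
    account_whitelist: dev            # narrowest set of accounts the job needs
    console_access_enabled: false     # service identities get no console login
    programmatic_access:
      enabled: true
      # Assumed rotation workflow: issue key 2, move the pipeline to it, then
      # bump key 1 later; two slots allow overlap without downtime.
      access_key_1_version: 1
      access_key_2_version: 1
```

Keep ``console_access_enabled`` false for any non-human identity, keep ``account_whitelist`` to the accounts the identity actually works in, and treat the version counters as the record of which key generation is live so that a leaked key can be retired by moving the pipeline to the other slot.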

IAMUserPermissions
^^^^^^^^^^^^^^^^^^

Container for IAM User Permission objects.

:guilabel:`IAMUserPermissions`

This container defines no fields of its own.

Base Schemas: Named, Title

Role
^^^^

:guilabel:`Role`

.. list-table::
   :header-rows: 1

   * - Field name
     - Type
     - Purpose
     - Constraints
     - Default
   * - assume_role_policy
     - Object<AssumeRolePolicy>
     - Assume role policy
     -
     -
   * - global_role_name
     - Boolean
     - Role name is globally unique and will not be hashed
     -
     - False
   * - instance_profile
     - Boolean
     - Instance profile
     -
     - False
   * - managed_policy_arns
     - List<String>
     - Managed policy ARNs
     -
     -
   * - max_session_duration
     - Int
     - Maximum session duration
     - The maximum session duration (in seconds)
     - 3600
   * - path
     - String
     - Path
     -
     - /
   * - permissions_boundary
     - String
     - Permissions boundary ARN
     - Must be valid ARN
     -
   * - policies
     - List<Policy>
     - Policies
     -
     -
   * - role_name
     - String
     - Role name
     -
     -

Base Schemas: Deployable, Named, Title

AssumeRolePolicy
^^^^^^^^^^^^^^^^

:guilabel:`AssumeRolePolicy`

.. list-table::
   :header-rows: 1

   * - Field name
     - Type
     - Purpose
     - Constraints
     - Default
   * - aws
     - List<String>
     - List of AWS Principals
     -
     -
   * - effect
     - String
     - Effect
     -
     -
   * - service
     - List<String>
     - Service
     -
     -

Policy
^^^^^^

:guilabel:`Policy`

.. list-table::
   :header-rows: 1

   * - Field name
     - Type
     - Purpose
     - Constraints
     - Default
   * - name
     - String
     - Policy name
     -
     -
   * - statement
     - List<Statement>
     - Statements
     -
     -

Statement
^^^^^^^^^

:guilabel:`Statement`

.. list-table::
   :header-rows: 1

   * - Field name
     - Type
     - Purpose
     - Constraints
     - Default
   * - action
     - List<String>
     - Action(s)
     -
     -
   * - effect
     - String
     - Effect
     - Must be one of: 'Allow', 'Deny'
     -
   * - resource
     - List<String>
     - Resource(s)
     -
     -

Base Schemas: Named, Title
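As an added example (not from the Paco documentation or source), here is a single Role object written against the Role, AssumeRolePolicy, Policy and Statement tables above. This page does not say where a Role object is attached in a Paco file, so only the object itself is shown; the account ID, ARNs and bucket name are constructed placeholders, and ``enabled`` is assumed to come from the Deployable base schema.

```yaml
# Role object (added example; field names from the Role/AssumeRolePolicy/Policy/Statement tables)
# 123456789012 and every ARN below are constructed placeholders.
enabled: true
role_name: artifact-reader
path: /
global_role_name: false          # default: let Paco hash the name so it stays unique
instance_profile: false          # not attached to EC2 instances
max_session_duration: 3600       # seconds; the default and the shortest AWS allows
permissions_boundary: arn:aws:iam::123456789012:policy/PacoBoundary   # caps what the role can ever do
assume_role_policy:              # who may call sts:AssumeRole on this role
  effect: Allow
  aws:
    - arn:aws:iam::123456789012:user/ci-runner
  service:
    - codebuild.amazonaws.com
managed_policy_arns:
  - arn:aws:iam::aws:policy/ReadOnlyAccess
policies:                        # inline Policy objects
  - name: artifact-bucket-read
    statement:
      - effect: Allow
        action:
          - s3:GetObject
          - s3:ListBucket
        resource:
          - arn:aws:s3:::example-build-artifacts
          - arn:aws:s3:::example-build-artifacts/*
      - effect: Deny             # explicit Deny wins over any Allow, including the managed policy
        action:
          - s3:DeleteObject
          - s3:PutObject
        resource:
          - arn:aws:s3:::example-build-artifacts/*
```

The shape to copy is the pairing: a tight ``assume_role_policy`` naming only the principals that need the role, resource-scoped ``Allow`` statements rather than ``*``, an explicit ``Deny`` for the operations the role must never perform, and a ``permissions_boundary`` so that later edits to the inline policies cannot grow the role past the boundary.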

Route 53
--------

Route53Resource
^^^^^^^^^^^^^^^

The resource/route53.yaml file manages AWS Route 53 hosted zones.

Provision Route 53 with:

.. code-block:: bash

    paco provision resource.route53

:guilabel:`Route53Resource`

.. list-table::
   :header-rows: 1

   * - Field name
     - Type
     - Purpose
     - Constraints
     - Default
   * - hosted_zones
     - Container<Route53HostedZone>
     - Hosted Zones
     -
     -

Base Schemas: Named, Title

Route53HostedZone
^^^^^^^^^^^^^^^^^

Route53 Hosted Zone

:guilabel:`Route53HostedZone`

.. list-table::
   :header-rows: 1

   * - Field name
     - Type
     - Purpose
     - Constraints
     - Default
   * - account
     - PacoReference |star|
     - Account this Hosted Zone belongs to
     - Paco Reference to Account.
     -
   * - domain_name
     - String |star|
     - Domain Name
     -
     -
   * - external_resource
     - Object<Route53HostedZoneExternalResource>
     - External HostedZone Id Configuration
     -
     -
   * - parent_zone
     - String
     - Parent Hosted Zone name
     -
     -
   * - record_sets
     - List<Route53RecordSet> |star|
     - List of Record Sets
     -
     -

Base Schemas: Deployable, Named, Title

Route53HostedZoneExternalResource
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^

Existing Hosted Zone configuration

:guilabel:`Route53HostedZoneExternalResource`

.. list-table::
   :header-rows: 1

   * - Field name
     - Type
     - Purpose
     - Constraints
     - Default
   * - hosted_zone_id
     - String |star|
     - ID of an existing Hosted Zone
     -
     -
   * - nameservers
     - List<String> |star|
     - List of the Hosted Zone's Nameservers
     -
     -

Base Schemas: Deployable, Named, Title

Route53RecordSet
^^^^^^^^^^^^^^^^

Route53 Record Set

:guilabel:`Route53RecordSet`

.. list-table::
   :header-rows: 1

   * - Field name
     - Type
     - Purpose
     - Constraints
     - Default
   * - record_name
     - String |star|
     - Record Set Full Name
     -
     -
   * - resource_records
     - List<String> |star|
     - Record Set Values
     -
     -
   * - ttl
     - Int
     - Record TTL
     -
     - 300
   * - type
     - String |star|
     - Record Set Type
     -
     -
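The following resource/route53.yaml is an added example, not a file from the Paco documentation or source, exercising the Route53Resource, Route53HostedZone, Route53HostedZoneExternalResource and Route53RecordSet fields above: a zone Paco creates, a subdomain zone that names its parent, and a zone created outside Paco that is referenced through ``external_resource``. The ``paco.ref accounts.<name>`` reference form, ``enabled`` from the Deployable base schema, and the use of the parent's domain name as the ``parent_zone`` value are assumptions; domain names, the hosted zone ID, nameservers and the 203.0.113.0/24 address (a documentation range) are constructed placeholders.

```yaml
# resource/route53.yaml (added example; field names from the tables above)
# Assumed: paco.ref accounts.<name> references; enabled from the Deployable base schema.
hosted_zones:                               # Route53Resource.hosted_zones
  example:                                  # Route53HostedZone created by Paco
    enabled: true
    account: paco.ref accounts.master       # constructed account name
    domain_name: example.com
    record_sets:                            # List<Route53RecordSet>
      - record_name: example.com
        type: A
        ttl: 300                            # the schema default
        resource_records:
          - 203.0.113.10                    # documentation address, constructed
      - record_name: _dmarc.example.com
        type: TXT
        ttl: 3600
        resource_records:
          - '"v=DMARC1; p=reject; rua=mailto:dmarc@example.com"'   # TXT values keep their quotes
  app:                                      # subdomain zone; parent_zone names the zone above
    enabled: true
    account: paco.ref accounts.dev
    domain_name: app.example.com
    parent_zone: example.com                # assumed: the parent's domain name
    record_sets:
      - record_name: api.app.example.com
        type: CNAME
        ttl: 60                             # short TTL for an endpoint that may move
        resource_records:
          - api-lb.app.example.com
  legacy:                                   # zone that already exists; reference, do not create
    enabled: true
    account: paco.ref accounts.master
    domain_name: legacy.example.com
    external_resource:                      # Route53HostedZoneExternalResource
      hosted_zone_id: ZPLACEHOLDER0000      # constructed placeholder
      nameservers:
        - ns-placeholder-1.awsdns.example   # constructed placeholders
        - ns-placeholder-2.awsdns.example
    record_sets:
      - record_name: legacy.example.com
        type: A
        ttl: 300
        resource_records:
          - 203.0.113.20
```

Because ``record_sets`` is a required field on every zone, each entry lists at least one record; the DMARC record shows that TXT values are written with their double quotes inside the YAML string, which is how Route 53 expects them.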

SNS Topics
----------

The resource/snstopics.yaml file manages AWS Simple Notification Service (SNS) resources. SNS has only two resources: SNS Topics and SNS Subscriptions.

.. code-block:: bash

    paco provision resource.snstopics

Prescribed Automation
^^^^^^^^^^^^^^^^^^^^^

cross_account_access: Creates an SNS Topic Policy which grants all of the AWS Accounts in this Paco Project the sns:Publish permission for this SNS Topic.

You will need this if you want to send CloudWatch Alarms from multiple accounts to the same SNS Topic(s) in one account.