tessl/generic-pulumi--aws
Comprehensive Amazon Web Services (AWS) infrastructure provider for Pulumi enabling multi-language infrastructure-as-code with 225+ AWS services
—
Pending
security.mddocs/
Security & Identity Services
Comprehensive security and identity management including IAM for access control, KMS for encryption, certificate management, and security monitoring services.
Capabilities
IAM - Identity and Access Management
AWS Identity and Access Management enables secure control of access to AWS services and resources.
/**
* IAM User
*/
class iam.User extends pulumi.CustomResource {
constructor(name: string, args?: iam.UserArgs, opts?: pulumi.CustomResourceOptions);
/** User ARN */
readonly arn: pulumi.Output<string>;
/** User name */
readonly name: pulumi.Output<string>;
/** Unique ID */
readonly uniqueId: pulumi.Output<string>;
/** Path */
readonly path: pulumi.Output<string>;
/** Permissions boundary */
readonly permissionsBoundary: pulumi.Output<string>;
/** Force destroy */
readonly forceDestroy: pulumi.Output<boolean>;
/** Resource tags */
readonly tags: pulumi.Output<{[key: string]: string}>;
}
interface iam.UserArgs {
/** User name */
name?: pulumi.Input<string>;
/** Path for the user */
path?: pulumi.Input<string>;
/** Permissions boundary policy ARN */
permissionsBoundary?: pulumi.Input<string>;
/** Force destroy user on deletion */
forceDestroy?: pulumi.Input<boolean>;
/** Resource tags */
tags?: pulumi.Input<{[key: string]: pulumi.Input<string>}>;
}
/**
* IAM Role
*/
class iam.Role extends pulumi.CustomResource {
constructor(name: string, args: iam.RoleArgs, opts?: pulumi.CustomResourceOptions);
/** Role ARN */
readonly arn: pulumi.Output<string>;
/** Role name */
readonly name: pulumi.Output<string>;
/** Unique ID */
readonly uniqueId: pulumi.Output<string>;
/** Path */
readonly path: pulumi.Output<string>;
/** Assume role policy document */
readonly assumeRolePolicy: pulumi.Output<string>;
/** Description */
readonly description: pulumi.Output<string>;
/** Maximum session duration */
readonly maxSessionDuration: pulumi.Output<number>;
/** Permissions boundary */
readonly permissionsBoundary: pulumi.Output<string>;
/** Resource tags */
readonly tags: pulumi.Output<{[key: string]: string}>;
}
interface iam.RoleArgs {
/** Assume role policy document (JSON) */
assumeRolePolicy: pulumi.Input<string>;
/** Role name */
name?: pulumi.Input<string>;
/** Path for the role */
path?: pulumi.Input<string>;
/** Description */
description?: pulumi.Input<string>;
/** Maximum session duration in seconds */
maxSessionDuration?: pulumi.Input<number>;
/** Permissions boundary policy ARN */
permissionsBoundary?: pulumi.Input<string>;
/** Force detach policies on deletion */
forceDetachPolicies?: pulumi.Input<boolean>;
/** Resource tags */
tags?: pulumi.Input<{[key: string]: pulumi.Input<string>}>;
}
/**
* IAM Policy
*/
class iam.Policy extends pulumi.CustomResource {
constructor(name: string, args: iam.PolicyArgs, opts?: pulumi.CustomResourceOptions);
/** Policy ARN */
readonly arn: pulumi.Output<string>;
/** Policy name */
readonly name: pulumi.Output<string>;
/** Policy document */
readonly policy: pulumi.Output<string>;
/** Path */
readonly path: pulumi.Output<string>;
/** Description */
readonly description: pulumi.Output<string>;
/** Resource tags */
readonly tags: pulumi.Output<{[key: string]: string}>;
}
interface iam.PolicyArgs {
/** Policy document (JSON) */
policy: pulumi.Input<string>;
/** Policy name */
name?: pulumi.Input<string>;
/** Path for the policy */
path?: pulumi.Input<string>;
/** Description */
description?: pulumi.Input<string>;
/** Resource tags */
tags?: pulumi.Input<{[key: string]: pulumi.Input<string>}>;
}
/**
* IAM Instance Profile
*/
class iam.InstanceProfile extends pulumi.CustomResource {
constructor(name: string, args?: iam.InstanceProfileArgs, opts?: pulumi.CustomResourceOptions);
/** Instance profile ARN */
readonly arn: pulumi.Output<string>;
/** Instance profile name */
readonly name: pulumi.Output<string>;
/** Path */
readonly path: pulumi.Output<string>;
/** Role */
readonly role: pulumi.Output<string>;
/** Unique ID */
readonly uniqueId: pulumi.Output<string>;
/** Resource tags */
readonly tags: pulumi.Output<{[key: string]: string}>;
}
/**
* IAM Policy Attachment
*/
class iam.RolePolicyAttachment extends pulumi.CustomResource {
constructor(name: string, args: iam.RolePolicyAttachmentArgs, opts?: pulumi.CustomResourceOptions);
/** Role name */
readonly role: pulumi.Output<string>;
/** Policy ARN */
readonly policyArn: pulumi.Output<string>;
}
interface iam.RolePolicyAttachmentArgs {
/** Role name */
role: pulumi.Input<string>;
/** Policy ARN */
policyArn: pulumi.Input<string>;
}Usage Examples:
// Create IAM role for Lambda function
const lambdaRole = new aws.iam.Role("lambda-role", {
name: "lambda-execution-role",
assumeRolePolicy: JSON.stringify({
Version: "2012-10-17",
Statement: [{
Action: "sts:AssumeRole",
Effect: "Allow",
Principal: {
Service: "lambda.amazonaws.com"
}
}]
}),
description: "Execution role for Lambda functions",
tags: {
Name: "LambdaExecutionRole",
Purpose: "lambda-execution"
}
});
// Attach basic execution policy
const lambdaBasicPolicy = new aws.iam.RolePolicyAttachment("lambda-basic", {
role: lambdaRole.name,
policyArn: "arn:aws:iam::aws:policy/service-role/AWSLambdaBasicExecutionRole"
});
// Create custom policy for S3 access
const s3Policy = new aws.iam.Policy("s3-access", {
name: "S3AccessPolicy",
description: "Policy for S3 bucket access",
policy: JSON.stringify({
Version: "2012-10-17",
Statement: [{
Effect: "Allow",
Action: [
"s3:GetObject",
"s3:PutObject",
"s3:DeleteObject"
],
Resource: `${bucket.arn}/*`
}, {
Effect: "Allow",
Action: [
"s3:ListBucket"
],
Resource: bucket.arn
}]
})
});
// Attach custom policy to role
const s3PolicyAttachment = new aws.iam.RolePolicyAttachment("s3-policy", {
role: lambdaRole.name,
policyArn: s3Policy.arn
});
// Create instance profile for EC2
const instanceProfile = new aws.iam.InstanceProfile("ec2-profile", {
name: "ec2-instance-profile",
role: lambdaRole.name,
tags: {
Name: "EC2InstanceProfile"
}
});
// Create IAM user with programmatic access
const apiUser = new aws.iam.User("api-user", {
name: "api-service-user",
path: "/service-accounts/",
tags: {
Name: "APIServiceUser",
Purpose: "api-access"
}
});
// Create access key for user
const apiUserKey = new aws.iam.AccessKey("api-user-key", {
user: apiUser.name
});KMS - Key Management Service
AWS Key Management Service creates and manages cryptographic keys for data encryption.
/**
* KMS Key
*/
class kms.Key extends pulumi.CustomResource {
constructor(name: string, args?: kms.KeyArgs, opts?: pulumi.CustomResourceOptions);
/** Key ARN */
readonly arn: pulumi.Output<string>;
/** Key ID */
readonly keyId: pulumi.Output<string>;
/** Description */
readonly description: pulumi.Output<string>;
/** Key usage */
readonly keyUsage: pulumi.Output<string>;
/** Key spec */
readonly keySpec: pulumi.Output<string>;
/** Policy */
readonly policy: pulumi.Output<string>;
/** Deletion window in days */
readonly deletionWindowInDays: pulumi.Output<number>;
/** Enable key */
readonly isEnabled: pulumi.Output<boolean>;
/** Enable key rotation */
readonly enableKeyRotation: pulumi.Output<boolean>;
/** Multi-region key */
readonly multiRegion: pulumi.Output<boolean>;
/** Resource tags */
readonly tags: pulumi.Output<{[key: string]: string}>;
}
interface kms.KeyArgs {
/** Description */
description?: pulumi.Input<string>;
/** Key usage (ENCRYPT_DECRYPT, SIGN_VERIFY) */
keyUsage?: pulumi.Input<string>;
/** Key spec */
keySpec?: pulumi.Input<string>;
/** Key policy document (JSON) */
policy?: pulumi.Input<string>;
/** Deletion window in days (7-30) */
deletionWindowInDays?: pulumi.Input<number>;
/** Enable key */
isEnabled?: pulumi.Input<boolean>;
/** Enable automatic key rotation */
enableKeyRotation?: pulumi.Input<boolean>;
/** Multi-region key */
multiRegion?: pulumi.Input<boolean>;
/** Resource tags */
tags?: pulumi.Input<{[key: string]: pulumi.Input<string>}>;
}
/**
* KMS Alias
*/
class kms.Alias extends pulumi.CustomResource {
constructor(name: string, args: kms.AliasArgs, opts?: pulumi.CustomResourceOptions);
/** Alias ARN */
readonly arn: pulumi.Output<string>;
/** Alias name */
readonly name: pulumi.Output<string>;
/** Target key ID */
readonly targetKeyId: pulumi.Output<string>;
}
interface kms.AliasArgs {
/** Alias name (must start with 'alias/') */
name: pulumi.Input<string>;
/** Target key ID or ARN */
targetKeyId: pulumi.Input<string>;
}
/**
* KMS Grant
*/
class kms.Grant extends pulumi.CustomResource {
constructor(name: string, args: kms.GrantArgs, opts?: pulumi.CustomResourceOptions);
/** Grant ID */
readonly keyId: pulumi.Output<string>;
/** Grantee principal */
readonly granteePrincipal: pulumi.Output<string>;
/** Operations */
readonly operations: pulumi.Output<string[]>;
/** Grant token */
readonly token: pulumi.Output<string>;
}Usage Examples:
// Create KMS key for encryption
const encryptionKey = new aws.kms.Key("encryption-key", {
description: "Key for application data encryption",
keyUsage: "ENCRYPT_DECRYPT",
enableKeyRotation: true,
policy: JSON.stringify({
Version: "2012-10-17",
Statement: [
{
Sid: "Enable IAM User Permissions",
Effect: "Allow",
Principal: {
AWS: `arn:aws:iam::${current.accountId}:root`
},
Action: "kms:*",
Resource: "*"
},
{
Sid: "Allow use of the key",
Effect: "Allow",
Principal: {
AWS: lambdaRole.arn
},
Action: [
"kms:Encrypt",
"kms:Decrypt",
"kms:ReEncrypt*",
"kms:GenerateDataKey*",
"kms:DescribeKey"
],
Resource: "*"
}
]
}),
tags: {
Name: "ApplicationEncryptionKey",
Purpose: "data-encryption"
}
});
// Create alias for the key
const keyAlias = new aws.kms.Alias("encryption-key-alias", {
name: "alias/application-encryption",
targetKeyId: encryptionKey.keyId
});
// Create grant for specific operations
const lambdaGrant = new aws.kms.Grant("lambda-grant", {
keyId: encryptionKey.keyId,
granteePrincipal: lambdaRole.arn,
operations: [
"Encrypt",
"Decrypt",
"GenerateDataKey"
]
});ACM - Certificate Manager
AWS Certificate Manager provisions and manages SSL/TLS certificates for AWS services.
/**
* ACM Certificate
*/
class acm.Certificate extends pulumi.CustomResource {
constructor(name: string, args: acm.CertificateArgs, opts?: pulumi.CustomResourceOptions);
/** Certificate ARN */
readonly arn: pulumi.Output<string>;
/** Domain name */
readonly domainName: pulumi.Output<string>;
/** Subject alternative names */
readonly subjectAlternativeNames: pulumi.Output<string[]>;
/** Validation method */
readonly validationMethod: pulumi.Output<string>;
/** Domain validation options */
readonly domainValidationOptions: pulumi.Output<acm.CertificateDomainValidationOption[]>;
/** Status */
readonly status: pulumi.Output<string>;
/** Resource tags */
readonly tags: pulumi.Output<{[key: string]: string}>;
}
interface acm.CertificateArgs {
/** Domain name */
domainName: pulumi.Input<string>;
/** Subject alternative names */
subjectAlternativeNames?: pulumi.Input<pulumi.Input<string>[]>;
/** Validation method (DNS or EMAIL) */
validationMethod?: pulumi.Input<string>;
/** Lifecycle rule */
lifecycle?: pulumi.Input<acm.CertificateLifecycle>;
/** Resource tags */
tags?: pulumi.Input<{[key: string]: pulumi.Input<string>}>;
}
/**
* ACM Certificate Validation
*/
class acm.CertificateValidation extends pulumi.CustomResource {
constructor(name: string, args: acm.CertificateValidationArgs, opts?: pulumi.CustomResourceOptions);
/** Certificate ARN */
readonly certificateArn: pulumi.Output<string>;
/** Validation record FQDNs */
readonly validationRecordFqdns: pulumi.Output<string[]>;
}
interface acm.CertificateValidationArgs {
/** Certificate ARN */
certificateArn: pulumi.Input<string>;
/** Validation record FQDNs */
validationRecordFqdns?: pulumi.Input<pulumi.Input<string>[]>;
/** Timeout */
timeouts?: pulumi.Input<acm.CertificateValidationTimeouts>;
}Usage Examples:
// Request SSL certificate with DNS validation
const certificate = new aws.acm.Certificate("ssl-cert", {
domainName: "example.com",
subjectAlternativeNames: ["*.example.com"],
validationMethod: "DNS",
lifecycle: {
createBeforeDestroy: true
},
tags: {
Name: "ExampleSSLCert",
Environment: "production"
}
});
// Create validation DNS records
const certValidationRecords = certificate.domainValidationOptions.apply(options =>
options.map(option =>
new aws.route53.Record(`cert-validation-${option.domainName}`, {
zoneId: zone.zoneId,
name: option.resourceRecordName,
type: option.resourceRecordType,
records: [option.resourceRecordValue],
ttl: 60
})
)
);
// Validate certificate
const certificateValidation = new aws.acm.CertificateValidation("cert-validation", {
certificateArn: certificate.arn,
validationRecordFqdns: certValidationRecords.apply(records =>
records.map(record => record.fqdn)
)
});Secrets Manager
AWS Secrets Manager securely stores and manages sensitive information like API keys and database passwords.
/**
* Secrets Manager Secret
*/
class secretsmanager.Secret extends pulumi.CustomResource {
constructor(name: string, args?: secretsmanager.SecretArgs, opts?: pulumi.CustomResourceOptions);
/** Secret ARN */
readonly arn: pulumi.Output<string>;
/** Secret name */
readonly name: pulumi.Output<string>;
/** Description */
readonly description: pulumi.Output<string>;
/** KMS key ID */
readonly kmsKeyId: pulumi.Output<string>;
/** Recovery window in days */
readonly recoveryWindowInDays: pulumi.Output<number>;
/** Resource tags */
readonly tags: pulumi.Output<{[key: string]: string}>;
}
interface secretsmanager.SecretArgs {
/** Secret name */
name?: pulumi.Input<string>;
/** Description */
description?: pulumi.Input<string>;
/** KMS key ID for encryption */
kmsKeyId?: pulumi.Input<string>;
/** Recovery window in days (0-30) */
recoveryWindowInDays?: pulumi.Input<number>;
/** Force overwrite of replica secret */
forceOverwriteReplicaSecret?: pulumi.Input<boolean>;
/** Resource tags */
tags?: pulumi.Input<{[key: string]: pulumi.Input<string>}>;
}
/**
* Secret Version
*/
class secretsmanager.SecretVersion extends pulumi.CustomResource {
constructor(name: string, args: secretsmanager.SecretVersionArgs, opts?: pulumi.CustomResourceOptions);
/** Secret ID */
readonly secretId: pulumi.Output<string>;
/** Secret string */
readonly secretString: pulumi.Output<string>;
/** Secret binary */
readonly secretBinary: pulumi.Output<string>;
/** Version ID */
readonly versionId: pulumi.Output<string>;
/** Version stages */
readonly versionStages: pulumi.Output<string[]>;
}
interface secretsmanager.SecretVersionArgs {
/** Secret ID or ARN */
secretId: pulumi.Input<string>;
/** Secret string value */
secretString?: pulumi.Input<string>;
/** Secret binary value */
secretBinary?: pulumi.Input<string>;
/** Version stages */
versionStages?: pulumi.Input<pulumi.Input<string>[]>;
}Usage Examples:
// Create secret for database password
const dbSecret = new aws.secretsmanager.Secret("db-password", {
name: "prod/database/password",
description: "Database password for production environment",
kmsKeyId: encryptionKey.arn,
tags: {
Name: "DatabasePassword",
Environment: "production"
}
});
// Set secret value
const dbSecretVersion = new aws.secretsmanager.SecretVersion("db-password-version", {
secretId: dbSecret.id,
secretString: JSON.stringify({
username: "dbadmin",
password: "super-secure-password",
host: database.endpoint,
port: database.port,
dbname: database.dbName
})
});
// Create secret for API keys
const apiSecret = new aws.secretsmanager.Secret("api-keys", {
name: "prod/api/keys",
description: "API keys for external services",
tags: {
Name: "APIKeys",
Environment: "production"
}
});
const apiSecretVersion = new aws.secretsmanager.SecretVersion("api-keys-version", {
secretId: apiSecret.id,
secretString: JSON.stringify({
stripeKey: "sk_live_...",
twilioKey: "AC...",
googleMapsKey: "AIza..."
})
});Install with Tessl CLI
npx tessl i tessl/generic-pulumi--aws