@@ -40,6 +40,17 @@ class AwsAutomationUser(tb_pulumi.ThunderbirdComponentResource):
4040 :param user_name: The name to give the IAM user. Defaults to ``{name}-ci``.
4141 :type user_name: str
4242
43+ :param access_keys: Dict where the keys are arbitrary names for access keys to create for this user and the values
44+ are booleans indicating the key should be "Active" (True) or "Inactive" (False). To rotate an access key, first
45+ create a new key set to True. Then update the credentials wherever your implementation requires. Then deactivate
46+ the old key by setting its entry to False. If something unexpected breaks, you can still enable it again (set to
47+ True). When you're ready, delete the access key by removing its entry. Here's an example configuration where a
48+ new key ("green") has been created and an old key ("blue") is deactivated but not deleted:
49+
50+ access_keys:
51+ blue: False
52+ green: True
53+
4354 :param additional_policies: List of ARNs of IAM policies to additionally attach to the user. Defaults to [].
4455 :type additional_policies: list[str], optional
4556
@@ -52,6 +63,12 @@ class AwsAutomationUser(tb_pulumi.ThunderbirdComponentResource):
5263 these ECR repositories. Defaults to None.
5364 :type ecr_repositories: list[str], optional
5465
66+ :param enable_legacy_access_key: If ``True``, this will create an access key that is tracked outside of the dict of
67+ ``access_keys``. This is the way this module used to work, and it will be removed in a future version since it
68+ does not allow for cautious key rotation. Use it to migrate off of this feature, and afterward it should be set
69+ to False. Defaults to False.
70+ :type enable_legacy_access_key: bool
71+
5572 :param enable_fargate_deployments: When True, attaches a policy which allows new task definitions to be deployed
5673 to Fargate services. Use this when your CI pipeline needs to deploy new images to Fargate services. Defaults
5774 to False.
@@ -96,13 +113,15 @@ def __init__(
96113 name : str ,
97114 project : tb_pulumi .ThunderbirdPulumiProject ,
98115 user_name : str = None ,
116+ access_keys : dict = {},
99117 additional_policies : list [str ] = [],
100- enable_ecr_image_push : bool = False ,
101118 ecr_repositories : list [str ] = None ,
119+ enable_ecr_image_push : bool = False ,
102120 enable_fargate_deployments : str = False ,
121+ enable_full_s3_access : bool = False ,
122+ enable_legacy_access_key : bool = False ,
103123 fargate_clusters : list [str ] = None ,
104124 fargate_task_role_arns : list [str ] = None ,
105- enable_full_s3_access : bool = False ,
106125 s3_full_access_buckets : list = [],
107126 enable_s3_bucket_upload : bool = False ,
108127 s3_upload_buckets : list [str ] = [],
@@ -282,6 +301,8 @@ def __init__(
282301 user = tb_pulumi .iam .UserWithAccessKey (
283302 f'{ name } -iamuser' ,
284303 project = self .project ,
304+ access_keys = access_keys ,
305+ enable_legacy_access_key = enable_legacy_access_key ,
285306 exclude_from_project = True ,
286307 user_name = user_name ,
287308 policies = policies ,
0 commit comments