Skip to content

Commit 9b835b6

Browse files
committed
Support access key rotation in CI user
1 parent 081facc commit 9b835b6

1 file changed

Lines changed: 23 additions & 2 deletions

File tree

tb_pulumi/ci.py

Lines changed: 23 additions & 2 deletions
Original file line numberDiff line numberDiff line change
@@ -40,6 +40,17 @@ class AwsAutomationUser(tb_pulumi.ThunderbirdComponentResource):
4040
:param user_name: The name to give the IAM user. Defaults to ``{name}-ci``.
4141
:type user_name: str
4242
43+
:param access_keys: Dict where the keys are arbitrary names for access keys to create for this user and the values
44+
are booleans indicating the key should be "Active" (True) or "Inactive" (False). To rotate an access key, first
45+
create a new key set to True. Then update the credentials wherever your implementation requires. Then deactivate
46+
the old key by setting its entry to False. If something unexpected breaks, you can still enable it again (set to
47+
True). When you're ready, delete the access key by removing its entry. Here's an example configuration where a
48+
new key ("green") has been created and an old key ("blue") is deactivated but not deleted:
49+
50+
access_keys:
51+
blue: False
52+
green: True
53+
4354
:param additional_policies: List of ARNs of IAM policies to additionally attach to the user. Defaults to [].
4455
:type additional_policies: list[str], optional
4556
@@ -52,6 +63,12 @@ class AwsAutomationUser(tb_pulumi.ThunderbirdComponentResource):
5263
these ECR repositories. Defaults to None.
5364
:type ecr_repositories: list[str], optional
5465
66+
:param enable_legacy_access_key: If ``True``, this will create an access key that is tracked outside of the dict of
67+
``access_keys``. This is the way this module used to work, and it will be removed in a future version since it
68+
does not allow for cautious key rotation. Use it to migrate off of this feature, and afterward it should be set
69+
to False. Defaults to False.
70+
:type enable_legacy_access_key: bool
71+
5572
:param enable_fargate_deployments: When True, attaches a policy which allows new task definitions to be deployed
5673
to Fargate services. Use this when your CI pipeline needs to deploy new images to Fargate services. Defaults
5774
to False.
@@ -96,13 +113,15 @@ def __init__(
96113
name: str,
97114
project: tb_pulumi.ThunderbirdPulumiProject,
98115
user_name: str = None,
116+
access_keys: dict = {},
99117
additional_policies: list[str] = [],
100-
enable_ecr_image_push: bool = False,
101118
ecr_repositories: list[str] = None,
119+
enable_ecr_image_push: bool = False,
102120
enable_fargate_deployments: str = False,
121+
enable_full_s3_access: bool = False,
122+
enable_legacy_access_key: bool = False,
103123
fargate_clusters: list[str] = None,
104124
fargate_task_role_arns: list[str] = None,
105-
enable_full_s3_access: bool = False,
106125
s3_full_access_buckets: list = [],
107126
enable_s3_bucket_upload: bool = False,
108127
s3_upload_buckets: list[str] = [],
@@ -282,6 +301,8 @@ def __init__(
282301
user = tb_pulumi.iam.UserWithAccessKey(
283302
f'{name}-iamuser',
284303
project=self.project,
304+
access_keys=access_keys,
305+
enable_legacy_access_key=enable_legacy_access_key,
285306
exclude_from_project=True,
286307
user_name=user_name,
287308
policies=policies,

0 commit comments

Comments
 (0)