-
Notifications
You must be signed in to change notification settings - Fork 16
/
pulumi_aws.saas.txt
246 lines (202 loc) · 12.6 KB
/
pulumi_aws.saas.txt
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
PULUMI_AWS
@pulumi/aws #CW. "AWS classic". Component PACKAGE
#PACKAGE 'aws'
#Version 6.13.2
@pulumi/aws-native #NW. Native PACKAGE, using AWS Cloud Control
#PACKAGE 'aws-native'
#Pro:
# - more up-to-date with recent AWS releases
# - closer to AWS API shape
#Cons:
# - fewer PROV_RPROPS|REZs
# - sometimes less dev-friendly
#Prefer CW most of the time, unless it is a missing a given SERVICE|REZ
#Version 0.90.0
@pulumi/awsx #XW. "Pulumi CrossWalk for AWS".
#PACKAGE 'awsx'
#KREZs on top of @pulumi/aws
#Only for a few SERVICEs
#Not very useful, as the additional abstraction:
# - restrict features, e.g. RPROPs
# - does not bring much value except for fewer lines of code
#Version 2.3.0
/=+===============================+=\
/ : : \
)==: CONFIG :==(
\ :_______________________________: /
\=+===============================+=/
CW|NW.config #C|NPROV_RPROPS
ENVVAR AWS_*
ENVVAR HTTP[S]_PROXY
~/.aws/config #Can be used
C|NPROV_RPROPS #PROV_RPROPS of CW|NW
CPROV_RPROPS.sharedConfigFiles
CPROV_RPROPS
.sharedCredentialsFiles
NPROV_RPROPS
.sharedCredentialsFile
C|NPROV_RPROPS.profile
C|NPROV_RPROPS.accessKey
C|NPROV_RPROPS.secretKey
C|NPROV_RPROPS.token
C|NPROV_RPROPS.region
C|NPROV_RPROPS.maxRetries
CPROV_RPROPS.useFipsEndpoint
CPROV_RPROPS.useDualstackEndpoint
CPROV_RPROPS.customCaBundle
CPROV_RPROPS.s3UsePathStyle
CPROV_RPROPS
.ec2MetadataServiceEndpoint[Mode]#Like AWS CONFIG.*
CPROV_RPROPS.insecure
CPROV_RPROPS.httpProxy #Like AWS CLI --*
CPROV_RPROPS
.assumeRoleWithWebIdentity.* #Only with CW
C|NPROV_RPROPS
.assumeRole[WithWebIdentity]
.roleArn|sessionName
C|NPROV_RPROPS.assumeRole
.externalId
CPROV_RPROPS
.assumeRole[WithWebIdentity]
.duration
NPROV_RPROPS.assumeRole
.durationSeconds
CPROV_RPROPS
.assumeRoleWithWebIdentity
.webIdentityToken[File] #Like AWS CONFIG.*
C|NPROV_RPROPS
.assumeRole[WithWebIdentity]
.policy #'POLICY_DOC' to attach to the ROLE
C|NPROV_RPROPS
.assumeRole[WithWebIdentity]
.policyArns #Same as POLICY_ARN_ARR
CPROV_RPROPS.assumeRole
.sourceIdentity #ASSUMED_ROLE_REQ.SourceIdentity
C|NPROV_RPROPS.assumeRole
.tags|transitiveTagKeys #ASSUMED_ROLE_REQ.Tags|TransitiveTagKeys
NPROV_RPROPS.roleArn #ROLE_ARN used to list SERVICEs with Cloud Control
#Not used for the actual operations
#Def: same as main ROLE
CPROV_RPROPS
.skipMetadataApiCheck #BOOL. If true (def), cannot authenticate using EC2 instance metadata.
C|NPROV_RPROPS
.allowed|forbiddenAccountIds #'ACCOUNT_ID'_ARR that can [not] be used (def: all|none)
CPROV_RPROPS.stsRegion #'REGION'
CPROV_RPROPS.endpoints.SERVICE #'SERVICE_FULL_DOMAIN' (def: auto)
CPROV_RPROPS #BOOL (def: false). Still attempt request even without STS credentials.
.skipCredentialsValidation #Mostly useful for specific edge cases, e.g. using LocalStack
CPROV_RPROPS
.skipRegionValidation #BOOL (def: false). Allow unknown 'REGION'. Only for edge cases
CPROV_RPROPS
.skipRequestingAccountId #BOOL (def: false). Do not retrieve the 'ACCOUNT_ID'. Only for edge cases
/=+===============================+=\
/ : : \
)==: GENERAL :==(
\ :_______________________________: /
\=+===============================+=/
NW.getAccountId()->>OBJ2 #OBJ2: accountId 'ACCOUNT_ID'
CW.getArn('ARN')->>OBJ #Parse ARN into OBJ:
# - arn 'ARN'
# - partition 'PARTITION'
# - service 'SERVICE'
# - region 'REGION'|undefined
# - account 'ACCOUNT_ID'|undefined
# - resource '[RESOURCE_TYPE:][NAMEPATH/]NAME'
CW|NW.getPartition([OBJ])->>OBJ2 #Get PARTITION.
#OBJ:
# - id 'PARTITION' (def: current)
#OBJ2:
# - partition 'PARTITION'
# - dnsSuffix 'amazonaws.com[.cn]'
# - reverseDnsPrefix '[cn.]com.amazonaws' (only CW)
NW.getURLSuffix()->>OBJ2 #OBJ2: urlSuffix 'amazonaws.com[.cn]'
CW|NW.Region.USEast1|... #'REGION', e.g. 'us-east-1'
NW.getRegion()->>OBJ2 #OBJ2: name 'REGION'
CW.getRegion([OBJ])->>OBJ2 #OBJ[2]:
# - name 'REGION' (def: current)
# - endpoint 'SERVICE_DOMAIN'
#OBJ2:
# - description STR
CW.getRegions([OBJ])->>OBJ2 #OBJ:
# - allRegions BOOL (def: false): include disabled ones
# - filters OBJ_ARR
# - name 'endpoint|opt-in-status|region-name'
# - values STR_ARR
#OBJ2:
# - names 'REGION'_ARR
#Uses EC2 DescribeRegions()
CW.getService([OBJ])->>OBJ2 #OBJ[2]:
# - serviceId 'SERVICE'
# - dnsName 'SERVICE.REGION.amazonaws.com'
# - reverseDnsName 'com.amazonaws.REGION.SERVICE'
# - reverseDnsPrefix '[cn.]com.amazonaws'
# - region 'REGION'
#OBJ2:
# - partition 'PARTITION'
# - supported BOOL: in the REGION + PARTITION
/=+===============================+=\
/ : : \
)==: RESOURCES :==(
\ :_______________________________: /
\=+===============================+=/
MODULE #Name of the SERVICE
#Sometimes differ between CW and NW
#Some SERVICEs are present only in either CW or NW
REZ #NW has fewer
#Sub-resources are sometimes merged onto their parent (e.g. S3 ACCELERATE is configured in BUCKET)
REZ.id #'ARN'|NAME|MID|other
ARN ==> #Sometimes, if a RPROP value is 'ARN', it also accepts REZ directly
RPROPS.*Prefix #Sometimes used. Like RPROPS.* but appends random suffix
RPROPS|OUTPUTS #Some are sometimes missing
#CW is sometimes less close to AWS API to be more dev-friendly:
# - more convenient type, e.g. ASSET|ARCHIVE
# - additional ones
'RPROP|OUTPUT' #Same name, but camelCase
#Sometimes CW name slightly different from AWS
TRIGGER ==> #When an RPROP cannot be updated by an AWS ACTION
#CW also adds REZ.triggers sometimes
REZ_CLASS.get(...) #Only with CW
MODULE.getREZ(RPROPS)->>}OBJ{ #Similar to REZ_CLASS.get(...)
#Has fewer RPROPS: usually only ones for REZ.id
#For most REZ, but not all
REZ.skipDestroy #BOOL (def: false) on some REZ
#Does retainOnDelete.
#Useful for REZs purposely versioned, e.g. Lambda LAYER_VERSION
#Only with CW
/=+===============================+=\
/ : : \
)==: TAGS :==(
\ :_______________________________: /
\=+===============================+=/
CPROV_RPROPS.defaultTags #TAGS applied to all REZs
CPROV_RPROPS.ignoreTags.keys #'TAG'_ARR to ignore on all REZs, for both req|res
#Should add those to ROPTS.ignoreChanges too, to avoid perpetual diff
C|NPROV_RPROPS
.ignoreTags.keyPrefixes #Same with STR_ARR prefixes
CW.getDefaultTags([OBJ])->>OBJ2 #OBJ[2]: tags TAGS
REZ.tags[All] #With CW: OBJ
#With NW: OBJ_ARR: name|value
REZ.tagsAll #Like REZ.tags, but includes defaultTags
/=+===============================+=\
/ : : \
)==: AWSGUARD :==(
\ :_______________________________: /
\=+===============================+=/
@pulumi/awsguard #Version 0.4.0
new AwsGuard #Adds new PolicyPack() with predefined POLICYs for AWS
(['POLICY_PACK', ][OPTS]) #Def 'POLICY_PACK': 'pulumi-awsguard'
#OPTS.POLICY: PPCONF
#Can set enforcementLevel STR:
# - on OPTS.enforcementLevel: all POLICYs
# - or OPTS.POLICY.enforcementLevel: specific POLICY
# - OPTS.POLICY STR: shortcut when no PPCONF
# - def: 'advisory'
# - can set to 'disabled' to opt-in instead of opt-out
#POLICY and their PPCONF
# - only for a few SERVICEs
# - multiple per SERVICE
# - documented in their respective SERVICE
#OPTS.POLICY is camelCase, namespaced by SERVICE
# - but 'POLICY' is dasherize-lowercase, without SERVICE namespace