From 827cccf8777f5a2a128da2204c82c58a45c37316 Mon Sep 17 00:00:00 2001 From: Ryan Jung Date: Tue, 11 Feb 2025 14:51:14 -0700 Subject: [PATCH] Update docs to include resources; remove outputs --- tb_pulumi/__init__.py | 4 ++-- tb_pulumi/ci.py | 29 +++++++++++++---------- tb_pulumi/cloudfront.py | 45 ++++++++++++++++++------------------ tb_pulumi/cloudwatch.py | 45 +++++++++++++++++++++--------------- tb_pulumi/ec2.py | 35 ++++++++++++++++++++++------ tb_pulumi/fargate.py | 40 ++++++++++++++++++++++++++++---- tb_pulumi/monitoring.py | 20 +++++++--------- tb_pulumi/network.py | 51 +++++++++++++++++++++++++++++++++-------- tb_pulumi/rds.py | 38 +++++++++++++++++++++++++----- tb_pulumi/secrets.py | 21 ++++++++++++++--- 10 files changed, 232 insertions(+), 96 deletions(-) diff --git a/tb_pulumi/__init__.py b/tb_pulumi/__init__.py index c396174..e1d50d4 100644 --- a/tb_pulumi/__init__.py +++ b/tb_pulumi/__init__.py @@ -17,8 +17,8 @@ #: Type alias representing valid types to be found among a ThunderbirdPulumiProject's resources type Flattenable = dict | list | ThunderbirdComponentResource | pulumi.Output | pulumi.Resource -FINISH_OUTPUTS_DEPRECATION_MESSAGE = """Calling ThunderbirdComponentResource.finish with the "outputs" parameter is DEPRECATED. This parameter will be - removed in a future version.""" +FINISH_OUTPUTS_DEPRECATION_MESSAGE = """Calling ThunderbirdComponentResource.finish with the "outputs" parameter is + DEPRECATED. This parameter will be removed in a future version.""" class ThunderbirdPulumiProject: diff --git a/tb_pulumi/ci.py b/tb_pulumi/ci.py index 9d796c8..35dcead 100644 --- a/tb_pulumi/ci.py +++ b/tb_pulumi/ci.py @@ -16,18 +16,23 @@ class AwsAutomationUser(tb_pulumi.ThunderbirdComponentResource): Produces the following ``resources``: - - *user* - `aws.iam.User `_ to run CI operations. - - *access_key* - `aws.iam.AccessKey `_ for - that user's authentication. - - *secret* - :py:class:`tb_pulumi.secrets.SecretsManagerSecret` where the access key data is stored. - - *ecr_image_push_policy* - `aws.iam.Policy `_ - defining permissions required to push container images to an ECR repository. - - *s3_upload_policy* - `aws.iam.Policy `_ - defining permissions required to upload files to S3 buckets. - - *s3_full_access_policy* - `aws.iam.Policy `_ - defining complete, unfettered access to S3 buckets and their contents. - - *fargate_deployment_policy* - `aws.iam.Policy `_ - defining permissions needed to deploy images to a Fargate service. + - *user* - `aws.iam.User `_ to run CI + operations. + - *access_key* - `aws.iam.AccessKey `_ for + that user's authentication. + - *secret* - :py:class:`tb_pulumi.secrets.SecretsManagerSecret` where the access key data is stored. + - *ecr_image_push_policy* - `aws.iam.Policy `_ + defining permissions required to push container images to an ECR repository, but only if + ``enable_ecr_image_push`` is ``True``. + - *s3_upload_policy* - `aws.iam.Policy `_ + defining permissions required to upload files to S3 buckets, but only if ``enable_s3_bucket_upload`` is + ``True``. + - *s3_full_access_policy* - `aws.iam.Policy + `_ defining complete, unfettered access to + S3 buckets and their contents, but only if ``enable_full_s3_access`` is ``True``. + - *fargate_deployment_policy* - `aws.iam.Policy + `_ defining permissions needed to deploy + images to a Fargate service, but only if ``enable_fargate_deployments`` is ``True``. :param name: Name of the IAM user to create. diff --git a/tb_pulumi/cloudfront.py b/tb_pulumi/cloudfront.py index acc7c67..d84db9a 100644 --- a/tb_pulumi/cloudfront.py +++ b/tb_pulumi/cloudfront.py @@ -18,28 +18,29 @@ class CloudFrontS3Service(tb_pulumi.ThunderbirdComponentResource): Produces the following ``resources``: - - *service_bucket* - `aws.s3.Bucket `_ in which to - store the static content to be served over the CloudFront Distribution. - - *logging_bucket* - `aws.s3.Bucket `_ in which to - store the access logs for the service bucket. - - *logging_bucket_ownership* - `aws.s3.BucketOwnershipControls - `_ which allow CloudFront to - upload logs into the logging bucket. - - *logging_bucket_acl* - `aws.s3.BucketAclV2 - `_ allowing CloudFront to control the - logging bucket via the AWS account's canonical user. - - *origin_access_control* - `aws.cloudfront.OriginAccessControl - `_ allowing the CloudFront - Distribution to service the service bucket's content via CDN. - - *cloudfront_distribution* - `aws.cloudfront.Distribution - `_ that serves the service bucket - content over a CDN and produces output logs in the logging bucket. - - *service_bucket_policy* - `aws.s3.BucketPolicy - `_ allowing the CloudFront Distribution - read access to the objects in the service bucket. - - *invalidation_policy* - `aws.iam.Policy `_ - that allows an IAM entity to create cache invalidations in the CloudFront Distribution, which must be done when - the contents of the service bucket are updated. + - *service_bucket* - `aws.s3.Bucket `_ in + which to store the static content to be served over the CloudFront Distribution. + - *logging_bucket* - `aws.s3.Bucket `_ in + which to store the access logs for the service bucket. + - *logging_bucket_ownership* - `aws.s3.BucketOwnershipControls + `_ which allow CloudFront + to upload logs into the logging bucket. + - *logging_bucket_acl* - `aws.s3.BucketAclV2 + `_ allowing CloudFront to control the + logging bucket via the AWS account's canonical user. + - *origin_access_control* - `aws.cloudfront.OriginAccessControl + `_ allowing the + CloudFront Distribution to serve the service bucket's content via CDN. + - *cloudfront_distribution* - `aws.cloudfront.Distribution + `_ that serves the service + bucket content over a CDN and produces output logs in the logging bucket. + - *service_bucket_policy* - `aws.s3.BucketPolicy + `_ allowing the CloudFront + Distribution read access to the objects in the service bucket. + - *invalidation_policy* - `aws.iam.Policy `_ + that allows an IAM entity to create cache invalidations in the CloudFront Distribution, which must be done + when the contents of the service bucket are updated. This is not attached to any entities; it exists for + developer use when setting up CI flows. :param name: A string identifying this set of resources. :type name: str diff --git a/tb_pulumi/cloudwatch.py b/tb_pulumi/cloudwatch.py index 4323735..be39f80 100644 --- a/tb_pulumi/cloudwatch.py +++ b/tb_pulumi/cloudwatch.py @@ -9,8 +9,18 @@ class CloudWatchMonitoringGroup(tb_pulumi.monitoring.MonitoringGroup): - """A ``MonitoringGroup`` that monitors AWS-based resources using AWS's CloudWatch service. This creates an SNS topic - to send its alarms on. + """A ``MonitoringGroup`` that monitors AWS-based resources using AWS's CloudWatch service and sends alerts using + SNS-to-email. + + Produces the following ``resources``: + + - *sns_topic* - `aws.sns.Topic `_ to notify + when an alarm in this monitoring group is triggered. + - *sns_subscriptions* - A list of `aws.sns.TopicSubscription + `_s, one for each entry in + ``notify_emails``. + - *alarms* - A list of alarms contained in this monitoring group. These may be any kind of alarm in the + `aws.cloudwatch `_ library. :param name: The name of the ``CloudWatchMonitoringGroup`` resource. :type name: str @@ -101,7 +111,6 @@ def monitor(self, outputs): ) self.finish( - outputs={'sns_topic_arn': sns_topic.arn}, resources={'sns_topic': sns_topic, 'sns_subscriptions': subscriptions, 'alarms': alarms}, ) @@ -164,15 +173,15 @@ class AlbAlarmGroup(tb_pulumi.monitoring.AlarmGroup): """A set of alarms for Application Load Balancers. Contains the following configurable alarms: - ``alb_5xx``: Alarms on the number of HTTP responses sourced within the load balancer with status codes in the - 500-599 range, indicating a count of internal server errors. This metric concerns the load balancer itself, - and does not contain any response codes generated by the targets. Defaults to alarming on 10 errors in 1 - minute. + 500-599 range, indicating a count of internal server errors. This metric concerns the load balancer itself, + and does not contain any response codes generated by the targets. Defaults to alarming on 10 errors in 1 + minute. - ``target_5xx``: Alarms on the number of HTTP responses sourced within the load balancer's targets with status - codes in the 500-599 range, indicating a count of internal server errors. This metric concerns the - applications the load balancer points to, and does not contain any response codes generated by the load - balancer itself. Defaults to alarming on 10 errors in 1 minute. + codes in the 500-599 range, indicating a count of internal server errors. This metric concerns the + applications the load balancer points to, and does not contain any response codes generated by the load + balancer itself. Defaults to alarming on 10 errors in 1 minute. - ``response_time``: Alarms on the average response time of HTTP requests. Defaults to alarming if the average - response time over a minute is longer than 1 second. + response time over a minute is longer than 1 second. Further detail on these metrics and others can be found within `Amazon's ALB metrics documentation `_. @@ -306,7 +315,7 @@ class AlbTargetGroupAlarmGroup(tb_pulumi.monitoring.AlarmGroup): """A set of alarms for ALB target groups. Contains the following configurable alarms: - ``unhealthy_hosts``: Alarms on the number of unhealthy hosts in a target group. Defaults to alarm when the - average of unhealthy hosts is over 1 in 1 minute. + average of unhealthy hosts is over 1 in 1 minute. Further detail on these metrics and others can be found within `Amazon's Target Group metric documentation `_. @@ -422,8 +431,8 @@ class CloudFrontDistributionAlarmGroup(tb_pulumi.monitoring.AlarmGroup): """A set of alarms for CloudFront distributions. Contains the following configurable alarms: - ``distro_4xx``: Alarms on the rate of HTTP responses with status codes in the 400-499 range, indicating an - elevated number of calls to invalid files. This value is reported as a percentage of all responses. Defaults - to alarm on at least 10% 4xx codes in 1 minute. + elevated number of calls to invalid files. This value is reported as a percentage of all responses. Defaults + to alarm on at least 10% 4xx codes in 1 minute. Further details about these metrics and more can be found in `Amazon's CloudFront distribution documentation `_. @@ -498,9 +507,9 @@ def __init__( class CloudFrontFunctionAlarmGroup(tb_pulumi.monitoring.AlarmGroup): """A set of alarms for CloudFront functions. Contains the following configurable alarms: - - ``cpu_utilization``: Alarms when the function's compute utilization is excessive. This value is reported as a - percentage of its allotted CPU. Defaults to alarm when the function's CPU usage has been over 80% on average for - 1 minute. + - ``cpu_utilization``: Alarms when the function's compute utilization is excessive. This value is reported as a + percentage of its allotted CPU. Defaults to alarm when the function's CPU usage has been over 80% on average + for 1 minute. Further details about these metrics and more can be found in `Amazon's CloudFront Functions documentation `_. @@ -578,9 +587,9 @@ class EcsServiceAlarmGroup(tb_pulumi.monitoring.AlarmGroup): """A set of alarms for ECS services. Contains the following configurable alarms: - ``cpu_utilization``: Alarms on the overall CPU usage of the entire service, all tasks combined. Threshold is a - percentage. + percentage. - ``memory_utilization``: Alarms on the overall memory usage of the entire service, all tasks combined. - Threshold is a percentage. + Threshold is a percentage. Further detail on these metrics and more can be found on `Amazon's documentation _`. diff --git a/tb_pulumi/ec2.py b/tb_pulumi/ec2.py index 848df8e..56ca3cf 100644 --- a/tb_pulumi/ec2.py +++ b/tb_pulumi/ec2.py @@ -17,6 +17,20 @@ class NetworkLoadBalancer(tb_pulumi.ThunderbirdComponentResource): """Construct a NetworkLoadBalancer to route TCP traffic to a collection of backends. This targets backend services by IP address, connecting a frontend listening port to a backend port on the round-robin load balanced targets. + Produces the following ``resources``: + + - *security_group_with_rules* - :py:class:`tb_pulumi.network.SecurityGroupWithRules` defining ingress and egress + rules for the NLB. + - *nlb* - `aws.lb.LoadBalancer `_ with a + ``load_balancer_type`` of ``network``. + - *target_group* - `aws.lb.TargetGroup `_ + containing the IPs the NLB is balancing. + - *target_group_attachments* - List of `aws.lb.TargetGroupAttachments + `_, one for each IP address + registered with the NLB. + - *listener* - `aws.lb.Listener `_ for the + NLB. + :param name: A string identifying this set of resources. :type name: str @@ -178,7 +192,6 @@ def __init__( ) self.finish( - outputs={'dns_name': nlb.dns_name}, resources={ 'security_group_with_rules': security_group_with_rules, 'nlb': nlb, @@ -192,6 +205,13 @@ def __init__( class SshableInstance(tb_pulumi.ThunderbirdComponentResource): """Builds an EC2 instance which can be accessed with SSH from somewhere on the Internet. + Produces the following ``resources``: + + - *instance* - The `aws.ec2.Instance `_. + - *keypair* - :py:class:`tb_pulumi.ec2.SshKeyPair` used for authenticating to the instance. + - *security_group* - :py:class:`tb_pulumi.network.SecurityGroupWithRules` defining network access to the + instance. + :param name: A string identifying this set of resources. :type name: str @@ -302,10 +322,6 @@ def __init__( ) self.finish( - outputs={ - 'instance_dns': instance.public_dns, - 'instance_ip': instance.public_ip, - }, resources={ 'instance': instance, 'keypair': keypair, @@ -322,6 +338,13 @@ class SshKeyPair(tb_pulumi.ThunderbirdComponentResource): ONE TIME. Each ``pulumi up/preview`` command generates a new keypair, which generates new secret versions (and if this is attached to an instance downstream, it triggers the recreation of that instance). + Produces the following ``resources``: + + - *keypair* - `aws.ec2.KeyPair `_ containing + the keypair content. + - *private_key_secret* :py:class:`tb_pulumi.secrets.SecretsManagerSecret` containing the private key data. + - *public_key_secret* :py:class:`tb_pulumi.secrets.SecretsManagerSecret` containing the public key data. + :param name: A string identifying this set of resources. :type name: str @@ -404,9 +427,7 @@ def __init__( ) self.finish( - outputs={'keypair': keypair.id}, resources={ - 'private_key': private_key if not public_key else None, 'keypair': keypair, 'private_key_secret': private_key_secret if not public_key else None, 'public_key_secret': public_key_secret if not public_key else None, diff --git a/tb_pulumi/fargate.py b/tb_pulumi/fargate.py index 67339d2..da03f51 100644 --- a/tb_pulumi/fargate.py +++ b/tb_pulumi/fargate.py @@ -13,6 +13,27 @@ class FargateClusterWithLogging(tb_pulumi.ThunderbirdComponentResource): """Builds a Fargate cluster running a variable number of tasks. Logs from these tasks will be sent to CloudWatch. + Produces the following ``resources``: + + - *cluster* - The `aws.ecs.Cluster `_. + - *log_group* - `aws.cloudwatch.LogGroup + `_ where these tasks send their + logs. + - *log_key* - `aws.kms.Key `_ used to encrypt + log contents. + - *fargate_service_alb* - :py:class:`tb_pulumi.fargate.FargateServiceAlb` balancing traffic between these tasks. + - *policy_exec* - `aws.iam.Policy `_ allowing + the service access to other resources needed to launch tasks. + - *policy_log_sending* - `aws.iam.Policy `_ + allowing tasks to send logs to their log group. + - *service* - `aws.ecs.Service `_ managing + the tasks. + - *task_role* - `aws.iam.Role `_ used for + executing tasks in this cluster. + - *task_definition* - `aws.ecs.TaskDefinition + `_ describing the properties of the + tasks being managed. + :param name: A string identifying this set of resources. :type name: str @@ -303,10 +324,6 @@ def __init__( ) self.finish( - outputs={ - 'cluster_id': cluster.id, - 'service_id': service.id, - }, resources={ 'cluster': cluster, 'log_group': log_group, @@ -392,6 +409,19 @@ class FargateServiceAlb(tb_pulumi.ThunderbirdComponentResource): services. ECS does not allow reuse of a single ALB with multiple listeners, so if there are multiple services, multiple ALBs will be constructed. + Produces the following ``resources``: + + - *albs* - Dict where the keys match the keys of the ``services`` parameter and the values are the + `aws.lb.LoadBalancers `_ created for + those services. + - *listeners* - Dict where the keys match the keys of the ``services`` parameter and the values are the + `aws.lb.Listeners `_ created for the + load balancers for those services. + - *target_groups* - Dict where the keys match the keys of the ``services`` parameter and the values are the + `aws.lb.TargetGroups `_ created for the + listeners for those services. Importantly, Fargate services manage their own targets, so this module does not + track any target group attachments. + :param name: A string identifying this set of resources. :type name: str @@ -518,4 +548,4 @@ def __init__( opts=pulumi.ResourceOptions(parent=self, depends_on=[albs[svc_name]]), ) - self.finish(outputs={}, resources={'albs': albs, 'listeners': listeners, 'target_groups': target_groups}) + self.finish(resources={'albs': albs, 'listeners': listeners, 'target_groups': target_groups}) diff --git a/tb_pulumi/monitoring.py b/tb_pulumi/monitoring.py index 6a5a731..31be6a0 100644 --- a/tb_pulumi/monitoring.py +++ b/tb_pulumi/monitoring.py @@ -29,21 +29,17 @@ class MonitoringGroup(tb_pulumi.ThunderbirdComponentResource): :param config: A configuration dictionary. The specific format and content of this dictionary is defined in part by classes extending this class. However, the dictionary should be configured in the following broad way, with - downstream monitoring groups defining the specifics of the monitor configs: + downstream monitoring groups defining the specifics of the monitor configs (shown here as YAML): - .. code-block:: javascript + .. code-block:: yaml :linenos: - { - "alarms": { - "name-of-the-resource-being-monitored": { - "monitor_name": { - "enabled": False - // Downstream monitoring groups tell you what else goes right here - } - } - } - } + --- + alarms: + name-of-the-resource-being-monitored: + monitor_name: + enabled: False + # Downstream monitoring groups tell you what else goes right here This config defines override settings for alarms whose default configurations are insufficient for a specific use case. Since each resource can have multiple alarms associated with it, the ``"alarm"`` dict's keys should be diff --git a/tb_pulumi/network.py b/tb_pulumi/network.py index 9c80b37..e866d25 100644 --- a/tb_pulumi/network.py +++ b/tb_pulumi/network.py @@ -8,6 +8,35 @@ class MultiCidrVpc(tb_pulumi.ThunderbirdComponentResource): """Builds a VPC with configurable network space. + Produces the following ``resources``: + + - *endpoint_sg* - If the ``endpoint_interfaces`` or ``endpoint_gateways`` parameters are provided, this is a + :py:class:`tb_pulumi.network.SecurityGroupWithRules` used to define traffic through these endpoints. + - *gateways* - If there are any ``endpoint_gateways`` defined, this is a list of `aws.ec2.VpcEndpoints + `_ with a ``vpc_endpoint_type`` of + ``Gateway``. + - *interfaces* - If there are any ``endpoint_interfaces`` defined, this is a list of `aws.ec2.VpcEndpoints + `_ with a ``vpc_endpoint_type`` of + ``Interface``. + - *internet_gateway* - If ``enable_internet_gateway`` is ``True``, this is the `aws.ec2.InternetGateway + `_. + - *nat_eip* - If ``enable_nat_gateway`` is ``True``, this is the `aws.ec2.Eip + `_ used for the NAT Gateway. + - *nat_gateway* - If ``enable_nat_gateway`` is ``True``, this is the `aws.ec2.NatGateway + `_. + - *route_table_subnet_associations* - List of `aws.ec2.RouteTableAssociations + `_ associating the subnets + to the VPC's default route table, enabling traffic among those subnets. + - *subnets* - List of `aws.ec2.Subnets `_ in + this VPC. + - *subnet_ig_route* - If ``enable_internet_gateway`` and ``egress_via_internet_gateway`` are both ``True``, + this is the `aws.ec2.Route `_ that enables + outbound traffic through the Internet Gateway. + - *subnet_ng_route* - If ``enable_nat_gateway`` and ``egress_via_nat_gateway`` are both ``True``, this is the + `aws.ec2.Route `_ that enables outbound + traffic through the NAT Gateway. + - *vpc* - The `aws.ec2.Vpc `_. + :param name: A string identifying this set of resources. :type name: str @@ -235,10 +264,6 @@ def __init__( ) self.finish( - outputs={ - 'subnets': [subnet.id for subnet in subnet_rs], - 'vpc': vpc.id, - }, resources={ 'endpoint_sg': endpoint_sg if len(endpoint_interfaces + endpoint_gateways) > 0 else None, 'gateways': gateways, @@ -258,6 +283,15 @@ def __init__( class SecurityGroupWithRules(tb_pulumi.ThunderbirdComponentResource): """Builds a security group and sets rules for it. + Produces the following ``resources``: + + - *egress_rules* - List of `aws.ec2.SecurityGroupRules + `_ describing outbound traffic. + - *ingress_rules* - List of `aws.ec2.SecurityGroupRules + `_ describing inbound traffic. + - *sg* - The `aws.ec2.SecurityGroup `_ + containing these rules. + :param name: A string identifying this set of resources. :type name: str @@ -319,29 +353,28 @@ def __init__( egress_rules = [] ingress_ruledefs = rules['ingress'] - for idx, rule in enumerate(ingress_ruledefs): + for rule in ingress_ruledefs: rule.update({'type': 'ingress', 'security_group_id': sg.id}) ingress_rules.append( aws.ec2.SecurityGroupRule( - f'{name}-ingress-{idx}', + f'{name}-ingress-{rule["to_port"]}', opts=pulumi.ResourceOptions(parent=self, depends_on=[sg]), **rule, ) ) egress_ruledefs = rules['egress'] - for idx, rule in enumerate(egress_ruledefs): + for rule in egress_ruledefs: rule.update({'type': 'egress', 'security_group_id': sg.id}) egress_rules.append( aws.ec2.SecurityGroupRule( - f'{name}-egress-{idx}', + f'{name}-egress-{rule["to_port"]}', opts=pulumi.ResourceOptions(parent=self, depends_on=[sg]), **rule, ) ) self.finish( - outputs={'sg': sg.id}, resources={ 'egress_rules': egress_rules, 'ingress_rules': ingress_rules, diff --git a/tb_pulumi/rds.py b/tb_pulumi/rds.py index 758eb40..cc7c093 100644 --- a/tb_pulumi/rds.py +++ b/tb_pulumi/rds.py @@ -16,6 +16,37 @@ class RdsDatabaseGroup(tb_pulumi.ThunderbirdComponentResource): """Using RDS, construct a primary database and zero or more read replicas. A Network Load Balancer (NLB) is created to spread load across the read replicas. + Produces the following ``resources``: + + - *instances* - A list of `aws.rds.Instances + `_ in the group. The zeroth index will + always be the primary/writer instance. If there are any replica/reader instances, those will follow. + - *jumphost* - If ``build_jumphost`` is ``True``, this is the :py:class:`tb_pulumi.ec2.SshableInstance` to be + used to access the DBs. + - *key* - `aws.kms.Key `_ used to encrypt + database storage. + - *load_balancer* - :py:class:`tb_pulumi.ec2.NetworkLoadBalancer` routing traffic to the read databases. + - *parameter_group* - `aws.rds.ParameterGroup + `_ defining how these databases + operate. + - *password* - `pulumi_random.RandomPassword + `_ for the database. + - *secret* - :py:class:`tb_pulumi.secrets.SecretsManagerSecret` storing the password within AWS. + - *security_group* - :py:class:`tb_pulumi.network.SecurityGroupWithRules` defining access to the database. + - *ssm_param_db_name* - `aws.ssm.Parameter + `_ containing the database name. + - *ssm_param_db_write_host* - `aws.ssm.Parameter + `_ containing the write instance's + hostname. + - *ssm_param_port* - `aws.ssm.Parameter + `_ containing the database port. + - *ssm_param_read_host* - `aws.ssm.Parameter + `_ containing the hostname of the read + traffic load balancer. + - *subnet_group* - `aws.rds.SubnetGroup + `_, a logical grouping of subnets in + which to build database instances. + :param name: A string identifying this set of resources. :type name: str @@ -452,11 +483,6 @@ def __init__( ) self.finish( - outputs={ - 'password_secret': password.id, - 'primary_address': primary.address, - 'replica_addresses': [inst.address for inst in instances[1:]], - }, resources={ 'instances': instances, 'jumphost': jumphost if build_jumphost else None, @@ -474,7 +500,7 @@ def __init__( }, ) - def __ssm_param(self, name, param_name, value, depends_on: list[pulumi.Output] = None): + def __ssm_param(self, name, param_name, value, depends_on: list[pulumi.Output] = None) -> aws.ssm.Parameter: """Build an SSM Parameter.""" return aws.ssm.Parameter( name, diff --git a/tb_pulumi/secrets.py b/tb_pulumi/secrets.py index 133bea2..b6260a2 100644 --- a/tb_pulumi/secrets.py +++ b/tb_pulumi/secrets.py @@ -9,7 +9,15 @@ class SecretsManagerSecret(tb_pulumi.ThunderbirdComponentResource): - """Stores a value as a Secrets Manager secret. + """Stores a value as a Secrets Manager secret, which is composed of a "Secret" and a "SecretVersion". + + Produces the following ``resources``: + + - *secret* - `aws.secretsmanager.Secret + `_ describing secret metadata. + - *version* - `aws.secretsmanager.SecretVersion + `_ containing the actual + secret data. :param name: A string identifying this set of resources. :type name: str @@ -72,12 +80,20 @@ def __init__( opts=pulumi.ResourceOptions(parent=self, depends_on=[secret]), ) - self.finish(outputs={'secret_id': secret.id}, resources={'secret': secret, 'version': version}) + self.finish(resources={'secret': secret, 'version': version}) class PulumiSecretsManager(tb_pulumi.ThunderbirdComponentResource): """Builds a set of AWS SecretsManager Secrets based on specific secrets in Pulumi's config. + Produces the following ``resources``: + + - *secrets* - List of :py:class:`tb_pulumi.secrets.SecretsManagerSecret` s storing Pulumi config secrets in AWS. + - *policy* - `aws.iam.Policy + `_ granting access to the + secrets managed by this module. This doesn't get attached to any entities, but is intended for use in things + like CI flows or ECS task execution roles. + :param name: A string identifying this set of resources. :type name: str @@ -156,6 +172,5 @@ def __init__( ) self.finish( - outputs={'policy_id': policy.policy_id, 'secret_ids': [secret.id for secret in secrets]}, resources={'secrets': secrets, 'policy': policy}, )