diff --git a/apps/bedrock/Pulumi.prod.yaml b/apps/bedrock/Pulumi.prod.yaml
index 2659d8ef4..b0685c567 100644
--- a/apps/bedrock/Pulumi.prod.yaml
+++ b/apps/bedrock/Pulumi.prod.yaml
@@ -1,5 +1,7 @@
 config:
+  aws:profile: withglyph
   aws:defaultTags:
     tags:
       pulumi.withglyph.io/project: bedrock
       pulumi.withglyph.io/stack: prod
+  kubernetes:context: arn:aws:eks:ap-northeast-2:721144421085:cluster/penxle
diff --git a/apps/bedrock/pulumi/aws/cloudtrail.ts b/apps/bedrock/pulumi/aws/cloudtrail.ts
deleted file mode 100644
index ff31f83d0..000000000
--- a/apps/bedrock/pulumi/aws/cloudtrail.ts
+++ /dev/null
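Review bot: `aws:profile: withglyph` in the committed prod stack config, together with `profile: 'withglyph'` on the `us-east-1` provider in `providers.ts`, binds every deployment to a named profile in the operator's local AWS credentials file, so `pulumi up` from CI or from any workstation without that profile fails at provider configuration instead of falling back to the default credential chain. If the goal is to select an identity rather than a local file, choosing it through the `AWS_PROFILE` environment variable or an `aws:assumeRole` role ARN keeps the checked-in config portable; if the profile is meant to be mandatory, a one-line comment above the key saying where the profile is defined would save the next operator a failed run. The explicit `us-east-1` provider presumably repeats the profile because it does not pick up stack-level `aws:` settings, so the two values have to be kept in sync by hand.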
@@ -1,67 +0,0 @@
-import * as aws from '@pulumi/aws';
-import * as pulumi from '@pulumi/pulumi';
-
-const bucket = new aws.s3.Bucket('cloudtrail', {
-  bucket: 'penxle-cloudtrail',
-
-  lifecycleRules: [{ enabled: true, expiration: { days: 365 } }],
-});
-
-const policy = new aws.s3.BucketPolicy('cloudtrail', {
-  bucket: bucket.bucket,
-  policy: {
-    Version: '2012-10-17',
-    Statement: [
-      {
-        Effect: 'Allow',
-        Principal: { Service: 'cloudtrail.amazonaws.com' },
-        Action: ['s3:GetBucketAcl', 's3:PutObject'],
-        Resource: [bucket.arn, pulumi.interpolate`${bucket.arn}/*`],
-      },
-    ],
-  },
-});
-
-const accessAnalyzer = new aws.iam.Role('access-analyzer@aws', {
-  name: 'access-analyzer@aws',
-  assumeRolePolicy: aws.iam.assumeRolePolicyForPrincipal({
-    Service: 'access-analyzer.amazonaws.com',
-  }),
-});
-
-new aws.iam.RolePolicy('access-analyzer@aws', {
-  role: accessAnalyzer.name,
-  policy: {
-    Version: '2012-10-17',
-    Statement: [
-      {
-        Effect: 'Allow',
-        Action: 'cloudtrail:GetTrail',
-        Resource: '*',
-      },
-      {
-        Effect: 'Allow',
-        Action: ['iam:GenerateServiceLastAccessedDetails', 'iam:GetServiceLastAccessedDetails'],
-        Resource: '*',
-      },
-      {
-        Effect: 'Allow',
-        Action: ['s3:GetObject', 's3:ListBucket'],
-        Resource: [bucket.arn, pulumi.interpolate`${bucket.arn}/*`],
-      },
-    ],
-  },
-});
-
-new aws.cloudtrail.Trail(
-  'management-events',
-  {
-    name: 'management-events',
-
-    s3BucketName: bucket.bucket,
-
-    enableLogFileValidation: true,
-    isMultiRegionTrail: true,
-  },
-  { dependsOn: [policy] },
-);
diff --git a/apps/bedrock/pulumi/aws/iam.ts b/apps/bedrock/pulumi/aws/iam.ts
index 1d85ef702..6c4739223 100644
--- a/apps/bedrock/pulumi/aws/iam.ts
+++ b/apps/bedrock/pulumi/aws/iam.ts
@@ -61,6 +61,27 @@ new aws.iam.GroupPolicy('team', {
   },
 });
 
+const adminRole = new aws.iam.Role('admin@team', {
+  name: 'admin@team',
+  assumeRolePolicy: aws.iam.assumeRolePolicyForPrincipal({
+    AWS: '886436942314',
+  }),
+});
+
+new aws.iam.RolePolicy('admin@team', {
+  role: adminRole.name,
+  policy: {
+    Version: '2012-10-17',
+    Statement: [
+      {
+        Effect: 'Allow',
+        Action: '*',
+        Resource: '*',
+      },
+    ],
+  },
+});
+
 const datadogIntegration = new aws.iam.Role('integration@datadog', {
   name: 'integration@datadog',
   assumeRolePolicy: aws.iam.assumeRolePolicyForPrincipal({
diff --git a/apps/bedrock/pulumi/aws/providers.ts b/apps/bedrock/pulumi/aws/providers.ts
index 7edc9f3cb..8e8daba04 100644
--- a/apps/bedrock/pulumi/aws/providers.ts
+++ b/apps/bedrock/pulumi/aws/providers.ts
@@ -2,4 +2,5 @@ import * as aws from '@pulumi/aws';
 
 export const usEast1 = new aws.Provider('us-east-1', {
   region: 'us-east-1',
+  profile: 'withglyph',
 });
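Review bot: The new `admin@team` role pairs an unconditioned trust policy with an inline `Action: '*'` / `Resource: '*'` grant: `assumeRolePolicyForPrincipal({ AWS: '886436942314' })` names a bare account id, which IAM treats as that account's root principal, so any identity in 886436942314 whose own policy allows `sts:AssumeRole` obtains full administrator access in this stack's account (the EKS ARN in Pulumi.prod.yaml suggests that is 721144421085, i.e. a cross-account grant) with no MFA, external-id or source-identity requirement. Narrow the trust to the specific role or user ARN that should federate in and add a session condition, as in the document below (the principal ARN is a placeholder; `aws:MultiFactorAuthPresent` is meaningful for IAM-user callers, while a caller that is itself a role session would need an `sts:ExternalId` or `sts:SourceIdentity` condition instead). On the permissions side, attaching the managed `arn:aws:iam::aws:policy/AdministratorAccess` through `aws.iam.RolePolicyAttachment` expresses the same grant as the hand-written `*` but is easier to find and audit with policy tooling. Separately, this commit also deletes `cloudtrail.ts`; unless another trail covers the account, assumptions of this role and the API calls made under it will no longer be recorded, which is worth confirming before this lands.

```typescript
const adminRole = new aws.iam.Role('admin@team', {
  name: 'admin@team',
  assumeRolePolicy: {
    Version: '2012-10-17',
    Statement: [
      {
        Effect: 'Allow',
        // PLACEHOLDER: the single principal in 886436942314 that should hold admin here
        Principal: { AWS: 'arn:aws:iam::886436942314:role/<ADMIN-PRINCIPAL-PLACEHOLDER>' },
        Action: 'sts:AssumeRole',
        Condition: { Bool: { 'aws:MultiFactorAuthPresent': 'true' } },
      },
    ],
  },
});
// … unchanged: RolePolicy 'admin@team' (or a RolePolicyAttachment of AdministratorAccess in its place) …
```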