aws-iam logo
AWS IAM v0.0.3, Jun 1 22

AWS IAM

You can use the Pulumi AWS IAM Component to help you create AWS IAM roles in all supported Pulumi Languages. The code below will show you examples of each resources supported in this Component, but please refer to the API Docs for more detailed descriptions and information about each resource.

This Component was heavily inspired by the Terraform AWS IAM Module and should provide users with equal functionality.

Examples

import * as iam from "@pulumi/aws-iam";

// Account
export const account = new iam.Account("account", {
    accountAlias: "cool-alias",
    passwordPolicy: {
        minimumLength: 37,
        requireNumbers: false,
        allowUsersToChange: true,
        hardExpiry: true,
        requireSymbols: true,
        requireLowercaseCharacters: true,
        requireUppercaseCharacters: true,
    },
});

// User
export const user = new iam.User("aws-iam-example-user", {
    name: "pulumipus",
    forceDestroy: true,
    pgpKey: "keybase:test",
    passwordResetRequired: false,
});

// Assumable Role
export const assumableRole = new iam.AssumableRole("aws-iam-example-assumable-role", {
    trustedRoleArns: [ "arn:aws:iam::307990089504:root", "arn:aws:iam::835367859851:user/pulumipus" ],
    role: {
        name: "custom",
        requiresMfa: true,
        policyArns: [ "arn:aws:iam::aws:policy/AmazonCognitoReadOnly","arn:aws:iam::aws:policy/AlexaForBusinessFullAccess" ],
    },
});

// // Assumable Role With OIDC
export const assumableRoleWithOidc = new iam.AssumableRoleWithOIDC("aws-iam-example-assumable-role-with-oidc", {
    providerUrls: ["oidc.eks.eu-west-1.amazonaws.com/id/BA9E170D464AF7B92084EF72A69B9DC8"],
    role: {
        name: "oidc-role",
        policyArns: [ "arn:aws:iam::aws:policy/AmazonEKS_CNI_Policy" ],
    },
    tags: {
        Role: "oidc-role",
    },
});

// // Assumable Role With SAML
export const assumableRoleWithSaml = new iam.AssumableRoleWithSAML("aws-iam-example-assumable-role-with-saml", {
    providerIds: [ "arn:aws:iam::235367859851:saml-provider/idp_saml" ],
    role: {
        name: "saml-role",
        policyArns: [ "arn:aws:iam::aws:policy/ReadOnlyAccess" ],
    },
    tags: {
        Role: "saml-role",
    },
});

// // Assumable Roles
export const assumableRoles = new iam.AssumableRoles("aws-iam-example-assumable-roles", {
    trustedRoleArns: [ "arn:aws:iam::307990089504:root", "arn:aws:iam::835367859851:user/pulumipus" ],
    admin: {},
    poweruser: {
        name: "developer",
    },
    readonly: {
        requiresMfa: true,
    },
});

// // Assumable Roles With SAML
export const assumableRolesWithSaml = new iam.AssumableRolesWithSAML("aws-iam-example-assumable-role-with-saml", {
    providerIds: [ "arn:aws:iam::235367859851:saml-provider/idp_saml" ],
    admin: {},
    poweruser: {
        name: "developer",
    },
    readonly: {},
});

// // EKS Role
export const eksRole = new iam.EKSRole("aws-iam-example-eks-role", {
    role: {
        name: "eks-role",
        policyArns: [ "arn:aws:iam::aws:policy/AmazonEKS_CNI_Policy" ],
    },
    tags: {
        Name: "eks-role",
    },
    clusterServiceAccounts: {
        "cluster1": [ "default:my-app" ],
        "cluster2": [ "default:my-app", "canary:my-app" ],
    },
});

// // Group With Assumable Roles Policy
export const groupWithAssumableRolesPolicy = new iam.GroupWithAssumableRolesPolicy("aws-iam-example-group-with-assumable-roles-policy", {
    name: "production-readonly",
    assumableRoles: [ "arn:aws:iam::835367859855:role/readonly" ],
    groupUsers: [ "pulumipus" ],
}, { dependsOn: [user] });

// // Group With Policies
export const groupWithPolicies = new iam.GroupWithPolicies("aws-iam-example-group-with-policies", {
    name: "superadmins",
    groupUsers: [ "pulumipus" ],
    attachIamSelfManagementPolicy: true,
    customGroupPolicyArns: [ "arn:aws:iam::aws:policy/AdministratorAccess" ],
    customGroupPolicies: [{
        "name": "AllowS3Listing",
        "policy": "{}",
    }],
}, { dependsOn: [user] });

// // Policy
export const policy = new iam.Policy("aws-iam-example-policy", {
    name: "aws-iam-example-policy",
    path: "/",
    description: "My example policy",
    policyDocument: `{
        "Version": "2012-10-17",
        "Statement": [
          {
            "Action": [
              "ec2:Describe*"
            ],
            "Effect": "Allow",
            "Resource": "*"
          }
        ]
    }`,
});

// // Read Only Policy
export const readOnlyPolicy = new iam.ReadOnlyPolicy("aws-iam-example-read-only-policy", {
    name: "aws-iam-example-read-only",
    path: "/",
    description: "My example read only policy",
    allowedServices: [ "rds", "dynamodb" ],
});

// // Role For Service Accounts EKS
export const roleForServiceAccountsEks = new iam.RoleForServiceAccountsEks("aws-iam-example-role-for-service-accounts-eks", {
    role: {
        name: "vpc-cni"
    },
    tags: {
        Name: "vpc-cni-irsa",
    },
    oidcProviders: {
        main: {
            providerArn: "arn:aws:iam::012345678901:oidc-provider/oidc.eks.us-east-1.amazonaws.com/id/5C54DDF35ER19312844C7333374CC09D",
            namespaceServiceAccounts: ["default:my-app", "canary:my-app"],
        }
    },
    policies: {
        vpnCni: {
            attach: true,
            enableIpv4: true,
        },
    },
});
"""An AWS Python Pulumi program"""

import json
import pulumi
from pulumi_aws import s3
import pulumi_aws_iam as iam

# Account
account = iam.Account(
    'account',
    account_alias='cool-alias',
    password_policy=iam.AccountPasswordPolicyArgs(
        minimum_length=37,
        require_numbers=False,
        allow_users_to_change=True,
        hard_expiry=True,
        require_symbols=True,
        require_lowercase_characters=True,
        require_uppercase_characters=True,
    )
)

pulumi.export('account', account)

# Assumable Role
assumable_role = iam.AssumableRole(
    'assumable_role',
    trusted_role_arns=['arn:aws:iam::307990089504:root','arn:aws:iam::835367859851:user/pulumipus'],
    role=iam.RoleWithMFAArgs(
        name='custom',
        requires_mfa=True,
        policy_arns=['arn:aws:iam::aws:policy/AmazonCognitoReadOnly','arn:aws:iam::aws:policy/AlexaForBusinessFullAccess'],
    ),
)

pulumi.export('assumable_role', assumable_role)

# Assumable Role With OIDC
assumable_role_with_oidc = iam.AssumableRoleWithOIDC(
    'assumable_role_with_oidc',
    role=iam.RoleArgs(
        name='oidc-role',
        policy_arns=['arn:aws:iam::aws:policy/AmazonEKS_CNI_Policy']
    ),
    tags={
        'Role': 'oidc-role',
    },
    provider_urls=['oidc.eks.eu-west-1.amazonaws.com/id/BA9E170D464AF7B92084EF72A69B9DC8']
)

pulumi.export('assumable_role_with_oidc', assumable_role_with_oidc)

# Assumable Role With SAML
assumable_role_with_saml = iam.AssumableRoleWithSAML(
    'assumable_role_with_saml',
    role=iam.RoleArgs(
        name='saml-role',
        policy_arns=['arn:aws:iam::aws:policy/ReadOnlyAccess'],
    ),
    tags={
        'Role': 'saml-role',
    },
    provider_ids=['arn:aws:iam::235367859851:saml-provider/idp_saml']
)

pulumi.export('assumable_role_with_saml', assumable_role_with_saml)

# Assumable Roles
assumable_roles = iam.AssumableRoles(
    'assumable_roles',
    trusted_role_arns=['arn:aws:iam::307990089504:root','arn:aws:iam::835367859851:user/pulumipus'],
    admin=iam.AdminRoleArgs(),
    poweruser=iam.PoweruserRoleArgs(
        name='developer',
    ),
    readonly=iam.ReadonlyRoleWithMFAArgs(
        requires_mfa=True,
    ),
)

pulumi.export('assumable_roles', assumable_roles)

# Assumable Roles With SAML
assumable_roles_with_saml = iam.AssumableRolesWithSAML(
    'assumable_roles_with_saml',
    provider_ids=['arn:aws:iam::235367859851:saml-provider/idp_saml'],
    admin=iam.AdminRoleArgs(),
    readonly=iam.ReadonlyRoleArgs(),
    poweruser=iam.PoweruserRoleArgs(
        name='developer',
    ),
)

pulumi.export('assumable_roles_with_saml', assumable_roles_with_saml)

# EKS Role
eks_role = iam.EKSRole(
    'eks_role',
    role=iam.RoleArgs(
        name='eks-role',
        policy_arns=['arn:aws:iam::aws:policy/AmazonEKS_CNI_Policy'],
    ),
    tags={
        'Name': 'eks-role',
    },
    # cluster_service_acccounts={
    #     'cluster1': [ 'default:my-app' ],
    #     'cluster2': [ 'default:my-app', 'canary:my-app' ],
    # },
)

pulumi.export('eks_role', eks_role)

# Group With Assumable Roles Policy
group_with_assume_roles_policy = iam.GroupWithAssumableRolesPolicy(
    'group_with_assume_roles_policy',
    name='production-readonly',
    assumable_roles=['arn:aws:iam::835367859855:role/readonly'],
    group_users=['user1','user2'],
)

pulumi.export('group_with_assume_roles_policy', group_with_assume_roles_policy)

# Group With Policies
group_with_policies = iam.GroupWithPolicies(
    'group_with_policies',
    name='superadmins',
    group_users=['user1','user2'],
    attach_iam_self_management_policy=True,
    custom_group_policy_arns=['arn:aws:iam::aws:policy/AdministratorAccess'],
    custom_group_policies=[{
        'name': 'AllowS3Listing',
        'policy': '{}',
    }],
)

pulumi.export('group_with_policies', group_with_policies)

# Policy
policy = iam.Policy(
    'policy',
    name='example',
    path='/',
    description='My example policy',
    policy_document=json.dumps({
        "Version": "2012-10-17",
        "Statement": [
          {
            "Action": [
              "ec2:Describe*"
            ],
            "Effect": "Allow",
            "Resource": "*"
          }
        ]
    })
)

pulumi.export('policy', policy)

# Read Only Policy
read_only_policy = iam.ReadOnlyPolicy(
    'read_only_policy',
    name='example',
    path='/',
    description='My example read only policy',
    allowed_services=['rds','dynamo'],
)

pulumi.export('read_only_policy', read_only_policy)

# Role For Service Accounts EKS
role_for_service_account_eks = iam.RoleForServiceAccountsEks(
    'role_for_service_account_eks',
    role=iam.RoleArgs(
        name='vpc-cni'
    ),
    tags={
        'Name': 'vpc-cni-irsa',
    },
    oidc_providers={
        'main': iam.OIDCProviderArgs(
            provider_arn='arn:aws:iam::012345678901:oidc-provider/oidc.eks.us-east-1.amazonaws.com/id/5C54DDF35ER19312844C7333374CC09D',
            namespace_service_accounts=['default:my-app', 'canary:my-app'],
        ),
    },
    policies=iam.EKSRolePoliciesArgs(
        vpn_cni=iam.EKSVPNCNIPolicyArgs(
            attach=True,
            enable_ipv4=True,
        ),
    ),
)

pulumi.export('role_for_service_account_eks', role_for_service_account_eks)

# User
user = iam.User(
    'user',
    name='pulumipus',
    force_destroy=True,
    pgp_key='keybase:test',
    password_reset_required=False,
)

pulumi.export('user', user)
package main

import (
	"encoding/json"

	iam "github.com/pulumi/pulumi-aws-iam/sdk/go/aws-iam"
	"github.com/pulumi/pulumi/sdk/v3/go/pulumi"
)

func main() {
	pulumi.Run(func(ctx *pulumi.Context) error {
		// Account
		account, err := iam.NewAccount(ctx, "account", &iam.AccountArgs{
			AccountAlias: pulumi.String("cool-alias"),
			PasswordPolicy: iam.AccountPasswordPolicyArgs{
				MinimumLength:              pulumi.IntPtr(37),
				RequireNumbers:             pulumi.Bool(false),
				AllowUsersToChange:         pulumi.Bool(true),
				HardExpiry:                 pulumi.Bool(true),
				RequireSymbols:             pulumi.Bool(true),
				RequireLowercaseCharacters: pulumi.Bool(true),
				RequireUppercaseCharacters: pulumi.Bool(true),
			},
		})
		if err != nil {
			return err
		}

		ctx.Export("account", account)

		// Assumable Role
		assumableRole, err := iam.NewAssumableRole(ctx, "assumable-role", &iam.AssumableRoleArgs{
			TrustedRoleArns: pulumi.ToStringArray([]string{"arn:aws:iam::307990089504:root", "arn:aws:iam::835367859851:user/pulumipus"}),
			Role: &iam.RoleWithMFAArgs{
				Name:        pulumi.String("custom"),
				RequiresMfa: pulumi.BoolPtr(true),
				PolicyArns:  pulumi.ToStringArray([]string{"arn:aws:iam::aws:policy/AmazonCognitoReadOnly", "arn:aws:iam::aws:policy/AlexaForBusinessFullAccess"}),
			},
		})
		if err != nil {
			return err
		}

		ctx.Export("assumableRole", assumableRole)

		// Assumable Role With OIDC
		assumableRoleWithOIDC, err := iam.NewAssumableRoleWithOIDC(ctx, "assumable-role-with-oidc", &iam.AssumableRoleWithOIDCArgs{
			Role: iam.RoleArgs{
				Name:       pulumi.String("oidc-role"),
				PolicyArns: pulumi.ToStringArray([]string{"arn:aws:iam::aws:policy/AmazonEKS_CNI_Policy"}),
			},
			Tags: pulumi.ToStringMap(map[string]string{
				"Role": "oidc-role",
			}),
			ProviderUrls: pulumi.ToStringArray([]string{"oidc.eks.eu-west-1.amazonaws.com/id/BA9E170D464AF7B92084EF72A69B9DC8"}),
		})
		if err != nil {
			return err
		}

		ctx.Export("assumableRoleWithOIDC", assumableRoleWithOIDC)

		// Assumable Role With SAML
		assumableRoleWithSAML, err := iam.NewAssumableRoleWithSAML(ctx, "assumable-role-with-saml", &iam.AssumableRoleWithSAMLArgs{
			Role: iam.RoleArgs{
				Name:       pulumi.String("saml-role"),
				PolicyArns: pulumi.ToStringArray([]string{"arn:aws:iam::aws:policy/ReadOnlyAccess"}),
			},
			Tags: pulumi.ToStringMap(map[string]string{
				"Role": "saml-role",
			}),
			ProviderIds: pulumi.ToStringArray([]string{"arn:aws:iam::235367859851:saml-provider/idp_saml"}),
		})
		if err != nil {
			return err
		}

		ctx.Export("assumableRoleWithSAML", assumableRoleWithSAML)

		// Assumable Roles
		assumableRoles, err := iam.NewAssumableRoles(ctx, "assumable-roles", &iam.AssumableRolesArgs{
			TrustedRoleArns: pulumi.ToStringArray([]string{"arn:aws:iam::307990089504:root", "arn:aws:iam::835367859851:user/pulumipus"}),
			Admin:           iam.AdminRoleWithMFAArgs{},
			Poweruser: iam.PoweruserRoleWithMFAArgs{
				Name: pulumi.String("developer"),
			},
			Readonly: iam.ReadonlyRoleWithMFAArgs{
				RequiresMfa: pulumi.BoolPtr(true),
			},
		})
		if err != nil {
			return err
		}

		ctx.Export("assumableRoles", assumableRoles)

		// Assumable Roles With SAML
		assumableRolesWithSAML, err := iam.NewAssumableRolesWithSAML(ctx, "assumable-roles-with-saml", &iam.AssumableRolesWithSAMLArgs{
			ProviderIds: pulumi.ToStringArray([]string{"arn:aws:iam::235367859851:saml-provider/idp_saml"}),
			Admin:       iam.AdminRoleArgs{},
			Readonly:    iam.ReadonlyRoleArgs{},
			Poweruser: iam.PoweruserRoleArgs{
				Name: pulumi.String("developer"),
			},
		})
		if err != nil {
			return err
		}

		ctx.Export("assumableRolesWithSAML", assumableRolesWithSAML)

		// EKS Role
		eksRole, err := iam.NewEKSRole(ctx, "eks-role", &iam.EKSRoleArgs{
			Role: iam.RoleArgs{
				Name:       pulumi.String("eks-role"),
				PolicyArns: pulumi.ToStringArray([]string{"arn:aws:iam::aws:policy/AmazonEKS_CNI_Policy"}),
			},
			Tags: pulumi.ToStringMap(map[string]string{
				"Role": "eks-role",
			}),
			// Uncomment the below and replace actual cluster values.
			// ClusterServiceAccounts: pulumi.ToStringArrayMap(map[string][]string{
			// 	"cluster1": {"default:my-app"},
			// 	"cluster2": {"default:my-app", "canary:my-app"},
			// }),
		})
		if err != nil {
			return err
		}

		ctx.Export("eksRole", eksRole)

		// Group With Assumable Roles Policy
		groupWithAssumableRolesPolicy, err := iam.NewGroupWithAssumableRolesPolicy(ctx, "group-with-assumable-roles-policy", &iam.GroupWithAssumableRolesPolicyArgs{
			Name:           pulumi.String("production-readonly"),
			AssumableRoles: pulumi.ToStringArray([]string{"arn:aws:iam::835367859855:role/readonly"}),
			GroupUsers:     pulumi.ToStringArray([]string{"user1", "user2"}),
		})
		if err != nil {
			return err
		}

		ctx.Export("groupWithAssumableRolesPolicy", groupWithAssumableRolesPolicy)

		// Group With Policies
		groupWithPolicies, err := iam.NewGroupWithPolicies(ctx, "group-with-policies", &iam.GroupWithPoliciesArgs{
			Name:                          pulumi.String("superadmins"),
			GroupUsers:                    pulumi.ToStringArray([]string{"user1", "user2"}),
			AttachIamSelfManagementPolicy: pulumi.BoolPtr(true),
			CustomGroupPolicyArns:         pulumi.ToStringArray([]string{"arn:aws:iam::aws:policy/AdministratorAccess"}),
			CustomGroupPolicies: pulumi.ToStringMapArray([]map[string]string{
				{
					"name":   "AllowS3Listing",
					"policy": "{}",
				},
			}),
		})
		if err != nil {
			return err
		}

		ctx.Export("groupWithPolicies", groupWithPolicies)

		// Policy
		policyJSON, err := json.Marshal(map[string]interface{}{
			"Version": "2012-10-17",
			"Statement": []interface{}{
				map[string]interface{}{
					"Effect":   "Allow",
					"Action":   []string{"ec2:Describe"},
					"Resource": []string{"*"},
				},
			},
		})
		if err != nil {
			return err
		}

		policy, err := iam.NewPolicy(ctx, "policy", &iam.PolicyArgs{
			Name:           pulumi.String("example"),
			Path:           pulumi.String("/"),
			Description:    pulumi.String("My example policy"),
			PolicyDocument: pulumi.String(string(policyJSON)),
		})
		if err != nil {
			return err
		}

		ctx.Export("policy", policy)

		// Read Only Policy
		readOnlyPolicy, err := iam.NewReadOnlyPolicy(ctx, "read-only-policy", &iam.ReadOnlyPolicyArgs{
			Name:            pulumi.String("example"),
			Path:            pulumi.String("/"),
			Description:     pulumi.String("My example policy"),
			AllowedServices: pulumi.ToStringArray([]string{"rds", "dynamo"}),
		})
		if err != nil {
			return err
		}

		ctx.Export("readOnlyPolicy", readOnlyPolicy)

		// Role For Service Accounts EKS
		roleForServiceAccountsEKS, err := iam.NewRoleForServiceAccountsEks(ctx, "role-for-service-accounts-eks", &iam.RoleForServiceAccountsEksArgs{
			Role: iam.EKSServiceAccountRolePtr(&iam.EKSServiceAccountRoleArgs{
				Name: pulumi.String("vpc-cni"),
			}),
			Tags: pulumi.ToStringMap(map[string]string{
				"Name": "vpc-cni-irsa",
			}),
			OidcProviders: iam.OIDCProviderMap{
				"main": iam.OIDCProviderArgs{
					ProviderArn:              pulumi.String("arn:aws:iam::012345678901:oidc-provider/oidc.eks.us-east-1.amazonaws.com/id/5C54DDF35ER19312844C7333374CC09D"),
					NamespaceServiceAccounts: pulumi.ToStringArray([]string{"default:my-app", "canary:my-app"}),
				},
			},
			Policies: iam.EKSRolePoliciesPtr(&iam.EKSRolePoliciesArgs{
				VpnCni: iam.EKSVPNCNIPolicyPtr(&iam.EKSVPNCNIPolicyArgs{
					Attach:     pulumi.Bool(true),
					EnableIpv4: pulumi.BoolPtr(true),
				}),
			}),
		})
		if err != nil {
			return err
		}

		ctx.Export("roleForServiceAccountsEKS", roleForServiceAccountsEKS)

		// User
		user, err := iam.NewUser(ctx, "user", &iam.UserArgs{
			Name:                  pulumi.String("pulumipus"),
			ForceDestroy:          pulumi.BoolPtr(true),
			PgpKey:                pulumi.String("keybase:test"),
			PasswordResetRequired: pulumi.BoolPtr(false),
		})
		if err != nil {
			return err
		}

		ctx.Export("user", user)

		return nil
	})
}
using Pulumi;
using Pulumi.AwsIam;
using Pulumi.AwsIam.Inputs;
using System.Collections.Immutable;

class MyStack : Stack
{
    public MyStack()
    {
        // Account
        var account = new Account("account", new AccountArgs
        {
            AccountAlias = "cool-alias",
            PasswordPolicy=new AccountPasswordPolicyArgs
            {
                MinimumLength = 37,
                RequireNumbers = false,
                AllowUsersToChange = true,
                HardExpiry = true,
                RequireSymbols = true,
                RequireLowercaseCharacters = true,
                RequireUppercaseCharacters = true,
            }

        });

        this.Account = Output.Create<Account>(account);

        // Assumable Role
        var assumableRole = new AssumableRole("assumable-role", new AssumableRoleArgs
        {
            TrustedRoleArns = {"arn:aws:iam::307990089504:root", "arn:aws:iam::835367859851:user/pulumipus"},
            Role = new RoleWithMFAArgs
            {
                Name = "custom",
                RequiresMfa = true,
                PolicyArns = {"arn:aws:iam::aws:policy/AmazonCognitoReadOnly","arn:aws:iam::aws:policy/AlexaForBusinessFullAccess"},
            },
        });

        this.AssumableRole = Output.Create<AssumableRole>(assumableRole);

        // Assumable Role With OIDC
        var assumableRoleWithOidc = new AssumableRoleWithOIDC("assumable-role-with-oidc", new AssumableRoleWithOIDCArgs
        {
            Role = new RoleArgs
            {
                Name = "oidc-role",
                PolicyArns = {"arn:aws:iam::aws:policy/AmazonEKS_CNI_Policy"},
            },
            Tags = new InputMap<string>
            {
                {"Role", "odic-role"},
            },
            ProviderUrls = {"oidc.eks.eu-west-1.amazonaws.com/id/BA9E170D464AF7B92084EF72A69B9DC8"},
        });

        this.AssumableRoleWithOidc = Output.Create<AssumableRoleWithOIDC>(assumableRoleWithOidc);

        // Assumable Role With SAML
        var assumableRoleWithSaml = new AssumableRoleWithSAML("assumable-role-with-saml", new AssumableRoleWithSAMLArgs
        {
            Role = new RoleArgs
            {
                Name = "saml-role",
                PolicyArns = {"arn:aws:iam::aws:policy/ReadOnlyAccess"},
            },
            Tags = new InputMap<string>
            {
                {"Role", "saml-role"},
            },
            ProviderIds = {"arn:aws:iam::235367859851:saml-provider/idp_saml"},
        });

        this.AssumableRoleWithSaml = Output.Create<AssumableRoleWithSAML>(assumableRoleWithSaml);

        // Assumable Roles
        var assumableRoles = new AssumableRoles("assumable-roles", new AssumableRolesArgs
        {
            TrustedRoleArns = {"arn:aws:iam::307990089504:root", "arn:aws:iam::835367859851:user/pulumipus"},
            Admin = new AdminRoleWithMFAArgs(),
            Poweruser = new PoweruserRoleWithMFAArgs
            {
                Name = "developer",
            },
            Readonly = new ReadonlyRoleWithMFAArgs
            {
                RequiresMfa = true,
            },
        });

        this.AssumableRoles = Output.Create<AssumableRoles>(assumableRoles);

        // Assumable Roles With SAML
        var assumableRolesWithSaml = new AssumableRolesWithSAML("assumable-roles-with-saml", new AssumableRolesWithSAMLArgs
        {
            ProviderIds = {"arn:aws:iam::235367859851:saml-provider/idp_saml"},
            Admin = new AdminRoleArgs(),
            Readonly = new ReadonlyRoleArgs(),
            Poweruser = new PoweruserRoleArgs
            {
                Name = "developer",
            },
        });

        this.AssumableRolesWithSaml = Output.Create<AssumableRolesWithSAML>(assumableRolesWithSaml);

        // EKS Role
        var eksRole = new EKSRole("eks-role", new EKSRoleArgs
        {
            Role = new RoleArgs
            {
                Name = "eks-role",
                PolicyArns = {"arn:aws:iam::aws:policy/AmazonEKS_CNI_Policy"},
            },
            Tags = new InputMap<string>
            {
                {"Name", "eks-role"},
            },
            // Uncomment the below and replace actual cluster values.
            // ClusterServiceAccounts = {
            //     {"cluster1", ImmutableArray.Create<string>(new string[] {"default:my-app"})},
            //     {"cluster2", ImmutableArray.Create<string>(new string[] {"default:my-app", "canary:my-app"})}
            // },
        });

        this.EksRole = Output.Create<EKSRole>(eksRole);

        // Group With Assumable Roles Policy
        var groupWithAssumableRolePolicy = new GroupWithAssumableRolesPolicy("group-with-assumable-roles-policy", new GroupWithAssumableRolesPolicyArgs
        {
            Name = "production-readonly",
            AssumableRoles = {"arn:aws:iam::835367859855:role/readonly"},
            GroupUsers = {"user1", "user2"},
        });

        this.GroupWithAssumableRolesPolicy = Output.Create<GroupWithAssumableRolesPolicy>(groupWithAssumableRolePolicy);

        // Group With Policies
        var groupWithPolicies = new GroupWithPolicies("group-with-policies", new GroupWithPoliciesArgs
        {
            Name = "superadmins",
            GroupUsers = {"user1", "user2"},
            AttachIamSelfManagementPolicy = true,
            CustomGroupPolicyArns = {"arn:aws:iam::aws:policy/AdministratorAccess"},
            CustomGroupPolicies = new InputList<ImmutableDictionary<string, string>>
            {
                ImmutableDictionary.Create<string, string>()
                    .Add("name", "AllowS3Listing")
                    .Add("policy", "{}"),
            },
        });

        this.GroupWithPolicies = Output.Create<GroupWithPolicies>(groupWithPolicies);

        // Policy
        var policy = new Policy("policy", new PolicyArgs
        {
            Name = "example",
            Path = "/",
            Description = "My example policy",
            PolicyDocument =
                @"{
                ""Version"": ""2012-10-17"",
                ""Statement"": [
                {
                    ""Action"": [
                    ""ec2:Describe*""
                    ],
                    ""Effect"": ""Allow"",
                    ""Resource"": ""*""
                }
                ]
            }"
        });

        this.Policy = Output.Create<Policy>(policy);

        // Read Only Policy
        var readOnlyPolicy = new ReadOnlyPolicy("read-only-policy", new ReadOnlyPolicyArgs
        {
            Name = "example",
            Path = "/",
            Description = "My example read only policy",
            AllowedServices = {"rds", "dynamo"},
        });

        this.ReadOnlyPolicy = Output.Create<ReadOnlyPolicy>(readOnlyPolicy);

        // Role For Service Accounts EKS
        var roleForServiceAccountEks = new RoleForServiceAccountsEks("role-for-service-account-eks", new RoleForServiceAccountsEksArgs
        {
            Role = new EKSServiceAccountRoleArgs
            {
                Name = "vpn-cni",
            },
            Tags = {
                {"Name", "vpc-cni-irsa"},
            },
            OidcProviders = {
                {"main", new OIDCProviderArgs
                {
                    ProviderArn = "arn:aws:iam::012345678901:oidc-provider/oidc.eks.us-east-1.amazonaws.com/id/5C54DDF35ER19312844C7333374CC09D",
                    NamespaceServiceAccounts = {"default:my-app", "canary:my-app"},
                }},
            },
            Policies = new EKSRolePoliciesArgs
            {
                VpnCni = new EKSVPNCNIPolicyArgs
                {
                    Attach = true,
                    EnableIpv4 = true,
                },
            },
        });

        this.RoleForServiceAccountEks = Output.Create<RoleForServiceAccountsEks>(roleForServiceAccountEks);

        // User
        var user = new User("user", new UserArgs
        {
            Name = "pulumipus",
            ForceDestroy = true,
            PgpKey = "keybase:test",
            PasswordResetRequired = false,
        });

        this.User = Output.Create<User>(user);
    }

    [Output]
    public Output<Account> Account { get; set; }

    [Output]
    public Output<AssumableRole> AssumableRole { get; set; }

    [Output]
    public Output<AssumableRoleWithOIDC> AssumableRoleWithOidc { get; set; }

    [Output]
    public Output<AssumableRoleWithSAML> AssumableRoleWithSaml { get; set; }

    [Output]
    public Output<AssumableRoles> AssumableRoles { get; set; }

    [Output]
    public Output<AssumableRolesWithSAML> AssumableRolesWithSaml { get; set; }

    [Output]
    public Output<EKSRole> EksRole { get; set; }

    [Output]
    public Output<GroupWithAssumableRolesPolicy> GroupWithAssumableRolesPolicy { get; set; }

    [Output]
    public Output<GroupWithPolicies> GroupWithPolicies { get; set; }

    [Output]
    public Output<Policy> Policy { get; set; }

    [Output]
    public Output<ReadOnlyPolicy> ReadOnlyPolicy { get; set; }

    [Output]
    public Output<RoleForServiceAccountsEks> RoleForServiceAccountEks { get; set; }

    [Output]
    public Output<User> User { get; set; }
}
name: awsiam-yaml
runtime: yaml
resources:
    account:
        type: "aws-iam:index:Account"
        properties:
            accountAlias: "cool-alias"
            passwordPolicy:
                minimumLength: 37
                requireNumbers: false
                allowUsersToChange: true
                hardExpiry: true
                requireSymbols: true
                requireLowercaseCharacters: true
                requireUppercaseCharacters: true

    assumableRole:
        type: "aws-iam:index:AssumableRole"
        properties:
            trustedRoleArns:
                - "arn:aws:iam::307990089504:root"
                - "arn:aws:iam::835367859851:user/pulumipus"
            role:
                name: "custom"
                requiresMfa: true
                policyArns:
                    - "arn:aws:iam::aws:policy/AmazonCognitoReadOnly"
                    - "arn:aws:iam::aws:policy/AlexaForBusinessFullAccess"

    assumableRoleWithOidc:
        type: "aws-iam:index:AssumableRoleWithOIDC"
        properties:
            role:
                name: "oidc-role"
                policyArns:
                    - "arn:aws:iam::aws:policy/AmazonEKS_CNI_Policy"
            tags:
                Role: "oidc-role"
            providerUrls:
                - "oidc.eks.eu-west-1.amazonaws.com/id/BA9E170D464AF7B92084EF72A69B9DC8"

    assumableRoleWithSaml:
        type: "aws-iam:index:AssumableRoleWithSAML"
        properties:
            role:
                name: "saml-role"
                policyArns:
                    - "arn:aws:iam::aws:policy/ReadOnlyAccess"
            tags:
                Role: "saml-role"
            providerIds:
                - "arn:aws:iam::235367859851:saml-provider/idp_saml"

    assumableRoles:
        type: "aws-iam:index:AssumableRoles"
        properties:
            trustedRoleArns:
                - "arn:aws:iam::307990089504:root"
                - "arn:aws:iam::835367859851:user/pulumipus"
            poweruser:
                name: "developer"
            readonly:
                requiresMfa: true

    assumableRolesWithSaml:
        type: "aws-iam:index:AssumableRolesWithSAML"
        properties:
            providerIds:
                - "arn:aws:iam::235367859851:saml-provider/idp_saml"
            poweruser:
                name: "developer"

    eksRole:
        type: "aws-iam:index:EKSRole"
        properties:
            role:
                name: "eks-role"
                policyArns:
                    - "arn:aws:iam::aws:policy/AmazonEKS_CNI_Policy"
            tags:
                Name: "eks-role"
            # Uncomment the below and replace actual cluster values.
            # clusterServiceAccounts:
            #     cluster1:
            #         - "default:my-app"
            #     cluster2:
            #         - "default:my-app"
            #         - "canary:my-app"

    groupWithAssumableRolesPolicy:
        type: "aws-iam:index:GroupWithAssumableRolesPolicy"
        properties:
            name: "production-readonly"
            assumableRoles:
                - "arn:aws:iam::835367859855:role/readonly"
            groupUsers:
                - "user1"
                - "user2"

    groupWithPolicies:
        type: "aws-iam:index:GroupWithPolicies"
        properties:
            name: "superadmins"
            groupUsers:
                - "user1"
                - "user2"
            attachIamSelfManagementPolicy: true
            customGroupPolicyArns:
                - "arn:aws:iam::aws:policy/AdministratorAccess"
            customGroupPolicies:
                - name: "AllowS3Listing"
                  policy: "{}"

    policy:
        type: "aws-iam:index:Policy"
        properties:
            name: "example"
            path: "/"
            description: "My example policy"
            policyDocument: |
                {
                    "Version": "2012-10-17",
                    "Statement": [
                        {
                            "Action": [
                                "ec2:Describe*"
                            ],
                            "Effect": "Allow",
                            "Resource": "*"
                        }
                    ]
                }                

    readOnlyPolicy:
        type: "aws-iam:index:ReadOnlyPolicy"
        properties:
            name: "example"
            path: "/"
            description: "My example read only policy"
            allowedServices:
                - "rds"
                - "dynamodb"

    roleForServiceAccountsEks:
        type: "aws-iam:index:RoleForServiceAccountsEks"
        properties:
            role:
                name: "vpc-cni"
            tags:
                Name: "vpc-cni-irsa"
            oidcProviders:
                main:
                    providerArn: "arn:aws:iam::012345678901:oidc-provider/oidc.eks.us-east-1.amazonaws.com/id/5C54DDF35ER19312844C7333374CC09D"
                    namespaceServiceAccounts:
                        - "default:my-app"
                        - "canary:my-app"
            policies:
                vpnCni:
                    attach: true
                    enableIpv4: true

    user:
        type: "aws-iam:index:User"
        properties:
            name: "pulumipus"
            forceDestroy: true
            pgpKey: "keybase:test"
            passwordResetRequired: false

outputs:
    account: ${account}
    assumableRole: ${assumableRole}
    assumableRoleWithOidc: ${assumableRoleWithOidc}
    assumableRoleWithSaml: ${assumableRoleWithSaml}
    assumableRoles: ${assumableRoles}
    assumableRolesWithSaml: ${assumableRolesWithSaml}
    eksRole: ${eksRole}
    groupWithAssumableRolesPolicy: ${groupWithAssumableRolesPolicy}
    groupWithPolicies: ${groupWithPolicies}
    policy: ${policy}
    readOnlyPolicy: ${readOnlyPolicy}
    roleForServiceAccountsEks: ${roleForServiceAccountsEks}
    user: ${user}