From 56217dcbe061c6be41959516696794f50d722171 Mon Sep 17 00:00:00 2001 From: Iaroslav Titov Date: Tue, 21 Jan 2025 11:37:07 -0700 Subject: [PATCH] Creating OIDC Issuer resource (#484) ### Summary - Fixes: https://github.com/pulumi/pulumi-pulumiservice/issues/349 - Adding new OIDC Issuer resource - Adding OIDC client - Adding standard diff logic, to reuse in most (if not all!) resources - this would be used in https://github.com/pulumi/pulumi-pulumiservice/issues/481 - @glena , please take a look, since I only know the basics when it comes to how OIDC works, let me know if this makes sense ### Testing - Adding examples/integ tests in C#, TS, yaml - I had to add `service-provider-test-org2` and `service-provider-test-org3`, since otherwise examples would collide with each other --- CHANGELOG.md | 5 + examples/cs-oidc-issuer/.gitignore | 353 +++++++++++ examples/cs-oidc-issuer/MyStack.cs | 90 +++ examples/cs-oidc-issuer/Program.cs | 7 + examples/cs-oidc-issuer/Pulumi.yaml | 3 + examples/cs-oidc-issuer/cs-teams.csproj | 14 + examples/examples_dotnet_test.go | 9 + examples/examples_nodejs_test.go | 10 + examples/examples_yaml_test.go | 7 + examples/ts-oidc-issuer/.gitignore | 2 + examples/ts-oidc-issuer/Pulumi.yaml | 3 + examples/ts-oidc-issuer/index.ts | 75 +++ examples/ts-oidc-issuer/package.json | 9 + examples/ts-oidc-issuer/tsconfig.json | 18 + examples/yaml-oidc-issuer/Pulumi.yaml | 56 ++ examples/yaml-webhooks/Pulumi.yaml | 2 +- .../pulumi-resource-pulumiservice/schema.json | 174 ++++++ .../pkg/internal/pulumiapi/oidc_issuer.go | 126 ++++ provider/pkg/provider/oidc_issuer.go | 484 +++++++++++++++ provider/pkg/provider/provider.go | 3 + provider/pkg/provider/resource_util.go | 49 ++ sdk/dotnet/Enums.cs | 110 ++++ sdk/dotnet/Inputs/AuthPolicyDefinitionArgs.cs | 74 +++ sdk/dotnet/OidcIssuer.cs | 157 +++++ sdk/dotnet/Outputs/AuthPolicyDefinition.cs | 70 +++ sdk/go/pulumiservice/init.go | 2 + sdk/go/pulumiservice/oidcIssuer.go | 281 +++++++++ sdk/go/pulumiservice/pulumiEnums.go | 566 ++++++++++++++++++ sdk/go/pulumiservice/pulumiTypes.go | 155 +++++ sdk/nodejs/index.ts | 7 + sdk/nodejs/oidcIssuer.ts | 134 +++++ sdk/nodejs/tsconfig.json | 1 + sdk/nodejs/types/enums/index.ts | 47 ++ sdk/nodejs/types/input.ts | 31 + sdk/nodejs/types/output.ts | 31 + sdk/python/pulumi_pulumiservice/__init__.py | 2 + sdk/python/pulumi_pulumiservice/_enums.py | 44 ++ sdk/python/pulumi_pulumiservice/_inputs.py | 151 +++++ .../pulumi_pulumiservice/oidc_issuer.py | 277 +++++++++ sdk/python/pulumi_pulumiservice/outputs.py | 114 ++++ 40 files changed, 3752 insertions(+), 1 deletion(-) create mode 100644 examples/cs-oidc-issuer/.gitignore create mode 100644 examples/cs-oidc-issuer/MyStack.cs create mode 100644 examples/cs-oidc-issuer/Program.cs create mode 100644 examples/cs-oidc-issuer/Pulumi.yaml create mode 100644 examples/cs-oidc-issuer/cs-teams.csproj create mode 100644 examples/ts-oidc-issuer/.gitignore create mode 100644 examples/ts-oidc-issuer/Pulumi.yaml create mode 100644 examples/ts-oidc-issuer/index.ts create mode 100644 examples/ts-oidc-issuer/package.json create mode 100644 examples/ts-oidc-issuer/tsconfig.json create mode 100644 examples/yaml-oidc-issuer/Pulumi.yaml create mode 100644 provider/pkg/internal/pulumiapi/oidc_issuer.go create mode 100644 provider/pkg/provider/oidc_issuer.go create mode 100644 provider/pkg/provider/resource_util.go create mode 100644 sdk/dotnet/Inputs/AuthPolicyDefinitionArgs.cs create mode 100644 sdk/dotnet/OidcIssuer.cs create mode 100644 sdk/dotnet/Outputs/AuthPolicyDefinition.cs create mode 100644 sdk/go/pulumiservice/oidcIssuer.go create mode 100644 sdk/nodejs/oidcIssuer.ts create mode 100644 sdk/python/pulumi_pulumiservice/oidc_issuer.py diff --git a/CHANGELOG.md b/CHANGELOG.md index c3133b6c..fa858df1 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -1,6 +1,11 @@ CHANGELOG ========= +## 0.28.0 (WIP) + +### Improvements +- Added OIDC Issuer resource [#349](https://github.com/pulumi/pulumi-pulumiservice/issues/349) + ## 0.27.4 ### Improvements diff --git a/examples/cs-oidc-issuer/.gitignore b/examples/cs-oidc-issuer/.gitignore new file mode 100644 index 00000000..e6452706 --- /dev/null +++ b/examples/cs-oidc-issuer/.gitignore @@ -0,0 +1,353 @@ +## Ignore Visual Studio temporary files, build results, and +## files generated by popular Visual Studio add-ons. +## +## Get latest from https://github.com/github/gitignore/blob/master/VisualStudio.gitignore + +# User-specific files +*.rsuser +*.suo +*.user +*.userosscache +*.sln.docstates + +# User-specific files (MonoDevelop/Xamarin Studio) +*.userprefs + +# Mono auto generated files +mono_crash.* + +# Build results +[Dd]ebug/ +[Dd]ebugPublic/ +[Rr]elease/ +[Rr]eleases/ +x64/ +x86/ +[Aa][Rr][Mm]/ +[Aa][Rr][Mm]64/ +bld/ +[Bb]in/ +[Oo]bj/ +[Ll]og/ +[Ll]ogs/ + +# Visual Studio 2015/2017 cache/options directory +.vs/ +# Uncomment if you have tasks that create the project's static files in wwwroot +#wwwroot/ + +# Visual Studio 2017 auto generated files +Generated\ Files/ + +# MSTest test Results +[Tt]est[Rr]esult*/ +[Bb]uild[Ll]og.* + +# NUnit +*.VisualState.xml +TestResult.xml +nunit-*.xml + +# Build Results of an ATL Project +[Dd]ebugPS/ +[Rr]eleasePS/ +dlldata.c + +# Benchmark Results +BenchmarkDotNet.Artifacts/ + +# .NET Core +project.lock.json +project.fragment.lock.json +artifacts/ + +# StyleCop +StyleCopReport.xml + +# Files built by Visual Studio +*_i.c +*_p.c +*_h.h +*.ilk +*.meta +*.obj +*.iobj +*.pch +*.pdb +*.ipdb +*.pgc +*.pgd +*.rsp +*.sbr +*.tlb +*.tli +*.tlh +*.tmp +*.tmp_proj +*_wpftmp.csproj +*.log +*.vspscc +*.vssscc +.builds +*.pidb +*.svclog +*.scc + +# Chutzpah Test files +_Chutzpah* + +# Visual C++ cache files +ipch/ +*.aps +*.ncb +*.opendb +*.opensdf +*.sdf +*.cachefile +*.VC.db +*.VC.VC.opendb + +# Visual Studio profiler +*.psess +*.vsp +*.vspx +*.sap + +# Visual Studio Trace Files +*.e2e + +# TFS 2012 Local Workspace +$tf/ + +# Guidance Automation Toolkit +*.gpState + +# ReSharper is a .NET coding add-in +_ReSharper*/ +*.[Rr]e[Ss]harper +*.DotSettings.user + +# JustCode is a .NET coding add-in +.JustCode + +# TeamCity is a build add-in +_TeamCity* + +# DotCover is a Code Coverage Tool +*.dotCover + +# AxoCover is a Code Coverage Tool +.axoCover/* +!.axoCover/settings.json + +# Visual Studio code coverage results +*.coverage +*.coveragexml + +# NCrunch +_NCrunch_* +.*crunch*.local.xml +nCrunchTemp_* + +# MightyMoose +*.mm.* +AutoTest.Net/ + +# Web workbench (sass) +.sass-cache/ + +# Installshield output folder +[Ee]xpress/ + +# DocProject is a documentation generator add-in +DocProject/buildhelp/ +DocProject/Help/*.HxT +DocProject/Help/*.HxC +DocProject/Help/*.hhc +DocProject/Help/*.hhk +DocProject/Help/*.hhp +DocProject/Help/Html2 +DocProject/Help/html + +# Click-Once directory +publish/ + +# Publish Web Output +*.[Pp]ublish.xml +*.azurePubxml +# Note: Comment the next line if you want to checkin your web deploy settings, +# but database connection strings (with potential passwords) will be unencrypted +*.pubxml +*.publishproj + +# Microsoft Azure Web App publish settings. Comment the next line if you want to +# checkin your Azure Web App publish settings, but sensitive information contained +# in these scripts will be unencrypted +PublishScripts/ + +# NuGet Packages +*.nupkg +# NuGet Symbol Packages +*.snupkg +# The packages folder can be ignored because of Package Restore +**/[Pp]ackages/* +# except build/, which is used as an MSBuild target. +!**/[Pp]ackages/build/ +# Uncomment if necessary however generally it will be regenerated when needed +#!**/[Pp]ackages/repositories.config +# NuGet v3's project.json files produces more ignorable files +*.nuget.props +*.nuget.targets + +# Microsoft Azure Build Output +csx/ +*.build.csdef + +# Microsoft Azure Emulator +ecf/ +rcf/ + +# Windows Store app package directories and files +AppPackages/ +BundleArtifacts/ +Package.StoreAssociation.xml +_pkginfo.txt +*.appx +*.appxbundle +*.appxupload + +# Visual Studio cache files +# files ending in .cache can be ignored +*.[Cc]ache +# but keep track of directories ending in .cache +!?*.[Cc]ache/ + +# Others +ClientBin/ +~$* +*~ +*.dbmdl +*.dbproj.schemaview +*.jfm +*.pfx +*.publishsettings +orleans.codegen.cs + +# Including strong name files can present a security risk +# (https://github.com/github/gitignore/pull/2483#issue-259490424) +#*.snk + +# Since there are multiple workflows, uncomment next line to ignore bower_components +# (https://github.com/github/gitignore/pull/1529#issuecomment-104372622) +#bower_components/ + +# RIA/Silverlight projects +Generated_Code/ + +# Backup & report files from converting an old project file +# to a newer Visual Studio version. Backup files are not needed, +# because we have git ;-) +_UpgradeReport_Files/ +Backup*/ +UpgradeLog*.XML +UpgradeLog*.htm +ServiceFabricBackup/ +*.rptproj.bak + +# SQL Server files +*.mdf +*.ldf +*.ndf + +# Business Intelligence projects +*.rdl.data +*.bim.layout +*.bim_*.settings +*.rptproj.rsuser +*- [Bb]ackup.rdl +*- [Bb]ackup ([0-9]).rdl +*- [Bb]ackup ([0-9][0-9]).rdl + +# Microsoft Fakes +FakesAssemblies/ + +# GhostDoc plugin setting file +*.GhostDoc.xml + +# Node.js Tools for Visual Studio +.ntvs_analysis.dat +node_modules/ + +# Visual Studio 6 build log +*.plg + +# Visual Studio 6 workspace options file +*.opt + +# Visual Studio 6 auto-generated workspace file (contains which files were open etc.) +*.vbw + +# Visual Studio LightSwitch build output +**/*.HTMLClient/GeneratedArtifacts +**/*.DesktopClient/GeneratedArtifacts +**/*.DesktopClient/ModelManifest.xml +**/*.Server/GeneratedArtifacts +**/*.Server/ModelManifest.xml +_Pvt_Extensions + +# Paket dependency manager +.paket/paket.exe +paket-files/ + +# FAKE - F# Make +.fake/ + +# CodeRush personal settings +.cr/personal + +# Python Tools for Visual Studio (PTVS) +__pycache__/ +*.pyc + +# Cake - Uncomment if you are using it +# tools/** +# !tools/packages.config + +# Tabs Studio +*.tss + +# Telerik's JustMock configuration file +*.jmconfig + +# BizTalk build output +*.btp.cs +*.btm.cs +*.odx.cs +*.xsd.cs + +# OpenCover UI analysis results +OpenCover/ + +# Azure Stream Analytics local run output +ASALocalRun/ + +# MSBuild Binary and Structured Log +*.binlog + +# NVidia Nsight GPU debugger configuration file +*.nvuser + +# MFractors (Xamarin productivity tool) working folder +.mfractor/ + +# Local History for Visual Studio +.localhistory/ + +# BeatPulse healthcheck temp database +healthchecksdb + +# Backup folder for Package Reference Convert tool in Visual Studio 2017 +MigrationBackup/ + +# Ionide (cross platform F# VS Code tools) working folder +.ionide/ diff --git a/examples/cs-oidc-issuer/MyStack.cs b/examples/cs-oidc-issuer/MyStack.cs new file mode 100644 index 00000000..a601c389 --- /dev/null +++ b/examples/cs-oidc-issuer/MyStack.cs @@ -0,0 +1,90 @@ +using Pulumi; +using Pulumi.PulumiService; +using Pulumi.PulumiService.Inputs; +using System.Collections.Generic; + +class MyStack : Pulumi.Stack +{ + public MyStack() + { + var serviceOrg = "service-provider-test-org3"; + + // A Pulumi OIDC Issuer with a basic policy + var pulumiOidcIssuer = new OidcIssuer("pulumi_issuer", new OidcIssuerArgs + { + Organization = serviceOrg, + Name = "pulumi_issuer", + Url = "https://api.pulumi.com/oidc", + Thumbprints = { + "df749a0f34ed673f8b0ec898445910c29c170d01d7d34073bd882235974a8a53" + }, + Policies = { + new AuthPolicyDefinitionArgs + { + Decision = AuthPolicyDecision.Allow, + Rules = new Dictionary { + { "aud", "urn:pulumi:org:"+serviceOrg }, + { "sub", "pulumi:deploy:org:myTestOrg:project:myTestProject:*" }, + }, + UserLogin = "pulumipus", + TokenType = AuthPolicyTokenType.Personal, + } + } + }); + + // A Github OIDC Issuer with all types of policies and TLS certificate thumbprint + var githubOidcIssuer = new OidcIssuer("github_issuer", new OidcIssuerArgs + { + Organization = serviceOrg, + Name = "github_issuer", + Url = "https://token.actions.githubusercontent.com", + Thumbprints = { + "ac476cca46ea95a04518f08e1e4bd3b010e50587f57706be7e259fd81817f1e1" + }, + Policies = { + new AuthPolicyDefinitionArgs + { + Decision = AuthPolicyDecision.Deny, + Rules = new Dictionary { + { "aud", "urn:pulumi:org:"+serviceOrg }, + { "sub", "repo:organization/repo:*" }, + }, + UserLogin = "pulumipus", + TokenType = AuthPolicyTokenType.Personal + }, + new AuthPolicyDefinitionArgs + { + Decision = AuthPolicyDecision.Allow, + Rules = new Dictionary { + { "aud", "urn:pulumi:org:"+serviceOrg }, + { "sub", "repo:organization/repo:*" }, + }, + AuthorizedPermissions = { + AuthPolicyPermissionLevel.Admin + }, + TokenType = AuthPolicyTokenType.Organization + }, + new AuthPolicyDefinitionArgs + { + Decision = AuthPolicyDecision.Deny, + Rules = new Dictionary { + { "aud", "urn:pulumi:org:"+serviceOrg }, + { "sub", "repo:organization/repo:*" }, + }, + TeamName = "dream-team", + TokenType = AuthPolicyTokenType.Team + }, + new AuthPolicyDefinitionArgs + { + Decision = AuthPolicyDecision.Allow, + Rules = new Dictionary { + { "aud", "urn:pulumi:org:"+serviceOrg }, + { "sub", "repo:organization/repo:*" }, + }, + RunnerID = "1234-5678-ABCD-XYZD", + TokenType = AuthPolicyTokenType.Runner + } + } + }); + } +} diff --git a/examples/cs-oidc-issuer/Program.cs b/examples/cs-oidc-issuer/Program.cs new file mode 100644 index 00000000..b5c1d038 --- /dev/null +++ b/examples/cs-oidc-issuer/Program.cs @@ -0,0 +1,7 @@ +using System.Threading.Tasks; +using Pulumi; + +class Program +{ + static Task Main() => Deployment.RunAsync(); +} diff --git a/examples/cs-oidc-issuer/Pulumi.yaml b/examples/cs-oidc-issuer/Pulumi.yaml new file mode 100644 index 00000000..0cecee9f --- /dev/null +++ b/examples/cs-oidc-issuer/Pulumi.yaml @@ -0,0 +1,3 @@ +name: cs-oidc-issuer +runtime: dotnet +description: A minimal C# Pulumi OIDC Issuer Example diff --git a/examples/cs-oidc-issuer/cs-teams.csproj b/examples/cs-oidc-issuer/cs-teams.csproj new file mode 100644 index 00000000..58022a18 --- /dev/null +++ b/examples/cs-oidc-issuer/cs-teams.csproj @@ -0,0 +1,14 @@ + + + + Exe + netcoreapp8.0 + enable + + + + + + + + diff --git a/examples/examples_dotnet_test.go b/examples/examples_dotnet_test.go index 634d5e7c..83aaecf6 100644 --- a/examples/examples_dotnet_test.go +++ b/examples/examples_dotnet_test.go @@ -45,3 +45,12 @@ func TestDotnetEnvironmentsExamples(t *testing.T) { }, }) } + +func TestDotnetOidcIssuerExamples(t *testing.T) { + integration.ProgramTest(t, &integration.ProgramTestOptions{ + Dir: path.Join(getCwd(t), "cs-oidc-issuer"), + Dependencies: []string{ + "Pulumi.PulumiService", + }, + }) +} diff --git a/examples/examples_nodejs_test.go b/examples/examples_nodejs_test.go index d1a6f2fd..17a0e118 100644 --- a/examples/examples_nodejs_test.go +++ b/examples/examples_nodejs_test.go @@ -144,3 +144,13 @@ func TestNodejsEnvironmentsFileAssetExample(t *testing.T) { }, }) } + +func TestNodejsOidcIssuerExample(t *testing.T) { + cwd := getCwd(t) + integration.ProgramTest(t, &integration.ProgramTestOptions{ + Dir: path.Join(cwd, ".", "ts-oidc-issuer"), + Dependencies: []string{ + "@pulumi/pulumiservice", + }, + }) +} diff --git a/examples/examples_yaml_test.go b/examples/examples_yaml_test.go index 4cb78743..96b2291a 100644 --- a/examples/examples_yaml_test.go +++ b/examples/examples_yaml_test.go @@ -406,6 +406,13 @@ func TestYamlTemplateSourcesExample(t *testing.T) { }) } +func TestYamlOidcIssuerExample(t *testing.T) { + cwd := getCwd(t) + integration.ProgramTest(t, &integration.ProgramTestOptions{ + Dir: path.Join(cwd, ".", "yaml-oidc-issuer"), + }) +} + func writePulumiYaml(t *testing.T, yamlContents interface{}) string { tmpdir := t.TempDir() b, err := yaml.Marshal(yamlContents) diff --git a/examples/ts-oidc-issuer/.gitignore b/examples/ts-oidc-issuer/.gitignore new file mode 100644 index 00000000..c6958891 --- /dev/null +++ b/examples/ts-oidc-issuer/.gitignore @@ -0,0 +1,2 @@ +/bin/ +/node_modules/ diff --git a/examples/ts-oidc-issuer/Pulumi.yaml b/examples/ts-oidc-issuer/Pulumi.yaml new file mode 100644 index 00000000..06f039a7 --- /dev/null +++ b/examples/ts-oidc-issuer/Pulumi.yaml @@ -0,0 +1,3 @@ +name: pulumi-service-oidc-issuer-example-ts +runtime: nodejs +description: A minimal TypeScript Pulumi program diff --git a/examples/ts-oidc-issuer/index.ts b/examples/ts-oidc-issuer/index.ts new file mode 100644 index 00000000..9ccb6343 --- /dev/null +++ b/examples/ts-oidc-issuer/index.ts @@ -0,0 +1,75 @@ +import * as service from "@pulumi/pulumiservice"; + +const serviceOrg = "service-provider-test-org2"; + +// A Pulumi OIDC Issuer with a basic policy +const pulumiOidcIssuer = new service.OidcIssuer("pulumi_issuer", { + organization: serviceOrg, + name: "pulumi_issuer", + url: "https://api.pulumi.com/oidc", + thumbprints: [ + "df749a0f34ed673f8b0ec898445910c29c170d01d7d34073bd882235974a8a53" + ], + policies: [ + { + decision: "allow", + rules: { + "aud": "urn:pulumi:org:"+serviceOrg, + "sub": "pulumi:deploy:org:myTestOrg:project:myTestProject:*" + }, + userLogin: "pulumipus", + tokenType: "personal" + } + ] +}) + +// A Github OIDC Issuer with all types of policies and TLS certificate thumbprint +const githubOidcIssuer = new service.OidcIssuer("github_issuer", { + organization: serviceOrg, + name: "github_issuer", + url: "https://token.actions.githubusercontent.com", + thumbprints: [ + "ac476cca46ea95a04518f08e1e4bd3b010e50587f57706be7e259fd81817f1e1" + ], + policies: [ + { + decision: "deny", + rules: { + "aud": "urn:pulumi:org:"+serviceOrg, + "sub": "repo:organization/repo:*" + }, + userLogin: "pulumipus", + tokenType: "personal" + }, + { + decision: "allow", + rules: { + "aud": "urn:pulumi:org:"+serviceOrg, + "sub": "repo:organization/repo:*" + }, + authorizedPermissions: [ + "admin" + ], + tokenType: "organization" + }, + { + decision: "deny", + rules: { + "aud": "urn:pulumi:org:"+serviceOrg, + "sub": "repo:organization/repo:*" + }, + teamName: "dream-team", + tokenType: "team" + }, + { + decision: "allow", + rules: { + "aud": "urn:pulumi:org:"+serviceOrg, + "sub": "repo:organization/repo:*" + }, + runnerID: "1234-5678-ABCD-XYZD", + tokenType: "runner" + } + ] +}) + diff --git a/examples/ts-oidc-issuer/package.json b/examples/ts-oidc-issuer/package.json new file mode 100644 index 00000000..67ada002 --- /dev/null +++ b/examples/ts-oidc-issuer/package.json @@ -0,0 +1,9 @@ +{ + "name": "pulumi-service-oidc-issuer-example-ts", + "devDependencies": { + "@types/node": "^14" + }, + "dependencies": { + "@pulumi/pulumi": "^3.0.0" + } +} diff --git a/examples/ts-oidc-issuer/tsconfig.json b/examples/ts-oidc-issuer/tsconfig.json new file mode 100644 index 00000000..ab65afa6 --- /dev/null +++ b/examples/ts-oidc-issuer/tsconfig.json @@ -0,0 +1,18 @@ +{ + "compilerOptions": { + "strict": true, + "outDir": "bin", + "target": "es2016", + "module": "commonjs", + "moduleResolution": "node", + "sourceMap": true, + "experimentalDecorators": true, + "pretty": true, + "noFallthroughCasesInSwitch": true, + "noImplicitReturns": true, + "forceConsistentCasingInFileNames": true + }, + "files": [ + "index.ts" + ] +} diff --git a/examples/yaml-oidc-issuer/Pulumi.yaml b/examples/yaml-oidc-issuer/Pulumi.yaml new file mode 100644 index 00000000..ea04c928 --- /dev/null +++ b/examples/yaml-oidc-issuer/Pulumi.yaml @@ -0,0 +1,56 @@ +name: yaml-oidc-issuer +runtime: yaml +description: A minimal example of provisioning OIDC Issuer via Pulumi YAML + +resources: +# A Pulumi OIDC Issuer with a basic policy + pulumi_issuer: + type: pulumiservice:index:OidcIssuer + properties: + organization: service-provider-test-org + name: pulumi_issuer + url: https://api.pulumi.com/oidc + thumbprints: + - df749a0f34ed673f8b0ec898445910c29c170d01d7d34073bd882235974a8a53 + policies: + - decision: allow + rules: + aud: urn:pulumi:org:service-provider-test-org + sub: pulumi:deploy:org:myTestOrg:project:myTestProject:* + userLogin: pulumipus + tokenType: personal +# A Github OIDC Issuer with all types of policies and TLS certificate thumbprint + github_issuer: + type: pulumiservice:index:OidcIssuer + properties: + organization: service-provider-test-org + name: github_issuer + url: https://token.actions.githubusercontent.com + thumbprints: + - ac476cca46ea95a04518f08e1e4bd3b010e50587f57706be7e259fd81817f1e1 + policies: + - decision: deny + rules: + aud: urn:pulumi:org:service-provider-test-org + sub: repo:organization/repo:* + userLogin: pulumipus + tokenType: personal + - decision: allow + rules: + aud: urn:pulumi:org:service-provider-test-org + sub: repo:organization/repo:* + authorizedPermissions: + - admin + tokenType: organization + - decision: deny + rules: + aud: urn:pulumi:org:service-provider-test-org + sub: repo:organization/repo:* + teamName: dream-team + tokenType: team + - decision: allow + rules: + aud: urn:pulumi:org:service-provider-test-org + sub: repo:organization/repo:* + runnerID: 1234-5678-ABCD-XYZD, + tokenType: runner \ No newline at end of file diff --git a/examples/yaml-webhooks/Pulumi.yaml b/examples/yaml-webhooks/Pulumi.yaml index 428a9457..c89d53e2 100644 --- a/examples/yaml-webhooks/Pulumi.yaml +++ b/examples/yaml-webhooks/Pulumi.yaml @@ -1,6 +1,6 @@ name: yaml-webhooks runtime: yaml -description: A minimal example of provisioning access token via Pulumi YAML +description: A minimal example of provisioning webhooks via Pulumi YAML resources: webhook: diff --git a/provider/cmd/pulumi-resource-pulumiservice/schema.json b/provider/cmd/pulumi-resource-pulumiservice/schema.json index 1eab36cf..564e9026 100644 --- a/provider/cmd/pulumi-resource-pulumiservice/schema.json +++ b/provider/cmd/pulumi-resource-pulumiservice/schema.json @@ -598,6 +598,97 @@ "description": "Destination URL that gets filled in on new project creation." } } + }, + "pulumiservice:index:AuthPolicyDefinition": { + "type": "object", + "properties": { + "decision": { + "$ref": "#/types/pulumiservice:index:AuthPolicyDecision", + "description": "The rule type of this policy definition" + }, + "tokenType": { + "$ref": "#/types/pulumiservice:index:AuthPolicyTokenType", + "description": "The token type for this policy definition" + }, + "teamName": { + "type": "string", + "description": "The team name for team tokens." + }, + "userLogin": { + "type": "string", + "description": "The user login for personal tokens." + }, + "runnerID": { + "type": "string", + "description": "The runner ID for deployment runner tokens." + }, + "authorizedPermissions": { + "description": "The permission level for organization tokens.", + "type": "array", + "items": { + "$ref": "#/types/pulumiservice:index:AuthPolicyPermissionLevel" + } + }, + "rules": { + "type": "object", + "additionalProperties": { + "type": "string" + }, + "description": "OIDC rules to set for this policy." + } + }, + "required": [ + "decision", + "tokenType", + "rules" + ] + }, + "pulumiservice:index:AuthPolicyDecision": { + "type": "string", + "enum": [ + { + "description": "A deny rule for Oidc Issuer Policy.", + "value": "deny" + }, + { + "description": "An allow rule for Oidc Issuer Policy.", + "value": "allow" + } + ] + }, + "pulumiservice:index:AuthPolicyTokenType": { + "type": "string", + "enum": [ + { + "description": "Personal Pulumi token. Requires userLogin field to be filled.", + "value": "personal" + }, + { + "description": "Team Pulumi token. Requires teamName field to be filled.", + "value": "team" + }, + { + "description": "Organization Pulumi token. Requires authorizedPermissions field to be filled.", + "value": "organization" + }, + { + "description": "Deployment Runner Pulumi token. Requires runnerID field to be filled.", + "value": "runner" + } + ] + }, + "pulumiservice:index:AuthPolicyPermissionLevel": { + "type": "string", + "enum": [ + { + "description": "Standard level of permissions.", + "value": "standard" + }, + { + "description": "Admin level of permissions.", + "value": "admin" + } + ] } }, "resources": { @@ -1644,6 +1735,89 @@ "sourceName", "sourceURL" ] + }, + "pulumiservice:index:OidcIssuer": { + "description": "An OIDC issuer registration with Pulumi.", + "properties": { + "organization": { + "description": "Organization name.", + "type": "string", + "replaceOnChanges": true + }, + "name": { + "description": "Issuer name.", + "type": "string" + }, + "url": { + "description": "The OIDC issuer URL.", + "type": "string", + "replaceOnChanges": true + }, + "maxExpirationSeconds": { + "description": "The maximum duration of the Pulumi access token working after an exchange, specified in seconds.", + "type": "integer" + }, + "thumbprints": { + "type": "array", + "items": { + "type": "string" + }, + "description": "The thumbprints of issuer's TLS certificates. By default, Pulumi will store the thumbprint of the certificate used to serve the OpenID configuration. If the provider uses multiple certificates to serve content, it is required to manually configure these." + }, + "policies": { + "type": "array", + "items": { + "$ref": "#/types/pulumiservice:index:AuthPolicyDefinition" + }, + "description": "The authorization policies for this Oidc Issuer." + } + }, + "required": [ + "organization", + "name", + "url", + "thumbprints", + "policies" + ], + "inputProperties": { + "organization": { + "description": "Organization name.", + "type": "string", + "replaceOnChanges": true + }, + "name": { + "description": "Issuer name.", + "type": "string" + }, + "url": { + "description": "The OIDC issuer URL.", + "type": "string", + "replaceOnChanges": true + }, + "maxExpirationSeconds": { + "description": "The maximum duration of the Pulumi access token working after an exchange, specified in seconds.", + "type": "integer" + }, + "thumbprints": { + "type": "array", + "items": { + "type": "string" + }, + "description": "The thumbprints of issuer's TLS certificates. By default, Pulumi will store the thumbprint of the certificate used to serve the OpenID configuration. If the provider uses multiple certificates to serve content, it is required to manually configure these." + }, + "policies": { + "type": "array", + "items": { + "$ref": "#/types/pulumiservice:index:AuthPolicyDefinition" + }, + "description": "The auth policies for this Oidc Issuer." + } + }, + "requiredInputs": [ + "organization", + "name", + "url" + ] } }, "language": { diff --git a/provider/pkg/internal/pulumiapi/oidc_issuer.go b/provider/pkg/internal/pulumiapi/oidc_issuer.go new file mode 100644 index 00000000..a98ab957 --- /dev/null +++ b/provider/pkg/internal/pulumiapi/oidc_issuer.go @@ -0,0 +1,126 @@ +package pulumiapi + +import ( + "context" + "fmt" + "net/http" + "path" +) + +type OidcClient interface { + RegisterOidcIssuer(ctx context.Context, organization string, request OidcIssuerRegistrationRequest) (*OidcIssuerRegistrationResponse, error) + UpdateOidcIssuer(ctx context.Context, organization string, issuerId string, request OidcIssuerUpdateRequest) (*OidcIssuerRegistrationResponse, error) + GetOidcIssuer(ctx context.Context, organization string, issuerId string) (*OidcIssuerRegistrationResponse, error) + DeleteOidcIssuer(ctx context.Context, organization string, issuerId string) error + GetAuthPolicies(ctx context.Context, organization string, issuerId string) (*AuthPolicy, error) + UpdateAuthPolicies(ctx context.Context, organization string, policyId string, request AuthPolicyUpdateRequest) (*AuthPolicy, error) +} + +type OidcIssuerRegistrationRequest struct { + Name string `json:"name"` + URL string `json:"url"` + Thumbprints []string `json:"thumbprints,omitempty"` + MaxExpiration *int64 `json:"maxExpiration,omitempty"` +} + +type OidcIssuerUpdateRequest struct { + Name *string `json:"name,omitempty"` + Thumbprints *[]string `json:"thumbprints,omitempty"` + MaxExpiration *int64 `json:"maxExpiration,omitempty"` +} + +type OidcIssuerRegistrationResponse struct { + ID string `json:"id"` + Name string `json:"name"` + URL string `json:"url"` + Issuer string `json:"issuer"` + Thumbprints []string `json:"thumbprints,omitempty"` + MaxExpiration *int64 `json:"maxExpiration,omitempty"` +} + +type AuthPolicy struct { + ID string `json:"id"` + Version int `json:"version"` + Created *string `json:"created,omitempty"` + Modified *string `json:"modified,omitempty"` + Definition []*AuthPolicyDefinition `json:"policies"` +} + +type AuthPolicyDefinition struct { + Decision string `json:"decision"` + TokenType string `json:"tokenType"` + TeamName *string `json:"teamName,omitempty"` + UserLogin *string `json:"userLogin,omitempty"` + RunnerID *string `json:"runnerID,omitempty"` + AuthorizedPermissions []string `json:"authorizedPermissions"` + Rules map[string]string `json:"rules"` +} + +type AuthPolicyUpdateRequest struct { + Definition []AuthPolicyDefinition `json:"policies"` +} + +func (c *Client) RegisterOidcIssuer(ctx context.Context, organization string, request OidcIssuerRegistrationRequest) (*OidcIssuerRegistrationResponse, error) { + apiPath := path.Join("orgs", organization, "oidc", "issuers") + var response = &OidcIssuerRegistrationResponse{} + _, err := c.do(ctx, http.MethodPost, apiPath, request, response) + if err != nil { + return nil, fmt.Errorf("failed to register oidc issuer '%s': %w", request.Name, err) + } + return response, nil +} + +func (c *Client) UpdateOidcIssuer(ctx context.Context, organization string, issuerId string, request OidcIssuerUpdateRequest) (*OidcIssuerRegistrationResponse, error) { + apiPath := path.Join("orgs", organization, "oidc", "issuers", issuerId) + var response = &OidcIssuerRegistrationResponse{} + _, err := c.do(ctx, http.MethodPatch, apiPath, request, response) + if err != nil { + return nil, fmt.Errorf("failed to update oidc issuer with id '%s': %w", issuerId, err) + } + return response, nil +} + +func (c *Client) GetOidcIssuer(ctx context.Context, organization string, issuerId string) (*OidcIssuerRegistrationResponse, error) { + apiPath := path.Join("orgs", organization, "oidc", "issuers", issuerId) + var response = &OidcIssuerRegistrationResponse{} + result, err := c.do(ctx, http.MethodGet, apiPath, nil, response) + if err != nil { + if result.StatusCode == 404 { + return nil, nil + } + return nil, fmt.Errorf("failed to get oidc issuer with id '%s': %w", issuerId, err) + } + return response, nil +} + +func (c *Client) DeleteOidcIssuer(ctx context.Context, organization string, issuerId string) error { + apiPath := path.Join("orgs", organization, "oidc", "issuers", issuerId) + result, err := c.do(ctx, http.MethodDelete, apiPath, nil, nil) + if err != nil { + if result.StatusCode == 404 { + return nil + } + return fmt.Errorf("failed to delete oidc issuer with id '%s': %w", issuerId, err) + } + return nil +} + +func (c *Client) GetAuthPolicies(ctx context.Context, organization string, issuerId string) (*AuthPolicy, error) { + apiPath := path.Join("orgs", organization, "auth", "policies", "oidcissuers", issuerId) + var response = &AuthPolicy{} + _, err := c.do(ctx, http.MethodGet, apiPath, nil, response) + if err != nil { + return nil, fmt.Errorf("failed to get auth policies with issuer id '%s': %w", issuerId, err) + } + return response, nil +} + +func (c *Client) UpdateAuthPolicies(ctx context.Context, organization string, policyId string, request AuthPolicyUpdateRequest) (*AuthPolicy, error) { + apiPath := path.Join("orgs", organization, "auth", "policies", policyId) + var response = &AuthPolicy{} + _, err := c.do(ctx, http.MethodPatch, apiPath, request, response) + if err != nil { + return nil, fmt.Errorf("failed to update auth policies with policy id '%s': %w", policyId, err) + } + return response, nil +} diff --git a/provider/pkg/provider/oidc_issuer.go b/provider/pkg/provider/oidc_issuer.go new file mode 100644 index 00000000..3f9e53e9 --- /dev/null +++ b/provider/pkg/provider/oidc_issuer.go @@ -0,0 +1,484 @@ +package provider + +import ( + "bytes" + "context" + "encoding/gob" + "fmt" + "sort" + "strings" + + pbempty "google.golang.org/protobuf/types/known/emptypb" + "google.golang.org/protobuf/types/known/structpb" + + "github.com/pulumi/pulumi-pulumiservice/provider/pkg/internal/pulumiapi" + "github.com/pulumi/pulumi/sdk/v3/go/common/resource" + "github.com/pulumi/pulumi/sdk/v3/go/common/resource/plugin" + pulumirpc "github.com/pulumi/pulumi/sdk/v3/proto/go" +) + +type PulumiServiceOidcIssuerResource struct { + client pulumiapi.OidcClient +} + +type AuthPolicyDecision string + +const ( + AuthPolicyDecisionAllow = AuthPolicyDecision("allow") + AuthPolicyDecisionDeny = AuthPolicyDecision("deny") +) + +type AuthPolicyTokenType string + +const ( + AuthPolicyTokenTypeOrganization = AuthPolicyTokenType("organization") + AuthPolicyTokenTypePersonal = AuthPolicyTokenType("personal") + AuthPolicyTokenTypeTeam = AuthPolicyTokenType("team") + AuthPolicyTokenTypeDeploymentRunner = AuthPolicyTokenType("runner") +) + +type AuthPolicyPermissionLevel string + +const ( + AuthPolicyPermissionLevelStandard = AuthPolicyPermissionLevel("standard") + AuthPolicyPermissionLevelAdmin = AuthPolicyPermissionLevel("admin") +) + +type PulumiServiceAuthPolicyDefinition struct { + Decision AuthPolicyDecision + TokenType AuthPolicyTokenType + TeamName *string + UserLogin *string + RunnerID *string + AuthorizedPermissions []AuthPolicyPermissionLevel + Rules map[string]string +} + +type PulumiServiceOidcIssuerInput struct { + Organization string + Name string + URL string + MaxExpirationSeconds *int64 + Thumbprints []string + Policies []PulumiServiceAuthPolicyDefinition +} + +type PulumiServiceOidcIssuerProperties struct { + PulumiServiceOidcIssuerInput +} + +func GenerateOidcIssuerProperties(input PulumiServiceOidcIssuerInput, issuer *pulumiapi.OidcIssuerRegistrationResponse, authPolicy *pulumiapi.AuthPolicy) (outputs *structpb.Struct, inputs *structpb.Struct, err error) { + inputMap := input.toPropertyMap() + + outputMap := inputMap + outputMap["thumbprints"] = resource.NewPropertyValue(issuer.Thumbprints) + outputMap["policies"] = apiPoliciesToPropertyValue(authPolicy.Definition) + + inputs, err = plugin.MarshalProperties(inputMap, StandardMarshal) + if err != nil { + return nil, nil, err + } + + outputs, err = plugin.MarshalProperties(outputMap, StandardMarshal) + if err != nil { + return nil, nil, err + } + + return outputs, inputs, err +} + +func (oir *PulumiServiceOidcIssuerResource) ToPulumiServiceOidcIssuerInput(inputMap resource.PropertyMap) PulumiServiceOidcIssuerInput { + input := PulumiServiceOidcIssuerInput{} + + input.Organization = inputMap["organization"].StringValue() + input.Name = inputMap["name"].StringValue() + input.URL = inputMap["url"].StringValue() + if inputMap["maxExpirationSeconds"].HasValue() { + seconds := int64(inputMap["maxExpirationSeconds"].NumberValue()) + input.MaxExpirationSeconds = &seconds + } + if inputMap["thumbprints"].HasValue() { + thumbprints := []string{} + for _, thumb := range inputMap["thumbprints"].ArrayValue() { + thumbprints = append(thumbprints, thumb.StringValue()) + } + input.Thumbprints = thumbprints + } + if inputMap["policies"].HasValue() { + policies := []PulumiServiceAuthPolicyDefinition{} + for _, policy := range inputMap["policies"].ArrayValue() { + policies = append(policies, propertyMapToPolicy(policy.ObjectValue())) + } + policies = sortPolicies(policies) + input.Policies = policies + } + + return input +} + +func (oir *PulumiServiceOidcIssuerResource) Name() string { + return "pulumiservice:index:OidcIssuer" +} + +func (oir *PulumiServiceOidcIssuerResource) Diff(req *pulumirpc.DiffRequest) (*pulumirpc.DiffResponse, error) { + replaceProperties := map[string]bool{ + "organization": true, + "url": true, + } + + return StandardDiff(req, replaceProperties) +} + +func (oir *PulumiServiceOidcIssuerResource) Delete(req *pulumirpc.DeleteRequest) (*pbempty.Empty, error) { + ctx := context.Background() + organization, issuerId, err := splitIssuerId(req.Id) + if err != nil { + return nil, err + } + + err = oir.client.DeleteOidcIssuer(ctx, *organization, *issuerId) + if err != nil { + return nil, err + } + + return &pbempty.Empty{}, nil +} + +func (oir *PulumiServiceOidcIssuerResource) Create(req *pulumirpc.CreateRequest) (*pulumirpc.CreateResponse, error) { + ctx := context.Background() + inputMap, err := plugin.UnmarshalProperties(req.GetProperties(), StandardUnmarshal) + if err != nil { + return nil, err + } + + // Create OIDC Issuer itself + input := oir.ToPulumiServiceOidcIssuerInput(inputMap) + registerResponse, err := oir.client.RegisterOidcIssuer(ctx, input.Organization, input.toCreateRequest()) + if err != nil { + return nil, fmt.Errorf("error creating oidc issuer '%s': %s", input.Name, err.Error()) + } + + // Retrieve policy ID + authPolicy, err := oir.client.GetAuthPolicies(ctx, input.Organization, registerResponse.ID) + if err != nil { + return nil, fmt.Errorf("error retrieving auth policies for oidc issuer '%s': %s", registerResponse.ID, err.Error()) + } + + // If user has provided policies, update with those, otherwise use the default one + if len(input.Policies) > 0 { + request := policiesToApiRequest(input.Policies) + authPolicy, err = oir.client.UpdateAuthPolicies(ctx, input.Organization, authPolicy.ID, request) + if err != nil { + // To prevent resource being stuck in limbo, best-effort delete the issuer if policies were invalid + _ = oir.client.DeleteOidcIssuer(ctx, input.Organization, registerResponse.ID) + + return nil, fmt.Errorf("error updating auth policies for oidc issuer '%s': %s", registerResponse.ID, err.Error()) + } + } + + outputProperties, _, err := GenerateOidcIssuerProperties(input, registerResponse, authPolicy) + if err != nil { + return nil, err + } + + return &pulumirpc.CreateResponse{ + Id: fmt.Sprintf("%s/%s", input.Organization, registerResponse.ID), + Properties: outputProperties, + }, nil +} + +func (oir *PulumiServiceOidcIssuerResource) Check(req *pulumirpc.CheckRequest) (*pulumirpc.CheckResponse, error) { + // This conversion to and from is needed to sort policies on input + inputMap, err := plugin.UnmarshalProperties(req.GetNews(), StandardUnmarshal) + if err != nil { + return nil, err + } + input := oir.ToPulumiServiceOidcIssuerInput(inputMap) + inputs, err := plugin.MarshalProperties(input.toPropertyMap(), StandardMarshal) + if err != nil { + return nil, err + } + return &pulumirpc.CheckResponse{Inputs: inputs, Failures: nil}, nil +} + +func (oir *PulumiServiceOidcIssuerResource) Update(req *pulumirpc.UpdateRequest) (*pulumirpc.UpdateResponse, error) { + ctx := context.Background() + inputMap, err := plugin.UnmarshalProperties(req.GetNews(), StandardUnmarshal) + if err != nil { + return nil, err + } + + _, issuerId, err := splitIssuerId(req.Id) + if err != nil { + return nil, err + } + + // Update OIDC Issuer itself + input := oir.ToPulumiServiceOidcIssuerInput(inputMap) + updateResponse, err := oir.client.UpdateOidcIssuer(ctx, input.Organization, *issuerId, input.toUpdateRequest()) + if err != nil { + return nil, fmt.Errorf("error creating oidc issuer '%s': %s", input.Name, err.Error()) + } + + // Retrieve policy ID + authPolicy, err := oir.client.GetAuthPolicies(ctx, input.Organization, *issuerId) + if err != nil { + return nil, fmt.Errorf("error retrieving auth policies for oidc issuer '%s': %s", *issuerId, err.Error()) + } + + // If user has provided policies, update with those, otherwise use the default one + if len(input.Policies) > 0 { + request := policiesToApiRequest(input.Policies) + authPolicy, err = oir.client.UpdateAuthPolicies(ctx, input.Organization, authPolicy.ID, request) + if err != nil { + return nil, fmt.Errorf("error updating auth policies for oidc issuer '%s': %s", *issuerId, err.Error()) + } + } + + outputProperties, _, err := GenerateOidcIssuerProperties(input, updateResponse, authPolicy) + if err != nil { + return nil, err + } + + return &pulumirpc.UpdateResponse{ + Properties: outputProperties, + }, nil +} + +func (oir *PulumiServiceOidcIssuerResource) Read(req *pulumirpc.ReadRequest) (*pulumirpc.ReadResponse, error) { + ctx := context.Background() + + organization, issuerId, err := splitIssuerId(req.Id) + if err != nil { + return nil, err + } + + readResponse, err := oir.client.GetOidcIssuer(ctx, *organization, *issuerId) + if err != nil { + return nil, err + } + if readResponse == nil { + return &pulumirpc.ReadResponse{}, nil + } + + authPolicy, err := oir.client.GetAuthPolicies(ctx, *organization, *issuerId) + if err != nil { + return nil, fmt.Errorf("error retrieving auth policies for oidc issuer '%s': %s", *issuerId, err.Error()) + } + + input := PulumiServiceOidcIssuerInput{ + Organization: *organization, + Name: readResponse.Name, + URL: readResponse.URL, + MaxExpirationSeconds: readResponse.MaxExpiration, + Thumbprints: readResponse.Thumbprints, + Policies: apiPoliciesToInputs(authPolicy.Definition), + } + + outputProperties, inputs, err := GenerateOidcIssuerProperties(input, readResponse, authPolicy) + if err != nil { + return nil, err + } + + return &pulumirpc.ReadResponse{ + Id: req.GetId(), + Properties: outputProperties, + Inputs: inputs, + }, nil +} + +func (oir *PulumiServiceOidcIssuerResource) Configure(_ PulumiServiceConfig) { +} + +func (input PulumiServiceOidcIssuerInput) toPropertyMap() resource.PropertyMap { + inputMap := resource.PropertyMap{} + inputMap["organization"] = resource.NewPropertyValue(input.Organization) + inputMap["name"] = resource.NewPropertyValue(input.Name) + inputMap["url"] = resource.NewPropertyValue(input.URL) + if input.MaxExpirationSeconds != nil { + inputMap["maxExpirationSeconds"] = resource.NewPropertyValue(input.MaxExpirationSeconds) + } + if len(input.Thumbprints) > 0 { + inputMap["thumbprints"] = resource.NewPropertyValue(input.Thumbprints) + } + if len(input.Policies) > 0 { + policyValues := []resource.PropertyValue{} + inputPolicies := sortPolicies(input.Policies) + for _, policy := range inputPolicies { + propertyMap := policy.toPropertyMap() + policyValues = append(policyValues, resource.NewObjectProperty(propertyMap)) + } + inputMap["policies"] = resource.NewArrayProperty(policyValues) + } + return inputMap +} + +func (policy PulumiServiceAuthPolicyDefinition) toPropertyMap() resource.PropertyMap { + propertyMap := resource.PropertyMap{} + propertyMap["decision"] = resource.NewPropertyValue(policy.Decision) + propertyMap["tokenType"] = resource.NewPropertyValue(policy.TokenType) + if policy.TeamName != nil { + propertyMap["teamName"] = resource.NewPropertyValue(policy.TeamName) + } + if policy.UserLogin != nil { + propertyMap["userLogin"] = resource.NewPropertyValue(policy.UserLogin) + } + if policy.RunnerID != nil { + propertyMap["runnerID"] = resource.NewPropertyValue(policy.RunnerID) + } + if len(policy.AuthorizedPermissions) > 0 { + propertyMap["authorizedPermissions"] = resource.NewPropertyValue(policy.AuthorizedPermissions) + } + propertyMap["rules"] = resource.NewPropertyValue(policy.Rules) + + return propertyMap +} + +func apiPoliciesToPropertyValue(apiPolicies []*pulumiapi.AuthPolicyDefinition) resource.PropertyValue { + policyValues := []resource.PropertyValue{} + for _, policy := range apiPoliciesToInputs(apiPolicies) { + propertyMap := policy.toPropertyMap() + policyValues = append(policyValues, resource.NewObjectProperty(propertyMap)) + } + return resource.NewArrayProperty(policyValues) +} + +func (input *PulumiServiceOidcIssuerInput) toCreateRequest() pulumiapi.OidcIssuerRegistrationRequest { + return pulumiapi.OidcIssuerRegistrationRequest{ + Name: input.Name, + URL: input.URL, + Thumbprints: input.Thumbprints, + MaxExpiration: input.MaxExpirationSeconds, + } +} + +func (input *PulumiServiceOidcIssuerInput) toUpdateRequest() pulumiapi.OidcIssuerUpdateRequest { + return pulumiapi.OidcIssuerUpdateRequest{ + Name: &input.Name, + Thumbprints: &input.Thumbprints, + MaxExpiration: input.MaxExpirationSeconds, + } +} + +func propertyMapToPolicy(policyObject resource.PropertyMap) PulumiServiceAuthPolicyDefinition { + var teamName *string = nil + if policyObject["teamName"].HasValue() { + value := policyObject["teamName"].StringValue() + teamName = &value + } + + var userLogin *string = nil + if policyObject["userLogin"].HasValue() { + value := policyObject["userLogin"].StringValue() + userLogin = &value + } + + var runnerID *string = nil + if policyObject["runnerID"].HasValue() { + value := policyObject["runnerID"].StringValue() + runnerID = &value + } + + authorizedPermissions := []AuthPolicyPermissionLevel{} + if policyObject["authorizedPermissions"].HasValue() { + for _, permission := range policyObject["authorizedPermissions"].ArrayValue() { + authorizedPermissions = append(authorizedPermissions, AuthPolicyPermissionLevel(permission.StringValue())) + } + } + + rules := map[string]string{} + if policyObject["rules"].HasValue() { + for k, v := range policyObject["rules"].ObjectValue() { + key := string(k) + rules[key] = v.StringValue() + } + } + + return PulumiServiceAuthPolicyDefinition{ + Decision: AuthPolicyDecision(policyObject["decision"].StringValue()), + TokenType: AuthPolicyTokenType(policyObject["tokenType"].StringValue()), + TeamName: teamName, + UserLogin: userLogin, + RunnerID: runnerID, + AuthorizedPermissions: authorizedPermissions, + Rules: rules, + } +} + +func policiesToApiRequest(policies []PulumiServiceAuthPolicyDefinition) pulumiapi.AuthPolicyUpdateRequest { + apiPolicies := []pulumiapi.AuthPolicyDefinition{} + + for _, policy := range policies { + apiPolicies = append(apiPolicies, pulumiapi.AuthPolicyDefinition{ + Decision: string(policy.Decision), + TokenType: string(policy.TokenType), + TeamName: policy.TeamName, + UserLogin: policy.UserLogin, + RunnerID: policy.RunnerID, + AuthorizedPermissions: permissionsToApi(policy.AuthorizedPermissions), + Rules: policy.Rules, + }) + } + + return pulumiapi.AuthPolicyUpdateRequest{ + Definition: apiPolicies, + } +} + +func apiPoliciesToInputs(policies []*pulumiapi.AuthPolicyDefinition) []PulumiServiceAuthPolicyDefinition { + inputPolicies := []PulumiServiceAuthPolicyDefinition{} + for _, policy := range policies { + inputPolicies = append(inputPolicies, apiPolicyToInput(*policy)) + } + inputPolicies = sortPolicies(inputPolicies) + return inputPolicies +} + +func apiPolicyToInput(policy pulumiapi.AuthPolicyDefinition) PulumiServiceAuthPolicyDefinition { + return PulumiServiceAuthPolicyDefinition{ + Decision: AuthPolicyDecision(policy.Decision), + TokenType: AuthPolicyTokenType(policy.TokenType), + TeamName: policy.TeamName, + UserLogin: policy.UserLogin, + RunnerID: policy.RunnerID, + AuthorizedPermissions: permissionsToInput(policy.AuthorizedPermissions), + Rules: policy.Rules, + } +} + +func permissionsToApi(permissions []AuthPolicyPermissionLevel) []string { + apiPermissions := []string{} + for _, permission := range permissions { + apiPermissions = append(apiPermissions, string(permission)) + } + return apiPermissions +} + +func permissionsToInput(permissions []string) []AuthPolicyPermissionLevel { + inputPermissions := []AuthPolicyPermissionLevel{} + for _, permission := range permissions { + inputPermissions = append(inputPermissions, AuthPolicyPermissionLevel(permission)) + } + return inputPermissions +} + +func splitIssuerId(id string) (organization *string, issuerId *string, err error) { + splitId := strings.Split(id, "/") + if len(splitId) != 2 { + return nil, nil, fmt.Errorf("error splitting resource id '%s'", id) + } + return &splitId[0], &splitId[1], nil +} + +func sortPolicies(policies []PulumiServiceAuthPolicyDefinition) []PulumiServiceAuthPolicyDefinition { + sort.Slice(policies, func(i, j int) bool { + var firstBuffer bytes.Buffer + _ = gob.NewEncoder(&firstBuffer).Encode(policies[i]) + firstHash := firstBuffer.String() + var secondBuffer bytes.Buffer + _ = gob.NewEncoder(&secondBuffer).Encode(policies[j]) + secondHash := secondBuffer.String() + return firstHash < secondHash + }) + return policies +} diff --git a/provider/pkg/provider/provider.go b/provider/pkg/provider/provider.go index fe687e0f..d3d52150 100644 --- a/provider/pkg/provider/provider.go +++ b/provider/pkg/provider/provider.go @@ -181,6 +181,9 @@ func (k *pulumiserviceProvider) Configure(_ context.Context, req *pulumirpc.Conf &PulumiServiceTemplateSourceResource{ client: client, }, + &PulumiServiceOidcIssuerResource{ + client: client, + }, } for _, sr := range k.pulumiResources { diff --git a/provider/pkg/provider/resource_util.go b/provider/pkg/provider/resource_util.go new file mode 100644 index 00000000..89c6ff1a --- /dev/null +++ b/provider/pkg/provider/resource_util.go @@ -0,0 +1,49 @@ +package provider + +import ( + "github.com/pulumi/pulumi/sdk/v3/go/common/resource/plugin" + pulumirpc "github.com/pulumi/pulumi/sdk/v3/proto/go" +) + +func StandardDiff(req *pulumirpc.DiffRequest, replaceProperties map[string]bool) (*pulumirpc.DiffResponse, error) { + olds, err := plugin.UnmarshalProperties(req.GetOldInputs(), plugin.MarshalOptions{KeepUnknowns: false, SkipNulls: true}) + if err != nil { + return nil, err + } + + news, err := plugin.UnmarshalProperties(req.GetNews(), plugin.MarshalOptions{KeepUnknowns: true, SkipNulls: true}) + if err != nil { + return nil, err + } + + diffs := olds.Diff(news) + if diffs == nil { + return &pulumirpc.DiffResponse{ + Changes: pulumirpc.DiffResponse_DIFF_NONE, + }, nil + } + + dd := plugin.NewDetailedDiffFromObjectDiff(diffs, false) + + detailedDiffs := map[string]*pulumirpc.PropertyDiff{} + + for k, v := range dd { + if _, ok := replaceProperties[k]; ok { + v.Kind = v.Kind.AsReplace() + } + detailedDiffs[k] = &pulumirpc.PropertyDiff{ + Kind: pulumirpc.PropertyDiff_Kind(v.Kind), + InputDiff: v.InputDiff, + } + } + + changes := pulumirpc.DiffResponse_DIFF_NONE + if len(detailedDiffs) > 0 { + changes = pulumirpc.DiffResponse_DIFF_SOME + } + return &pulumirpc.DiffResponse{ + Changes: changes, + DetailedDiff: detailedDiffs, + HasDetailedDiff: true, + }, nil +} diff --git a/sdk/dotnet/Enums.cs b/sdk/dotnet/Enums.cs index 61c87775..3f951f90 100644 --- a/sdk/dotnet/Enums.cs +++ b/sdk/dotnet/Enums.cs @@ -7,6 +7,116 @@ namespace Pulumi.PulumiService { + [EnumType] + public readonly struct AuthPolicyDecision : IEquatable + { + private readonly string _value; + + private AuthPolicyDecision(string value) + { + _value = value ?? throw new ArgumentNullException(nameof(value)); + } + + /// + /// A deny rule for Oidc Issuer Policy. + /// + public static AuthPolicyDecision Deny { get; } = new AuthPolicyDecision("deny"); + /// + /// An allow rule for Oidc Issuer Policy. + /// + public static AuthPolicyDecision Allow { get; } = new AuthPolicyDecision("allow"); + + public static bool operator ==(AuthPolicyDecision left, AuthPolicyDecision right) => left.Equals(right); + public static bool operator !=(AuthPolicyDecision left, AuthPolicyDecision right) => !left.Equals(right); + + public static explicit operator string(AuthPolicyDecision value) => value._value; + + [EditorBrowsable(EditorBrowsableState.Never)] + public override bool Equals(object? obj) => obj is AuthPolicyDecision other && Equals(other); + public bool Equals(AuthPolicyDecision other) => string.Equals(_value, other._value, StringComparison.Ordinal); + + [EditorBrowsable(EditorBrowsableState.Never)] + public override int GetHashCode() => _value?.GetHashCode() ?? 0; + + public override string ToString() => _value; + } + + [EnumType] + public readonly struct AuthPolicyPermissionLevel : IEquatable + { + private readonly string _value; + + private AuthPolicyPermissionLevel(string value) + { + _value = value ?? throw new ArgumentNullException(nameof(value)); + } + + /// + /// Standard level of permissions. + /// + public static AuthPolicyPermissionLevel Standard { get; } = new AuthPolicyPermissionLevel("standard"); + /// + /// Admin level of permissions. + /// + public static AuthPolicyPermissionLevel Admin { get; } = new AuthPolicyPermissionLevel("admin"); + + public static bool operator ==(AuthPolicyPermissionLevel left, AuthPolicyPermissionLevel right) => left.Equals(right); + public static bool operator !=(AuthPolicyPermissionLevel left, AuthPolicyPermissionLevel right) => !left.Equals(right); + + public static explicit operator string(AuthPolicyPermissionLevel value) => value._value; + + [EditorBrowsable(EditorBrowsableState.Never)] + public override bool Equals(object? obj) => obj is AuthPolicyPermissionLevel other && Equals(other); + public bool Equals(AuthPolicyPermissionLevel other) => string.Equals(_value, other._value, StringComparison.Ordinal); + + [EditorBrowsable(EditorBrowsableState.Never)] + public override int GetHashCode() => _value?.GetHashCode() ?? 0; + + public override string ToString() => _value; + } + + [EnumType] + public readonly struct AuthPolicyTokenType : IEquatable + { + private readonly string _value; + + private AuthPolicyTokenType(string value) + { + _value = value ?? throw new ArgumentNullException(nameof(value)); + } + + /// + /// Personal Pulumi token. Requires userLogin field to be filled. + /// + public static AuthPolicyTokenType Personal { get; } = new AuthPolicyTokenType("personal"); + /// + /// Team Pulumi token. Requires teamName field to be filled. + /// + public static AuthPolicyTokenType Team { get; } = new AuthPolicyTokenType("team"); + /// + /// Organization Pulumi token. Requires authorizedPermissions field to be filled. + /// + public static AuthPolicyTokenType Organization { get; } = new AuthPolicyTokenType("organization"); + /// + /// Deployment Runner Pulumi token. Requires runnerID field to be filled. + /// + public static AuthPolicyTokenType Runner { get; } = new AuthPolicyTokenType("runner"); + + public static bool operator ==(AuthPolicyTokenType left, AuthPolicyTokenType right) => left.Equals(right); + public static bool operator !=(AuthPolicyTokenType left, AuthPolicyTokenType right) => !left.Equals(right); + + public static explicit operator string(AuthPolicyTokenType value) => value._value; + + [EditorBrowsable(EditorBrowsableState.Never)] + public override bool Equals(object? obj) => obj is AuthPolicyTokenType other && Equals(other); + public bool Equals(AuthPolicyTokenType other) => string.Equals(_value, other._value, StringComparison.Ordinal); + + [EditorBrowsable(EditorBrowsableState.Never)] + public override int GetHashCode() => _value?.GetHashCode() ?? 0; + + public override string ToString() => _value; + } + [EnumType] public readonly struct EnvironmentPermission : IEquatable { diff --git a/sdk/dotnet/Inputs/AuthPolicyDefinitionArgs.cs b/sdk/dotnet/Inputs/AuthPolicyDefinitionArgs.cs new file mode 100644 index 00000000..ffc77691 --- /dev/null +++ b/sdk/dotnet/Inputs/AuthPolicyDefinitionArgs.cs @@ -0,0 +1,74 @@ +// *** WARNING: this file was generated by pulumi. *** +// *** Do not edit by hand unless you're certain you know what you are doing! *** + +using System; +using System.Collections.Generic; +using System.Collections.Immutable; +using System.Threading.Tasks; +using Pulumi.Serialization; + +namespace Pulumi.PulumiService.Inputs +{ + + public sealed class AuthPolicyDefinitionArgs : global::Pulumi.ResourceArgs + { + [Input("authorizedPermissions")] + private InputList? _authorizedPermissions; + + /// + /// The permission level for organization tokens. + /// + public InputList AuthorizedPermissions + { + get => _authorizedPermissions ?? (_authorizedPermissions = new InputList()); + set => _authorizedPermissions = value; + } + + /// + /// The rule type of this policy definition + /// + [Input("decision", required: true)] + public Input Decision { get; set; } = null!; + + [Input("rules", required: true)] + private InputMap? _rules; + + /// + /// OIDC rules to set for this policy. + /// + public InputMap Rules + { + get => _rules ?? (_rules = new InputMap()); + set => _rules = value; + } + + /// + /// The runner ID for deployment runner tokens. + /// + [Input("runnerID")] + public Input? RunnerID { get; set; } + + /// + /// The team name for team tokens. + /// + [Input("teamName")] + public Input? TeamName { get; set; } + + /// + /// The token type for this policy definition + /// + [Input("tokenType", required: true)] + public Input TokenType { get; set; } = null!; + + /// + /// The user login for personal tokens. + /// + [Input("userLogin")] + public Input? UserLogin { get; set; } + + public AuthPolicyDefinitionArgs() + { + } + public static new AuthPolicyDefinitionArgs Empty => new AuthPolicyDefinitionArgs(); + } +} diff --git a/sdk/dotnet/OidcIssuer.cs b/sdk/dotnet/OidcIssuer.cs new file mode 100644 index 00000000..040da42c --- /dev/null +++ b/sdk/dotnet/OidcIssuer.cs @@ -0,0 +1,157 @@ +// *** WARNING: this file was generated by pulumi. *** +// *** Do not edit by hand unless you're certain you know what you are doing! *** + +using System; +using System.Collections.Generic; +using System.Collections.Immutable; +using System.Threading.Tasks; +using Pulumi.Serialization; + +namespace Pulumi.PulumiService +{ + /// + /// An OIDC issuer registration with Pulumi. + /// + [PulumiServiceResourceType("pulumiservice:index:OidcIssuer")] + public partial class OidcIssuer : global::Pulumi.CustomResource + { + /// + /// The maximum duration of the Pulumi access token working after an exchange, specified in seconds. + /// + [Output("maxExpirationSeconds")] + public Output MaxExpirationSeconds { get; private set; } = null!; + + /// + /// Issuer name. + /// + [Output("name")] + public Output Name { get; private set; } = null!; + + /// + /// Organization name. + /// + [Output("organization")] + public Output Organization { get; private set; } = null!; + + /// + /// The authorization policies for this Oidc Issuer. + /// + [Output("policies")] + public Output> Policies { get; private set; } = null!; + + /// + /// The thumbprints of issuer's TLS certificates. By default, Pulumi will store the thumbprint of the certificate used to serve the OpenID configuration. If the provider uses multiple certificates to serve content, it is required to manually configure these. + /// + [Output("thumbprints")] + public Output> Thumbprints { get; private set; } = null!; + + /// + /// The OIDC issuer URL. + /// + [Output("url")] + public Output Url { get; private set; } = null!; + + + /// + /// Create a OidcIssuer resource with the given unique name, arguments, and options. + /// + /// + /// The unique name of the resource + /// The arguments used to populate this resource's properties + /// A bag of options that control this resource's behavior + public OidcIssuer(string name, OidcIssuerArgs args, CustomResourceOptions? options = null) + : base("pulumiservice:index:OidcIssuer", name, args ?? new OidcIssuerArgs(), MakeResourceOptions(options, "")) + { + } + + private OidcIssuer(string name, Input id, CustomResourceOptions? options = null) + : base("pulumiservice:index:OidcIssuer", name, null, MakeResourceOptions(options, id)) + { + } + + private static CustomResourceOptions MakeResourceOptions(CustomResourceOptions? options, Input? id) + { + var defaultOptions = new CustomResourceOptions + { + Version = Utilities.Version, + ReplaceOnChanges = + { + "organization", + "url", + }, + }; + var merged = CustomResourceOptions.Merge(defaultOptions, options); + // Override the ID if one was specified for consistency with other language SDKs. + merged.Id = id ?? merged.Id; + return merged; + } + /// + /// Get an existing OidcIssuer resource's state with the given name, ID, and optional extra + /// properties used to qualify the lookup. + /// + /// + /// The unique name of the resulting resource. + /// The unique provider ID of the resource to lookup. + /// A bag of options that control this resource's behavior + public static OidcIssuer Get(string name, Input id, CustomResourceOptions? options = null) + { + return new OidcIssuer(name, id, options); + } + } + + public sealed class OidcIssuerArgs : global::Pulumi.ResourceArgs + { + /// + /// The maximum duration of the Pulumi access token working after an exchange, specified in seconds. + /// + [Input("maxExpirationSeconds")] + public Input? MaxExpirationSeconds { get; set; } + + /// + /// Issuer name. + /// + [Input("name", required: true)] + public Input Name { get; set; } = null!; + + /// + /// Organization name. + /// + [Input("organization", required: true)] + public Input Organization { get; set; } = null!; + + [Input("policies")] + private InputList? _policies; + + /// + /// The auth policies for this Oidc Issuer. + /// + public InputList Policies + { + get => _policies ?? (_policies = new InputList()); + set => _policies = value; + } + + [Input("thumbprints")] + private InputList? _thumbprints; + + /// + /// The thumbprints of issuer's TLS certificates. By default, Pulumi will store the thumbprint of the certificate used to serve the OpenID configuration. If the provider uses multiple certificates to serve content, it is required to manually configure these. + /// + public InputList Thumbprints + { + get => _thumbprints ?? (_thumbprints = new InputList()); + set => _thumbprints = value; + } + + /// + /// The OIDC issuer URL. + /// + [Input("url", required: true)] + public Input Url { get; set; } = null!; + + public OidcIssuerArgs() + { + } + public static new OidcIssuerArgs Empty => new OidcIssuerArgs(); + } +} diff --git a/sdk/dotnet/Outputs/AuthPolicyDefinition.cs b/sdk/dotnet/Outputs/AuthPolicyDefinition.cs new file mode 100644 index 00000000..ac2ff443 --- /dev/null +++ b/sdk/dotnet/Outputs/AuthPolicyDefinition.cs @@ -0,0 +1,70 @@ +// *** WARNING: this file was generated by pulumi. *** +// *** Do not edit by hand unless you're certain you know what you are doing! *** + +using System; +using System.Collections.Generic; +using System.Collections.Immutable; +using System.Threading.Tasks; +using Pulumi.Serialization; + +namespace Pulumi.PulumiService.Outputs +{ + + [OutputType] + public sealed class AuthPolicyDefinition + { + /// + /// The permission level for organization tokens. + /// + public readonly ImmutableArray AuthorizedPermissions; + /// + /// The rule type of this policy definition + /// + public readonly Pulumi.PulumiService.AuthPolicyDecision Decision; + /// + /// OIDC rules to set for this policy. + /// + public readonly ImmutableDictionary Rules; + /// + /// The runner ID for deployment runner tokens. + /// + public readonly string? RunnerID; + /// + /// The team name for team tokens. + /// + public readonly string? TeamName; + /// + /// The token type for this policy definition + /// + public readonly Pulumi.PulumiService.AuthPolicyTokenType TokenType; + /// + /// The user login for personal tokens. + /// + public readonly string? UserLogin; + + [OutputConstructor] + private AuthPolicyDefinition( + ImmutableArray authorizedPermissions, + + Pulumi.PulumiService.AuthPolicyDecision decision, + + ImmutableDictionary rules, + + string? runnerID, + + string? teamName, + + Pulumi.PulumiService.AuthPolicyTokenType tokenType, + + string? userLogin) + { + AuthorizedPermissions = authorizedPermissions; + Decision = decision; + Rules = rules; + RunnerID = runnerID; + TeamName = teamName; + TokenType = tokenType; + UserLogin = userLogin; + } + } +} diff --git a/sdk/go/pulumiservice/init.go b/sdk/go/pulumiservice/init.go index 4ceb0929..eace38c9 100644 --- a/sdk/go/pulumiservice/init.go +++ b/sdk/go/pulumiservice/init.go @@ -35,6 +35,8 @@ func (m *module) Construct(ctx *pulumi.Context, name, typ, urn string) (r pulumi r = &Environment{} case "pulumiservice:index:EnvironmentVersionTag": r = &EnvironmentVersionTag{} + case "pulumiservice:index:OidcIssuer": + r = &OidcIssuer{} case "pulumiservice:index:OrgAccessToken": r = &OrgAccessToken{} case "pulumiservice:index:Stack": diff --git a/sdk/go/pulumiservice/oidcIssuer.go b/sdk/go/pulumiservice/oidcIssuer.go new file mode 100644 index 00000000..047aa791 --- /dev/null +++ b/sdk/go/pulumiservice/oidcIssuer.go @@ -0,0 +1,281 @@ +// Code generated by pulumi-language-go DO NOT EDIT. +// *** WARNING: Do not edit by hand unless you're certain you know what you are doing! *** + +package pulumiservice + +import ( + "context" + "reflect" + + "errors" + "github.com/pulumi/pulumi-pulumiservice/sdk/go/pulumiservice/internal" + "github.com/pulumi/pulumi/sdk/v3/go/pulumi" +) + +// An OIDC issuer registration with Pulumi. +type OidcIssuer struct { + pulumi.CustomResourceState + + // The maximum duration of the Pulumi access token working after an exchange, specified in seconds. + MaxExpirationSeconds pulumi.IntPtrOutput `pulumi:"maxExpirationSeconds"` + // Issuer name. + Name pulumi.StringOutput `pulumi:"name"` + // Organization name. + Organization pulumi.StringOutput `pulumi:"organization"` + // The authorization policies for this Oidc Issuer. + Policies AuthPolicyDefinitionArrayOutput `pulumi:"policies"` + // The thumbprints of issuer's TLS certificates. By default, Pulumi will store the thumbprint of the certificate used to serve the OpenID configuration. If the provider uses multiple certificates to serve content, it is required to manually configure these. + Thumbprints pulumi.StringArrayOutput `pulumi:"thumbprints"` + // The OIDC issuer URL. + Url pulumi.StringOutput `pulumi:"url"` +} + +// NewOidcIssuer registers a new resource with the given unique name, arguments, and options. +func NewOidcIssuer(ctx *pulumi.Context, + name string, args *OidcIssuerArgs, opts ...pulumi.ResourceOption) (*OidcIssuer, error) { + if args == nil { + return nil, errors.New("missing one or more required arguments") + } + + if args.Name == nil { + return nil, errors.New("invalid value for required argument 'Name'") + } + if args.Organization == nil { + return nil, errors.New("invalid value for required argument 'Organization'") + } + if args.Url == nil { + return nil, errors.New("invalid value for required argument 'Url'") + } + replaceOnChanges := pulumi.ReplaceOnChanges([]string{ + "organization", + "url", + }) + opts = append(opts, replaceOnChanges) + opts = internal.PkgResourceDefaultOpts(opts) + var resource OidcIssuer + err := ctx.RegisterResource("pulumiservice:index:OidcIssuer", name, args, &resource, opts...) + if err != nil { + return nil, err + } + return &resource, nil +} + +// GetOidcIssuer gets an existing OidcIssuer resource's state with the given name, ID, and optional +// state properties that are used to uniquely qualify the lookup (nil if not required). +func GetOidcIssuer(ctx *pulumi.Context, + name string, id pulumi.IDInput, state *OidcIssuerState, opts ...pulumi.ResourceOption) (*OidcIssuer, error) { + var resource OidcIssuer + err := ctx.ReadResource("pulumiservice:index:OidcIssuer", name, id, state, &resource, opts...) + if err != nil { + return nil, err + } + return &resource, nil +} + +// Input properties used for looking up and filtering OidcIssuer resources. +type oidcIssuerState struct { +} + +type OidcIssuerState struct { +} + +func (OidcIssuerState) ElementType() reflect.Type { + return reflect.TypeOf((*oidcIssuerState)(nil)).Elem() +} + +type oidcIssuerArgs struct { + // The maximum duration of the Pulumi access token working after an exchange, specified in seconds. + MaxExpirationSeconds *int `pulumi:"maxExpirationSeconds"` + // Issuer name. + Name string `pulumi:"name"` + // Organization name. + Organization string `pulumi:"organization"` + // The auth policies for this Oidc Issuer. + Policies []AuthPolicyDefinition `pulumi:"policies"` + // The thumbprints of issuer's TLS certificates. By default, Pulumi will store the thumbprint of the certificate used to serve the OpenID configuration. If the provider uses multiple certificates to serve content, it is required to manually configure these. + Thumbprints []string `pulumi:"thumbprints"` + // The OIDC issuer URL. + Url string `pulumi:"url"` +} + +// The set of arguments for constructing a OidcIssuer resource. +type OidcIssuerArgs struct { + // The maximum duration of the Pulumi access token working after an exchange, specified in seconds. + MaxExpirationSeconds pulumi.IntPtrInput + // Issuer name. + Name pulumi.StringInput + // Organization name. + Organization pulumi.StringInput + // The auth policies for this Oidc Issuer. + Policies AuthPolicyDefinitionArrayInput + // The thumbprints of issuer's TLS certificates. By default, Pulumi will store the thumbprint of the certificate used to serve the OpenID configuration. If the provider uses multiple certificates to serve content, it is required to manually configure these. + Thumbprints pulumi.StringArrayInput + // The OIDC issuer URL. + Url pulumi.StringInput +} + +func (OidcIssuerArgs) ElementType() reflect.Type { + return reflect.TypeOf((*oidcIssuerArgs)(nil)).Elem() +} + +type OidcIssuerInput interface { + pulumi.Input + + ToOidcIssuerOutput() OidcIssuerOutput + ToOidcIssuerOutputWithContext(ctx context.Context) OidcIssuerOutput +} + +func (*OidcIssuer) ElementType() reflect.Type { + return reflect.TypeOf((**OidcIssuer)(nil)).Elem() +} + +func (i *OidcIssuer) ToOidcIssuerOutput() OidcIssuerOutput { + return i.ToOidcIssuerOutputWithContext(context.Background()) +} + +func (i *OidcIssuer) ToOidcIssuerOutputWithContext(ctx context.Context) OidcIssuerOutput { + return pulumi.ToOutputWithContext(ctx, i).(OidcIssuerOutput) +} + +// OidcIssuerArrayInput is an input type that accepts OidcIssuerArray and OidcIssuerArrayOutput values. +// You can construct a concrete instance of `OidcIssuerArrayInput` via: +// +// OidcIssuerArray{ OidcIssuerArgs{...} } +type OidcIssuerArrayInput interface { + pulumi.Input + + ToOidcIssuerArrayOutput() OidcIssuerArrayOutput + ToOidcIssuerArrayOutputWithContext(context.Context) OidcIssuerArrayOutput +} + +type OidcIssuerArray []OidcIssuerInput + +func (OidcIssuerArray) ElementType() reflect.Type { + return reflect.TypeOf((*[]*OidcIssuer)(nil)).Elem() +} + +func (i OidcIssuerArray) ToOidcIssuerArrayOutput() OidcIssuerArrayOutput { + return i.ToOidcIssuerArrayOutputWithContext(context.Background()) +} + +func (i OidcIssuerArray) ToOidcIssuerArrayOutputWithContext(ctx context.Context) OidcIssuerArrayOutput { + return pulumi.ToOutputWithContext(ctx, i).(OidcIssuerArrayOutput) +} + +// OidcIssuerMapInput is an input type that accepts OidcIssuerMap and OidcIssuerMapOutput values. +// You can construct a concrete instance of `OidcIssuerMapInput` via: +// +// OidcIssuerMap{ "key": OidcIssuerArgs{...} } +type OidcIssuerMapInput interface { + pulumi.Input + + ToOidcIssuerMapOutput() OidcIssuerMapOutput + ToOidcIssuerMapOutputWithContext(context.Context) OidcIssuerMapOutput +} + +type OidcIssuerMap map[string]OidcIssuerInput + +func (OidcIssuerMap) ElementType() reflect.Type { + return reflect.TypeOf((*map[string]*OidcIssuer)(nil)).Elem() +} + +func (i OidcIssuerMap) ToOidcIssuerMapOutput() OidcIssuerMapOutput { + return i.ToOidcIssuerMapOutputWithContext(context.Background()) +} + +func (i OidcIssuerMap) ToOidcIssuerMapOutputWithContext(ctx context.Context) OidcIssuerMapOutput { + return pulumi.ToOutputWithContext(ctx, i).(OidcIssuerMapOutput) +} + +type OidcIssuerOutput struct{ *pulumi.OutputState } + +func (OidcIssuerOutput) ElementType() reflect.Type { + return reflect.TypeOf((**OidcIssuer)(nil)).Elem() +} + +func (o OidcIssuerOutput) ToOidcIssuerOutput() OidcIssuerOutput { + return o +} + +func (o OidcIssuerOutput) ToOidcIssuerOutputWithContext(ctx context.Context) OidcIssuerOutput { + return o +} + +// The maximum duration of the Pulumi access token working after an exchange, specified in seconds. +func (o OidcIssuerOutput) MaxExpirationSeconds() pulumi.IntPtrOutput { + return o.ApplyT(func(v *OidcIssuer) pulumi.IntPtrOutput { return v.MaxExpirationSeconds }).(pulumi.IntPtrOutput) +} + +// Issuer name. +func (o OidcIssuerOutput) Name() pulumi.StringOutput { + return o.ApplyT(func(v *OidcIssuer) pulumi.StringOutput { return v.Name }).(pulumi.StringOutput) +} + +// Organization name. +func (o OidcIssuerOutput) Organization() pulumi.StringOutput { + return o.ApplyT(func(v *OidcIssuer) pulumi.StringOutput { return v.Organization }).(pulumi.StringOutput) +} + +// The authorization policies for this Oidc Issuer. +func (o OidcIssuerOutput) Policies() AuthPolicyDefinitionArrayOutput { + return o.ApplyT(func(v *OidcIssuer) AuthPolicyDefinitionArrayOutput { return v.Policies }).(AuthPolicyDefinitionArrayOutput) +} + +// The thumbprints of issuer's TLS certificates. By default, Pulumi will store the thumbprint of the certificate used to serve the OpenID configuration. If the provider uses multiple certificates to serve content, it is required to manually configure these. +func (o OidcIssuerOutput) Thumbprints() pulumi.StringArrayOutput { + return o.ApplyT(func(v *OidcIssuer) pulumi.StringArrayOutput { return v.Thumbprints }).(pulumi.StringArrayOutput) +} + +// The OIDC issuer URL. +func (o OidcIssuerOutput) Url() pulumi.StringOutput { + return o.ApplyT(func(v *OidcIssuer) pulumi.StringOutput { return v.Url }).(pulumi.StringOutput) +} + +type OidcIssuerArrayOutput struct{ *pulumi.OutputState } + +func (OidcIssuerArrayOutput) ElementType() reflect.Type { + return reflect.TypeOf((*[]*OidcIssuer)(nil)).Elem() +} + +func (o OidcIssuerArrayOutput) ToOidcIssuerArrayOutput() OidcIssuerArrayOutput { + return o +} + +func (o OidcIssuerArrayOutput) ToOidcIssuerArrayOutputWithContext(ctx context.Context) OidcIssuerArrayOutput { + return o +} + +func (o OidcIssuerArrayOutput) Index(i pulumi.IntInput) OidcIssuerOutput { + return pulumi.All(o, i).ApplyT(func(vs []interface{}) *OidcIssuer { + return vs[0].([]*OidcIssuer)[vs[1].(int)] + }).(OidcIssuerOutput) +} + +type OidcIssuerMapOutput struct{ *pulumi.OutputState } + +func (OidcIssuerMapOutput) ElementType() reflect.Type { + return reflect.TypeOf((*map[string]*OidcIssuer)(nil)).Elem() +} + +func (o OidcIssuerMapOutput) ToOidcIssuerMapOutput() OidcIssuerMapOutput { + return o +} + +func (o OidcIssuerMapOutput) ToOidcIssuerMapOutputWithContext(ctx context.Context) OidcIssuerMapOutput { + return o +} + +func (o OidcIssuerMapOutput) MapIndex(k pulumi.StringInput) OidcIssuerOutput { + return pulumi.All(o, k).ApplyT(func(vs []interface{}) *OidcIssuer { + return vs[0].(map[string]*OidcIssuer)[vs[1].(string)] + }).(OidcIssuerOutput) +} + +func init() { + pulumi.RegisterInputType(reflect.TypeOf((*OidcIssuerInput)(nil)).Elem(), &OidcIssuer{}) + pulumi.RegisterInputType(reflect.TypeOf((*OidcIssuerArrayInput)(nil)).Elem(), OidcIssuerArray{}) + pulumi.RegisterInputType(reflect.TypeOf((*OidcIssuerMapInput)(nil)).Elem(), OidcIssuerMap{}) + pulumi.RegisterOutputType(OidcIssuerOutput{}) + pulumi.RegisterOutputType(OidcIssuerArrayOutput{}) + pulumi.RegisterOutputType(OidcIssuerMapOutput{}) +} diff --git a/sdk/go/pulumiservice/pulumiEnums.go b/sdk/go/pulumiservice/pulumiEnums.go index d39a3ad8..50be03a4 100644 --- a/sdk/go/pulumiservice/pulumiEnums.go +++ b/sdk/go/pulumiservice/pulumiEnums.go @@ -10,6 +10,558 @@ import ( "github.com/pulumi/pulumi/sdk/v3/go/pulumi" ) +type AuthPolicyDecision string + +const ( + // A deny rule for Oidc Issuer Policy. + AuthPolicyDecisionDeny = AuthPolicyDecision("deny") + // An allow rule for Oidc Issuer Policy. + AuthPolicyDecisionAllow = AuthPolicyDecision("allow") +) + +func (AuthPolicyDecision) ElementType() reflect.Type { + return reflect.TypeOf((*AuthPolicyDecision)(nil)).Elem() +} + +func (e AuthPolicyDecision) ToAuthPolicyDecisionOutput() AuthPolicyDecisionOutput { + return pulumi.ToOutput(e).(AuthPolicyDecisionOutput) +} + +func (e AuthPolicyDecision) ToAuthPolicyDecisionOutputWithContext(ctx context.Context) AuthPolicyDecisionOutput { + return pulumi.ToOutputWithContext(ctx, e).(AuthPolicyDecisionOutput) +} + +func (e AuthPolicyDecision) ToAuthPolicyDecisionPtrOutput() AuthPolicyDecisionPtrOutput { + return e.ToAuthPolicyDecisionPtrOutputWithContext(context.Background()) +} + +func (e AuthPolicyDecision) ToAuthPolicyDecisionPtrOutputWithContext(ctx context.Context) AuthPolicyDecisionPtrOutput { + return AuthPolicyDecision(e).ToAuthPolicyDecisionOutputWithContext(ctx).ToAuthPolicyDecisionPtrOutputWithContext(ctx) +} + +func (e AuthPolicyDecision) ToStringOutput() pulumi.StringOutput { + return pulumi.ToOutput(pulumi.String(e)).(pulumi.StringOutput) +} + +func (e AuthPolicyDecision) ToStringOutputWithContext(ctx context.Context) pulumi.StringOutput { + return pulumi.ToOutputWithContext(ctx, pulumi.String(e)).(pulumi.StringOutput) +} + +func (e AuthPolicyDecision) ToStringPtrOutput() pulumi.StringPtrOutput { + return pulumi.String(e).ToStringPtrOutputWithContext(context.Background()) +} + +func (e AuthPolicyDecision) ToStringPtrOutputWithContext(ctx context.Context) pulumi.StringPtrOutput { + return pulumi.String(e).ToStringOutputWithContext(ctx).ToStringPtrOutputWithContext(ctx) +} + +type AuthPolicyDecisionOutput struct{ *pulumi.OutputState } + +func (AuthPolicyDecisionOutput) ElementType() reflect.Type { + return reflect.TypeOf((*AuthPolicyDecision)(nil)).Elem() +} + +func (o AuthPolicyDecisionOutput) ToAuthPolicyDecisionOutput() AuthPolicyDecisionOutput { + return o +} + +func (o AuthPolicyDecisionOutput) ToAuthPolicyDecisionOutputWithContext(ctx context.Context) AuthPolicyDecisionOutput { + return o +} + +func (o AuthPolicyDecisionOutput) ToAuthPolicyDecisionPtrOutput() AuthPolicyDecisionPtrOutput { + return o.ToAuthPolicyDecisionPtrOutputWithContext(context.Background()) +} + +func (o AuthPolicyDecisionOutput) ToAuthPolicyDecisionPtrOutputWithContext(ctx context.Context) AuthPolicyDecisionPtrOutput { + return o.ApplyTWithContext(ctx, func(_ context.Context, v AuthPolicyDecision) *AuthPolicyDecision { + return &v + }).(AuthPolicyDecisionPtrOutput) +} + +func (o AuthPolicyDecisionOutput) ToStringOutput() pulumi.StringOutput { + return o.ToStringOutputWithContext(context.Background()) +} + +func (o AuthPolicyDecisionOutput) ToStringOutputWithContext(ctx context.Context) pulumi.StringOutput { + return o.ApplyTWithContext(ctx, func(_ context.Context, e AuthPolicyDecision) string { + return string(e) + }).(pulumi.StringOutput) +} + +func (o AuthPolicyDecisionOutput) ToStringPtrOutput() pulumi.StringPtrOutput { + return o.ToStringPtrOutputWithContext(context.Background()) +} + +func (o AuthPolicyDecisionOutput) ToStringPtrOutputWithContext(ctx context.Context) pulumi.StringPtrOutput { + return o.ApplyTWithContext(ctx, func(_ context.Context, e AuthPolicyDecision) *string { + v := string(e) + return &v + }).(pulumi.StringPtrOutput) +} + +type AuthPolicyDecisionPtrOutput struct{ *pulumi.OutputState } + +func (AuthPolicyDecisionPtrOutput) ElementType() reflect.Type { + return reflect.TypeOf((**AuthPolicyDecision)(nil)).Elem() +} + +func (o AuthPolicyDecisionPtrOutput) ToAuthPolicyDecisionPtrOutput() AuthPolicyDecisionPtrOutput { + return o +} + +func (o AuthPolicyDecisionPtrOutput) ToAuthPolicyDecisionPtrOutputWithContext(ctx context.Context) AuthPolicyDecisionPtrOutput { + return o +} + +func (o AuthPolicyDecisionPtrOutput) Elem() AuthPolicyDecisionOutput { + return o.ApplyT(func(v *AuthPolicyDecision) AuthPolicyDecision { + if v != nil { + return *v + } + var ret AuthPolicyDecision + return ret + }).(AuthPolicyDecisionOutput) +} + +func (o AuthPolicyDecisionPtrOutput) ToStringPtrOutput() pulumi.StringPtrOutput { + return o.ToStringPtrOutputWithContext(context.Background()) +} + +func (o AuthPolicyDecisionPtrOutput) ToStringPtrOutputWithContext(ctx context.Context) pulumi.StringPtrOutput { + return o.ApplyTWithContext(ctx, func(_ context.Context, e *AuthPolicyDecision) *string { + if e == nil { + return nil + } + v := string(*e) + return &v + }).(pulumi.StringPtrOutput) +} + +// AuthPolicyDecisionInput is an input type that accepts values of the AuthPolicyDecision enum +// A concrete instance of `AuthPolicyDecisionInput` can be one of the following: +// +// AuthPolicyDecisionDeny +// AuthPolicyDecisionAllow +type AuthPolicyDecisionInput interface { + pulumi.Input + + ToAuthPolicyDecisionOutput() AuthPolicyDecisionOutput + ToAuthPolicyDecisionOutputWithContext(context.Context) AuthPolicyDecisionOutput +} + +var authPolicyDecisionPtrType = reflect.TypeOf((**AuthPolicyDecision)(nil)).Elem() + +type AuthPolicyDecisionPtrInput interface { + pulumi.Input + + ToAuthPolicyDecisionPtrOutput() AuthPolicyDecisionPtrOutput + ToAuthPolicyDecisionPtrOutputWithContext(context.Context) AuthPolicyDecisionPtrOutput +} + +type authPolicyDecisionPtr string + +func AuthPolicyDecisionPtr(v string) AuthPolicyDecisionPtrInput { + return (*authPolicyDecisionPtr)(&v) +} + +func (*authPolicyDecisionPtr) ElementType() reflect.Type { + return authPolicyDecisionPtrType +} + +func (in *authPolicyDecisionPtr) ToAuthPolicyDecisionPtrOutput() AuthPolicyDecisionPtrOutput { + return pulumi.ToOutput(in).(AuthPolicyDecisionPtrOutput) +} + +func (in *authPolicyDecisionPtr) ToAuthPolicyDecisionPtrOutputWithContext(ctx context.Context) AuthPolicyDecisionPtrOutput { + return pulumi.ToOutputWithContext(ctx, in).(AuthPolicyDecisionPtrOutput) +} + +type AuthPolicyPermissionLevel string + +const ( + // Standard level of permissions. + AuthPolicyPermissionLevelStandard = AuthPolicyPermissionLevel("standard") + // Admin level of permissions. + AuthPolicyPermissionLevelAdmin = AuthPolicyPermissionLevel("admin") +) + +func (AuthPolicyPermissionLevel) ElementType() reflect.Type { + return reflect.TypeOf((*AuthPolicyPermissionLevel)(nil)).Elem() +} + +func (e AuthPolicyPermissionLevel) ToAuthPolicyPermissionLevelOutput() AuthPolicyPermissionLevelOutput { + return pulumi.ToOutput(e).(AuthPolicyPermissionLevelOutput) +} + +func (e AuthPolicyPermissionLevel) ToAuthPolicyPermissionLevelOutputWithContext(ctx context.Context) AuthPolicyPermissionLevelOutput { + return pulumi.ToOutputWithContext(ctx, e).(AuthPolicyPermissionLevelOutput) +} + +func (e AuthPolicyPermissionLevel) ToAuthPolicyPermissionLevelPtrOutput() AuthPolicyPermissionLevelPtrOutput { + return e.ToAuthPolicyPermissionLevelPtrOutputWithContext(context.Background()) +} + +func (e AuthPolicyPermissionLevel) ToAuthPolicyPermissionLevelPtrOutputWithContext(ctx context.Context) AuthPolicyPermissionLevelPtrOutput { + return AuthPolicyPermissionLevel(e).ToAuthPolicyPermissionLevelOutputWithContext(ctx).ToAuthPolicyPermissionLevelPtrOutputWithContext(ctx) +} + +func (e AuthPolicyPermissionLevel) ToStringOutput() pulumi.StringOutput { + return pulumi.ToOutput(pulumi.String(e)).(pulumi.StringOutput) +} + +func (e AuthPolicyPermissionLevel) ToStringOutputWithContext(ctx context.Context) pulumi.StringOutput { + return pulumi.ToOutputWithContext(ctx, pulumi.String(e)).(pulumi.StringOutput) +} + +func (e AuthPolicyPermissionLevel) ToStringPtrOutput() pulumi.StringPtrOutput { + return pulumi.String(e).ToStringPtrOutputWithContext(context.Background()) +} + +func (e AuthPolicyPermissionLevel) ToStringPtrOutputWithContext(ctx context.Context) pulumi.StringPtrOutput { + return pulumi.String(e).ToStringOutputWithContext(ctx).ToStringPtrOutputWithContext(ctx) +} + +type AuthPolicyPermissionLevelOutput struct{ *pulumi.OutputState } + +func (AuthPolicyPermissionLevelOutput) ElementType() reflect.Type { + return reflect.TypeOf((*AuthPolicyPermissionLevel)(nil)).Elem() +} + +func (o AuthPolicyPermissionLevelOutput) ToAuthPolicyPermissionLevelOutput() AuthPolicyPermissionLevelOutput { + return o +} + +func (o AuthPolicyPermissionLevelOutput) ToAuthPolicyPermissionLevelOutputWithContext(ctx context.Context) AuthPolicyPermissionLevelOutput { + return o +} + +func (o AuthPolicyPermissionLevelOutput) ToAuthPolicyPermissionLevelPtrOutput() AuthPolicyPermissionLevelPtrOutput { + return o.ToAuthPolicyPermissionLevelPtrOutputWithContext(context.Background()) +} + +func (o AuthPolicyPermissionLevelOutput) ToAuthPolicyPermissionLevelPtrOutputWithContext(ctx context.Context) AuthPolicyPermissionLevelPtrOutput { + return o.ApplyTWithContext(ctx, func(_ context.Context, v AuthPolicyPermissionLevel) *AuthPolicyPermissionLevel { + return &v + }).(AuthPolicyPermissionLevelPtrOutput) +} + +func (o AuthPolicyPermissionLevelOutput) ToStringOutput() pulumi.StringOutput { + return o.ToStringOutputWithContext(context.Background()) +} + +func (o AuthPolicyPermissionLevelOutput) ToStringOutputWithContext(ctx context.Context) pulumi.StringOutput { + return o.ApplyTWithContext(ctx, func(_ context.Context, e AuthPolicyPermissionLevel) string { + return string(e) + }).(pulumi.StringOutput) +} + +func (o AuthPolicyPermissionLevelOutput) ToStringPtrOutput() pulumi.StringPtrOutput { + return o.ToStringPtrOutputWithContext(context.Background()) +} + +func (o AuthPolicyPermissionLevelOutput) ToStringPtrOutputWithContext(ctx context.Context) pulumi.StringPtrOutput { + return o.ApplyTWithContext(ctx, func(_ context.Context, e AuthPolicyPermissionLevel) *string { + v := string(e) + return &v + }).(pulumi.StringPtrOutput) +} + +type AuthPolicyPermissionLevelPtrOutput struct{ *pulumi.OutputState } + +func (AuthPolicyPermissionLevelPtrOutput) ElementType() reflect.Type { + return reflect.TypeOf((**AuthPolicyPermissionLevel)(nil)).Elem() +} + +func (o AuthPolicyPermissionLevelPtrOutput) ToAuthPolicyPermissionLevelPtrOutput() AuthPolicyPermissionLevelPtrOutput { + return o +} + +func (o AuthPolicyPermissionLevelPtrOutput) ToAuthPolicyPermissionLevelPtrOutputWithContext(ctx context.Context) AuthPolicyPermissionLevelPtrOutput { + return o +} + +func (o AuthPolicyPermissionLevelPtrOutput) Elem() AuthPolicyPermissionLevelOutput { + return o.ApplyT(func(v *AuthPolicyPermissionLevel) AuthPolicyPermissionLevel { + if v != nil { + return *v + } + var ret AuthPolicyPermissionLevel + return ret + }).(AuthPolicyPermissionLevelOutput) +} + +func (o AuthPolicyPermissionLevelPtrOutput) ToStringPtrOutput() pulumi.StringPtrOutput { + return o.ToStringPtrOutputWithContext(context.Background()) +} + +func (o AuthPolicyPermissionLevelPtrOutput) ToStringPtrOutputWithContext(ctx context.Context) pulumi.StringPtrOutput { + return o.ApplyTWithContext(ctx, func(_ context.Context, e *AuthPolicyPermissionLevel) *string { + if e == nil { + return nil + } + v := string(*e) + return &v + }).(pulumi.StringPtrOutput) +} + +// AuthPolicyPermissionLevelInput is an input type that accepts values of the AuthPolicyPermissionLevel enum +// A concrete instance of `AuthPolicyPermissionLevelInput` can be one of the following: +// +// AuthPolicyPermissionLevelStandard +// AuthPolicyPermissionLevelAdmin +type AuthPolicyPermissionLevelInput interface { + pulumi.Input + + ToAuthPolicyPermissionLevelOutput() AuthPolicyPermissionLevelOutput + ToAuthPolicyPermissionLevelOutputWithContext(context.Context) AuthPolicyPermissionLevelOutput +} + +var authPolicyPermissionLevelPtrType = reflect.TypeOf((**AuthPolicyPermissionLevel)(nil)).Elem() + +type AuthPolicyPermissionLevelPtrInput interface { + pulumi.Input + + ToAuthPolicyPermissionLevelPtrOutput() AuthPolicyPermissionLevelPtrOutput + ToAuthPolicyPermissionLevelPtrOutputWithContext(context.Context) AuthPolicyPermissionLevelPtrOutput +} + +type authPolicyPermissionLevelPtr string + +func AuthPolicyPermissionLevelPtr(v string) AuthPolicyPermissionLevelPtrInput { + return (*authPolicyPermissionLevelPtr)(&v) +} + +func (*authPolicyPermissionLevelPtr) ElementType() reflect.Type { + return authPolicyPermissionLevelPtrType +} + +func (in *authPolicyPermissionLevelPtr) ToAuthPolicyPermissionLevelPtrOutput() AuthPolicyPermissionLevelPtrOutput { + return pulumi.ToOutput(in).(AuthPolicyPermissionLevelPtrOutput) +} + +func (in *authPolicyPermissionLevelPtr) ToAuthPolicyPermissionLevelPtrOutputWithContext(ctx context.Context) AuthPolicyPermissionLevelPtrOutput { + return pulumi.ToOutputWithContext(ctx, in).(AuthPolicyPermissionLevelPtrOutput) +} + +// AuthPolicyPermissionLevelArrayInput is an input type that accepts AuthPolicyPermissionLevelArray and AuthPolicyPermissionLevelArrayOutput values. +// You can construct a concrete instance of `AuthPolicyPermissionLevelArrayInput` via: +// +// AuthPolicyPermissionLevelArray{ AuthPolicyPermissionLevelArgs{...} } +type AuthPolicyPermissionLevelArrayInput interface { + pulumi.Input + + ToAuthPolicyPermissionLevelArrayOutput() AuthPolicyPermissionLevelArrayOutput + ToAuthPolicyPermissionLevelArrayOutputWithContext(context.Context) AuthPolicyPermissionLevelArrayOutput +} + +type AuthPolicyPermissionLevelArray []AuthPolicyPermissionLevel + +func (AuthPolicyPermissionLevelArray) ElementType() reflect.Type { + return reflect.TypeOf((*[]AuthPolicyPermissionLevel)(nil)).Elem() +} + +func (i AuthPolicyPermissionLevelArray) ToAuthPolicyPermissionLevelArrayOutput() AuthPolicyPermissionLevelArrayOutput { + return i.ToAuthPolicyPermissionLevelArrayOutputWithContext(context.Background()) +} + +func (i AuthPolicyPermissionLevelArray) ToAuthPolicyPermissionLevelArrayOutputWithContext(ctx context.Context) AuthPolicyPermissionLevelArrayOutput { + return pulumi.ToOutputWithContext(ctx, i).(AuthPolicyPermissionLevelArrayOutput) +} + +type AuthPolicyPermissionLevelArrayOutput struct{ *pulumi.OutputState } + +func (AuthPolicyPermissionLevelArrayOutput) ElementType() reflect.Type { + return reflect.TypeOf((*[]AuthPolicyPermissionLevel)(nil)).Elem() +} + +func (o AuthPolicyPermissionLevelArrayOutput) ToAuthPolicyPermissionLevelArrayOutput() AuthPolicyPermissionLevelArrayOutput { + return o +} + +func (o AuthPolicyPermissionLevelArrayOutput) ToAuthPolicyPermissionLevelArrayOutputWithContext(ctx context.Context) AuthPolicyPermissionLevelArrayOutput { + return o +} + +func (o AuthPolicyPermissionLevelArrayOutput) Index(i pulumi.IntInput) AuthPolicyPermissionLevelOutput { + return pulumi.All(o, i).ApplyT(func(vs []interface{}) AuthPolicyPermissionLevel { + return vs[0].([]AuthPolicyPermissionLevel)[vs[1].(int)] + }).(AuthPolicyPermissionLevelOutput) +} + +type AuthPolicyTokenType string + +const ( + // Personal Pulumi token. Requires userLogin field to be filled. + AuthPolicyTokenTypePersonal = AuthPolicyTokenType("personal") + // Team Pulumi token. Requires teamName field to be filled. + AuthPolicyTokenTypeTeam = AuthPolicyTokenType("team") + // Organization Pulumi token. Requires authorizedPermissions field to be filled. + AuthPolicyTokenTypeOrganization = AuthPolicyTokenType("organization") + // Deployment Runner Pulumi token. Requires runnerID field to be filled. + AuthPolicyTokenTypeRunner = AuthPolicyTokenType("runner") +) + +func (AuthPolicyTokenType) ElementType() reflect.Type { + return reflect.TypeOf((*AuthPolicyTokenType)(nil)).Elem() +} + +func (e AuthPolicyTokenType) ToAuthPolicyTokenTypeOutput() AuthPolicyTokenTypeOutput { + return pulumi.ToOutput(e).(AuthPolicyTokenTypeOutput) +} + +func (e AuthPolicyTokenType) ToAuthPolicyTokenTypeOutputWithContext(ctx context.Context) AuthPolicyTokenTypeOutput { + return pulumi.ToOutputWithContext(ctx, e).(AuthPolicyTokenTypeOutput) +} + +func (e AuthPolicyTokenType) ToAuthPolicyTokenTypePtrOutput() AuthPolicyTokenTypePtrOutput { + return e.ToAuthPolicyTokenTypePtrOutputWithContext(context.Background()) +} + +func (e AuthPolicyTokenType) ToAuthPolicyTokenTypePtrOutputWithContext(ctx context.Context) AuthPolicyTokenTypePtrOutput { + return AuthPolicyTokenType(e).ToAuthPolicyTokenTypeOutputWithContext(ctx).ToAuthPolicyTokenTypePtrOutputWithContext(ctx) +} + +func (e AuthPolicyTokenType) ToStringOutput() pulumi.StringOutput { + return pulumi.ToOutput(pulumi.String(e)).(pulumi.StringOutput) +} + +func (e AuthPolicyTokenType) ToStringOutputWithContext(ctx context.Context) pulumi.StringOutput { + return pulumi.ToOutputWithContext(ctx, pulumi.String(e)).(pulumi.StringOutput) +} + +func (e AuthPolicyTokenType) ToStringPtrOutput() pulumi.StringPtrOutput { + return pulumi.String(e).ToStringPtrOutputWithContext(context.Background()) +} + +func (e AuthPolicyTokenType) ToStringPtrOutputWithContext(ctx context.Context) pulumi.StringPtrOutput { + return pulumi.String(e).ToStringOutputWithContext(ctx).ToStringPtrOutputWithContext(ctx) +} + +type AuthPolicyTokenTypeOutput struct{ *pulumi.OutputState } + +func (AuthPolicyTokenTypeOutput) ElementType() reflect.Type { + return reflect.TypeOf((*AuthPolicyTokenType)(nil)).Elem() +} + +func (o AuthPolicyTokenTypeOutput) ToAuthPolicyTokenTypeOutput() AuthPolicyTokenTypeOutput { + return o +} + +func (o AuthPolicyTokenTypeOutput) ToAuthPolicyTokenTypeOutputWithContext(ctx context.Context) AuthPolicyTokenTypeOutput { + return o +} + +func (o AuthPolicyTokenTypeOutput) ToAuthPolicyTokenTypePtrOutput() AuthPolicyTokenTypePtrOutput { + return o.ToAuthPolicyTokenTypePtrOutputWithContext(context.Background()) +} + +func (o AuthPolicyTokenTypeOutput) ToAuthPolicyTokenTypePtrOutputWithContext(ctx context.Context) AuthPolicyTokenTypePtrOutput { + return o.ApplyTWithContext(ctx, func(_ context.Context, v AuthPolicyTokenType) *AuthPolicyTokenType { + return &v + }).(AuthPolicyTokenTypePtrOutput) +} + +func (o AuthPolicyTokenTypeOutput) ToStringOutput() pulumi.StringOutput { + return o.ToStringOutputWithContext(context.Background()) +} + +func (o AuthPolicyTokenTypeOutput) ToStringOutputWithContext(ctx context.Context) pulumi.StringOutput { + return o.ApplyTWithContext(ctx, func(_ context.Context, e AuthPolicyTokenType) string { + return string(e) + }).(pulumi.StringOutput) +} + +func (o AuthPolicyTokenTypeOutput) ToStringPtrOutput() pulumi.StringPtrOutput { + return o.ToStringPtrOutputWithContext(context.Background()) +} + +func (o AuthPolicyTokenTypeOutput) ToStringPtrOutputWithContext(ctx context.Context) pulumi.StringPtrOutput { + return o.ApplyTWithContext(ctx, func(_ context.Context, e AuthPolicyTokenType) *string { + v := string(e) + return &v + }).(pulumi.StringPtrOutput) +} + +type AuthPolicyTokenTypePtrOutput struct{ *pulumi.OutputState } + +func (AuthPolicyTokenTypePtrOutput) ElementType() reflect.Type { + return reflect.TypeOf((**AuthPolicyTokenType)(nil)).Elem() +} + +func (o AuthPolicyTokenTypePtrOutput) ToAuthPolicyTokenTypePtrOutput() AuthPolicyTokenTypePtrOutput { + return o +} + +func (o AuthPolicyTokenTypePtrOutput) ToAuthPolicyTokenTypePtrOutputWithContext(ctx context.Context) AuthPolicyTokenTypePtrOutput { + return o +} + +func (o AuthPolicyTokenTypePtrOutput) Elem() AuthPolicyTokenTypeOutput { + return o.ApplyT(func(v *AuthPolicyTokenType) AuthPolicyTokenType { + if v != nil { + return *v + } + var ret AuthPolicyTokenType + return ret + }).(AuthPolicyTokenTypeOutput) +} + +func (o AuthPolicyTokenTypePtrOutput) ToStringPtrOutput() pulumi.StringPtrOutput { + return o.ToStringPtrOutputWithContext(context.Background()) +} + +func (o AuthPolicyTokenTypePtrOutput) ToStringPtrOutputWithContext(ctx context.Context) pulumi.StringPtrOutput { + return o.ApplyTWithContext(ctx, func(_ context.Context, e *AuthPolicyTokenType) *string { + if e == nil { + return nil + } + v := string(*e) + return &v + }).(pulumi.StringPtrOutput) +} + +// AuthPolicyTokenTypeInput is an input type that accepts values of the AuthPolicyTokenType enum +// A concrete instance of `AuthPolicyTokenTypeInput` can be one of the following: +// +// AuthPolicyTokenTypePersonal +// AuthPolicyTokenTypeTeam +// AuthPolicyTokenTypeOrganization +// AuthPolicyTokenTypeRunner +type AuthPolicyTokenTypeInput interface { + pulumi.Input + + ToAuthPolicyTokenTypeOutput() AuthPolicyTokenTypeOutput + ToAuthPolicyTokenTypeOutputWithContext(context.Context) AuthPolicyTokenTypeOutput +} + +var authPolicyTokenTypePtrType = reflect.TypeOf((**AuthPolicyTokenType)(nil)).Elem() + +type AuthPolicyTokenTypePtrInput interface { + pulumi.Input + + ToAuthPolicyTokenTypePtrOutput() AuthPolicyTokenTypePtrOutput + ToAuthPolicyTokenTypePtrOutputWithContext(context.Context) AuthPolicyTokenTypePtrOutput +} + +type authPolicyTokenTypePtr string + +func AuthPolicyTokenTypePtr(v string) AuthPolicyTokenTypePtrInput { + return (*authPolicyTokenTypePtr)(&v) +} + +func (*authPolicyTokenTypePtr) ElementType() reflect.Type { + return authPolicyTokenTypePtrType +} + +func (in *authPolicyTokenTypePtr) ToAuthPolicyTokenTypePtrOutput() AuthPolicyTokenTypePtrOutput { + return pulumi.ToOutput(in).(AuthPolicyTokenTypePtrOutput) +} + +func (in *authPolicyTokenTypePtr) ToAuthPolicyTokenTypePtrOutputWithContext(ctx context.Context) AuthPolicyTokenTypePtrOutput { + return pulumi.ToOutputWithContext(ctx, in).(AuthPolicyTokenTypePtrOutput) +} + type EnvironmentPermission string const ( @@ -1055,6 +1607,13 @@ func (o WebhookGroupArrayOutput) Index(i pulumi.IntInput) WebhookGroupOutput { } func init() { + pulumi.RegisterInputType(reflect.TypeOf((*AuthPolicyDecisionInput)(nil)).Elem(), AuthPolicyDecision("deny")) + pulumi.RegisterInputType(reflect.TypeOf((*AuthPolicyDecisionPtrInput)(nil)).Elem(), AuthPolicyDecision("deny")) + pulumi.RegisterInputType(reflect.TypeOf((*AuthPolicyPermissionLevelInput)(nil)).Elem(), AuthPolicyPermissionLevel("standard")) + pulumi.RegisterInputType(reflect.TypeOf((*AuthPolicyPermissionLevelPtrInput)(nil)).Elem(), AuthPolicyPermissionLevel("standard")) + pulumi.RegisterInputType(reflect.TypeOf((*AuthPolicyPermissionLevelArrayInput)(nil)).Elem(), AuthPolicyPermissionLevelArray{}) + pulumi.RegisterInputType(reflect.TypeOf((*AuthPolicyTokenTypeInput)(nil)).Elem(), AuthPolicyTokenType("personal")) + pulumi.RegisterInputType(reflect.TypeOf((*AuthPolicyTokenTypePtrInput)(nil)).Elem(), AuthPolicyTokenType("personal")) pulumi.RegisterInputType(reflect.TypeOf((*EnvironmentPermissionInput)(nil)).Elem(), EnvironmentPermission("none")) pulumi.RegisterInputType(reflect.TypeOf((*EnvironmentPermissionPtrInput)(nil)).Elem(), EnvironmentPermission("none")) pulumi.RegisterInputType(reflect.TypeOf((*PulumiOperationInput)(nil)).Elem(), PulumiOperation("update")) @@ -1067,6 +1626,13 @@ func init() { pulumi.RegisterInputType(reflect.TypeOf((*WebhookGroupInput)(nil)).Elem(), WebhookGroup("stacks")) pulumi.RegisterInputType(reflect.TypeOf((*WebhookGroupPtrInput)(nil)).Elem(), WebhookGroup("stacks")) pulumi.RegisterInputType(reflect.TypeOf((*WebhookGroupArrayInput)(nil)).Elem(), WebhookGroupArray{}) + pulumi.RegisterOutputType(AuthPolicyDecisionOutput{}) + pulumi.RegisterOutputType(AuthPolicyDecisionPtrOutput{}) + pulumi.RegisterOutputType(AuthPolicyPermissionLevelOutput{}) + pulumi.RegisterOutputType(AuthPolicyPermissionLevelPtrOutput{}) + pulumi.RegisterOutputType(AuthPolicyPermissionLevelArrayOutput{}) + pulumi.RegisterOutputType(AuthPolicyTokenTypeOutput{}) + pulumi.RegisterOutputType(AuthPolicyTokenTypePtrOutput{}) pulumi.RegisterOutputType(EnvironmentPermissionOutput{}) pulumi.RegisterOutputType(EnvironmentPermissionPtrOutput{}) pulumi.RegisterOutputType(PulumiOperationOutput{}) diff --git a/sdk/go/pulumiservice/pulumiTypes.go b/sdk/go/pulumiservice/pulumiTypes.go index 627cddad..c7e1e03d 100644 --- a/sdk/go/pulumiservice/pulumiTypes.go +++ b/sdk/go/pulumiservice/pulumiTypes.go @@ -207,6 +207,157 @@ func (o AWSOIDCConfigurationPtrOutput) SessionName() pulumi.StringPtrOutput { }).(pulumi.StringPtrOutput) } +type AuthPolicyDefinition struct { + // The permission level for organization tokens. + AuthorizedPermissions []AuthPolicyPermissionLevel `pulumi:"authorizedPermissions"` + // The rule type of this policy definition + Decision AuthPolicyDecision `pulumi:"decision"` + // OIDC rules to set for this policy. + Rules map[string]string `pulumi:"rules"` + // The runner ID for deployment runner tokens. + RunnerID *string `pulumi:"runnerID"` + // The team name for team tokens. + TeamName *string `pulumi:"teamName"` + // The token type for this policy definition + TokenType AuthPolicyTokenType `pulumi:"tokenType"` + // The user login for personal tokens. + UserLogin *string `pulumi:"userLogin"` +} + +// AuthPolicyDefinitionInput is an input type that accepts AuthPolicyDefinitionArgs and AuthPolicyDefinitionOutput values. +// You can construct a concrete instance of `AuthPolicyDefinitionInput` via: +// +// AuthPolicyDefinitionArgs{...} +type AuthPolicyDefinitionInput interface { + pulumi.Input + + ToAuthPolicyDefinitionOutput() AuthPolicyDefinitionOutput + ToAuthPolicyDefinitionOutputWithContext(context.Context) AuthPolicyDefinitionOutput +} + +type AuthPolicyDefinitionArgs struct { + // The permission level for organization tokens. + AuthorizedPermissions AuthPolicyPermissionLevelArrayInput `pulumi:"authorizedPermissions"` + // The rule type of this policy definition + Decision AuthPolicyDecisionInput `pulumi:"decision"` + // OIDC rules to set for this policy. + Rules pulumi.StringMapInput `pulumi:"rules"` + // The runner ID for deployment runner tokens. + RunnerID pulumi.StringPtrInput `pulumi:"runnerID"` + // The team name for team tokens. + TeamName pulumi.StringPtrInput `pulumi:"teamName"` + // The token type for this policy definition + TokenType AuthPolicyTokenTypeInput `pulumi:"tokenType"` + // The user login for personal tokens. + UserLogin pulumi.StringPtrInput `pulumi:"userLogin"` +} + +func (AuthPolicyDefinitionArgs) ElementType() reflect.Type { + return reflect.TypeOf((*AuthPolicyDefinition)(nil)).Elem() +} + +func (i AuthPolicyDefinitionArgs) ToAuthPolicyDefinitionOutput() AuthPolicyDefinitionOutput { + return i.ToAuthPolicyDefinitionOutputWithContext(context.Background()) +} + +func (i AuthPolicyDefinitionArgs) ToAuthPolicyDefinitionOutputWithContext(ctx context.Context) AuthPolicyDefinitionOutput { + return pulumi.ToOutputWithContext(ctx, i).(AuthPolicyDefinitionOutput) +} + +// AuthPolicyDefinitionArrayInput is an input type that accepts AuthPolicyDefinitionArray and AuthPolicyDefinitionArrayOutput values. +// You can construct a concrete instance of `AuthPolicyDefinitionArrayInput` via: +// +// AuthPolicyDefinitionArray{ AuthPolicyDefinitionArgs{...} } +type AuthPolicyDefinitionArrayInput interface { + pulumi.Input + + ToAuthPolicyDefinitionArrayOutput() AuthPolicyDefinitionArrayOutput + ToAuthPolicyDefinitionArrayOutputWithContext(context.Context) AuthPolicyDefinitionArrayOutput +} + +type AuthPolicyDefinitionArray []AuthPolicyDefinitionInput + +func (AuthPolicyDefinitionArray) ElementType() reflect.Type { + return reflect.TypeOf((*[]AuthPolicyDefinition)(nil)).Elem() +} + +func (i AuthPolicyDefinitionArray) ToAuthPolicyDefinitionArrayOutput() AuthPolicyDefinitionArrayOutput { + return i.ToAuthPolicyDefinitionArrayOutputWithContext(context.Background()) +} + +func (i AuthPolicyDefinitionArray) ToAuthPolicyDefinitionArrayOutputWithContext(ctx context.Context) AuthPolicyDefinitionArrayOutput { + return pulumi.ToOutputWithContext(ctx, i).(AuthPolicyDefinitionArrayOutput) +} + +type AuthPolicyDefinitionOutput struct{ *pulumi.OutputState } + +func (AuthPolicyDefinitionOutput) ElementType() reflect.Type { + return reflect.TypeOf((*AuthPolicyDefinition)(nil)).Elem() +} + +func (o AuthPolicyDefinitionOutput) ToAuthPolicyDefinitionOutput() AuthPolicyDefinitionOutput { + return o +} + +func (o AuthPolicyDefinitionOutput) ToAuthPolicyDefinitionOutputWithContext(ctx context.Context) AuthPolicyDefinitionOutput { + return o +} + +// The permission level for organization tokens. +func (o AuthPolicyDefinitionOutput) AuthorizedPermissions() AuthPolicyPermissionLevelArrayOutput { + return o.ApplyT(func(v AuthPolicyDefinition) []AuthPolicyPermissionLevel { return v.AuthorizedPermissions }).(AuthPolicyPermissionLevelArrayOutput) +} + +// The rule type of this policy definition +func (o AuthPolicyDefinitionOutput) Decision() AuthPolicyDecisionOutput { + return o.ApplyT(func(v AuthPolicyDefinition) AuthPolicyDecision { return v.Decision }).(AuthPolicyDecisionOutput) +} + +// OIDC rules to set for this policy. +func (o AuthPolicyDefinitionOutput) Rules() pulumi.StringMapOutput { + return o.ApplyT(func(v AuthPolicyDefinition) map[string]string { return v.Rules }).(pulumi.StringMapOutput) +} + +// The runner ID for deployment runner tokens. +func (o AuthPolicyDefinitionOutput) RunnerID() pulumi.StringPtrOutput { + return o.ApplyT(func(v AuthPolicyDefinition) *string { return v.RunnerID }).(pulumi.StringPtrOutput) +} + +// The team name for team tokens. +func (o AuthPolicyDefinitionOutput) TeamName() pulumi.StringPtrOutput { + return o.ApplyT(func(v AuthPolicyDefinition) *string { return v.TeamName }).(pulumi.StringPtrOutput) +} + +// The token type for this policy definition +func (o AuthPolicyDefinitionOutput) TokenType() AuthPolicyTokenTypeOutput { + return o.ApplyT(func(v AuthPolicyDefinition) AuthPolicyTokenType { return v.TokenType }).(AuthPolicyTokenTypeOutput) +} + +// The user login for personal tokens. +func (o AuthPolicyDefinitionOutput) UserLogin() pulumi.StringPtrOutput { + return o.ApplyT(func(v AuthPolicyDefinition) *string { return v.UserLogin }).(pulumi.StringPtrOutput) +} + +type AuthPolicyDefinitionArrayOutput struct{ *pulumi.OutputState } + +func (AuthPolicyDefinitionArrayOutput) ElementType() reflect.Type { + return reflect.TypeOf((*[]AuthPolicyDefinition)(nil)).Elem() +} + +func (o AuthPolicyDefinitionArrayOutput) ToAuthPolicyDefinitionArrayOutput() AuthPolicyDefinitionArrayOutput { + return o +} + +func (o AuthPolicyDefinitionArrayOutput) ToAuthPolicyDefinitionArrayOutputWithContext(ctx context.Context) AuthPolicyDefinitionArrayOutput { + return o +} + +func (o AuthPolicyDefinitionArrayOutput) Index(i pulumi.IntInput) AuthPolicyDefinitionOutput { + return pulumi.All(o, i).ApplyT(func(vs []interface{}) AuthPolicyDefinition { + return vs[0].([]AuthPolicyDefinition)[vs[1].(int)] + }).(AuthPolicyDefinitionOutput) +} + type AzureOIDCConfiguration struct { // The client ID of the federated workload identity. ClientId string `pulumi:"clientId"` @@ -2711,6 +2862,8 @@ func (o TemplateSourceDestinationPtrOutput) Url() pulumi.StringPtrOutput { func init() { pulumi.RegisterInputType(reflect.TypeOf((*AWSOIDCConfigurationInput)(nil)).Elem(), AWSOIDCConfigurationArgs{}) pulumi.RegisterInputType(reflect.TypeOf((*AWSOIDCConfigurationPtrInput)(nil)).Elem(), AWSOIDCConfigurationArgs{}) + pulumi.RegisterInputType(reflect.TypeOf((*AuthPolicyDefinitionInput)(nil)).Elem(), AuthPolicyDefinitionArgs{}) + pulumi.RegisterInputType(reflect.TypeOf((*AuthPolicyDefinitionArrayInput)(nil)).Elem(), AuthPolicyDefinitionArray{}) pulumi.RegisterInputType(reflect.TypeOf((*AzureOIDCConfigurationInput)(nil)).Elem(), AzureOIDCConfigurationArgs{}) pulumi.RegisterInputType(reflect.TypeOf((*AzureOIDCConfigurationPtrInput)(nil)).Elem(), AzureOIDCConfigurationArgs{}) pulumi.RegisterInputType(reflect.TypeOf((*DeploymentSettingsCacheOptionsInput)(nil)).Elem(), DeploymentSettingsCacheOptionsArgs{}) @@ -2741,6 +2894,8 @@ func init() { pulumi.RegisterInputType(reflect.TypeOf((*TemplateSourceDestinationPtrInput)(nil)).Elem(), TemplateSourceDestinationArgs{}) pulumi.RegisterOutputType(AWSOIDCConfigurationOutput{}) pulumi.RegisterOutputType(AWSOIDCConfigurationPtrOutput{}) + pulumi.RegisterOutputType(AuthPolicyDefinitionOutput{}) + pulumi.RegisterOutputType(AuthPolicyDefinitionArrayOutput{}) pulumi.RegisterOutputType(AzureOIDCConfigurationOutput{}) pulumi.RegisterOutputType(AzureOIDCConfigurationPtrOutput{}) pulumi.RegisterOutputType(DeploymentSettingsCacheOptionsOutput{}) diff --git a/sdk/nodejs/index.ts b/sdk/nodejs/index.ts index 698dc8cc..9b857606 100644 --- a/sdk/nodejs/index.ts +++ b/sdk/nodejs/index.ts @@ -40,6 +40,11 @@ export type EnvironmentVersionTag = import("./environmentVersionTag").Environmen export const EnvironmentVersionTag: typeof import("./environmentVersionTag").EnvironmentVersionTag = null as any; utilities.lazyLoad(exports, ["EnvironmentVersionTag"], () => require("./environmentVersionTag")); +export { OidcIssuerArgs } from "./oidcIssuer"; +export type OidcIssuer = import("./oidcIssuer").OidcIssuer; +export const OidcIssuer: typeof import("./oidcIssuer").OidcIssuer = null as any; +utilities.lazyLoad(exports, ["OidcIssuer"], () => require("./oidcIssuer")); + export { OrgAccessTokenArgs } from "./orgAccessToken"; export type OrgAccessToken = import("./orgAccessToken").OrgAccessToken; export const OrgAccessToken: typeof import("./orgAccessToken").OrgAccessToken = null as any; @@ -126,6 +131,8 @@ const _module = { return new Environment(name, undefined, { urn }) case "pulumiservice:index:EnvironmentVersionTag": return new EnvironmentVersionTag(name, undefined, { urn }) + case "pulumiservice:index:OidcIssuer": + return new OidcIssuer(name, undefined, { urn }) case "pulumiservice:index:OrgAccessToken": return new OrgAccessToken(name, undefined, { urn }) case "pulumiservice:index:Stack": diff --git a/sdk/nodejs/oidcIssuer.ts b/sdk/nodejs/oidcIssuer.ts new file mode 100644 index 00000000..ff0f1a68 --- /dev/null +++ b/sdk/nodejs/oidcIssuer.ts @@ -0,0 +1,134 @@ +// *** WARNING: this file was generated by pulumi-language-nodejs. *** +// *** Do not edit by hand unless you're certain you know what you are doing! *** + +import * as pulumi from "@pulumi/pulumi"; +import * as inputs from "./types/input"; +import * as outputs from "./types/output"; +import * as enums from "./types/enums"; +import * as utilities from "./utilities"; + +/** + * An OIDC issuer registration with Pulumi. + */ +export class OidcIssuer extends pulumi.CustomResource { + /** + * Get an existing OidcIssuer resource's state with the given name, ID, and optional extra + * properties used to qualify the lookup. + * + * @param name The _unique_ name of the resulting resource. + * @param id The _unique_ provider ID of the resource to lookup. + * @param opts Optional settings to control the behavior of the CustomResource. + */ + public static get(name: string, id: pulumi.Input, opts?: pulumi.CustomResourceOptions): OidcIssuer { + return new OidcIssuer(name, undefined as any, { ...opts, id: id }); + } + + /** @internal */ + public static readonly __pulumiType = 'pulumiservice:index:OidcIssuer'; + + /** + * Returns true if the given object is an instance of OidcIssuer. This is designed to work even + * when multiple copies of the Pulumi SDK have been loaded into the same process. + */ + public static isInstance(obj: any): obj is OidcIssuer { + if (obj === undefined || obj === null) { + return false; + } + return obj['__pulumiType'] === OidcIssuer.__pulumiType; + } + + /** + * The maximum duration of the Pulumi access token working after an exchange, specified in seconds. + */ + public readonly maxExpirationSeconds!: pulumi.Output; + /** + * Issuer name. + */ + public readonly name!: pulumi.Output; + /** + * Organization name. + */ + public readonly organization!: pulumi.Output; + /** + * The authorization policies for this Oidc Issuer. + */ + public readonly policies!: pulumi.Output; + /** + * The thumbprints of issuer's TLS certificates. By default, Pulumi will store the thumbprint of the certificate used to serve the OpenID configuration. If the provider uses multiple certificates to serve content, it is required to manually configure these. + */ + public readonly thumbprints!: pulumi.Output; + /** + * The OIDC issuer URL. + */ + public readonly url!: pulumi.Output; + + /** + * Create a OidcIssuer resource with the given unique name, arguments, and options. + * + * @param name The _unique_ name of the resource. + * @param args The arguments to use to populate this resource's properties. + * @param opts A bag of options that control this resource's behavior. + */ + constructor(name: string, args: OidcIssuerArgs, opts?: pulumi.CustomResourceOptions) { + let resourceInputs: pulumi.Inputs = {}; + opts = opts || {}; + if (!opts.id) { + if ((!args || args.name === undefined) && !opts.urn) { + throw new Error("Missing required property 'name'"); + } + if ((!args || args.organization === undefined) && !opts.urn) { + throw new Error("Missing required property 'organization'"); + } + if ((!args || args.url === undefined) && !opts.urn) { + throw new Error("Missing required property 'url'"); + } + resourceInputs["maxExpirationSeconds"] = args ? args.maxExpirationSeconds : undefined; + resourceInputs["name"] = args ? args.name : undefined; + resourceInputs["organization"] = args ? args.organization : undefined; + resourceInputs["policies"] = args ? args.policies : undefined; + resourceInputs["thumbprints"] = args ? args.thumbprints : undefined; + resourceInputs["url"] = args ? args.url : undefined; + } else { + resourceInputs["maxExpirationSeconds"] = undefined /*out*/; + resourceInputs["name"] = undefined /*out*/; + resourceInputs["organization"] = undefined /*out*/; + resourceInputs["policies"] = undefined /*out*/; + resourceInputs["thumbprints"] = undefined /*out*/; + resourceInputs["url"] = undefined /*out*/; + } + opts = pulumi.mergeOptions(utilities.resourceOptsDefaults(), opts); + const replaceOnChanges = { replaceOnChanges: ["organization", "url"] }; + opts = pulumi.mergeOptions(opts, replaceOnChanges); + super(OidcIssuer.__pulumiType, name, resourceInputs, opts); + } +} + +/** + * The set of arguments for constructing a OidcIssuer resource. + */ +export interface OidcIssuerArgs { + /** + * The maximum duration of the Pulumi access token working after an exchange, specified in seconds. + */ + maxExpirationSeconds?: pulumi.Input; + /** + * Issuer name. + */ + name: pulumi.Input; + /** + * Organization name. + */ + organization: pulumi.Input; + /** + * The auth policies for this Oidc Issuer. + */ + policies?: pulumi.Input[]>; + /** + * The thumbprints of issuer's TLS certificates. By default, Pulumi will store the thumbprint of the certificate used to serve the OpenID configuration. If the provider uses multiple certificates to serve content, it is required to manually configure these. + */ + thumbprints?: pulumi.Input[]>; + /** + * The OIDC issuer URL. + */ + url: pulumi.Input; +} diff --git a/sdk/nodejs/tsconfig.json b/sdk/nodejs/tsconfig.json index 68d4d19b..f8209818 100644 --- a/sdk/nodejs/tsconfig.json +++ b/sdk/nodejs/tsconfig.json @@ -23,6 +23,7 @@ "environment.ts", "environmentVersionTag.ts", "index.ts", + "oidcIssuer.ts", "orgAccessToken.ts", "provider.ts", "stack.ts", diff --git a/sdk/nodejs/types/enums/index.ts b/sdk/nodejs/types/enums/index.ts index ee6dcb82..e0f1655a 100644 --- a/sdk/nodejs/types/enums/index.ts +++ b/sdk/nodejs/types/enums/index.ts @@ -2,6 +2,53 @@ // *** Do not edit by hand unless you're certain you know what you are doing! *** +export const AuthPolicyDecision = { + /** + * A deny rule for Oidc Issuer Policy. + */ + Deny: "deny", + /** + * An allow rule for Oidc Issuer Policy. + */ + Allow: "allow", +} as const; + +export type AuthPolicyDecision = (typeof AuthPolicyDecision)[keyof typeof AuthPolicyDecision]; + +export const AuthPolicyPermissionLevel = { + /** + * Standard level of permissions. + */ + Standard: "standard", + /** + * Admin level of permissions. + */ + Admin: "admin", +} as const; + +export type AuthPolicyPermissionLevel = (typeof AuthPolicyPermissionLevel)[keyof typeof AuthPolicyPermissionLevel]; + +export const AuthPolicyTokenType = { + /** + * Personal Pulumi token. Requires userLogin field to be filled. + */ + Personal: "personal", + /** + * Team Pulumi token. Requires teamName field to be filled. + */ + Team: "team", + /** + * Organization Pulumi token. Requires authorizedPermissions field to be filled. + */ + Organization: "organization", + /** + * Deployment Runner Pulumi token. Requires runnerID field to be filled. + */ + Runner: "runner", +} as const; + +export type AuthPolicyTokenType = (typeof AuthPolicyTokenType)[keyof typeof AuthPolicyTokenType]; + export const EnvironmentPermission = { /** * No permissions. diff --git a/sdk/nodejs/types/input.ts b/sdk/nodejs/types/input.ts index 7f0f6d39..d84a6b1d 100644 --- a/sdk/nodejs/types/input.ts +++ b/sdk/nodejs/types/input.ts @@ -27,6 +27,37 @@ export interface AWSOIDCConfigurationArgs { sessionName: pulumi.Input; } +export interface AuthPolicyDefinitionArgs { + /** + * The permission level for organization tokens. + */ + authorizedPermissions?: pulumi.Input[]>; + /** + * The rule type of this policy definition + */ + decision: pulumi.Input; + /** + * OIDC rules to set for this policy. + */ + rules: pulumi.Input<{[key: string]: pulumi.Input}>; + /** + * The runner ID for deployment runner tokens. + */ + runnerID?: pulumi.Input; + /** + * The team name for team tokens. + */ + teamName?: pulumi.Input; + /** + * The token type for this policy definition + */ + tokenType: pulumi.Input; + /** + * The user login for personal tokens. + */ + userLogin?: pulumi.Input; +} + export interface AzureOIDCConfigurationArgs { /** * The client ID of the federated workload identity. diff --git a/sdk/nodejs/types/output.ts b/sdk/nodejs/types/output.ts index c9febb7b..48958223 100644 --- a/sdk/nodejs/types/output.ts +++ b/sdk/nodejs/types/output.ts @@ -27,6 +27,37 @@ export interface AWSOIDCConfiguration { sessionName: string; } +export interface AuthPolicyDefinition { + /** + * The permission level for organization tokens. + */ + authorizedPermissions?: enums.AuthPolicyPermissionLevel[]; + /** + * The rule type of this policy definition + */ + decision: enums.AuthPolicyDecision; + /** + * OIDC rules to set for this policy. + */ + rules: {[key: string]: string}; + /** + * The runner ID for deployment runner tokens. + */ + runnerID?: string; + /** + * The team name for team tokens. + */ + teamName?: string; + /** + * The token type for this policy definition + */ + tokenType: enums.AuthPolicyTokenType; + /** + * The user login for personal tokens. + */ + userLogin?: string; +} + export interface AzureOIDCConfiguration { /** * The client ID of the federated workload identity. diff --git a/sdk/python/pulumi_pulumiservice/__init__.py b/sdk/python/pulumi_pulumiservice/__init__.py index 5700b036..4af76963 100644 --- a/sdk/python/pulumi_pulumiservice/__init__.py +++ b/sdk/python/pulumi_pulumiservice/__init__.py @@ -13,6 +13,7 @@ from .drift_schedule import * from .environment import * from .environment_version_tag import * +from .oidc_issuer import * from .org_access_token import * from .provider import * from .stack import * @@ -49,6 +50,7 @@ "pulumiservice:index:DriftSchedule": "DriftSchedule", "pulumiservice:index:Environment": "Environment", "pulumiservice:index:EnvironmentVersionTag": "EnvironmentVersionTag", + "pulumiservice:index:OidcIssuer": "OidcIssuer", "pulumiservice:index:OrgAccessToken": "OrgAccessToken", "pulumiservice:index:Stack": "Stack", "pulumiservice:index:StackTag": "StackTag", diff --git a/sdk/python/pulumi_pulumiservice/_enums.py b/sdk/python/pulumi_pulumiservice/_enums.py index 6a0840bf..6d1bf900 100644 --- a/sdk/python/pulumi_pulumiservice/_enums.py +++ b/sdk/python/pulumi_pulumiservice/_enums.py @@ -5,6 +5,9 @@ from enum import Enum __all__ = [ + 'AuthPolicyDecision', + 'AuthPolicyPermissionLevel', + 'AuthPolicyTokenType', 'EnvironmentPermission', 'PulumiOperation', 'TeamStackPermissionScope', @@ -14,6 +17,47 @@ ] +class AuthPolicyDecision(str, Enum): + DENY = "deny" + """ + A deny rule for Oidc Issuer Policy. + """ + ALLOW = "allow" + """ + An allow rule for Oidc Issuer Policy. + """ + + +class AuthPolicyPermissionLevel(str, Enum): + STANDARD = "standard" + """ + Standard level of permissions. + """ + ADMIN = "admin" + """ + Admin level of permissions. + """ + + +class AuthPolicyTokenType(str, Enum): + PERSONAL = "personal" + """ + Personal Pulumi token. Requires userLogin field to be filled. + """ + TEAM = "team" + """ + Team Pulumi token. Requires teamName field to be filled. + """ + ORGANIZATION = "organization" + """ + Organization Pulumi token. Requires authorizedPermissions field to be filled. + """ + RUNNER = "runner" + """ + Deployment Runner Pulumi token. Requires runnerID field to be filled. + """ + + class EnvironmentPermission(str, Enum): NONE = "none" """ diff --git a/sdk/python/pulumi_pulumiservice/_inputs.py b/sdk/python/pulumi_pulumiservice/_inputs.py index 4b72d654..19644351 100644 --- a/sdk/python/pulumi_pulumiservice/_inputs.py +++ b/sdk/python/pulumi_pulumiservice/_inputs.py @@ -18,6 +18,8 @@ __all__ = [ 'AWSOIDCConfigurationArgs', 'AWSOIDCConfigurationArgsDict', + 'AuthPolicyDefinitionArgs', + 'AuthPolicyDefinitionArgsDict', 'AzureOIDCConfigurationArgs', 'AzureOIDCConfigurationArgsDict', 'DeploymentSettingsCacheOptionsArgs', @@ -140,6 +142,155 @@ def policy_arns(self, value: Optional[pulumi.Input[Sequence[pulumi.Input[str]]]] pulumi.set(self, "policy_arns", value) +if not MYPY: + class AuthPolicyDefinitionArgsDict(TypedDict): + decision: pulumi.Input['AuthPolicyDecision'] + """ + The rule type of this policy definition + """ + rules: pulumi.Input[Mapping[str, pulumi.Input[str]]] + """ + OIDC rules to set for this policy. + """ + token_type: pulumi.Input['AuthPolicyTokenType'] + """ + The token type for this policy definition + """ + authorized_permissions: NotRequired[pulumi.Input[Sequence[pulumi.Input['AuthPolicyPermissionLevel']]]] + """ + The permission level for organization tokens. + """ + runner_id: NotRequired[pulumi.Input[str]] + """ + The runner ID for deployment runner tokens. + """ + team_name: NotRequired[pulumi.Input[str]] + """ + The team name for team tokens. + """ + user_login: NotRequired[pulumi.Input[str]] + """ + The user login for personal tokens. + """ +elif False: + AuthPolicyDefinitionArgsDict: TypeAlias = Mapping[str, Any] + +@pulumi.input_type +class AuthPolicyDefinitionArgs: + def __init__(__self__, *, + decision: pulumi.Input['AuthPolicyDecision'], + rules: pulumi.Input[Mapping[str, pulumi.Input[str]]], + token_type: pulumi.Input['AuthPolicyTokenType'], + authorized_permissions: Optional[pulumi.Input[Sequence[pulumi.Input['AuthPolicyPermissionLevel']]]] = None, + runner_id: Optional[pulumi.Input[str]] = None, + team_name: Optional[pulumi.Input[str]] = None, + user_login: Optional[pulumi.Input[str]] = None): + """ + :param pulumi.Input['AuthPolicyDecision'] decision: The rule type of this policy definition + :param pulumi.Input[Mapping[str, pulumi.Input[str]]] rules: OIDC rules to set for this policy. + :param pulumi.Input['AuthPolicyTokenType'] token_type: The token type for this policy definition + :param pulumi.Input[Sequence[pulumi.Input['AuthPolicyPermissionLevel']]] authorized_permissions: The permission level for organization tokens. + :param pulumi.Input[str] runner_id: The runner ID for deployment runner tokens. + :param pulumi.Input[str] team_name: The team name for team tokens. + :param pulumi.Input[str] user_login: The user login for personal tokens. + """ + pulumi.set(__self__, "decision", decision) + pulumi.set(__self__, "rules", rules) + pulumi.set(__self__, "token_type", token_type) + if authorized_permissions is not None: + pulumi.set(__self__, "authorized_permissions", authorized_permissions) + if runner_id is not None: + pulumi.set(__self__, "runner_id", runner_id) + if team_name is not None: + pulumi.set(__self__, "team_name", team_name) + if user_login is not None: + pulumi.set(__self__, "user_login", user_login) + + @property + @pulumi.getter + def decision(self) -> pulumi.Input['AuthPolicyDecision']: + """ + The rule type of this policy definition + """ + return pulumi.get(self, "decision") + + @decision.setter + def decision(self, value: pulumi.Input['AuthPolicyDecision']): + pulumi.set(self, "decision", value) + + @property + @pulumi.getter + def rules(self) -> pulumi.Input[Mapping[str, pulumi.Input[str]]]: + """ + OIDC rules to set for this policy. + """ + return pulumi.get(self, "rules") + + @rules.setter + def rules(self, value: pulumi.Input[Mapping[str, pulumi.Input[str]]]): + pulumi.set(self, "rules", value) + + @property + @pulumi.getter(name="tokenType") + def token_type(self) -> pulumi.Input['AuthPolicyTokenType']: + """ + The token type for this policy definition + """ + return pulumi.get(self, "token_type") + + @token_type.setter + def token_type(self, value: pulumi.Input['AuthPolicyTokenType']): + pulumi.set(self, "token_type", value) + + @property + @pulumi.getter(name="authorizedPermissions") + def authorized_permissions(self) -> Optional[pulumi.Input[Sequence[pulumi.Input['AuthPolicyPermissionLevel']]]]: + """ + The permission level for organization tokens. + """ + return pulumi.get(self, "authorized_permissions") + + @authorized_permissions.setter + def authorized_permissions(self, value: Optional[pulumi.Input[Sequence[pulumi.Input['AuthPolicyPermissionLevel']]]]): + pulumi.set(self, "authorized_permissions", value) + + @property + @pulumi.getter(name="runnerID") + def runner_id(self) -> Optional[pulumi.Input[str]]: + """ + The runner ID for deployment runner tokens. + """ + return pulumi.get(self, "runner_id") + + @runner_id.setter + def runner_id(self, value: Optional[pulumi.Input[str]]): + pulumi.set(self, "runner_id", value) + + @property + @pulumi.getter(name="teamName") + def team_name(self) -> Optional[pulumi.Input[str]]: + """ + The team name for team tokens. + """ + return pulumi.get(self, "team_name") + + @team_name.setter + def team_name(self, value: Optional[pulumi.Input[str]]): + pulumi.set(self, "team_name", value) + + @property + @pulumi.getter(name="userLogin") + def user_login(self) -> Optional[pulumi.Input[str]]: + """ + The user login for personal tokens. + """ + return pulumi.get(self, "user_login") + + @user_login.setter + def user_login(self, value: Optional[pulumi.Input[str]]): + pulumi.set(self, "user_login", value) + + if not MYPY: class AzureOIDCConfigurationArgsDict(TypedDict): client_id: pulumi.Input[str] diff --git a/sdk/python/pulumi_pulumiservice/oidc_issuer.py b/sdk/python/pulumi_pulumiservice/oidc_issuer.py new file mode 100644 index 00000000..cb693bc3 --- /dev/null +++ b/sdk/python/pulumi_pulumiservice/oidc_issuer.py @@ -0,0 +1,277 @@ +# coding=utf-8 +# *** WARNING: this file was generated by pulumi-language-python. *** +# *** Do not edit by hand unless you're certain you know what you are doing! *** + +import copy +import warnings +import sys +import pulumi +import pulumi.runtime +from typing import Any, Mapping, Optional, Sequence, Union, overload +if sys.version_info >= (3, 11): + from typing import NotRequired, TypedDict, TypeAlias +else: + from typing_extensions import NotRequired, TypedDict, TypeAlias +from . import _utilities +from . import outputs +from ._enums import * +from ._inputs import * + +__all__ = ['OidcIssuerArgs', 'OidcIssuer'] + +@pulumi.input_type +class OidcIssuerArgs: + def __init__(__self__, *, + name: pulumi.Input[str], + organization: pulumi.Input[str], + url: pulumi.Input[str], + max_expiration_seconds: Optional[pulumi.Input[int]] = None, + policies: Optional[pulumi.Input[Sequence[pulumi.Input['AuthPolicyDefinitionArgs']]]] = None, + thumbprints: Optional[pulumi.Input[Sequence[pulumi.Input[str]]]] = None): + """ + The set of arguments for constructing a OidcIssuer resource. + :param pulumi.Input[str] name: Issuer name. + :param pulumi.Input[str] organization: Organization name. + :param pulumi.Input[str] url: The OIDC issuer URL. + :param pulumi.Input[int] max_expiration_seconds: The maximum duration of the Pulumi access token working after an exchange, specified in seconds. + :param pulumi.Input[Sequence[pulumi.Input['AuthPolicyDefinitionArgs']]] policies: The auth policies for this Oidc Issuer. + :param pulumi.Input[Sequence[pulumi.Input[str]]] thumbprints: The thumbprints of issuer's TLS certificates. By default, Pulumi will store the thumbprint of the certificate used to serve the OpenID configuration. If the provider uses multiple certificates to serve content, it is required to manually configure these. + """ + pulumi.set(__self__, "name", name) + pulumi.set(__self__, "organization", organization) + pulumi.set(__self__, "url", url) + if max_expiration_seconds is not None: + pulumi.set(__self__, "max_expiration_seconds", max_expiration_seconds) + if policies is not None: + pulumi.set(__self__, "policies", policies) + if thumbprints is not None: + pulumi.set(__self__, "thumbprints", thumbprints) + + @property + @pulumi.getter + def name(self) -> pulumi.Input[str]: + """ + Issuer name. + """ + return pulumi.get(self, "name") + + @name.setter + def name(self, value: pulumi.Input[str]): + pulumi.set(self, "name", value) + + @property + @pulumi.getter + def organization(self) -> pulumi.Input[str]: + """ + Organization name. + """ + return pulumi.get(self, "organization") + + @organization.setter + def organization(self, value: pulumi.Input[str]): + pulumi.set(self, "organization", value) + + @property + @pulumi.getter + def url(self) -> pulumi.Input[str]: + """ + The OIDC issuer URL. + """ + return pulumi.get(self, "url") + + @url.setter + def url(self, value: pulumi.Input[str]): + pulumi.set(self, "url", value) + + @property + @pulumi.getter(name="maxExpirationSeconds") + def max_expiration_seconds(self) -> Optional[pulumi.Input[int]]: + """ + The maximum duration of the Pulumi access token working after an exchange, specified in seconds. + """ + return pulumi.get(self, "max_expiration_seconds") + + @max_expiration_seconds.setter + def max_expiration_seconds(self, value: Optional[pulumi.Input[int]]): + pulumi.set(self, "max_expiration_seconds", value) + + @property + @pulumi.getter + def policies(self) -> Optional[pulumi.Input[Sequence[pulumi.Input['AuthPolicyDefinitionArgs']]]]: + """ + The auth policies for this Oidc Issuer. + """ + return pulumi.get(self, "policies") + + @policies.setter + def policies(self, value: Optional[pulumi.Input[Sequence[pulumi.Input['AuthPolicyDefinitionArgs']]]]): + pulumi.set(self, "policies", value) + + @property + @pulumi.getter + def thumbprints(self) -> Optional[pulumi.Input[Sequence[pulumi.Input[str]]]]: + """ + The thumbprints of issuer's TLS certificates. By default, Pulumi will store the thumbprint of the certificate used to serve the OpenID configuration. If the provider uses multiple certificates to serve content, it is required to manually configure these. + """ + return pulumi.get(self, "thumbprints") + + @thumbprints.setter + def thumbprints(self, value: Optional[pulumi.Input[Sequence[pulumi.Input[str]]]]): + pulumi.set(self, "thumbprints", value) + + +class OidcIssuer(pulumi.CustomResource): + @overload + def __init__(__self__, + resource_name: str, + opts: Optional[pulumi.ResourceOptions] = None, + max_expiration_seconds: Optional[pulumi.Input[int]] = None, + name: Optional[pulumi.Input[str]] = None, + organization: Optional[pulumi.Input[str]] = None, + policies: Optional[pulumi.Input[Sequence[pulumi.Input[Union['AuthPolicyDefinitionArgs', 'AuthPolicyDefinitionArgsDict']]]]] = None, + thumbprints: Optional[pulumi.Input[Sequence[pulumi.Input[str]]]] = None, + url: Optional[pulumi.Input[str]] = None, + __props__=None): + """ + An OIDC issuer registration with Pulumi. + + :param str resource_name: The name of the resource. + :param pulumi.ResourceOptions opts: Options for the resource. + :param pulumi.Input[int] max_expiration_seconds: The maximum duration of the Pulumi access token working after an exchange, specified in seconds. + :param pulumi.Input[str] name: Issuer name. + :param pulumi.Input[str] organization: Organization name. + :param pulumi.Input[Sequence[pulumi.Input[Union['AuthPolicyDefinitionArgs', 'AuthPolicyDefinitionArgsDict']]]] policies: The auth policies for this Oidc Issuer. + :param pulumi.Input[Sequence[pulumi.Input[str]]] thumbprints: The thumbprints of issuer's TLS certificates. By default, Pulumi will store the thumbprint of the certificate used to serve the OpenID configuration. If the provider uses multiple certificates to serve content, it is required to manually configure these. + :param pulumi.Input[str] url: The OIDC issuer URL. + """ + ... + @overload + def __init__(__self__, + resource_name: str, + args: OidcIssuerArgs, + opts: Optional[pulumi.ResourceOptions] = None): + """ + An OIDC issuer registration with Pulumi. + + :param str resource_name: The name of the resource. + :param OidcIssuerArgs args: The arguments to use to populate this resource's properties. + :param pulumi.ResourceOptions opts: Options for the resource. + """ + ... + def __init__(__self__, resource_name: str, *args, **kwargs): + resource_args, opts = _utilities.get_resource_args_opts(OidcIssuerArgs, pulumi.ResourceOptions, *args, **kwargs) + if resource_args is not None: + __self__._internal_init(resource_name, opts, **resource_args.__dict__) + else: + __self__._internal_init(resource_name, *args, **kwargs) + + def _internal_init(__self__, + resource_name: str, + opts: Optional[pulumi.ResourceOptions] = None, + max_expiration_seconds: Optional[pulumi.Input[int]] = None, + name: Optional[pulumi.Input[str]] = None, + organization: Optional[pulumi.Input[str]] = None, + policies: Optional[pulumi.Input[Sequence[pulumi.Input[Union['AuthPolicyDefinitionArgs', 'AuthPolicyDefinitionArgsDict']]]]] = None, + thumbprints: Optional[pulumi.Input[Sequence[pulumi.Input[str]]]] = None, + url: Optional[pulumi.Input[str]] = None, + __props__=None): + opts = pulumi.ResourceOptions.merge(_utilities.get_resource_opts_defaults(), opts) + if not isinstance(opts, pulumi.ResourceOptions): + raise TypeError('Expected resource options to be a ResourceOptions instance') + if opts.id is None: + if __props__ is not None: + raise TypeError('__props__ is only valid when passed in combination with a valid opts.id to get an existing resource') + __props__ = OidcIssuerArgs.__new__(OidcIssuerArgs) + + __props__.__dict__["max_expiration_seconds"] = max_expiration_seconds + if name is None and not opts.urn: + raise TypeError("Missing required property 'name'") + __props__.__dict__["name"] = name + if organization is None and not opts.urn: + raise TypeError("Missing required property 'organization'") + __props__.__dict__["organization"] = organization + __props__.__dict__["policies"] = policies + __props__.__dict__["thumbprints"] = thumbprints + if url is None and not opts.urn: + raise TypeError("Missing required property 'url'") + __props__.__dict__["url"] = url + replace_on_changes = pulumi.ResourceOptions(replace_on_changes=["organization", "url"]) + opts = pulumi.ResourceOptions.merge(opts, replace_on_changes) + super(OidcIssuer, __self__).__init__( + 'pulumiservice:index:OidcIssuer', + resource_name, + __props__, + opts) + + @staticmethod + def get(resource_name: str, + id: pulumi.Input[str], + opts: Optional[pulumi.ResourceOptions] = None) -> 'OidcIssuer': + """ + Get an existing OidcIssuer resource's state with the given name, id, and optional extra + properties used to qualify the lookup. + + :param str resource_name: The unique name of the resulting resource. + :param pulumi.Input[str] id: The unique provider ID of the resource to lookup. + :param pulumi.ResourceOptions opts: Options for the resource. + """ + opts = pulumi.ResourceOptions.merge(opts, pulumi.ResourceOptions(id=id)) + + __props__ = OidcIssuerArgs.__new__(OidcIssuerArgs) + + __props__.__dict__["max_expiration_seconds"] = None + __props__.__dict__["name"] = None + __props__.__dict__["organization"] = None + __props__.__dict__["policies"] = None + __props__.__dict__["thumbprints"] = None + __props__.__dict__["url"] = None + return OidcIssuer(resource_name, opts=opts, __props__=__props__) + + @property + @pulumi.getter(name="maxExpirationSeconds") + def max_expiration_seconds(self) -> pulumi.Output[Optional[int]]: + """ + The maximum duration of the Pulumi access token working after an exchange, specified in seconds. + """ + return pulumi.get(self, "max_expiration_seconds") + + @property + @pulumi.getter + def name(self) -> pulumi.Output[str]: + """ + Issuer name. + """ + return pulumi.get(self, "name") + + @property + @pulumi.getter + def organization(self) -> pulumi.Output[str]: + """ + Organization name. + """ + return pulumi.get(self, "organization") + + @property + @pulumi.getter + def policies(self) -> pulumi.Output[Sequence['outputs.AuthPolicyDefinition']]: + """ + The authorization policies for this Oidc Issuer. + """ + return pulumi.get(self, "policies") + + @property + @pulumi.getter + def thumbprints(self) -> pulumi.Output[Sequence[str]]: + """ + The thumbprints of issuer's TLS certificates. By default, Pulumi will store the thumbprint of the certificate used to serve the OpenID configuration. If the provider uses multiple certificates to serve content, it is required to manually configure these. + """ + return pulumi.get(self, "thumbprints") + + @property + @pulumi.getter + def url(self) -> pulumi.Output[str]: + """ + The OIDC issuer URL. + """ + return pulumi.get(self, "url") + diff --git a/sdk/python/pulumi_pulumiservice/outputs.py b/sdk/python/pulumi_pulumiservice/outputs.py index 3c77b67e..059444d3 100644 --- a/sdk/python/pulumi_pulumiservice/outputs.py +++ b/sdk/python/pulumi_pulumiservice/outputs.py @@ -18,6 +18,7 @@ __all__ = [ 'AWSOIDCConfiguration', + 'AuthPolicyDefinition', 'AzureOIDCConfiguration', 'DeploymentSettingsCacheOptions', 'DeploymentSettingsExecutorContext', @@ -108,6 +109,119 @@ def policy_arns(self) -> Optional[Sequence[str]]: return pulumi.get(self, "policy_arns") +@pulumi.output_type +class AuthPolicyDefinition(dict): + @staticmethod + def __key_warning(key: str): + suggest = None + if key == "tokenType": + suggest = "token_type" + elif key == "authorizedPermissions": + suggest = "authorized_permissions" + elif key == "runnerID": + suggest = "runner_id" + elif key == "teamName": + suggest = "team_name" + elif key == "userLogin": + suggest = "user_login" + + if suggest: + pulumi.log.warn(f"Key '{key}' not found in AuthPolicyDefinition. Access the value via the '{suggest}' property getter instead.") + + def __getitem__(self, key: str) -> Any: + AuthPolicyDefinition.__key_warning(key) + return super().__getitem__(key) + + def get(self, key: str, default = None) -> Any: + AuthPolicyDefinition.__key_warning(key) + return super().get(key, default) + + def __init__(__self__, *, + decision: 'AuthPolicyDecision', + rules: Mapping[str, str], + token_type: 'AuthPolicyTokenType', + authorized_permissions: Optional[Sequence['AuthPolicyPermissionLevel']] = None, + runner_id: Optional[str] = None, + team_name: Optional[str] = None, + user_login: Optional[str] = None): + """ + :param 'AuthPolicyDecision' decision: The rule type of this policy definition + :param Mapping[str, str] rules: OIDC rules to set for this policy. + :param 'AuthPolicyTokenType' token_type: The token type for this policy definition + :param Sequence['AuthPolicyPermissionLevel'] authorized_permissions: The permission level for organization tokens. + :param str runner_id: The runner ID for deployment runner tokens. + :param str team_name: The team name for team tokens. + :param str user_login: The user login for personal tokens. + """ + pulumi.set(__self__, "decision", decision) + pulumi.set(__self__, "rules", rules) + pulumi.set(__self__, "token_type", token_type) + if authorized_permissions is not None: + pulumi.set(__self__, "authorized_permissions", authorized_permissions) + if runner_id is not None: + pulumi.set(__self__, "runner_id", runner_id) + if team_name is not None: + pulumi.set(__self__, "team_name", team_name) + if user_login is not None: + pulumi.set(__self__, "user_login", user_login) + + @property + @pulumi.getter + def decision(self) -> 'AuthPolicyDecision': + """ + The rule type of this policy definition + """ + return pulumi.get(self, "decision") + + @property + @pulumi.getter + def rules(self) -> Mapping[str, str]: + """ + OIDC rules to set for this policy. + """ + return pulumi.get(self, "rules") + + @property + @pulumi.getter(name="tokenType") + def token_type(self) -> 'AuthPolicyTokenType': + """ + The token type for this policy definition + """ + return pulumi.get(self, "token_type") + + @property + @pulumi.getter(name="authorizedPermissions") + def authorized_permissions(self) -> Optional[Sequence['AuthPolicyPermissionLevel']]: + """ + The permission level for organization tokens. + """ + return pulumi.get(self, "authorized_permissions") + + @property + @pulumi.getter(name="runnerID") + def runner_id(self) -> Optional[str]: + """ + The runner ID for deployment runner tokens. + """ + return pulumi.get(self, "runner_id") + + @property + @pulumi.getter(name="teamName") + def team_name(self) -> Optional[str]: + """ + The team name for team tokens. + """ + return pulumi.get(self, "team_name") + + @property + @pulumi.getter(name="userLogin") + def user_login(self) -> Optional[str]: + """ + The user login for personal tokens. + """ + return pulumi.get(self, "user_login") + + @pulumi.output_type class AzureOIDCConfiguration(dict): @staticmethod