Documentation
¶
Index ¶
- Constants
- Variables
- func EcrRepositoryReadConfig(config *api.Config) (api.Config, error)
- func ReadAuthServiceAccountConfig(config *api.Config) (api.Config, error)
- func ReadCloudTrailSecurityAlertsConfig(config *api.Config) (api.Config, error)
- func ReadRdsMysqlConfig(config *api.Config) (api.Config, error)
- func ReadRdsPostgresConfig(config *api.Config) (api.Config, error)
- func ReadSecretsConfig(config *api.Config) (api.Config, error)
- func ReadSecretsProviderConfig(config *api.Config) (api.Config, error)
- func ReadStateStorageConfig(config *api.Config) (api.Config, error)
- func ReadTemplateConfig(config *api.Config) (api.Config, error)
- func S3BucketReadConfig(config *api.Config) (api.Config, error)
- func ToAwsLambdaConfig(tpl any, stackCfg *api.StackConfigSingleImage) (any, error)
- func ToEcsFargateConfig(tpl any, composeCfg compose.Config, stackCfg *api.StackConfigCompose) (any, error)
- func ToStaticSiteConfig(tpl any, stackDir, stackName string, stackCfg *api.StackConfigStatic) (any, error)
- type AccountConfig
- type CloudExtras
- type CloudTrailAlertOverride
- type CloudTrailAlertSelectors
- type CloudTrailSecurityAlertsConfig
- type EcrLifecyclePolicy
- type EcrLifecyclePolicyAction
- type EcrLifecyclePolicySelection
- type EcrLifecycleRule
- type EcrRepository
- type EcsFargateConfig
- type EcsFargateContainer
- type EcsFargateDependsOn
- type EcsFargateInput
- type EcsFargateMountPoint
- type EcsFargateProbe
- type EcsFargateResources
- type EcsFargateScale
- type EcsFargateScalePolicy
- type EcsFargateScalePolicyType
- type EcsFargateVolume
- type FargateRollingUpdate
- type LambdaInput
- type LambdaInvokeMode
- type LambdaRoutingType
- type LambdaSchedule
- type LoadBalancerType
- type MysqlConfig
- type PostgresConfig
- type ProbeHttpGet
- type S3Bucket
- type SecretsConfig
- type SecretsProviderConfig
- type SecurityGroup
- type SecurityGroupRule
- type StateStorageConfig
- type StaticSiteInput
- type TemplateConfig
Constants ¶
const ( AuthTypeAWSToken = "aws-token" SecretsTypeAWSSecretsManager = "aws-secrets-manager" SecretsProviderTypeAwsKms = "aws-kms" StateStorageTypeS3Bucket = "s3-bucket" )
const ( LambdaRoutingApiGw = "api-gateway" LambdaRoutingFunctionUrl = "function-url" LambdaInvokeModeBuffered = "BUFFERED" LambdaInvokeModeResponseStream = "RESPONSE_STREAM" LoadBalancerTypeAlb LoadBalancerType = "alb" LoadBalancerTypeNlb LoadBalancerType = "nlb" )
const ProviderType = "aws"
const ResourceTypeCloudTrailSecurityAlerts = "aws-cloudtrail-security-alerts"
const ResourceTypeEcrRepository = "ecr-repository"
const (
ResourceTypeRdsMysql = "aws-rds-mysql"
)
const (
ResourceTypeRdsPostgres = "aws-rds-postgres"
)
const ResourceTypeS3Bucket = "s3-bucket"
const (
TemplateTypeAwsLambda = "aws-lambda"
)
const (
TemplateTypeEcsFargate = "ecs-fargate"
)
const TemplateTypeStaticWebsite = "aws-static-website"
Variables ¶
var DefaultEcrLifecyclePolicy = EcrLifecyclePolicy{ Rules: []EcrLifecycleRule{ { RulePriority: 1, Description: "Keep only 3 last images", Selection: EcrLifecyclePolicySelection{ TagStatus: "any", CountType: "imageCountMoreThan", CountNumber: 3, }, Action: EcrLifecyclePolicyAction{ Type: "expire", }, }, }, }
DefaultEcrLifecyclePolicy is the default ECR lifecycle policy (keep only 3 last images)
Functions ¶
func ToAwsLambdaConfig ¶
func ToAwsLambdaConfig(tpl any, stackCfg *api.StackConfigSingleImage) (any, error)
func ToEcsFargateConfig ¶
func ToStaticSiteConfig ¶
Types ¶
type AccountConfig ¶
type AccountConfig struct {
Account string `json:"account" yaml:"account"`
AccessKey string `json:"accessKey" yaml:"accessKey"`
SecretAccessKey string `json:"secretAccessKey" yaml:"secretAccessKey"`
Region string `json:"region" yaml:"region"`
api.Credentials `json:",inline" yaml:",inline"`
}
func (*AccountConfig) CredentialsValue ¶
func (r *AccountConfig) CredentialsValue() string
func (*AccountConfig) ProjectIdValue ¶
func (r *AccountConfig) ProjectIdValue() string
func (*AccountConfig) ProviderType ¶
func (r *AccountConfig) ProviderType() string
type CloudExtras ¶
type CloudExtras struct {
AwsRoles []string `json:"awsRoles" yaml:"awsRoles"`
LambdaSchedule *LambdaSchedule `json:"lambdaSchedule,omitempty" yaml:"lambdaSchedule,omitempty"` // e.g. for lambda functions to be triggered on schedule
LambdaSchedules []LambdaSchedule `json:"lambdaSchedules,omitempty" yaml:"lambdaSchedules,omitempty"` // e.g. for lambda functions to be triggered on schedule
LambdaRoutingType LambdaRoutingType `json:"lambdaRoutingType" yaml:"lambdaRoutingType"`
LambdaInvokeMode LambdaInvokeMode `json:"lambdaInvokeMode" yaml:"lambdaInvokeMode"` // invoke mode for lambda
SecurityGroup *SecurityGroup `json:"securityGroup,omitempty" yaml:"securityGroup,omitempty"`
LoadBalancerType LoadBalancerType `json:"loadBalancerType,omitempty" yaml:"loadBalancerType,omitempty"` // default: alb
}
type CloudTrailAlertOverride ¶
type CloudTrailAlertOverride struct {
// Threshold raises the alarm threshold (events per period). 0 = use the plugin default
// for this detector (1 for most, 5 for unauthorizedApiCalls, 10 for anonymousProbes).
Threshold float64 `json:"threshold,omitempty" yaml:"threshold,omitempty"`
// Period in seconds. 0 = 300 (5 min). CloudWatch supports 60, 300, 3600.
Period int `json:"period,omitempty" yaml:"period,omitempty"`
// EvaluationPeriods is how many consecutive periods must breach. 0 = 1.
EvaluationPeriods int `json:"evaluationPeriods,omitempty" yaml:"evaluationPeriods,omitempty"`
// ExcludeUserNames excludes events where $.userIdentity.userName matches the given
// names exactly. Useful for IAMUser-type principals like CI bot accounts.
ExcludeUserNames []string `json:"excludeUserNames,omitempty" yaml:"excludeUserNames,omitempty"`
// ExcludePrincipalIds excludes by $.userIdentity.principalId (AIDA..., AROA..., AKIA...).
ExcludePrincipalIds []string `json:"excludePrincipalIds,omitempty" yaml:"excludePrincipalIds,omitempty"`
// ExcludeUserArns excludes by exact $.userIdentity.arn match.
ExcludeUserArns []string `json:"excludeUserArns,omitempty" yaml:"excludeUserArns,omitempty"`
// ExcludeUserArnGlobs excludes by $.userIdentity.arn glob (CloudWatch metric filter
// patterns support * within string values, e.g.
// "arn:aws:sts::*:assumed-role/AWSServiceRoleFor*/*"). One glob per list entry.
ExcludeUserArnGlobs []string `json:"excludeUserArnGlobs,omitempty" yaml:"excludeUserArnGlobs,omitempty"`
// ExcludeUserTypes excludes by $.userIdentity.type (e.g. "AWSService", "AWSAccount",
// "AssumedRole"). Useful for stripping AWS internal plumbing from unauthorized-api-calls.
ExcludeUserTypes []string `json:"excludeUserTypes,omitempty" yaml:"excludeUserTypes,omitempty"`
// ExcludeInvokedBy excludes by $.userIdentity.invokedBy (e.g. "s3.amazonaws.com").
// This is the canonical way to strip AWS service self-probes.
ExcludeInvokedBy []string `json:"excludeInvokedBy,omitempty" yaml:"excludeInvokedBy,omitempty"`
}
CloudTrailAlertOverride tunes a single detector. All fields are optional; zero values mean "use plugin default."
type CloudTrailAlertSelectors ¶
type CloudTrailAlertSelectors struct {
// CIS CloudWatch.1-14
RootAccountUsage bool `json:"rootAccountUsage,omitempty" yaml:"rootAccountUsage,omitempty"` // CIS CloudWatch.1
ConsoleLoginWithoutMfa bool `json:"consoleLoginWithoutMfa,omitempty" yaml:"consoleLoginWithoutMfa,omitempty"` // CIS CloudWatch.3
IamPolicyChanges bool `json:"iamPolicyChanges,omitempty" yaml:"iamPolicyChanges,omitempty"` // CIS CloudWatch.4
CloudTrailTampering bool `json:"cloudTrailTampering,omitempty" yaml:"cloudTrailTampering,omitempty"` // CIS CloudWatch.5
FailedConsoleLogins bool `json:"failedConsoleLogins,omitempty" yaml:"failedConsoleLogins,omitempty"` // CIS CloudWatch.6
KmsKeyDeletion bool `json:"kmsKeyDeletion,omitempty" yaml:"kmsKeyDeletion,omitempty"` // CIS CloudWatch.7
S3BucketPolicyChanges bool `json:"s3BucketPolicyChanges,omitempty" yaml:"s3BucketPolicyChanges,omitempty"` // CIS CloudWatch.8
ConfigChanges bool `json:"configChanges,omitempty" yaml:"configChanges,omitempty"` // CIS CloudWatch.9
SecurityGroupChanges bool `json:"securityGroupChanges,omitempty" yaml:"securityGroupChanges,omitempty"` // CIS CloudWatch.10
NaclChanges bool `json:"naclChanges,omitempty" yaml:"naclChanges,omitempty"` // CIS CloudWatch.11
NetworkGatewayChanges bool `json:"networkGatewayChanges,omitempty" yaml:"networkGatewayChanges,omitempty"` // CIS CloudWatch.12
RouteTableChanges bool `json:"routeTableChanges,omitempty" yaml:"routeTableChanges,omitempty"` // CIS CloudWatch.13
VpcChanges bool `json:"vpcChanges,omitempty" yaml:"vpcChanges,omitempty"` // CIS CloudWatch.14
// Beyond-CIS detectors. Default off so existing deployments don't gain new alerts on plugin upgrade.
GuardDutyDisabled bool `json:"guardDutyDisabled,omitempty" yaml:"guardDutyDisabled,omitempty"` // GuardDuty disabled/detector deleted
SecurityHubDisabled bool `json:"securityHubDisabled,omitempty" yaml:"securityHubDisabled,omitempty"` // Security Hub disabled or standards turned off
AccessKeyCreation bool `json:"accessKeyCreation,omitempty" yaml:"accessKeyCreation,omitempty"` // CreateAccessKey on any IAM user
S3PublicAccessChanges bool `json:"s3PublicAccessChanges,omitempty" yaml:"s3PublicAccessChanges,omitempty"` // Block Public Access toggled at account or bucket scope
LambdaUrlPublic bool `json:"lambdaUrlPublic,omitempty" yaml:"lambdaUrlPublic,omitempty"` // Lambda Function URL created/updated with AuthType=NONE
// KMS-related detectors are split into two by signal density:
// KmsKeyPolicy — PutKeyPolicy: rare, real signal, default threshold 1. The structural
// change to "who can use this key" — page on any occurrence.
// KmsKeyGrants — CreateGrant / RetireGrant / RevokeGrant: high-volume in any IaC-driven
// environment (Pulumi/Terraform issue a grant per encrypted resource).
// Default off; turn on only with the override.threshold tuned to your
// deploy cadence. Splitting was driven by production data showing
// ~25 CreateGrant/hour from one Pulumi bot account that would have
// buried a single PutKeyPolicy signal.
KmsKeyPolicy bool `json:"kmsKeyPolicy,omitempty" yaml:"kmsKeyPolicy,omitempty"` // PutKeyPolicy (rare; default threshold 1)
KmsKeyGrants bool `json:"kmsKeyGrants,omitempty" yaml:"kmsKeyGrants,omitempty"` // CreateGrant / RetireGrant / RevokeGrant (high-volume; default threshold 10)
OrganizationsChanges bool `json:"organizationsChanges,omitempty" yaml:"organizationsChanges,omitempty"` // SCP / account-membership churn in AWS Organizations
AnonymousProbes bool `json:"anonymousProbes,omitempty" yaml:"anonymousProbes,omitempty"` // userIdentity.type=AWSAccount AccessDenied probes from public IPs
// Overrides allows per-detector tuning without forking the plugin. Keyed by detector
// selector name (e.g. "iamPolicyChanges"). An override can:
// - bake exclusion clauses into the CloudWatch metric filter pattern (preferred
// for governed automation that contributes nothing but noise — Pulumi CI bots,
// known scanners, AWS service-linked roles);
// - raise the alarm threshold so a single matched event no longer trips the alarm
// (CIS Benchmark guidance for unauthorized-api-calls);
// - adjust the evaluation window.
//
// Suppression happens at the metric-filter layer, not in the Lambda enrichment
// step — excluded events never increment the metric, the alarm never trips, and
// no Slack notification is sent. The CW alarm dashboard therefore reflects real
// signal rather than known-good noise (preserves SOC2/ISO audit clarity).
Overrides map[string]CloudTrailAlertOverride `json:"overrides,omitempty" yaml:"overrides,omitempty"`
}
CloudTrailAlertSelectors controls which security alerts are enabled. Each field maps to a CloudWatch metric filter + alarm on the CloudTrail log group. Built-in detectors track AWS Security Hub/CIS CloudWatch controls (CloudWatch.1-14) plus a set of high-value additions covering attacker-blinding moves and exposure paths that CIS does not cover (GuardDuty/SecurityHub disable, IAM access keys, S3 Block Public Access, public Lambda Function URLs, KMS key policy edits, AWS Organizations changes, anonymous external probes).
type CloudTrailSecurityAlertsConfig ¶
type CloudTrailSecurityAlertsConfig struct {
AccountConfig `json:",inline" yaml:",inline"`
LogGroupName string `json:"logGroupName" yaml:"logGroupName"`
LogGroupRegion string `json:"logGroupRegion,omitempty" yaml:"logGroupRegion,omitempty"`
Slack *api.SlackCfg `json:"slack,omitempty" yaml:"slack,omitempty"`
Discord *api.DiscordCfg `json:"discord,omitempty" yaml:"discord,omitempty"`
Telegram *api.TelegramCfg `json:"telegram,omitempty" yaml:"telegram,omitempty"`
Email *api.EmailCfg `json:"email,omitempty" yaml:"email,omitempty"`
Alerts CloudTrailAlertSelectors `json:"alerts" yaml:"alerts"`
// Trail pre-flight check (SOC2 CC7.1 / ISO 27001 A.8.15): when TrailName
// is set, SC inspects the referenced CloudTrail trail at provision time
// and refuses to deploy unless log-file validation is enabled. This
// prevents a silent gap where the metric filters + alarms happily match
// events in a trail whose log files are not tamper-detectable.
//
// TrailName is the friendly name of the CloudTrail trail (not the ARN).
// AWS accepts either, but friendly name is what `aws cloudtrail
// describe-trails` returns by default and what users actually see in
// the console.
//
// When TrailName is empty the check is skipped (back-compat for
// deployments that don't want SC touching the trail). Set explicitly to
// opt into the guardrail.
TrailName string `json:"trailName,omitempty" yaml:"trailName,omitempty"`
// When true (default, if TrailName is set) the provisioner FAILS deploy
// if log-file validation is off. When false, SC only logs a warning
// and continues — use during incremental rollout, not as a permanent
// escape hatch.
RequireLogFileValidation *bool `json:"requireLogFileValidation,omitempty" yaml:"requireLogFileValidation,omitempty"`
}
CloudTrailSecurityAlertsConfig defines CloudWatch metric filters and alarms for security-relevant CloudTrail events (SOC2 CC6.1/CC7.1, ISO 27001 A.8.2/A.8.15/A.8.16).
func (CloudTrailSecurityAlertsConfig) RequiresTrailValidation ¶
func (c CloudTrailSecurityAlertsConfig) RequiresTrailValidation() bool
RequiresTrailValidation reports whether the config has opted into the pre-flight check. True iff TrailName is set AND RequireLogFileValidation is either unset (default true) or explicitly true.
type EcrLifecyclePolicy ¶
type EcrLifecyclePolicy struct {
Rules []EcrLifecycleRule `json:"rules" yaml:"rules"`
}
type EcrLifecyclePolicyAction ¶
type EcrLifecyclePolicyAction struct {
Type string `json:"type" yaml:"type"`
}
type EcrLifecyclePolicySelection ¶
type EcrLifecyclePolicySelection struct {
TagStatus string `json:"tagStatus" yaml:"tagStatus"`
TagPatternList []string `json:"tagPatternList,omitempty" yaml:"tagPatternList,omitempty"`
TagPrefixList []string `json:"tagPrefixList,omitempty" yaml:"tagPrefixList,omitempty"`
CountType string `json:"countType" yaml:"countType"`
CountNumber int `json:"countNumber" yaml:"countNumber"`
CountUnit string `json:"countUnit,omitempty" yaml:"countUnit,omitempty"`
}
type EcrLifecycleRule ¶
type EcrLifecycleRule struct {
RulePriority int `json:"rulePriority" yaml:"rulePriority"`
Description string `json:"description" yaml:"description"`
Selection EcrLifecyclePolicySelection `json:"selection" yaml:"selection"`
Action EcrLifecyclePolicyAction `json:"action" yaml:"action"`
}
type EcrRepository ¶
type EcrRepository struct {
AccountConfig `json:",inline" yaml:",inline"`
Name string `json:"name,omitempty" yaml:"name,omitempty"`
LifecyclePolicy *EcrLifecyclePolicy `json:"lifecyclePolicy" yaml:"lifecyclePolicy"`
}
type EcsFargateConfig ¶
type EcsFargateConfig struct {
api.Credentials `json:",inline" yaml:",inline"`
AccountConfig `json:",inline" yaml:",inline"`
Cpu int `json:"cpu" yaml:"cpu"`
Memory int `json:"memory" yaml:"memory"`
EphemeralStorageGB int `json:"ephemeralStorageGB" yaml:"ephemeralStorageGB"`
Version string `json:"version" yaml:"version"`
}
func (*EcsFargateConfig) CredentialsValue ¶
func (r *EcsFargateConfig) CredentialsValue() string
func (*EcsFargateConfig) ProjectIdValue ¶
func (r *EcsFargateConfig) ProjectIdValue() string
type EcsFargateContainer ¶
type EcsFargateContainer struct {
Name string `json:"name" yaml:"name"`
Image api.ContainerImage `json:"image" yaml:"image"`
Env map[string]string `json:"env" yaml:"env"`
Secrets map[string]string `json:"secrets" yaml:"secrets"`
Port int `json:"port" yaml:"port"`
LivenessProbe EcsFargateProbe `json:"livenessProbe" yaml:"livenessProbe"`
StartupProbe EcsFargateProbe `json:"startupProbe" yaml:"startupProbe"`
MountPoints []EcsFargateMountPoint `json:"mountPoints" yaml:"mountPoints"`
Cpu int `json:"cpu" yaml:"cpu"`
Memory int `json:"memory" yaml:"memory"`
DependsOn []EcsFargateDependsOn `json:"dependsOn" yaml:"dependsOn"`
}
type EcsFargateDependsOn ¶
type EcsFargateInput ¶
type EcsFargateInput struct {
TemplateConfig `json:"templateConfig" yaml:"templateConfig"`
Scale EcsFargateScale `json:"scale" yaml:"scale"`
Containers []EcsFargateContainer `json:"containers" yaml:"containers"`
IngressContainer EcsFargateContainer `json:"ingressContainer" yaml:"ingressContainer"`
Config EcsFargateConfig `json:"config" yaml:"config"`
Domain string `json:"domain" yaml:"domain"`
DomainProxied *bool `json:"domainProxied" yaml:"domainProxied"`
RefResourceNames []string `json:"refResourceNames" yaml:"refResourceNames"`
Secrets map[string]string `json:"secrets" yaml:"secrets"`
BaseDnsZone string `json:"baseDnsZone" yaml:"baseDnsZone"`
Dependencies []api.StackConfigDependencyResource `json:"dependencies" yaml:"dependencies"`
Volumes []EcsFargateVolume `json:"volumes" yaml:"volumes"`
Alerts *api.AlertsConfig `json:"alerts" yaml:"alerts"`
ComposeDir string `json:"composeDir" yaml:"composeDir"`
CloudExtras *CloudExtras `json:"cloudExtras" yaml:"cloudExtras"`
StackConfig *api.StackConfigCompose `json:"stackConfig" yaml:"stackConfig"`
}
func (*EcsFargateInput) DependsOnResources ¶
func (i *EcsFargateInput) DependsOnResources() []api.StackConfigDependencyResource
func (*EcsFargateInput) OverriddenBaseZone ¶
func (i *EcsFargateInput) OverriddenBaseZone() string
func (*EcsFargateInput) Uses ¶
func (i *EcsFargateInput) Uses() []string
type EcsFargateMountPoint ¶
type EcsFargateProbe ¶
type EcsFargateProbe struct {
Command []string `json:"command" yaml:"command"`
HttpGet ProbeHttpGet `json:"httpGet" yaml:"httpGet"`
InitialDelaySeconds int `json:"initialDelaySeconds" yaml:"initialDelaySeconds"`
TimeoutSeconds int `json:"timeoutSeconds" yaml:"timeoutSeconds"`
IntervalSeconds int `json:"intervalSeconds" yaml:"intervalSeconds"`
Retries int `json:"retries" yaml:"retries"`
}
func (*EcsFargateProbe) FromHealthCheck ¶
func (p *EcsFargateProbe) FromHealthCheck(svc types.ServiceConfig, port int)
type EcsFargateResources ¶
type EcsFargateScale ¶
type EcsFargateScale struct {
Min int `json:"min" yaml:"min"`
Max int `json:"max" yaml:"max"`
Policies []EcsFargateScalePolicy `json:"policy" yaml:"policy"`
Update FargateRollingUpdate `json:"update" yaml:"update"`
}
type EcsFargateScalePolicy ¶
type EcsFargateScalePolicy struct {
Type EcsFargateScalePolicyType `json:"type" yaml:"type"`
TargetValue int `yaml:"targetValue" json:"targetValue"`
ScaleInCooldown int `json:"scaleInCooldown" yaml:"scaleInCooldown"`
ScaleOutCooldown int `json:"scaleOutCooldown" yaml:"scaleOutCooldown"`
}
type EcsFargateScalePolicyType ¶
type EcsFargateScalePolicyType string
const ( ScaleCpu EcsFargateScalePolicyType = "cpu" ScaleMemory EcsFargateScalePolicyType = "memory" )
type EcsFargateVolume ¶
type EcsFargateVolume struct {
Name string `json:"name" yaml:"name"`
}
type FargateRollingUpdate ¶
type LambdaInput ¶
type LambdaInput struct {
AccountConfig `json:",inline" yaml:",inline"`
StackConfig api.StackConfigSingleImage `json:"stackConfig" yaml:"stackConfig"`
}
func (*LambdaInput) DependsOnResources ¶
func (l *LambdaInput) DependsOnResources() []api.StackConfigDependencyResource
func (*LambdaInput) OverriddenBaseZone ¶
func (l *LambdaInput) OverriddenBaseZone() string
func (*LambdaInput) Uses ¶
func (l *LambdaInput) Uses() []string
type LambdaInvokeMode ¶
type LambdaInvokeMode string
type LambdaRoutingType ¶
type LambdaRoutingType string
type LambdaSchedule ¶
type LoadBalancerType ¶
type LoadBalancerType string
type MysqlConfig ¶
type MysqlConfig struct {
AccountConfig `json:",inline" yaml:",inline"`
Name string `json:"name" yaml:"name"`
InstanceClass string `json:"instanceClass" yaml:"instanceClass"`
AllocateStorage *int `json:"allocateStorage" yaml:"allocateStorage"`
EngineVersion string `json:"engineVersion" yaml:"engineVersion"`
Username string `json:"username" yaml:"username"`
Password string `json:"password" yaml:"password"`
DatabaseName *string `json:"databaseName" yaml:"databaseName"`
EngineName *string `json:"engineName,omitempty" yaml:"engineName,omitempty"`
// StorageEncrypted controls AWS-side encryption-at-rest for the
// underlying EBS volume. When unset (nil), new instances default
// to ENCRYPTED (AWS-managed `aws/rds` KMS key), matching CIS-AWS
// Foundations RDS.3. Set `false` explicitly to opt out for legacy
// unencrypted stacks; set `true` to be explicit.
//
// AWS RDS `storage_encrypted` is IMMUTABLE post-creation. The
// default flip is safe for existing instances because the
// `pulumi.IgnoreChanges` on the resource opts (see
// pkg/clouds/pulumi/aws/rds_mysql.go) silences storage_encrypted
// drift — Pulumi will not propose a destructive replacement when
// the spec value differs from the cloud-actual value. Customers
// who want to genuinely migrate an existing unencrypted RDS to
// encrypted must do it out-of-band: snapshot → encrypted-copy →
// restore → re-import.
StorageEncrypted *bool `json:"storageEncrypted,omitempty" yaml:"storageEncrypted,omitempty"`
}
type PostgresConfig ¶
type PostgresConfig struct {
AccountConfig `json:",inline" yaml:",inline"`
Name string `json:"name" yaml:"name"`
InstanceClass string `json:"instanceClass" yaml:"instanceClass"`
AllocateStorage *int `json:"allocateStorage" yaml:"allocateStorage"`
EngineVersion string `json:"engineVersion" yaml:"engineVersion"`
Username string `json:"username" yaml:"username"`
Password string `json:"password" yaml:"password"`
DatabaseName *string `json:"databaseName" yaml:"databaseName"`
InitSQL *string `json:"initSQL,omitempty" yaml:"initSQL,omitempty"`
// StorageEncrypted controls AWS-side encryption-at-rest for the
// underlying EBS volume. When unset (nil), new instances default
// to ENCRYPTED (AWS-managed `aws/rds` KMS key), matching CIS-AWS
// Foundations RDS.3. Set `false` explicitly to opt out for legacy
// unencrypted stacks; set `true` to be explicit.
//
// AWS RDS `storage_encrypted` is IMMUTABLE post-creation. The
// default flip is safe for existing instances because the
// `pulumi.IgnoreChanges` on the resource opts (see
// pkg/clouds/pulumi/aws/rds_postgres.go) silences storage_encrypted
// drift — Pulumi will not propose a destructive replacement when
// the spec value differs from the cloud-actual value. Customers
// who want to genuinely migrate an existing unencrypted RDS to
// encrypted must do it out-of-band: snapshot → encrypted-copy →
// restore → re-import.
StorageEncrypted *bool `json:"storageEncrypted,omitempty" yaml:"storageEncrypted,omitempty"`
}
type ProbeHttpGet ¶
type S3Bucket ¶
type S3Bucket struct {
AccountConfig `json:",inline" yaml:",inline"`
*api.StaticSiteConfig `json:",inline,omitempty" yaml:",inline,omitempty"`
Name string `json:"name,omitempty" yaml:"name,omitempty"`
AllowOnlyHttps bool `json:"allowOnlyHttps" yaml:"allowOnlyHttps"`
}
type SecretsConfig ¶
type SecretsConfig struct {
AccountConfig `json:",inline" yaml:",inline"`
}
type SecretsProviderConfig ¶
type SecretsProviderConfig struct {
AccountConfig `json:",inline" yaml:",inline"`
Provision bool `json:"provision" yaml:"provision"`
// must be in the format:
// awskms://1234abcd-12ab-34cd-56ef-1234567890ab?region=us-east-1
KeyName string `json:"keyName" yaml:"keyName"`
}
func (*SecretsProviderConfig) IsProvisionEnabled ¶
func (sa *SecretsProviderConfig) IsProvisionEnabled() bool
func (*SecretsProviderConfig) KeyUrl ¶
func (sa *SecretsProviderConfig) KeyUrl() string
type SecurityGroup ¶
type SecurityGroup struct {
Ingress *SecurityGroupRule `json:"ingress,omitempty" yaml:"ingress,omitempty"`
}
type SecurityGroupRule ¶
type SecurityGroupRule struct {
AllowOnlyCloudflare *bool `json:"allowOnlyCloudflare,omitempty" yaml:"allowOnlyCloudflare,omitempty"`
CidrBlocks *[]string `json:"cidrBlocks,omitempty" yaml:"cidrBlocks,omitempty"`
Ipv6CidrBlocks *[]string `json:"ipv6CidrBlocks,omitempty" yaml:"ipv6CidrBlocks,omitempty"`
}
type StateStorageConfig ¶
type StateStorageConfig struct {
AccountConfig `json:",inline" yaml:",inline"`
BucketName string `json:"bucketName" yaml:"bucketName"`
Provision bool `json:"provision" yaml:"provision"`
}
func (*StateStorageConfig) IsProvisionEnabled ¶
func (sa *StateStorageConfig) IsProvisionEnabled() bool
func (*StateStorageConfig) StorageUrl ¶
func (sa *StateStorageConfig) StorageUrl() string
type StaticSiteInput ¶
type StaticSiteInput struct {
TemplateConfig `json:"templateConfig" yaml:"templateConfig"`
api.StackConfigStatic `json:",inline" yaml:",inline"`
StackDir string `json:"stackDir" yaml:"stackDir"`
StackName string `json:"stackName" yaml:"stackName"`
}
func (*StaticSiteInput) OverriddenBaseZone ¶
func (i *StaticSiteInput) OverriddenBaseZone() string
OverriddenBaseZone implements api.DnsConfigAware so the Cloudflare registrar uses the stack's baseDnsZone instead of the parent stack's default zone — otherwise records get created with the parent zone suffixed (e.g. simple-forge.com → simple-forge.com.simple-container.com).
type TemplateConfig ¶
type TemplateConfig struct {
AccountConfig `json:",inline" yaml:",inline"`
}