add iam role to assume for infrastructure creation

.github/workflows/gh_action_init_dataflows.yml

@@ -62,6 +62,7 @@ jobs:
           work-dir: ./infrastructure
         env:
           PULUMI_ACCESS_TOKEN: ${{ secrets.PULUMI_ACCESS_TOKEN }}  
+          AWS_IAM_ROLE_TO_ASSUME: ${{  secrets.AWS_IAM_ROLE_TO_ASSUME }}
 
       - name: Create AWS Infrastructure Summary
         run: |

README.md

@@ -285,7 +285,7 @@ If you have previously installed and configured the AWS CLI, Pulumi will [respec
 - after you have created an IAM user, click on the user name and open the security credentials tab, create an access key for programmatical access (aws_secret_access_key)
 - install aws cli (on mac: brew install awscli)
 - run command "aws configure" in the terminal, you will be prompted for AWS Access Key ID and AWS Secret Access Key => a credentials file is created in user dir: ~/.aws/credentials
-#### b) Create an AWS IAM Role to manage the required project-specific policies; the role will be assumed when the infrastructure is created:
+#### b) Create an AWS IAM Role to manage the required project-specific policies; the role will be assumed for the specific infrastructure creation (AWS_IAM_ROLE_TO_ASSUME):
 - create an IAM Role in the AWS Management Console (Security Credentials/ Access Management on the left / Role => Create / Custom trust policy and put in the following custom trust policy - don't forget to add your own IAM User arn under Principal/ AWS :
 ```
     {
@@ -315,7 +315,7 @@ If you have previously installed and configured the AWS CLI, Pulumi will [respec
 ### GitHub
 *necessary, as we will use GitHub Actions to deploy our AWS infrastructure with one click*
 - Create a new GitHub repo
-- Add the following secrets to your GitHub repo actions secrets: AWS_ACCESS_KEY, AWS_SECRET_ACCESS_KEY, PULUMI_ACCESS_TOKEN, PREFECT_API_KEY, PREFECT_WORKSPACE, you can mainly follow the guide in this [article].
+- Add the following secrets to your GitHub repo actions secrets: AWS_ACCESS_KEY, AWS_SECRET_ACCESS_KEY, PULUMI_ACCESS_TOKEN, PREFECT_API_KEY, PREFECT_WORKSPACE, AWS_IAM_ROLE_TO_ASSUME you can mainly follow the guide in this [article].
 ### Pulumi
 - Make sure you have executed each step in the [AWS prerequisites](#aws)
 - Create a [Pulumi account](https://www.pulumi.com)

infrastructure/__main__.py

@@ -1,40 +1,61 @@
 import pulumi
 import pulumi_aws as aws
+from dotenv import load_dotenv
 import json
+import os
 
+load_dotenv(override=True)
 
 cluster_name = "prefect-ecs-cluster"
 project_name = "dataflow"
 aws_accout_id = aws.get_caller_identity().account_id
 aws_region = aws.get_region()
 
-# Create an ECR Repository
-ecr_repo = aws.ecr.Repository(project_name + "_ecr")
 
-ecr_lifecycle_policy = aws.ecr.LifecyclePolicy(
-    "ecr_lifecycle_policy",
-    repository=ecr_repo.name,
-    policy=json.dumps(
-        {
-            "rules": [
-                {
-                    "rulePriority": 1,
-                    "description": "Keep only one untagged image, expire all others",
-                    "selection": {
-                        "tagStatus": "untagged",
-                        "countType": "imageCountMoreThan",
-                        "countNumber": 1,
-                    },
-                    "action": {"type": "expire"},
-                }
-            ]
-        }
+# Setup the AWS provider to assume a specific role
+assumed_role_provider = aws.Provider(
+    "assumedRoleProvider",
+    assume_role=aws.ProviderAssumeRoleArgs(
+        role_arn=os.getenv("AWS_IAM_ROLE_TO_ASSUME"),
+        session_name="PulumiSession_ecr_ecs",
     ),
+    region=aws_region.name,
 )
 
+# Create an ECR Repository
+ecr_repo = aws.ecr.Repository(
+    project_name + "_ecr",
+    opts=pulumi.ResourceOptions(provider=assumed_role_provider),
+)
+
+# ecr_lifecycle_policy = aws.ecr.LifecyclePolicy(
+#     "ecr_lifecycle_policy",
+#     repository=ecr_repo.name,
+#     policy=json.dumps(
+#         {
+#             "rules": [
+#                 {
+#                     "rulePriority": 1,
+#                     "description": "Keep only one untagged image, expire all others",
+#                     "selection": {
+#                         "tagStatus": "untagged",
+#                         "countType": "imageCountMoreThan",
+#                         "countNumber": 1,
+#                     },
+#                     "action": {"type": "expire"},
+#                 }
+#             ]
+#         }
+#     ),
+#  #   opts=pulumi.ResourceOptions(provider=assumed_role_provider),
+# )
+
 
 # Create an ECS Cluster
-ecs_cluster = aws.ecs.Cluster(cluster_name)
+ecs_cluster = aws.ecs.Cluster(
+    cluster_name,
+    opts=pulumi.ResourceOptions(provider=assumed_role_provider),
+)
 
 
 # Create VPC and necessary igw, subnet, route table for push work pool
@@ -44,18 +65,28 @@
     cidr_block="10.0.0.0/16",
     enable_dns_support=True,
     enable_dns_hostnames=True,
+    opts=pulumi.ResourceOptions(provider=assumed_role_provider),
 )
 
-igw = aws.ec2.InternetGateway("dataflow_internet_gateway", vpc_id=vpc.id)
+igw = aws.ec2.InternetGateway(
+    "dataflow_internet_gateway",
+    vpc_id=vpc.id,
+    opts=pulumi.ResourceOptions(provider=assumed_role_provider),
+)
 
 
-route_table = aws.ec2.RouteTable("dataflow_route_table", vpc_id=vpc.id)
+route_table = aws.ec2.RouteTable(
+    "dataflow_route_table",
+    vpc_id=vpc.id,
+    opts=pulumi.ResourceOptions(provider=assumed_role_provider),
+)
 
 route = aws.ec2.Route(
     "dataflow_route",
     route_table_id=route_table.id,
     destination_cidr_block="0.0.0.0/0",
     gateway_id=igw.id,
+    opts=pulumi.ResourceOptions(provider=assumed_role_provider),
 )
 
 ecs_service_subnet = aws.ec2.Subnet(
@@ -64,6 +95,7 @@
     cidr_block="10.0.0.0/16",
     map_public_ip_on_launch=True,
     availability_zone="eu-central-1a",
+    opts=pulumi.ResourceOptions(provider=assumed_role_provider),
 )
 
 
@@ -72,6 +104,7 @@
     "dataflow_route_table_association",
     subnet_id=ecs_service_subnet.id,
     route_table_id=route_table.id,
+    opts=pulumi.ResourceOptions(provider=assumed_role_provider),
 )
 
 
@@ -89,6 +122,7 @@
             ],
         }
     ),
+    opts=pulumi.ResourceOptions(provider=assumed_role_provider),
 )
 
 execution_role_policy = aws.iam.RolePolicy(
@@ -117,13 +151,15 @@
             ],
         }
     ),
+    opts=pulumi.ResourceOptions(provider=assumed_role_provider),
 )
 
 
 aws.iam.RolePolicyAttachment(
     "ecsPolicyAttachment",
     role=execution_role.name,
     policy_arn="arn:aws:iam::aws:policy/service-role/AmazonECSTaskExecutionRolePolicy",
+    opts=pulumi.ResourceOptions(provider=assumed_role_provider),
 )
 
 
@@ -141,6 +177,7 @@
             ],
         }
     ),
+    opts=pulumi.ResourceOptions(provider=assumed_role_provider),
 )
 
 
@@ -168,6 +205,7 @@
             ],
         }
     ),
+    opts=pulumi.ResourceOptions(provider=assumed_role_provider),
 )
 
 

infrastructure/requirements.txt

@@ -1,2 +1,3 @@
 pulumi>=3.0.0,<4.0.0
 pulumi-aws>=6.0.2,<7.0.0
+dotenv