Update tutorials
pulumi-bot committed Oct 19, 2023
1 parent 1203751 commit 39afc64
Showing 3 changed files with 343 additions and 0 deletions.
@@ -0,0 +1,116 @@
---
title: "Provisioning an OIDC Provider in AWS for Pulumi Cloud | Python"
h1: "Provisioning an OIDC Provider in AWS for Pulumi Cloud"
linktitle: "Provisioning an OIDC Provider in AWS for Pulumi Cloud"
meta_desc: "Provisioning an OIDC Provider in AWS for Pulumi Cloud How-to Guide using Python"
no_edit_this_page: true
cloud: aws
language: py
layout: package
---

<!-- WARNING: this page was generated by a tool. Do not edit it by hand. -->
<!-- To change it, please see https://github.com/pulumi/docs/tree/master/tools/mktutorial. -->

<p class="mb-4 flex">
<a class="flex flex-wrap items-center rounded-md font-display text-lg text-white bg-blue-600 border-2 border-blue-600 px-2 mr-2 whitespace-no-wrap hover:text-white" style="height: 45px;" href="https://github.com/pulumi/examples/tree/master/aws-py-oidc-provider-pulumi-cloud" target="_blank">
<span><i class="fab fa-github pr-2"></i> View Code</span>
</a>
</p>


This example will create OIDC configuration between Pulumi Cloud and AWS, specifically demonstrating connectivity with [Pulumi ESC](https://www.pulumi.com/docs/pulumi-cloud/esc/). The program automates the process detailed in the AWS documentation for the following activities:

- [Obtaining the thumbprint for an OpenID Connect Identity Provider](https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_providers_create_oidc_verify-thumbprint.html)
- [Creating an OpenID Connect Identity Provider](https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_providers_create_oidc.html)

## Prerequisites

* [Install Pulumi](https://www.pulumi.com/docs/get-started/install/)
* [Configure Pulumi to Use AWS](https://www.pulumi.com/docs/intro/cloud-providers/aws/setup/) (if your AWS CLI is configured, no further changes are required)
* Install Python 3.x

Make sure to deploy this example in an AWS account that does not already have a provider configured for Pulumi, otherwise the deployment will fail with the following error:

`creating IAM OIDC Provider: EntityAlreadyExists: Provider with url https://api.pulumi.com/oidc already exists.`

## Running the Example

Clone [the examples repo](https://github.com/pulumi/examples/tree/master/aws-py-oidc-provider) and navigate to the folder for this example.

```bash
git clone https://github.com/pulumi/examples.git
cd examples/aws-py-oidc-provider-pulumi-cloud
```

Next, to deploy the application and its infrastructure, follow these steps:

1. Create a new stack, which is an isolated deployment target for this example:

```bash
$ pulumi stack init dev
```

1. Set your desired AWS region:

```bash
pulumi config set aws:region us-east-1 # any valid AWS region will work
```

1. Install requirements.

```bash
python3 -m venv venv
venv/bin/pip install -r requirements.txt
```

1. Run `pulumi up -y`. Once the program completes, it will output a YAML template for you to use in the next step.

## Validating the OIDC Configuration

This next section will walk you through validating your OIDC configuration using [Pulumi ESC](https://www.pulumi.com/docs/pulumi-cloud/esc/).

Start by [creating a new Pulumi ESC environment](https://www.pulumi.com/docs/pulumi-cloud/esc/get-started/#create-an-environment). Then, copy the template definition from the output in the CLI and paste it into your environment. Save your environment file and run the `pulumi env open <your-pulumi-org>/<your-environment>` command in the CLI. You should see output similar to the following:

```bash
$ pulumi env open myOrg/myEnvironment
{
"aws": {
"login": {
"accessKeyId": "ASIA......",
"secretAccessKey": "PYP.....",
"sessionToken": "FwoGZ....."
}
}
}
```

You can configure more granular access control by adding the `sub` claim to the Provider role's trust policy conditions with the appropriate pattern. In the following example, the role may only be assumed by the specific Pulumi ESC environment that you designate.
```json
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Principal": {
"Federated": "arn:aws:iam::616138583583:oidc-provider/api.pulumi.com/oidc"
},
"Action": "sts:AssumeRoleWithWebIdentity",
"Condition": {
"StringEquals": {
"api.pulumi.com/oidc:aud": "<your-pulumi-org>",
"api.pulumi.com/oidc:sub": "pulumi:environments:org:<your-pulumi-org>:env:<your-environment-name>"
}
}
}
]
}
```
Once you are done, you can destroy all of the resources as well as the stack:
```bash
$ pulumi destroy
$ pulumi stack rm
```
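Review bot: the clone link in "Clone [the examples repo](https://github.com/pulumi/examples/tree/master/aws-py-oidc-provider)" points at a directory that does not match the `cd examples/aws-py-oidc-provider-pulumi-cloud` step or the View Code button above it; the link should use the `aws-py-oidc-provider-pulumi-cloud` path. The trust policy example also hard-codes an account ID in `"Federated": "arn:aws:iam::616138583583:oidc-provider/api.pulumi.com/oidc"` while every other value in it is a `<your-...>` placeholder; readers will paste it verbatim, so make that `<your-aws-account-id>`. It is also worth stating explicitly what the `sub` paragraph implies: without that condition, any environment in the organization named by the `aud` claim can assume the role. Two smaller points: the `$ ` prompt appears in `$ pulumi stack init dev` but not in the other step commands, and the closing sections (the `sub`-condition paragraph and the destroy commands) lack the `## Additional Considerations` / `## Clean-Up Resources` headings and the blank line before each fence that the Azure and Google Cloud pages in this commit use.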
@@ -0,0 +1,133 @@
---
title: "Provisioning an OIDC Provider in Azure for Pulumi Cloud | Python"
h1: "Provisioning an OIDC Provider in Azure for Pulumi Cloud"
linktitle: "Provisioning an OIDC Provider in Azure for Pulumi Cloud"
meta_desc: "Provisioning an OIDC Provider in Azure for Pulumi Cloud How-to Guide using Python"
no_edit_this_page: true
cloud: azure
language: py
layout: package
---

<!-- WARNING: this page was generated by a tool. Do not edit it by hand. -->
<!-- To change it, please see https://github.com/pulumi/docs/tree/master/tools/mktutorial. -->

<p class="mb-4 flex">
<a class="flex flex-wrap items-center rounded-md font-display text-lg text-white bg-blue-600 border-2 border-blue-600 px-2 mr-2 whitespace-no-wrap hover:text-white" style="height: 45px;" href="https://github.com/pulumi/examples/tree/master/azure-py-oidc-provider-pulumi-cloud" target="_blank">
<span><i class="fab fa-github pr-2"></i> View Code</span>
</a>
</p>


This example will create OIDC configuration between Pulumi Cloud and Azure, specifically demonstrating connectivity with [Pulumi ESC](https://www.pulumi.com/docs/pulumi-cloud/esc/). The program automates the process detailed in the Azure documentation for the following activities:

- [Create a Microsoft Entra application and service principal that can access resources](https://learn.microsoft.com/en-us/azure/active-directory/develop/howto-create-service-principal-portal)
- [Create federated credentials](https://azure.github.io/azure-workload-identity/docs/topics/federated-identity-credential.html#federated-identity-credential-for-an-azure-ad-application-1)

## Prerequisites

* [Install Pulumi](https://www.pulumi.com/docs/get-started/install/)
* [Configure Pulumi to Use Azure](https://www.pulumi.com/docs/clouds/azure/get-started/begin/)

## Running the Example

Clone [the examples repo](https://github.com/pulumi/examples/tree/master/azure-py-oidc-provider) and navigate to the folder for this example.

```bash
git clone https://github.com/pulumi/examples.git
cd examples/azure-py-oidc-provider-pulumi-cloud
```

Next, to deploy the application and its infrastructure, follow these steps:

1. Create a new stack, which is an isolated deployment target for this example:

```bash
pulumi stack init dev
```

1. Set your Pulumi ESC environment name and desired Azure region:

```bash
pulumi config set environmentName <your-environment-name> # replace with your environment name
pulumi config set azure-native:location WestUS2 # any valid Azure region will work
```

1. Install requirements.

```bash
python3 -m venv venv
venv/bin/pip install -r requirements.txt
```

1. Run `pulumi up -y`. Once the program completes, it will output a YAML template for you to use in the next step.

## Validating the OIDC Configuration

This next section will walk you through validating your OIDC configuration using [Pulumi ESC](https://www.pulumi.com/docs/pulumi-cloud/esc/).

Start by [creating a new Pulumi ESC environment](https://www.pulumi.com/docs/pulumi-cloud/esc/get-started/#create-an-environment). Then, copy the template definition from the output in the CLI and paste it into your environment. Save your environment file and run the `pulumi env open <your-pulumi-org>/<your-environment>` command in the CLI. You should see output similar to the following:

```bash
$ pulumi env open myOrg/myEnvironment
{
"azure": {
"login": {
"clientId": "3e5505f6-90b9-....",
"oidc": {
"token": "eyJhbGciOi...."
},
"subscriptionId": "/subscriptions/0282681f-7a9e....",
"tenantId": "706143bc-e1d4...."
}
}
}
```

## Additional Considerations

You can configure more granular access control by adding a `RoleAssignment` resource to your program. In the following example, the application is assigned a role with permissions to read secrets from Azure Keyvault.

```python
# Create an IAM role assignment at the subscription level
role_assignment = authorization.RoleAssignment(
'role-assignment',
scope=pulumi.Output.format('/subscriptions/{subscription_id}', subscription_id=az_subscription),
role_definition_id=pulumi.Output.format('/subscriptions/{subscription_id}/providers/Microsoft.Authorization/roleDefinitions/{role_definition_id}',
subscription_id=az_subscription,
role_definition_id='4633458b-17de-408a-b874-0445c86b69e6'), # ID for "Key Vault Secrets User" role
principal_id=application.object_id,
)
```

For this example, you would need to update your environment file to retrieve a KeyVault secret:

```yaml
values:
azure:
login:
fn::open::azure-login:
clientId: <your-client-id>
tenantId: <your-tenant-id>
subscriptionId: /subscriptions/<your-subscription-id>
oidc: true
secrets:
fn::open::azure-secrets:
login: ${azure.login}
vault: <your-vault-name>
get:
api-key:
name: api-key #an example of retrieving a secret named "api-key" and storing it in a parameter
environmentVariables:
API_KEY: ${azure.secrets.api-key} # an example of how you can reference your api-key value elsewhere in the file
```

## Clean-Up Resources

Once you are done, you can destroy all of the resources as well as the stack:

```bash
$ pulumi destroy
$ pulumi stack rm
```

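Review bot: the `RoleAssignment` in Additional Considerations is scoped to the whole subscription (`scope=pulumi.Output.format('/subscriptions/{subscription_id}', ...)`), so "Key Vault Secrets User" is granted on every Key Vault in the subscription, not only the vault named in the environment file; scoping the assignment to the vault's resource ID would match the least-privilege intent the paragraph describes. The snippet also uses `authorization`, `pulumi`, `az_subscription` and `application` without saying where they come from; a sentence noting that these are the imports and resource objects of the example program (or the import lines themselves) would stop it from failing when pasted into a fresh program. Same clone-link mismatch as the AWS page: the link targets `azure-py-oidc-provider` while the `cd` step and the View Code button use `azure-py-oidc-provider-pulumi-cloud`. Minor: "Keyvault", "KeyVault" and the product name "Key Vault" are all used; the comment `# Create an IAM role assignment` describes what Azure calls an RBAC role assignment; and `#an example` is missing the space after `#`.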
@@ -0,0 +1,94 @@
---
title: "Provisioning an OIDC Provider in Google Cloud for Pulumi Cloud | Python"
h1: "Provisioning an OIDC Provider in Google Cloud for Pulumi Cloud"
linktitle: "Provisioning an OIDC Provider in Google Cloud for Pulumi Cloud"
meta_desc: "Provisioning an OIDC Provider in Google Cloud for Pulumi Cloud How-to Guide using Python"
no_edit_this_page: true
cloud: gcp
language: py
layout: package
---

<!-- WARNING: this page was generated by a tool. Do not edit it by hand. -->
<!-- To change it, please see https://github.com/pulumi/docs/tree/master/tools/mktutorial. -->

<p class="mb-4 flex">
<a class="flex flex-wrap items-center rounded-md font-display text-lg text-white bg-blue-600 border-2 border-blue-600 px-2 mr-2 whitespace-no-wrap hover:text-white" style="height: 45px;" href="https://github.com/pulumi/examples/tree/master/gcp-py-oidc-provider-pulumi-cloud" target="_blank">
<span><i class="fab fa-github pr-2"></i> View Code</span>
</a>
</p>


This example will create OIDC configuration between Pulumi Cloud and Google Cloud, specifically demonstrating connectivity with [Pulumi ESC](https://www.pulumi.com/docs/pulumi-cloud/esc/). The program automates the process detailed in the Google Cloud documentation for the following activities:

- [Create Workload Identity Provider and Pool](https://cloud.google.com/iam/docs/workload-identity-federation-with-other-providers#create_the_workload_identity_pool_and_provider)
- [Authenticate the Workload](https://cloud.google.com/iam/docs/workload-identity-federation-with-other-providers#authenticate)

## Prerequisites

* [Install Pulumi](https://www.pulumi.com/docs/get-started/install/)
* [Configure Pulumi to Use GCP](https://www.pulumi.com/docs/clouds/gcp/get-started/begin/#configure-pulumi-to-access-your-google-cloud-account)
* [Create a Google Cloud Project with the required APIs enabled](https://cloud.google.com/iam/docs/workload-identity-federation-with-other-providers#configure)

## Running the Example

Clone [the examples repo](https://github.com/pulumi/examples/tree/master/gcp-py-oidc-provider) and navigate to the folder for this example.

```bash
git clone https://github.com/pulumi/examples.git
cd examples/gcp-py-oidc-provider-pulumi-cloud
```

Next, to deploy the application and its infrastructure, follow these steps:

1. Create a new stack, which is an isolated deployment target for this example:

```bash
pulumi stack init dev
```

1. Set your Pulumi ESC environment name and the name of your GCP Project:

```bash
pulumi config set environmentName <your-environment-name> # replace with your environment name
pulumi config set gcp:project <your-project-id> # replace with your GCP project ID
```

1. Install requirements.

```bash
python3 -m venv venv
venv/bin/pip install -r requirements.txt
```

1. Run `pulumi up -y`. Once the program completes, it will output a YAML template for you to use in the next step.

## Validating the OIDC Configuration

This next section will walk you through validating your OIDC configuration using [Pulumi ESC](https://www.pulumi.com/docs/pulumi-cloud/esc/).

Start by [creating a new Pulumi ESC environment](https://www.pulumi.com/docs/pulumi-cloud/esc/get-started/#create-an-environment). Then, copy the template definition from the output in the CLI and paste it into your environment. Save your environment file and run the `pulumi env open <your-pulumi-org>/<your-environment>` command in the CLI. You should see output similar to the following:

```bash
$ pulumi env open myOrg/myEnvironment
{
"gcp": {
"login": {
"accessToken": "N777Agel_gBF...",
"expiry": "2023-10-12T14:38:00Z",
"project": 842111111111,
"tokenType": "Bearer"
}
}
}
```

## Clean-Up Resources

Once you are done, you can destroy all of the resources as well as the stack:

```bash
$ pulumi destroy
$ pulumi stack rm
```

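Review bot: the clone link targets `gcp-py-oidc-provider`, but the `cd examples/gcp-py-oidc-provider-pulumi-cloud` step and the View Code button use the `-pulumi-cloud` directory; fix the link. This page also has no counterpart to the AWS tutorial's `sub`-condition paragraph or the Azure tutorial's Additional Considerations: after "Create Workload Identity Provider and Pool" nothing tells the reader how to restrict which Pulumi organization or environment may exchange a token through the pool (on Google Cloud that is an attribute condition on the workload identity pool provider), so a short section on it, or at least a pointer into the linked Google Cloud documentation, would bring it in line with the other two pages.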
0 comments on commit 39afc64