AWS Native is in preview. AWS Classic is fully supported.
aws-native.verifiedpermissions.PolicyStore
Represents a policy store in which you can place a schema, policies, and policy templates to validate authorization requests.
Example Usage
Example
using System.Collections.Generic;
using System.Linq;
using Pulumi;
using AwsNative = Pulumi.AwsNative;
return await Deployment.RunAsync(() =>
{
    // Cedar schema for the PhotoApp namespace, passed to the provider as a JSON string.
    // It declares the entity types User, UserGroup, Photo, Album and Account and the
    // actions viewPhoto, createPhoto and listPhotos. Every action takes a ContextType
    // context in which the boolean "authenticated" attribute is required and the
    // "ip" (ipaddr extension) attribute is optional.
    const string cedarSchema = "{\"PhotoApp\":{\"commonTypes\":{\"PersonType\":{\"type\":\"Record\",\"attributes\":{\"age\":{\"type\":\"Long\"},\"name\":{\"type\":\"String\"}}},\"ContextType\":{\"type\":\"Record\",\"attributes\":{\"ip\":{\"type\":\"Extension\",\"name\":\"ipaddr\",\"required\":false},\"authenticated\":{\"type\":\"Boolean\",\"required\":true}}}},\"entityTypes\":{\"User\":{\"shape\":{\"type\":\"Record\",\"attributes\":{\"userId\":{\"type\":\"String\"},\"personInformation\":{\"type\":\"PersonType\"}}},\"memberOfTypes\":[\"UserGroup\"]},\"UserGroup\":{\"shape\":{\"type\":\"Record\",\"attributes\":{}}},\"Photo\":{\"shape\":{\"type\":\"Record\",\"attributes\":{\"account\":{\"type\":\"Entity\",\"name\":\"Account\",\"required\":true},\"private\":{\"type\":\"Boolean\",\"required\":true}}},\"memberOfTypes\":[\"Album\",\"Account\"]},\"Album\":{\"shape\":{\"type\":\"Record\",\"attributes\":{}}},\"Account\":{\"shape\":{\"type\":\"Record\",\"attributes\":{}}}},\"actions\":{\"viewPhoto\":{\"appliesTo\":{\"principalTypes\":[\"User\",\"UserGroup\"],\"resourceTypes\":[\"Photo\"],\"context\":{\"type\":\"ContextType\"}}},\"createPhoto\":{\"appliesTo\":{\"principalTypes\":[\"User\",\"UserGroup\"],\"resourceTypes\":[\"Photo\"],\"context\":{\"type\":\"ContextType\"}}},\"listPhotos\":{\"appliesTo\":{\"principalTypes\":[\"User\",\"UserGroup\"],\"resourceTypes\":[\"Photo\"],\"context\":{\"type\":\"ContextType\"}}}}}}";

    var schemaDefinition = new AwsNative.VerifiedPermissions.Inputs.PolicyStoreSchemaDefinitionArgs
    {
        CedarJson = cedarSchema,
    };

    // STRICT mode requires a schema in the store: submitted policies and templates are
    // validated against it and rejected when they fail. Per the resource documentation,
    // policies already in the store are not re-evaluated when the schema changes later.
    var validation = new AwsNative.VerifiedPermissions.Inputs.PolicyStoreValidationSettingsArgs
    {
        Mode = AwsNative.VerifiedPermissions.PolicyStoreValidationMode.Strict,
    };

    var myPolicyStore = new AwsNative.VerifiedPermissions.PolicyStore("myPolicyStore", new()
    {
        Schema = schemaDefinition,
        ValidationSettings = validation,
    });
});
package main
import (
"github.com/pulumi/pulumi-aws-native/sdk/go/aws/verifiedpermissions"
"github.com/pulumi/pulumi/sdk/v3/go/pulumi"
)
// main declares a Verified Permissions policy store named "myPolicyStore"
// with a Cedar schema and STRICT validation.
func main() {
	// cedarSchema is the Cedar schema for the PhotoApp namespace as a JSON
	// string. It declares the entity types User, UserGroup, Photo, Album and
	// Account and the actions viewPhoto, createPhoto and listPhotos. Every
	// action takes a ContextType context in which the boolean "authenticated"
	// attribute is required and the "ip" (ipaddr extension) attribute is optional.
	const cedarSchema = "{\"PhotoApp\":{\"commonTypes\":{\"PersonType\":{\"type\":\"Record\",\"attributes\":{\"age\":{\"type\":\"Long\"},\"name\":{\"type\":\"String\"}}},\"ContextType\":{\"type\":\"Record\",\"attributes\":{\"ip\":{\"type\":\"Extension\",\"name\":\"ipaddr\",\"required\":false},\"authenticated\":{\"type\":\"Boolean\",\"required\":true}}}},\"entityTypes\":{\"User\":{\"shape\":{\"type\":\"Record\",\"attributes\":{\"userId\":{\"type\":\"String\"},\"personInformation\":{\"type\":\"PersonType\"}}},\"memberOfTypes\":[\"UserGroup\"]},\"UserGroup\":{\"shape\":{\"type\":\"Record\",\"attributes\":{}}},\"Photo\":{\"shape\":{\"type\":\"Record\",\"attributes\":{\"account\":{\"type\":\"Entity\",\"name\":\"Account\",\"required\":true},\"private\":{\"type\":\"Boolean\",\"required\":true}}},\"memberOfTypes\":[\"Album\",\"Account\"]},\"Album\":{\"shape\":{\"type\":\"Record\",\"attributes\":{}}},\"Account\":{\"shape\":{\"type\":\"Record\",\"attributes\":{}}}},\"actions\":{\"viewPhoto\":{\"appliesTo\":{\"principalTypes\":[\"User\",\"UserGroup\"],\"resourceTypes\":[\"Photo\"],\"context\":{\"type\":\"ContextType\"}}},\"createPhoto\":{\"appliesTo\":{\"principalTypes\":[\"User\",\"UserGroup\"],\"resourceTypes\":[\"Photo\"],\"context\":{\"type\":\"ContextType\"}}},\"listPhotos\":{\"appliesTo\":{\"principalTypes\":[\"User\",\"UserGroup\"],\"resourceTypes\":[\"Photo\"],\"context\":{\"type\":\"ContextType\"}}}}}}"

	pulumi.Run(func(ctx *pulumi.Context) error {
		storeArgs := &verifiedpermissions.PolicyStoreArgs{
			Schema: &verifiedpermissions.PolicyStoreSchemaDefinitionArgs{
				CedarJson: pulumi.String(cedarSchema),
			},
			// STRICT mode requires a schema in the store: submitted policies
			// and templates are validated against it and rejected when they
			// fail. Per the resource documentation, policies already in the
			// store are not re-evaluated when the schema changes later.
			ValidationSettings: &verifiedpermissions.PolicyStoreValidationSettingsArgs{
				Mode: verifiedpermissions.PolicyStoreValidationModeStrict,
			},
		}

		// The resource handle is not needed afterwards; only the error is
		// handed back to pulumi.Run.
		_, err := verifiedpermissions.NewPolicyStore(ctx, "myPolicyStore", storeArgs)
		return err
	})
}
Coming soon!
import pulumi
import pulumi_aws_native as aws_native
# Cedar schema for the PhotoApp namespace, passed to the provider as a JSON string.
# It declares the entity types User, UserGroup, Photo, Album and Account and the
# actions viewPhoto, createPhoto and listPhotos. Every action takes a ContextType
# context in which the boolean "authenticated" attribute is required and the
# "ip" (ipaddr extension) attribute is optional.
_cedar_schema = "{\"PhotoApp\":{\"commonTypes\":{\"PersonType\":{\"type\":\"Record\",\"attributes\":{\"age\":{\"type\":\"Long\"},\"name\":{\"type\":\"String\"}}},\"ContextType\":{\"type\":\"Record\",\"attributes\":{\"ip\":{\"type\":\"Extension\",\"name\":\"ipaddr\",\"required\":false},\"authenticated\":{\"type\":\"Boolean\",\"required\":true}}}},\"entityTypes\":{\"User\":{\"shape\":{\"type\":\"Record\",\"attributes\":{\"userId\":{\"type\":\"String\"},\"personInformation\":{\"type\":\"PersonType\"}}},\"memberOfTypes\":[\"UserGroup\"]},\"UserGroup\":{\"shape\":{\"type\":\"Record\",\"attributes\":{}}},\"Photo\":{\"shape\":{\"type\":\"Record\",\"attributes\":{\"account\":{\"type\":\"Entity\",\"name\":\"Account\",\"required\":true},\"private\":{\"type\":\"Boolean\",\"required\":true}}},\"memberOfTypes\":[\"Album\",\"Account\"]},\"Album\":{\"shape\":{\"type\":\"Record\",\"attributes\":{}}},\"Account\":{\"shape\":{\"type\":\"Record\",\"attributes\":{}}}},\"actions\":{\"viewPhoto\":{\"appliesTo\":{\"principalTypes\":[\"User\",\"UserGroup\"],\"resourceTypes\":[\"Photo\"],\"context\":{\"type\":\"ContextType\"}}},\"createPhoto\":{\"appliesTo\":{\"principalTypes\":[\"User\",\"UserGroup\"],\"resourceTypes\":[\"Photo\"],\"context\":{\"type\":\"ContextType\"}}},\"listPhotos\":{\"appliesTo\":{\"principalTypes\":[\"User\",\"UserGroup\"],\"resourceTypes\":[\"Photo\"],\"context\":{\"type\":\"ContextType\"}}}}}}"

# STRICT mode requires a schema in the store: submitted policies and templates are
# validated against it and rejected when they fail. Per the resource documentation,
# policies already in the store are not re-evaluated when the schema changes later.
_validation = aws_native.verifiedpermissions.PolicyStoreValidationSettingsArgs(
    mode=aws_native.verifiedpermissions.PolicyStoreValidationMode.STRICT,
)

my_policy_store = aws_native.verifiedpermissions.PolicyStore(
    "myPolicyStore",
    schema=aws_native.verifiedpermissions.PolicyStoreSchemaDefinitionArgs(
        cedar_json=_cedar_schema,
    ),
    validation_settings=_validation,
)
import * as pulumi from "@pulumi/pulumi";
import * as aws_native from "@pulumi/aws-native";
// Cedar schema for the PhotoApp namespace, passed to the provider as a JSON string.
// It declares the entity types User, UserGroup, Photo, Album and Account and the
// actions viewPhoto, createPhoto and listPhotos. Every action takes a ContextType
// context in which the boolean "authenticated" attribute is required and the
// "ip" (ipaddr extension) attribute is optional.
const cedarSchema = "{\"PhotoApp\":{\"commonTypes\":{\"PersonType\":{\"type\":\"Record\",\"attributes\":{\"age\":{\"type\":\"Long\"},\"name\":{\"type\":\"String\"}}},\"ContextType\":{\"type\":\"Record\",\"attributes\":{\"ip\":{\"type\":\"Extension\",\"name\":\"ipaddr\",\"required\":false},\"authenticated\":{\"type\":\"Boolean\",\"required\":true}}}},\"entityTypes\":{\"User\":{\"shape\":{\"type\":\"Record\",\"attributes\":{\"userId\":{\"type\":\"String\"},\"personInformation\":{\"type\":\"PersonType\"}}},\"memberOfTypes\":[\"UserGroup\"]},\"UserGroup\":{\"shape\":{\"type\":\"Record\",\"attributes\":{}}},\"Photo\":{\"shape\":{\"type\":\"Record\",\"attributes\":{\"account\":{\"type\":\"Entity\",\"name\":\"Account\",\"required\":true},\"private\":{\"type\":\"Boolean\",\"required\":true}}},\"memberOfTypes\":[\"Album\",\"Account\"]},\"Album\":{\"shape\":{\"type\":\"Record\",\"attributes\":{}}},\"Account\":{\"shape\":{\"type\":\"Record\",\"attributes\":{}}}},\"actions\":{\"viewPhoto\":{\"appliesTo\":{\"principalTypes\":[\"User\",\"UserGroup\"],\"resourceTypes\":[\"Photo\"],\"context\":{\"type\":\"ContextType\"}}},\"createPhoto\":{\"appliesTo\":{\"principalTypes\":[\"User\",\"UserGroup\"],\"resourceTypes\":[\"Photo\"],\"context\":{\"type\":\"ContextType\"}}},\"listPhotos\":{\"appliesTo\":{\"principalTypes\":[\"User\",\"UserGroup\"],\"resourceTypes\":[\"Photo\"],\"context\":{\"type\":\"ContextType\"}}}}}}";

const myPolicyStore = new aws_native.verifiedpermissions.PolicyStore("myPolicyStore", {
    // STRICT mode requires a schema in the store: submitted policies and templates are
    // validated against it and rejected when they fail. Per the resource documentation,
    // policies already in the store are not re-evaluated when the schema changes later.
    validationSettings: {
        mode: aws_native.verifiedpermissions.PolicyStoreValidationMode.Strict,
    },
    schema: {
        cedarJson: cedarSchema,
    },
});
Coming soon!
Create PolicyStore Resource
Resources are created with functions called constructors. To learn more about declaring and configuring resources, see Resources.
Constructor syntax
new PolicyStore(name: string, args: PolicyStoreArgs, opts?: CustomResourceOptions);
@overload
def PolicyStore(resource_name: str,
args: PolicyStoreArgs,
opts: Optional[ResourceOptions] = None)
@overload
def PolicyStore(resource_name: str,
opts: Optional[ResourceOptions] = None,
validation_settings: Optional[PolicyStoreValidationSettingsArgs] = None,
description: Optional[str] = None,
schema: Optional[PolicyStoreSchemaDefinitionArgs] = None)
func NewPolicyStore(ctx *Context, name string, args PolicyStoreArgs, opts ...ResourceOption) (*PolicyStore, error)
public PolicyStore(string name, PolicyStoreArgs args, CustomResourceOptions? opts = null)
public PolicyStore(String name, PolicyStoreArgs args)
public PolicyStore(String name, PolicyStoreArgs args, CustomResourceOptions options)
type: aws-native:verifiedpermissions:PolicyStore
properties: # The arguments to resource properties.
options: # Bag of options to control resource's behavior.
Parameters
- name string
- The unique name of the resource.
- args PolicyStoreArgs
- The arguments to resource properties.
- opts CustomResourceOptions
- Bag of options to control resource's behavior.
- resource_name str
- The unique name of the resource.
- args PolicyStoreArgs
- The arguments to resource properties.
- opts ResourceOptions
- Bag of options to control resource's behavior.
- ctx Context
- Context object for the current deployment.
- name string
- The unique name of the resource.
- args PolicyStoreArgs
- The arguments to resource properties.
- opts ResourceOption
- Bag of options to control resource's behavior.
- name string
- The unique name of the resource.
- args PolicyStoreArgs
- The arguments to resource properties.
- opts CustomResourceOptions
- Bag of options to control resource's behavior.
- name String
- The unique name of the resource.
- args PolicyStoreArgs
- The arguments to resource properties.
- options CustomResourceOptions
- Bag of options to control resource's behavior.
PolicyStore Resource Properties
To learn more about resource properties and how to use them, see Inputs and Outputs in the Architecture and Concepts docs.
Inputs
The PolicyStore resource accepts the following input properties:
- ValidationSettings Pulumi.AwsNative.VerifiedPermissions.Inputs.PolicyStoreValidationSettings
- Specifies the validation setting for this policy store. Currently, the only valid and required value is `Mode`. We recommend that you turn on `STRICT` mode only after you define a schema. If a schema doesn't exist, then `STRICT` mode causes any policy to fail validation, and Verified Permissions rejects the policy. You can turn off validation by using UpdatePolicyStore. Then, when you have a schema defined, use UpdatePolicyStore again to turn validation back on.
- Description string
- Descriptive text that you can provide to help with identification of the current policy store.
- Schema Pulumi.AwsNative.VerifiedPermissions.Inputs.PolicyStoreSchemaDefinition
- Creates or updates the policy schema in a policy store. Cedar can use the schema to validate any Cedar policies and policy templates submitted to the policy store. Any changes to the schema validate only policies and templates submitted after the schema change. Existing policies and templates are not re-evaluated against the changed schema. If you later update a policy, then it is evaluated against the new schema at that time.
- ValidationSettings PolicyStoreValidationSettingsArgs
- Specifies the validation setting for this policy store. Currently, the only valid and required value is `Mode`. We recommend that you turn on `STRICT` mode only after you define a schema. If a schema doesn't exist, then `STRICT` mode causes any policy to fail validation, and Verified Permissions rejects the policy. You can turn off validation by using UpdatePolicyStore. Then, when you have a schema defined, use UpdatePolicyStore again to turn validation back on.
- Description string
- Descriptive text that you can provide to help with identification of the current policy store.
- Schema PolicyStoreSchemaDefinitionArgs
- Creates or updates the policy schema in a policy store. Cedar can use the schema to validate any Cedar policies and policy templates submitted to the policy store. Any changes to the schema validate only policies and templates submitted after the schema change. Existing policies and templates are not re-evaluated against the changed schema. If you later update a policy, then it is evaluated against the new schema at that time.
- validationSettings PolicyStoreValidationSettings
- Specifies the validation setting for this policy store. Currently, the only valid and required value is `Mode`. We recommend that you turn on `STRICT` mode only after you define a schema. If a schema doesn't exist, then `STRICT` mode causes any policy to fail validation, and Verified Permissions rejects the policy. You can turn off validation by using UpdatePolicyStore. Then, when you have a schema defined, use UpdatePolicyStore again to turn validation back on.
- description String
- Descriptive text that you can provide to help with identification of the current policy store.
- schema PolicyStoreSchemaDefinition
- Creates or updates the policy schema in a policy store. Cedar can use the schema to validate any Cedar policies and policy templates submitted to the policy store. Any changes to the schema validate only policies and templates submitted after the schema change. Existing policies and templates are not re-evaluated against the changed schema. If you later update a policy, then it is evaluated against the new schema at that time.
- validationSettings PolicyStoreValidationSettings
- Specifies the validation setting for this policy store. Currently, the only valid and required value is `Mode`. We recommend that you turn on `STRICT` mode only after you define a schema. If a schema doesn't exist, then `STRICT` mode causes any policy to fail validation, and Verified Permissions rejects the policy. You can turn off validation by using UpdatePolicyStore. Then, when you have a schema defined, use UpdatePolicyStore again to turn validation back on.
- description string
- Descriptive text that you can provide to help with identification of the current policy store.
- schema PolicyStoreSchemaDefinition
- Creates or updates the policy schema in a policy store. Cedar can use the schema to validate any Cedar policies and policy templates submitted to the policy store. Any changes to the schema validate only policies and templates submitted after the schema change. Existing policies and templates are not re-evaluated against the changed schema. If you later update a policy, then it is evaluated against the new schema at that time.
- validation_settings PolicyStoreValidationSettingsArgs
- Specifies the validation setting for this policy store. Currently, the only valid and required value is `Mode`. We recommend that you turn on `STRICT` mode only after you define a schema. If a schema doesn't exist, then `STRICT` mode causes any policy to fail validation, and Verified Permissions rejects the policy. You can turn off validation by using UpdatePolicyStore. Then, when you have a schema defined, use UpdatePolicyStore again to turn validation back on.
- description str
- Descriptive text that you can provide to help with identification of the current policy store.
- schema PolicyStoreSchemaDefinitionArgs
- Creates or updates the policy schema in a policy store. Cedar can use the schema to validate any Cedar policies and policy templates submitted to the policy store. Any changes to the schema validate only policies and templates submitted after the schema change. Existing policies and templates are not re-evaluated against the changed schema. If you later update a policy, then it is evaluated against the new schema at that time.
- validationSettings Property Map
- Specifies the validation setting for this policy store. Currently, the only valid and required value is `Mode`. We recommend that you turn on `STRICT` mode only after you define a schema. If a schema doesn't exist, then `STRICT` mode causes any policy to fail validation, and Verified Permissions rejects the policy. You can turn off validation by using UpdatePolicyStore. Then, when you have a schema defined, use UpdatePolicyStore again to turn validation back on.
- description String
- Descriptive text that you can provide to help with identification of the current policy store.
- schema Property Map
- Creates or updates the policy schema in a policy store. Cedar can use the schema to validate any Cedar policies and policy templates submitted to the policy store. Any changes to the schema validate only policies and templates submitted after the schema change. Existing policies and templates are not re-evaluated against the changed schema. If you later update a policy, then it is evaluated against the new schema at that time.
Outputs
All input properties are implicitly available as output properties. Additionally, the PolicyStore resource produces the following output properties:
- Arn string
- The Amazon Resource Name (ARN) of the new or updated policy store.
- Id string
- The provider-assigned unique ID for this managed resource.
- PolicyStoreId string
- The unique ID of the new or updated policy store.
- Arn string
- The Amazon Resource Name (ARN) of the new or updated policy store.
- Id string
- The provider-assigned unique ID for this managed resource.
- PolicyStoreId string
- The unique ID of the new or updated policy store.
- arn String
- The Amazon Resource Name (ARN) of the new or updated policy store.
- id String
- The provider-assigned unique ID for this managed resource.
- policyStoreId String
- The unique ID of the new or updated policy store.
- arn string
- The Amazon Resource Name (ARN) of the new or updated policy store.
- id string
- The provider-assigned unique ID for this managed resource.
- policyStoreId string
- The unique ID of the new or updated policy store.
- arn str
- The Amazon Resource Name (ARN) of the new or updated policy store.
- id str
- The provider-assigned unique ID for this managed resource.
- policy_store_id str
- The unique ID of the new or updated policy store.
- arn String
- The Amazon Resource Name (ARN) of the new or updated policy store.
- id String
- The provider-assigned unique ID for this managed resource.
- policyStoreId String
- The unique ID of the new or updated policy store.
Supporting Types
PolicyStoreSchemaDefinition, PolicyStoreSchemaDefinitionArgs
- CedarJson string
- A JSON string representation of the schema supported by applications that use this policy store. For more information, see Policy store schema in the Amazon Verified Permissions User Guide.
- CedarJson string
- A JSON string representation of the schema supported by applications that use this policy store. For more information, see Policy store schema in the Amazon Verified Permissions User Guide.
- cedarJson String
- A JSON string representation of the schema supported by applications that use this policy store. For more information, see Policy store schema in the Amazon Verified Permissions User Guide.
- cedarJson string
- A JSON string representation of the schema supported by applications that use this policy store. For more information, see Policy store schema in the Amazon Verified Permissions User Guide.
- cedar_json str
- A JSON string representation of the schema supported by applications that use this policy store. For more information, see Policy store schema in the Amazon Verified Permissions User Guide.
- cedarJson String
- A JSON string representation of the schema supported by applications that use this policy store. For more information, see Policy store schema in the Amazon Verified Permissions User Guide.
PolicyStoreValidationMode, PolicyStoreValidationModeArgs
- Off
- OFF
- Strict
- STRICT
- PolicyStoreValidationModeOff
- OFF
- PolicyStoreValidationModeStrict
- STRICT
- Off
- OFF
- Strict
- STRICT
- Off
- OFF
- Strict
- STRICT
- OFF
- OFF
- STRICT
- STRICT
- "OFF"
- OFF
- "STRICT"
- STRICT
PolicyStoreValidationSettings, PolicyStoreValidationSettingsArgs
- Mode Pulumi.AwsNative.VerifiedPermissions.PolicyStoreValidationMode
- The validation mode currently configured for this policy store. The valid values are:
- OFF – Neither Verified Permissions nor Cedar performs any validation on policies. No validation errors are reported by either service.
- STRICT – Requires a schema to be present in the policy store. Cedar performs validation on all submitted new or updated static policies and policy templates. Any that fail validation are rejected and Cedar doesn't store them in the policy store.
If `Mode=STRICT` and the policy store doesn't contain a schema, Verified Permissions rejects all static policies and policy templates because there is no schema to validate against. To submit a static policy or policy template without a schema, you must turn off validation.
- Mode PolicyStoreValidationMode
- The validation mode currently configured for this policy store. The valid values are:
- OFF – Neither Verified Permissions nor Cedar performs any validation on policies. No validation errors are reported by either service.
- STRICT – Requires a schema to be present in the policy store. Cedar performs validation on all submitted new or updated static policies and policy templates. Any that fail validation are rejected and Cedar doesn't store them in the policy store.
If `Mode=STRICT` and the policy store doesn't contain a schema, Verified Permissions rejects all static policies and policy templates because there is no schema to validate against. To submit a static policy or policy template without a schema, you must turn off validation.
- mode PolicyStoreValidationMode
- The validation mode currently configured for this policy store. The valid values are:
- OFF – Neither Verified Permissions nor Cedar performs any validation on policies. No validation errors are reported by either service.
- STRICT – Requires a schema to be present in the policy store. Cedar performs validation on all submitted new or updated static policies and policy templates. Any that fail validation are rejected and Cedar doesn't store them in the policy store.
If `Mode=STRICT` and the policy store doesn't contain a schema, Verified Permissions rejects all static policies and policy templates because there is no schema to validate against. To submit a static policy or policy template without a schema, you must turn off validation.
- mode PolicyStoreValidationMode
- The validation mode currently configured for this policy store. The valid values are:
- OFF – Neither Verified Permissions nor Cedar performs any validation on policies. No validation errors are reported by either service.
- STRICT – Requires a schema to be present in the policy store. Cedar performs validation on all submitted new or updated static policies and policy templates. Any that fail validation are rejected and Cedar doesn't store them in the policy store.
If `Mode=STRICT` and the policy store doesn't contain a schema, Verified Permissions rejects all static policies and policy templates because there is no schema to validate against. To submit a static policy or policy template without a schema, you must turn off validation.
- mode PolicyStoreValidationMode
- The validation mode currently configured for this policy store. The valid values are:
- OFF – Neither Verified Permissions nor Cedar performs any validation on policies. No validation errors are reported by either service.
- STRICT – Requires a schema to be present in the policy store. Cedar performs validation on all submitted new or updated static policies and policy templates. Any that fail validation are rejected and Cedar doesn't store them in the policy store.
If `Mode=STRICT` and the policy store doesn't contain a schema, Verified Permissions rejects all static policies and policy templates because there is no schema to validate against. To submit a static policy or policy template without a schema, you must turn off validation.
- mode "OFF" | "STRICT"
- The validation mode currently configured for this policy store. The valid values are:
- OFF – Neither Verified Permissions nor Cedar performs any validation on policies. No validation errors are reported by either service.
- STRICT – Requires a schema to be present in the policy store. Cedar performs validation on all submitted new or updated static policies and policy templates. Any that fail validation are rejected and Cedar doesn't store them in the policy store.
If `Mode=STRICT` and the policy store doesn't contain a schema, Verified Permissions rejects all static policies and policy templates because there is no schema to validate against. To submit a static policy or policy template without a schema, you must turn off validation.
Package Details
- Repository
- AWS Native pulumi/pulumi-aws-native
- License
- Apache-2.0