
import ipaddress
import json

import pulumi_aws as aws

from dch_cloud.config import config
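# Trust policy for the account-wide admin role.
#
# With an empty Condition, any principal in the listed account that is
# itself allowed to call sts:AssumeRole can assume this role; the optional
# source-IP condition below is the only narrowing applied here, and it is
# applied only when 'source_ip' is present in the Pulumi config.
admin_role_trust_policy = {
    'Version': '2012-10-17',
    'Statement': [
        {
            'Effect': 'Allow',
            'Principal': {
                'AWS': 'arn:aws:iam::566967686773:root',
            },
            'Action': 'sts:AssumeRole',
            'Condition': {},
        }
    ],
}

if source_ip := config.get('source_ip'):
    # Accept either a bare address or a CIDR block. ipaddress normalises a
    # bare IPv4 host to '<addr>/32' (an IPv6 host to '<addr>/128'), so the
    # previous f'{source_ip}/32' output is unchanged for the bare-IPv4 case,
    # while a CIDR value no longer becomes the invalid 'a.b.c.d/24/32' and an
    # IPv6 value no longer gets a wrong prefix length. A malformed value now
    # fails here with ValueError at deploy time instead of producing a policy
    # document AWS rejects.
    source_network = ipaddress.ip_network(source_ip, strict=False)
    admin_role_trust_policy['Statement'][0]['Condition'] = {
        'IpAddress': {
            # aws:SourceIp matches the caller's public address; requests
            # arriving through a VPC endpoint are matched by aws:VpcSourceIp
            # instead, which this condition does not cover.
            'aws:SourceIp': str(source_network),
        }
    }

# The role's trust policy is serialised once; later in-place edits to the
# dict above would not be reflected in the resource.
admin_role = aws.iam.Role(
    'admin_role',
    name='admin',
    assume_role_policy=json.dumps(admin_role_trust_policy),
)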