Feat: Adds base project

2026-02-25 10:55:19 -03:00
parent 31f87ab437
commit 624f5dc7e6
46 changed files with 2355 additions and 0 deletions
--- a/infra/ecs_alb/kms.py
+++ b/infra/ecs_alb/kms.py
@@ -0,0 +1,74 @@
+import pulumi
+import pulumi_aws as aws
+import pulumi_docker as docker
+import conf as config
+import json
+
+
+def setup_kms():
+    # KMS Key Setup
+    app_key = aws.kms.Key(f"{config.project_name}-key",
+        description="Key for encrypting secrets",
+        enable_key_rotation=True,
+        policy=json.dumps({
+            "Version": "2012-10-17",
+            "Statement": [
+                {
+                    "Effect": "Allow",
+                    "Sid": "",
+                    "Principal": {
+                        "AWS": f"arn:aws:iam::{config.account_id}:root",
+                    },
+                    "Action": [
+                        "kms:Create*", "kms:Describe*", "kms:Enable*", "kms:List*", "kms:Put*", "kms:Update*",
+                        "kms:Revoke*", "kms:Disable*", "kms:Get*", "kms:Delete*", "kms:ScheduleKeyDeletion",
+                        "kms:CancelKeyDeletion", "kms:Tag*", "kms:UntagResource",
+                    ],
+                    "Resource": "*",
+                },
+                {
+                    "Effect": "Allow",
+                    "Principal": {
+                        "AWS": f"arn:aws:iam::{config.account_id}:root",
+                    },
+                    "Action": [
+                        "kms:Encrypt", "kms:Decrypt", "kms:ReEncrypt*", "kms:GenerateDataKey*", "kms:DescribeKey",
+                    ],
+                    "Resource": "*",
+                },
+                {
+                    "Sid": 'Allow access to EFS for all principals in the account that are authorized to use EFS',
+                    "Effect": 'Allow',
+                    "Principal": {"AWS": "*"},
+                    "Action": [
+                        "kms:Encrypt", "kms:Decrypt", "kms:ReEncrypt*", "kms:GenerateDataKey*",
+                        "kms:CreateGrant", "kms:DescribeKey",
+                    ],
+                    "Resource": "*",
+                    "Condition": {
+                        "StringEquals": {
+                            "kms:ViaService": f"elasticfilesystem.{config.aws_region}.amazonaws.com",
+                            "kms:CallerAccount": config.account_id,
+                        },
+                    },
+                },
+            ],
+        }),
+        tags={
+            "pulumi-application": config.project_name,
+            "pulumi-environment": config.stack_name,
+        },
+    )
+
+    # SSM Parameter Setup
+    app_ssm_parameter = aws.ssm.Parameter(f"{config.project_name}-ssm-parameter",
+        type="SecureString",
+        value=config.config.require_secret("bedrock_api_key"),
+        key_id=app_key.key_id,
+        name=f"/{config.project_name}/{config.stack_name}/BEDROCK_API_KEY",
+        tags={
+            "pulumi-application": config.project_name,
+            "pulumi-environment": config.stack_name,
+        },
+    )
+    return app_ssm_parameter, app_key