def verify_data(r): t = r.resource_type if t != "pulumi-nodejs:dynamic:Resource": return # Verify is_dry_run() assert is_dry_run() == r.props["isDryRun"] # Verify get_project() assert "PULUMI_TEST_PROJECT" in os.environ assert get_project() == os.environ["PULUMI_TEST_PROJECT"] assert get_project() == r.props["getProject"] # Verify get_stack() assert "PULUMI_TEST_STACK" in os.environ assert get_stack() == os.environ["PULUMI_TEST_STACK"] assert get_stack() == r.props["getStack"] # Verify Config assert json.dumps(CONFIG, sort_keys=True) == json.dumps(dict(r.props["allConfig"]), sort_keys=True) config = Config() value = config.require("aConfigValue") assert value == "this value is a value" assert aws_config.region == "us-west-2"
def validate(r): config = Config() test_scenario = config.require_int("scenario") # We only validate during the first test scenario. The subsequent test scenario is only # used to unprotect protected resources in preparation for destroying the stack. if test_scenario != 1: return t = r.resource_type if (t == "pulumi:pulumi:Stack" or t == "pulumi:providers:pulumi-nodejs" or t == "pulumi:providers:random"): assert options_equal( PolicyResourceOptions( protect=False, ignore_changes=[], delete_before_replace=None, aliases=[], additional_secret_outputs=[], custom_timeouts=PolicyCustomTimeouts(0, 0, 0), ), r.opts) elif t == "pulumi-nodejs:dynamic:Resource": validate_dynamic_resource(r) elif t == "random:index/randomUuid:RandomUuid": assert options_equal( PolicyResourceOptions( protect=False, ignore_changes=[], delete_before_replace=None, aliases=[], additional_secret_outputs=[], custom_timeouts=PolicyCustomTimeouts(0, 0, 0), ), r.opts) else: raise AssertionError(f"Unexpected resource of type: '{t}'.")
def __init__( self, provider_param1: Optional[str] = None, provider_param2: Optional[str] = None, ): config = Config() self.provider_param1 = ( provider_param1 if provider_param1 else config.require("provider_param1") ) self.provider_param2 = ( provider_param2 if provider_param2 else config.require("provider_param2") )
def read_pulumi_config() -> EnvironmentDescriptor: moduleCfg = Config() awsCfg = Config("aws") return EnvironmentDescriptor( provider=moduleCfg.require('provider'), stage=moduleCfg.require('stage'), region=awsCfg.require('region'), name=moduleCfg.require('name'), access_key=awsCfg.get_secret('access_key'), secret_key=awsCfg.get_secret('secret_key'), )
def from_config(pulumi_config: pulumi.Config) -> ArtifactGetter: """ If local-grapl: - We don't require an `artifacts:` field - `.get()` can be None Else: - We require an `artifacts:` field - `.get()` must resolve a value for that key or raise KeyError """ artifact_dict = (pulumi_config.get_object("artifacts") or {} if config.LOCAL_GRAPL else pulumi_config.require_object("artifacts")) return ArtifactGetter( artifacts=artifact_dict, require_artifact=(not config.LOCAL_GRAPL), )
def create_storage_nodes(subnets, security_groups): rds_config = Config().require_object("rds_config") redis_sg = security_groups['redis_sg'] rds_sg = security_groups['rds_sg'] # Create a redis Subnet Group redis_subnet_group = elasticache.SubnetGroup( "RedisSubGroup", subnet_ids=[subnet.id for subnet in subnets]) # To-do: Auth and encryption support # Create a redis cluster # To-do: Handle encryption. Don't see any way from pulumi specs redis_cluster = elasticache.Cluster( "redisnode", engine="redis", engine_version="3.2.10", node_type="cache.t3.micro", num_cache_nodes=1, parameter_group_name="default.redis3.2", port=6379, subnet_group_name=redis_subnet_group.id, security_group_ids=[redis_sg.id]) rds_subnet_group = rds.SubnetGroup( "rdssubgroup", subnet_ids=[subnet.id for subnet in subnets]) # To-do: Secret managment and get from Config rds_username = rds_config["username"] rds_password = rds_config["password"] rds_database_name = rds_config["database_name"] # Create a rds instance rds_instance = rds.Instance("default", allocated_storage=20, engine="mysql", engine_version="5.7", instance_class="db.t3.micro", name=rds_database_name, parameter_group_name="default.mysql5.7", password=rds_password, storage_type="gp2", username=rds_username, storage_encrypted=True, db_subnet_group_name=rds_subnet_group.id, vpc_security_group_ids=[rds_sg.id], skip_final_snapshot=True) return {"rds": rds_instance, "redis": redis_cluster}
def __init__( self, username: str = None, password: str = None, account_name: str = None, role: str = None, database: str = None, schema: str = None ): config = Config() self.username = username if username else config.require('snowflakeUsername') self.password = password if password else config.require('snowflakePassword') self.account_name = account_name if account_name else config.get('snowflakeAccountName') self.role = role if role else config.get('snowflakeRole') self.database = database if database else config.get('snowflakeDatabase') self.schema = schema if schema else config.get('snowflakeSchema')
import pulumi from pulumi import Config, ResourceOptions, Output from pulumi_azure import core, storage, compute, network, sql config = Config("sso-lab") # retrieve password from config pwd = config.require_secret("pwd") sqlpwd = config.require_secret("sqlpwd") print("Secrets retrieved...") # set some vars server_user = "******" sql_user = "******" # Create an Azure Resource Group rg = core.ResourceGroup("rg-ssolab") # create vnet vnet = network.VirtualNetwork("vnet-sso", address_spaces=["10.2.0.0/16"], resource_group_name=rg.name, dns_servers=["10.2.0.4"]) subnet = network.Subnet("servers", virtual_network_name=vnet.name, address_prefix="10.2.0.0/24", resource_group_name=rg.name) bastionSubnet = network.Subnet("bastion", name="AzureBastionSubnet",
import pulumi from pulumi import Config, ResourceOptions from pulumi_kubernetes import Provider from pulumi_kubernetes.apps.v1 import Deployment config = Config() namespace = config.get("namespace") or "default" provider = Provider("kubernetes", namespace=namespace) app_labels = {"app": "nginx"} deployment = Deployment( "nginx", spec={ "selector": {"match_labels": app_labels}, "replicas": 1, "template": { "metadata": {"labels": app_labels}, "spec": {"containers": [{"name": "nginx", "image": "nginx"}]}, }, }, opts=ResourceOptions(provider=provider), ) pulumi.export("name", deployment.metadata["name"])
## Note how you can't destroy the stack as long as protect is true. # Doc: https://www.pulumi.com/docs/intro/concepts/resources/#protect # Doc: https://www.pulumi.com/docs/reference/cli/pulumi_state_unprotect/ import base64 import pulumi from pulumi import Config, ResourceOptions from pulumi_tls import PrivateKey from pulumi_azure_native import resources, containerservice import pulumi_azuread as azuread import pulumi_kubernetes as k8s from pulumi_kubernetes.helm.v3 import Chart, ChartOpts import pulumi_random as random # Config values or defaults config = Config() k8s_version = config.get('k8sVersion') or '1.18.14' admin_username = config.get('adminUserName') or 'testuser' node_count = config.get_int('nodeCount') or 2 node_size = config.get('nodeSize') or 'Standard_D2_v2' password = config.get_secret("password") if not password: rando_password = random.RandomPassword( 'password', length=16, special=True, override_special='@_#', ) password = rando_password.result # Resource Group
GetPolicyDocumentStatementArgs, GetPolicyDocumentStatementPrincipalArgs, Role, RolePolicy, get_policy_document, ) tagger = Tagger( environment_name="alpha", source_code=( "https://github.com/moj-analytical-services/" "data-engineering-database-access-deploy" ), ) GIT_CRYPT_KEY = Config().require("git_crypt_key") GITHUB_TOKEN = Config().require("github_token") account_id = get_caller_identity().account_id assume_role_policy = get_policy_document( statements=[ GetPolicyDocumentStatementArgs( actions=["sts:AssumeRole"], effect="Allow", principals=[ GetPolicyDocumentStatementPrincipalArgs( identifiers=["codebuild.amazonaws.com"], type="Service" ) ], )
import pulumi_aws as aws from pulumi_aws.config.vars import region from pulumi import Config, ResourceOptions, export def require_region(): """ require_region fetches the AWS region, requiring that it exists. if it does not exist, an exception is raised. """ if not region: raise Exception('No AWS region has been configured') return region config = Config() role_to_assume_arn = config.require('roleToAssumeARN') provider = aws.Provider('privileged', assume_role={ 'role_arn': role_to_assume_arn, 'session_name': 'PulumiSession', 'externalId': 'PulumiApplication', }, region=require_region()) # Creates an AWS resource (S3 Bucket) bucket = aws.s3.Bucket('my-bucket', opts=ResourceOptions(provider=provider)) # Exports the DNS name of the bucket export('bucket_name', bucket.bucket_domain_name)
"""Base class for exceptions in this module.""" pass class ConfigError(Error): """Exception raised for errors in Pulumi Config. Attributes: keys -- Config keys with the error message -- explanation of the error """ def __init__(self, keys: [str], message: str): self.keys = keys self.message = message # retrieve the stack configuration data config = Config() # set default tags to be applied to all taggable resources stack = get_stack() default_tags = { 'environment': stack } # Azure Bastion hosts in hub and spokes (until functional across peerings) azure_bastion = config.get_bool('azure_bastion') # Azure Firewall to route all Internet-bound traffic to designated next hop forced_tunnel = config.get('forced_tunnel') if forced_tunnel: ft_ip = ip_address(forced_tunnel) # check IP address is valid
class ConfigError(Error): """Exception raised for errors in Pulumi Config. Attributes: keys -- Config keys with the error message -- explanation of the error """ def __init__(self, keys: [str], message: str): self.keys = keys self.message = message # retrieve the stack configuration data config = Config() # retrieve optional separator choice and suffix separator = config.get('separator') or '-' separator = separator[0] if separator == ' ': separator = '' suffix = config.get('suffix') or '' # retrieve project and stack (org not yet available) project = get_project() stack = get_stack() # set default tags to be applied to all taggable resources default_tags = { 'manager': 'pulumi', 'project': project,
def pulumi_program(): config = Config() export("exp_static", "foo") export("exp_cfg", config.get("bar")) export("exp_secret", config.get_secret("buzz"))
import pulumi_digitalocean as do from pulumi import Config, export, Output, ResourceOptions from pulumi_kubernetes import Provider from pulumi_kubernetes.apps.v1 import Deployment from pulumi_kubernetes.core.v1 import Service config = Config() node_count = config.get_float("nodeCount") or 3 app_replica_count = config.get_float("appReplicaCount") or 5 domain_name = config.get("domainName") cluster = do.KubernetesCluster("do-cluster", region="sfo2", version="latest", node_pool={ "name": "default", "size": "s-2vcpu-2gb", "node_count": node_count }) k8s_provider = Provider("do-k8s", kubeconfig=cluster.kube_configs[0]["rawConfig"]) app_labels = {"app": "app-nginx"} app = Deployment("do-app-dep", spec={ 'selector': { 'matchLabels': app_labels }, 'replicas': 1, 'template': {
import pulumi_azure_native.insights as insights import pulumi_azure_native.resources as resource import pulumi_azure_native.sql as sql import pulumi_azure_native.storage as storage import pulumi_azure_native.web as web from pulumi import Config, Output, asset, export from pulumi_azure_native.storage import (BlobContainer, PublicAccess, StorageAccount) username = "******" config = Config() pwd = config.require("sqlPassword") resource_group = resource.ResourceGroup("appservicerg") storage_account = storage.StorageAccount( "appservicesa", resource_group_name=resource_group.name, kind=storage.Kind.STORAGE_V2, sku=storage.SkuArgs(name=storage.SkuName.STANDARD_LRS)) app_service_plan = web.AppServicePlan("appservice-asp", resource_group_name=resource_group.name, kind="App", sku=web.SkuDescriptionArgs( tier="Basic", name="B1", )) storage_container = BlobContainer("appservice-c",
# Copyright 2016-2020, Pulumi Corporation. All rights reserved. import base64 from pulumi import Config, Output, export from pulumi_azure_nextgen.compute import latest as compute from pulumi_azure_nextgen.network import latest as network from pulumi_azure_nextgen.resources import latest as resources config = Config() location = config.get("location") or "westus" username = config.require("username") password = config.require("password") resource_group = resources.ResourceGroup("server", resource_group_name="server", location=location) net = network.VirtualNetwork("server-network", resource_group_name=resource_group.name, location=location, virtual_network_name="server-network", address_space=network.AddressSpaceArgs( address_prefixes=["10.0.0.0/16"], ), subnets=[ network.SubnetArgs( name="default", address_prefix="10.0.1.0/24", ) ]) public_ip = network.PublicIPAddress("server-ip",
""" Returns the subdomain and the parent domain. """ parts = domain.split('.') if len(parts) < 2: raise Exception(f'No TLD found on ${domain}') if len(parts) == 2: return '', domain subdomain = parts[0] parts.pop(0) return subdomain, '.'.join(parts) + '.' # Read the configuration for this stack. stack_config = Config() target_domain = stack_config.require('targetDomain') path_to_website_contents = stack_config.require('pathToWebsiteContents') certificate_arn = stack_config.get('certificateArn') # Create an S3 bucket configured as a website bucket. content_bucket = pulumi_aws.s3.Bucket('contentBucket', bucket=target_domain, acl='public-read', website={ 'index_document': 'index.html', 'error_document': '404.html' }) def crawl_directory(content_dir, f):
from pulumi import Config, export, get_project, get_stack, Output, ResourceOptions from pulumi_gcp.config import project, zone from pulumi_gcp.container import Cluster, get_engine_versions from pulumi_kubernetes import Provider from pulumi_kubernetes.apps.v1 import Deployment from pulumi_kubernetes.core.v1 import Service from pulumi_random import RandomPassword # Read in some configurable settings for our cluster: config = Config(None) # nodeCount is the number of cluster nodes to provision. Defaults to 3 if unspecified. NODE_COUNT = config.get('node_count') or 3 # nodeMachineType is the machine type to use for cluster nodes. Defaults to n1-standard-1 if unspecified. # See https://cloud.google.com/compute/docs/machine-types for more details on available machine types. NODE_MACHINE_TYPE = config.get('node_machine_type') or 'n1-standard-1' # username is the admin username for the cluster. USERNAME = config.get('username') or 'admin' # password is the password for the admin user in the cluster. PASSWORD = config.get_secret('password') or RandomPassword( "password", length=20, special=True).result # master version of GKE engine MASTER_VERSION = config.get('master_version') # Now, actually create the GKE cluster. k8s_cluster = Cluster( 'gke-cluster', initial_node_count=NODE_COUNT, node_version=MASTER_VERSION, min_master_version=MASTER_VERSION, master_auth={
# Copyright 2016-2018, Pulumi Corporation. # # Licensed under the Apache License, Version 2.0 (the "License"); # you may not use this file except in compliance with the License. # You may obtain a copy of the License at # # http://www.apache.org/licenses/LICENSE-2.0 # # Unless required by applicable law or agreed to in writing, software # distributed under the License is distributed on an "AS IS" BASIS, # WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. # See the License for the specific language governing permissions and # limitations under the License. from pulumi import CustomResource, Config class MyResource(CustomResource): def __init__(self, name): CustomResource.__init__(self, "test:index:MyResource", name) config = Config("foo") MyResource(config.require("name"))
"""An Azure RM Python Pulumi program""" import pulumi import pulumi_azure_nextgen.resources.latest as resources import pulumi_azure_nextgen.databricks.latest as databricks from pulumi import Output, export, Config, StackReference, get_stack, get_project config = Config() # reading in StackReference Path from local config mystackpath = config.require("stackreference") # setting the StackReference my_network_stackreference = StackReference(mystackpath) my_secondvirtualnetwork_output = my_network_stackreference.get_output( "virtual_network_name") my_remote_resourcegroup_output = my_network_stackreference.get_output( "resource_group_name") #my_secondvirtualnetwork = my_secondvirtualnetwork_output.apply(lambda my_secondvirtualnetwork_output: f"{my_secondvirtualnetwork_output}") #my_remote_resourcegroup = my_remote_resourcegroup_output.apply(lambda my_remote_resourcegroup_output: f"{my_remote_resourcegroup_output}") # The values for my_secondvirtualnetwork & my_remote_resourcegroup are from the virtualnetwork that has # already been created using another pulumi stack. This has to exist before this code can run. my_secondvirtualnetwork = "shaht-vnet-peering-to-databricks" # 2nd virtual network. Needed for vpn peering block FROM databricks. my_remote_resourcegroup = "shaht-rg-peering-to-databricks" # local variables from config file # my subscription id mysubid = config.get("mysubid") # azure location my_location = config.get("location") # resource group name my_resource_group_name = config.get("resource_group_name")
which can be used to control which principals may assume an IAM Role, by granting the `sts:AssumeRole` action to those principals. """ return { 'Version': '2012-10-17', 'Statement': [{ 'Sid': 'AllowAssumeRole', 'Effect': 'Allow', 'Principal': principal, 'Action': 'sts:AssumeRole' }] } config = Config() unprivileged_username = config.require('unprivilegedUsername') unprivileged_user = aws.iam.User('unprivileged-user', name=unprivileged_username) unprivileged_user_creds = aws.iam.AccessKey( 'unprivileged-user-key', user=unprivileged_user.name, # additional_secret_outputs specify properties that must be encrypted as secrets # https://www.pulumi.com/docs/intro/concepts/resources/#additionalsecretoutputs opts=ResourceOptions(additional_secret_outputs=["secret"])) allow_s3_management_role = aws.iam.Role( 'allow-s3-management', description='Allow management of S3 buckets',
# Copyright 2016-2020, Pulumi Corporation. All rights reserved. import provisioners import pulumi import base64 from pulumi import Config, Output, export from pulumi_azure_nextgen.compute import latest as compute from pulumi_azure_nextgen.network import latest as network from pulumi_azure_nextgen.resources import latest as resources # Get the config ready to go. config = Config() key_name = config.get('keyName') public_key = config.get('publicKey') admin_username = config.get('admin_username') admin_password = config.get('admin_password') location = config.get('location') # The privateKey associated with the selected key must be provided (either directly or base64 encoded), # along with an optional passphrase if needed. def decode_key(key): if key.startswith('-----BEGIN RSA PRIVATE KEY-----'): return key return key.encode('ascii') private_key = config.require_secret('privateKey').apply(decode_key) private_key_passphrase = config.get_secret('privateKeyPassphrase') # Create a resource group to hold project resources.
def mock_config(config_settings): set_all_config(config_settings) return Config("test-config")
import pulumi from pulumi import Config, ResourceOptions from pulumi_azure import core, network from webserver import WebServerArgs, WebServer config = Config() username = config.require_secret("username") password = config.require_secret("password") resource_group = core.ResourceGroup("server", location="West US") net = network.VirtualNetwork( "server-network", resource_group_name=resource_group.name, location=resource_group.location, address_spaces=["10.0.0.0/16"], subnets=[ network.VirtualNetworkSubnetArgs(name="default", address_prefix="10.0.1.0/24") ], opts=ResourceOptions(parent=resource_group), ) subnet = network.Subnet( "server-subnet", resource_group_name=resource_group.name, virtual_network_name=net.name, address_prefixes=["10.0.2.0/24"], opts=ResourceOptions(parent=net), )
def program(): config = Config() config.get("plainstr1") config.require("plainstr2") config.get_secret("plainstr3") config.require_secret("plainstr4") config.get_bool("plainbool1") config.require_bool("plainbool2") config.get_secret_bool("plainbool3") config.require_secret_bool("plainbool4") config.get_int("plainint1") config.require_int("plainint2") config.get_secret_int("plainint3") config.require_secret_int("plainint4") config.get_float("plainfloat1") config.require_float("plainfloat2") config.get_secret_float("plainfloat3") config.require_secret_float("plainfloat4") config.get_object("plainobj1") config.require_object("plainobj2") config.get_secret_object("plainobj3") config.require_secret_object("plainobj4") config.get("str1") config.require("str2") config.get_secret("str3") config.require_secret("str4") config.get_bool("bool1") config.require_bool("bool2") config.get_secret_bool("bool3") config.require_secret_bool("bool4") config.get_int("int1") config.require_int("int2") config.get_secret_int("int3") config.require_secret_int("int4") config.get_float("float1") config.require_float("float2") config.get_secret_float("float3") config.require_secret_float("float4") config.get_object("obj1") config.require_object("obj2") config.get_secret_object("obj3") config.require_secret_object("obj4")
from pulumi import Config, get_stack, export, Output import pulumi_azuread as ad import pulumi_random as random from pulumi_azure import core, containerservice config = Config() password = config.get_secret("password") or random.RandomPassword( "pwd", length=20, special=True).result ssh_public_key = config.require("sshPublicKey") resource_group = core.ResourceGroup("aksresourcegroup") ad_app = ad.Application("aks") ad_sp = ad.ServicePrincipal("aksSp", application_id=ad_app.application_id) ad_sp_password = ad.ServicePrincipalPassword("aksSpPassword", service_principal_id=ad_sp.id, value=password, end_date="2099-01-01T00:00:00Z") aks_cluster_config = [ { "name": "east", "location": "eastus", "node_count": 2, "node_size": "Standard_D2_v2" }, { "name": "west", "location": "westus",
from pulumi import Config, export, get_project, get_stack, Output, ResourceOptions from pulumi_gcp.config import project, zone, region from pulumi_gcp.container import Cluster, get_engine_versions from pulumi_kubernetes import Provider from pulumi_kubernetes.apps.v1 import Deployment from pulumi_kubernetes.core.v1 import Service from pulumi_random import RandomPassword # Read in some configurable settings for our cluster: config = Config(None) NODE_COUNT = config.get("node_count") NODE_MACHINE_TYPE = config.get("node_machine_type") IMAGE_TYPE = config.get("image_type") DISK_TYPE = config.get("disk_type") DISK_SIZE_GB = config.get("disk_size_gb") # master version of GKE engine MASTER_VERSION = config.get("master_version") CLUSTER_NAME = config.get("pulumi-gke") print(f"Master version: {MASTER_VERSION}") print(f"Project: {project} | Region: {region} | Zone: {zone}") # Now, actually create the GKE cluster. # Pulumi docs: https://www.pulumi.com/docs/reference/pkg/python/pulumi_gcp/container/#pulumi_gcp.container.Cluster # Terraform docs: https://www.terraform.io/docs/providers/google/r/container_cluster.html k8s_cluster = Cluster( "gke-cluster", name=CLUSTER_NAME, # Zone is read automagically from the stack config file
from pulumi import Config, export, get_project, get_stack, Output, ResourceOptions from pulumi_gcp.config import project, zone from pulumi_gcp.container import Cluster, get_engine_versions from pulumi_kubernetes import Provider from pulumi_kubernetes.apps.v1 import Deployment from pulumi_kubernetes.core.v1 import Service from pulumi_random import RandomString # Read in some configurable settings for our cluster: config = Config(None) # nodeCount is the number of cluster nodes to provision. Defaults to 3 if unspecified. NODE_COUNT = config.get('node_count') or 3 # nodeMachineType is the machine type to use for cluster nodes. Defaults to n1-standard-1 if unspecified. # See https://cloud.google.com/compute/docs/machine-types for more details on available machine types. NODE_MACHINE_TYPE = config.get('node_machine_type') or 'n1-standard-1' # username is the admin username for the cluster. USERNAME = config.get('username') or 'admin' # password is the password for the admin user in the cluster. PASSWORD = config.get_secret('password') or RandomString( "password", length=20, special=True).result engine_version = Output.from_input(get_engine_versions()).latest_master_version # Now, actually create the GKE cluster. k8s_cluster = Cluster( 'gke-cluster', initial_node_count=NODE_COUNT, node_version=engine_version, min_master_version=engine_version, master_auth={