def eks_role_policy(oidc_provider, namespace, service_account): return Output.from_input( { "Version": "2012-10-17", "Statement": [ { "Effect": "Allow", "Principal": { "Federated": oidc_provider.arn, }, "Action": "sts:AssumeRoleWithWebIdentity", "Condition": { "StringEquals": { Output.concat(oidc_provider.url, ":sub"): Output.concat( "system:serviceaccount:", namespace, ":", service_account, ) } }, } ], } ).apply(json.dumps)
def create_dns_record(name: str, domain: str, zone_id: str, value: Output, verify="awverify"): record_name = ".".join([name, domain]).strip(".") main_record = Record( record_name if name != "" else domain, name=name if name != "" else domain, ttl=1, type="CNAME", zone_id=zone_id, proxied=True, value=value, ) verify_record = Record( "{}.{}".format(verify, record_name), name=".".join([verify, name]).strip("."), ttl=1, type="CNAME", zone_id=zone_id, proxied=False, value=Output.concat(verify, ".", value), ) return DnsRecord(main_record, verify_record)
def __init__( self, name: str, args: CrossProjectCloudRunAccessArgs, opts: ResourceOptions = None, ): super().__init__("unopac:modules:CrossProjectCloudRunAccess", name, {}, opts) cloudrun_serviceaccount_name = Output.concat( "serviceAccount:service-", args.target_project_number, "@serverless-robot-prod.iam.gserviceaccount.com", ) self.bucket_policy = storage.BucketIAMMember( resource_name="AccessToContainerRegistry", bucket=args.registry_bucketname, member=cloudrun_serviceaccount_name, role="roles/storage.admin", opts=opts, )
class FinalResource(CustomResource): number: Output[str] def __init__(self, name, number): CustomResource.__init__(self, "test:index:FinalResource", name, { "number": number, }) def assert_eq(lhs, rhs): assert lhs == rhs res1 = MyResource("testResource1") res2 = MyResource("testResource2") res1.number.apply(lambda n: assert_eq(n, 2)) res2.number.apply(lambda n: assert_eq(n, 3)) # Output.all combines a list of outputs into an output of a list. resSum = Output.all(res1.number, res2.number).apply(lambda l: l[0] + l[1]) FinalResource("testResource3", resSum) # Test additional Output helpers hello_world = Output.concat( "Hello ", Output.from_input("world!")).apply(lambda s: assert_eq(s, "Hello world!")) export("helloworld", hello_world)
blob_sas = storage.get_account_blob_container_sas_output( connection_string=storage_account.primary_connection_string, start="2020-01-01", expiry="2030-01-01", container_name=container_storage_account.name, permissions=storage.GetAccountBlobContainerSASPermissionsArgs( read=True, write=False, delete=False, list=False, add=False, create=False)) signed_blob_url = Output.concat("https://", storage_account.name, ".blob.core.windows.net/", storage_account.name, "/", blob.name, blob_sas.sas) secret = keyvault.Secret("deployment-zip", key_vault_id=vault.id, value=signed_blob_url) secret_uri = Output.all(vault.vault_uri, secret.name, secret.version) \ .apply(lambda args: f"{args[0]}secrets/{args[1]}/{args[2]}") app = appservice.AppService( "app", resource_group_name=resource_group.name, app_service_plan_id=app_service_plan.id, identity=appservice.AppServiceIdentityArgs(type="SystemAssigned", ), app_settings={
skip_final_snapshot=True, storage_type="gp2", username="******", vpc_security_group_ids=[db_secgrp.id], opts=ResourceOptions(protect=protect_persistent_storage), ) airflow_db_cname = aws.route53.Record("airflow-postgres-cname", name="airflow-postgres", zone_id=db_zone.zone_id, type='CNAME', ttl=60, records=[airflow_db.address]) export(f"airflow-db-endpoint", airflow_db.endpoint) export( f"airflow-db-alias", Output.concat(f"airflow-postgres.", db_zone.name, ":", airflow_db.port.apply(lambda x: str(x)))) redata_db = aws.rds.Instance( "redata-postgres", allocated_storage=20, db_subnet_group_name=rds_subnetgroup.name, engine="postgres", engine_version="12.5", instance_class="db.t2.micro", name="redata", password=redata_db_password, port=5432, skip_final_snapshot=True, storage_type="gp2", username="******", vpc_security_group_ids=[db_secgrp.id],
}, # CloudFront typically takes 15 minutes to fully deploy a new distribution. # Skip waiting for that to complete. wait_for_deployment=False) def create_alias_record(target_domain, distribution): """ Create a Route 53 Alias A record from the target domain name to the CloudFront distribution. """ subdomain, parent_domain = get_domain_and_subdomain(target_domain) hzid = pulumi_aws.route53.get_zone(name=parent_domain).id return pulumi_aws.route53.Record(target_domain, name=subdomain, zone_id=hzid, type='A', aliases=[{ 'name': distribution.domain_name, 'zoneId': distribution.hosted_zone_id, 'evaluateTargetHealth': True }]) alias_a_record = create_alias_record(target_domain, cdn) # Export the bucket URL, bucket website endpoint, and the CloudFront distribution information. export('content_bucket_url', Output.concat('s3://', content_bucket.bucket)) export('content_bucket_website_endpoint', content_bucket.website_endpoint) export('cloudfront_domain', cdn.domain_name) export('target_domain_endpoint', f'https://{target_domain}/')
pulumi.export('storageaccount', account.name) # Export the Consumption Plan pulumi.export('consumptionplan', plan.name) # List of storage account keys storageAccountKeys = pulumi.Output.all( resource_group.name, account.name).apply(lambda args: storage.list_storage_account_keys( resource_group_name=args[0], account_name=args[1])) # Primary storage account key primaryStorageKey = storageAccountKeys.apply( lambda accountKeys: accountKeys.keys[0].value) # Build a storage connection string out of it: storageConnectionString = Output.concat( "DefaultEndpointsProtocol=https;AccountName=", account.name, ";AccountKey=", primaryStorageKey) # Export the storageacountkey as a secret pulumi.export("storageaccountkeys", pulumi.Output.secret(storageAccountKeys)) # Export the primarystoragekey as a secret pulumi.export('primarystoragekey', pulumi.Output.secret(primaryStorageKey)) # Export the storageconnectionstring as a secret pulumi.export('storageconnectionstring', pulumi.Output.secret(storageConnectionString)) # Create the functionapp app = web.WebApp( "functionapp", resource_group_name=resource_group.name, location=resource_group.location,
InvalidationBatch={ 'Paths': { 'Quantity': 1, 'Items': ['/*'], }, 'CallerReference': str(time()).replace(".", "") }) return response logs_bucket = s3.Bucket(LOGS_BUCKET_NAME, bucket=LOGS_BUCKET_NAME, acl="private") wwwroot_bucket = create_s3website_bucket(WWWROOT_BUCKET_NAME) ssl_certificate = acm.get_certificate(domain=WEBSITE_DOMAIN_NAME, statuses=["ISSUED"]) s3_distribution = create_cloudfront_distribution_for_s3website( wwwroot_bucket, logs_bucket, ssl_certificate) create_alias_record(WEBSITE_DOMAIN_NAME, s3_distribution) # Added a cache invalidation instead of decreasing default_ttl of a distribution cache. # However, invalidations will inflict additional costs after 1000 paths s3_distribution.id.apply(invalidate_distribution_cache) export("s3_bucket_url", Output.concat("s3://", wwwroot_bucket.bucket)) export("s3_bucket_website_endpoint", wwwroot_bucket.website_endpoint) export("cloudfront_domain_name", s3_distribution.domain_name) export("route53_endpoint", f"https://{WEBSITE_DOMAIN_NAME}/")
# Create a small linux volume that contains a tiny (and thus fast to download) linux. vm_vol = libvirt.Volume( f"{basename}-linux", pool=vm_pool.name, source= "http://download.cirros-cloud.net/0.5.2/cirros-0.5.2-x86_64-disk.img", format="qcow2", opts=ResourceOptions(provider=libvirt_provider)) export("libvirt volume name", vm_vol.name) # Create a VM using the volume created above. vm = libvirt.Domain(f"{basename}-vm", memory=512, vcpu=1, disks=[libvirt.DomainDiskArgs(volume_id=vm_vol.id)], network_interfaces=[ libvirt.DomainNetworkInterfaceArgs( network_name="default", wait_for_lease=True, ) ], opts=ResourceOptions(provider=libvirt_provider)) export("libvirt VM name", vm.name) # Export a command that can be used to see that there is indeed a VM running under KVM on the KVM host. test_cmd = Output.concat('echo virsh list | ssh -i ', libvirt_server.ssh_priv_key_file, ' ', libvirt_server.username, '@', libvirt_server.ip) export("Check the libvirt VM on the KVM host", test_cmd)
def __init__(self, name: str, opts: ResourceOptions = None): super().__init__('custom:resource:LibvirtHost', name, {}, opts) basename = f"{name}-kvm" username = "******" computername = "kvmhost" # Resource group, etc for the KVM host resource_group = resources.ResourceGroup( f"{basename}-rg", opts=ResourceOptions(parent=self)) net = network.VirtualNetwork(f"{basename}-net", resource_group_name=resource_group.name, address_space=network.AddressSpaceArgs( address_prefixes=["10.0.0.0/16"], ), subnets=[ network.SubnetArgs( name="default", address_prefix="10.0.1.0/24", ) ], opts=ResourceOptions(parent=self)) public_ip = network.PublicIPAddress( f"{basename}-ip", resource_group_name=resource_group.name, public_ip_allocation_method=network.IPAllocationMethod.DYNAMIC, opts=ResourceOptions(parent=self)) network_iface = network.NetworkInterface( f"{basename}-nic", resource_group_name=resource_group.name, ip_configurations=[ network.NetworkInterfaceIPConfigurationArgs( name="serveripcfg", subnet=network.SubnetArgs(id=net.subnets[0].id), private_ip_allocation_method=network.IPAllocationMethod. DYNAMIC, public_ip_address=network.PublicIPAddressArgs( id=public_ip.id), ) ], opts=ResourceOptions(parent=self)) # SSH key for accessing the Azure VM that is going to be the KVM host. ssh_key = tls.PrivateKey(f"{basename}-sshkey", algorithm="RSA", rsa_bits=4096, opts=ResourceOptions(parent=self)) # Script to configure the kvm service on the kvm host init_script = f"""#!/bin/bash # Install KVM sudo apt update sudo apt-get -y install qemu-kvm libvirt-bin # hack to account for this bug: https://bugs.launchpad.net/ubuntu/+source/libvirt/+bug/1677398 # Work around: https://bugs.launchpad.net/ubuntu/+source/libvirt/+bug/1677398/comments/42 sudo sed -i '$ a security_driver = "none"' /etc/libvirt/qemu.conf sudo systemctl restart libvirt-bin """ vm = compute.VirtualMachine( f"{basename}-vm", resource_group_name=resource_group.name, network_profile=compute.NetworkProfileArgs(network_interfaces=[ compute.NetworkInterfaceReferenceArgs(id=network_iface.id), ], ), hardware_profile=compute.HardwareProfileArgs( vm_size=compute.VirtualMachineSizeTypes.STANDARD_D4S_V3), os_profile=compute.OSProfileArgs( computer_name=computername, admin_username=username, custom_data=base64.b64encode( init_script.encode("ascii")).decode("ascii"), linux_configuration=compute.LinuxConfigurationArgs( ssh=compute.SshConfigurationArgs(public_keys=[ compute.SshPublicKeyArgs( key_data=ssh_key.public_key_openssh, path=f"/home/{username}/.ssh/authorized_keys") ]))), storage_profile=compute.StorageProfileArgs( os_disk=compute.OSDiskArgs( create_option=compute.DiskCreateOptionTypes.FROM_IMAGE, ), image_reference=compute.ImageReferenceArgs( publisher="canonical", offer="UbuntuServer", sku="18.04-LTS", version="latest", ), ), opts=ResourceOptions(parent=self)) # There's some delay between when Azure says the VM is ready and # when the KVM/qemu service can start accepting connections. # So, wait a bit to allow the KVM server to become fully ready. # But only do the wait if the VM has been provisioned (i.e. not during a preview). vm.provisioning_state.apply(lambda state: time.sleep(90)) public_ip_addr = vm.id.apply( lambda _: network.get_public_ip_address_output( public_ip_address_name=public_ip.name, resource_group_name=resource_group.name)) # Create/update the private key file for the SSH remote connection URI. def write_key_file(priv_key, key_file): if (os.path.exists(key_file)): os.chmod(key_file, 0o666) f = open(key_file, "w") f.write(priv_key) f.close() os.chmod(key_file, 0o400) key_file = f"{basename}_server.priv" ssh_key.private_key_pem.apply( lambda priv_key: write_key_file(priv_key, key_file)) # Build the connection URI that is returned for use by the libvirt provider. # See https://libvirt.org/uri.html#URI_remote for details on the remote URI options self.libvirt_remote_uri = Output.concat( "qemu+ssh://", username, "@", public_ip_addr.ip_address, "/system?keyfile=./", key_file, "&socket=/var/run/libvirt/libvirt-sock&no_verify=1") # Return where the VM pool should be created. # In this case, the "vm pool" is simply placed under the KVM host user's home folder self.vm_pool_dir = f"/home/{username}/vms" # Other values for convenience to output useful information self.ip = public_ip_addr.ip_address self.username = username self.ssh_priv_key_file = key_file self.register_outputs({})
for replica in range(0, DROPLET_COUNT): instance_name = "web-%s" % replica name_tag = do.Tag(instance_name) do.Droplet( instance_name, image="ubuntu-20-04-x64", region=region, size="512mb", tags=[name_tag.id, droplet_type_tag.id], user_data=userdata, ) loadbalancer = do.LoadBalancer( "public", droplet_tag=droplet_type_tag.name, forwarding_rules=[{ "entry_port": 80, "entry_protocol": "http", "target_port": 80, "target_protocol": "http", }], healthcheck={ "port": 80, "protocol": "tcp", }, region=region, ) endpoint = Output.concat("http://", loadbalancer.ip) export("endpoint", endpoint)
def __init__(self, name: str, args: BucketWithNotificationArgs, opts: ResourceOptions = None): super().__init__("unopac:modules:BucketWithNotification", name, {}, opts) log.info( f"Trying to get project default service account for new project with {args.gcp_project}" ) self.bucket = storage.Bucket( args.bucket_resource_name, project=args.gcp_project.project_id, opts=opts, ) gcs_account = args.gcp_project.project_id.apply( lambda project_id: self._get_storage_project_service_account( project_id, opts)) self.topic = pubsub.Topic( f"{args.bucket_resource_name}-{args.topic_resource_name_suffix}", project=args.gcp_project.project_id, opts=opts, ) self.gcs_default_project_service_account_topicbindingtopic_iambinding = ( pubsub.TopicIAMBinding( f"{name}-default-project-service-account-topic-iam-binding", topic=self.topic.id, role="roles/pubsub.publisher", members=[f"serviceAccount:{gcs_account.email_address}"], opts=opts, )) self.pubsub_accountcreator_policy_binding = projects.IAMMember( resource_name= "project-service-account-pubsub-serviceAccount-tokenCreator", project=args.gcp_project.project_id, member=Output.concat( "serviceAccount:service-", args.gcp_project.number, "@gcp-sa-pubsub.iam.gserviceaccount.com", ), role="roles/iam.serviceAccountTokenCreator", ) self.notification = storage.Notification( f"{args.bucket_resource_name}-notification", bucket=self.bucket.name, payload_format="JSON_API_V1", topic=self.topic.id, event_types=[ "OBJECT_FINALIZE", "OBJECT_METADATA_UPDATE", ], custom_attributes={ "new-attribute": "new-attribute-value", }, opts=opts, )
# Route 3 start route_3 = """ /prod: post: responses: {} x-amazon-apigateway-integration: httpMethod: "POST" passthroughBehavior: "when_no_match" type: "AWS_PROXY" uri: """ # We are creating the body via apply & concat: https://www.pulumi.com/docs/intro/concepts/inputs-outputs/#outputs-and-strings # invoke_arn: https://www.pulumi.com/docs/reference/pkg/aws/lambda/function/#invoke_arn_python # You can pass in any # of lambda functions on 1 api gateway with this solution fullbody = Output.concat(f'{first_part_swagger_openapi}', f'{route_1}', api_airtable.invoke_arn, f'{route_2}', api_airtable.invoke_arn, f'{route_3}', api_airtable.invoke_arn) pulumi.export("fullbody", fullbody) api_gateway = apigateway.RestApi( resource_name='api-gateway', api_key_source='HEADER', body=fullbody, description="This is the hello python apigateway with lambda integration", ) api_gateway_deployment = apigateway.Deployment( 'api-gateway-deployment', rest_api=api_gateway.id, description="This is the apigateway deployment", opts=pulumi.ResourceOptions(depends_on=[api_gateway]))
version: "2021-03-29T15:07:58Z" title: "marv" basePath: "/dev" schemes: - "https" paths: /test: post: responses: {} x-amazon-apigateway-integration: httpMethod: "POST" passthroughBehavior: "when_no_match" type: "AWS_PROXY" uri: """ final_output = Output.concat(f'{first_part}', api_airtable.invoke_arn) api_gateway = apigateway.RestApi( 'api-gateway', body=final_output, api_key_source='HEADER', description="This is the hello python apigateway with lambda integration", ) api_gateway_deployment = apigateway.Deployment( 'api-gateway-deployment', rest_api=api_gateway.id, opts=pulumi.ResourceOptions(depends_on=[api_gateway])) api_gateway_stage = apigateway.Stage( 'api-gateway-stage', stage_name='dev',
blob = storage.Blob("appservice-b", resource_group_name=resource_group.name, account_name=storage_account.name, container_name=storage_container.name, type=storage.BlobType.BLOCK, source=asset.FileArchive("wwwroot")) blob_sas = storage.list_storage_account_service_sas_output( account_name=storage_account.name, protocols=storage.HttpProtocol.HTTPS, shared_access_start_time="2021-01-01", shared_access_expiry_time="2030-01-01", resource=storage.SignedResource.C, resource_group_name=resource_group.name, permissions=storage.Permissions.R, canonicalized_resource=Output.concat("/blob/", storage_account.name, "/", storage_container.name), content_type="application/json", cache_control="max-age=5", content_disposition="inline", content_encoding="deflate") signed_blob_url = Output.concat("https://", storage_account.name, ".blob.core.windows.net/", storage_container.name, "/", blob.name, "?", blob_sas.service_sas_token) app_insights = insights.Component( "appservice-ai", application_type=insights.ApplicationType.WEB, kind="web", resource_group_name=resource_group.name)
"Sid": "AWSCloudTrailCreateLogStream", "Effect": "Allow", "Action": ["logs:CreateLogStream"], "Resource": f"{resource}" }, { "Sid": "AWSCloudTrailPutLogEvents", "Effect": "Allow", "Action": ["logs:PutLogEvents"], "Resource": f"{resource}" }] }) # build resource string for iam_role_generate function resource = Output.concat("arn:aws:logs:", region, ":", account_id, ":log-group:", cloudwatch_log.name, ":log-stream:", log_stream.name, "*") # Apply policy to role role_policy = iam.RolePolicy("cloudwatch_log_stream", role=role.id, policy=resource.apply(iam_role_generate)) # Create cloudtrail for s3 and write to s3 bucket trail_s3 = cloudtrail.Trail('CloudTrail_logging_for_s3', opts=ResourceOptions(depends_on=[bucket_policy]), cloud_watch_logs_group_arn=cloudwatch_log.arn, cloud_watch_logs_role_arn=role.arn, enable_logging=True, enable_log_file_validation=True, name="Cloudtrail_s3",
database = pulumi_gcp.sql.Database( "database", instance=cloud_sql_instance.name, name=config.require("db-name") ) users = pulumi_gcp.sql.User( "users", name=config.require("db-name"), instance=cloud_sql_instance.name, password=config.require_secret("db-password"), ) sql_instance_url = Output.concat( "postgres://", config.require("db-name"), ":", config.require_secret("db-password"), "@/", config.require("db-name"), "?host=/cloudsql/", cloud_sql_instance.connection_name, ) cloud_run = pulumi_gcp.cloudrun.Service( "default-service", location=Config("gcp").require("region"), template=pulumi_gcp.cloudrun.ServiceTemplateArgs( metadata=ServiceTemplateMetadataArgs( annotations={ "run.googleapis.com/cloudsql-instances": cloud_sql_instance.connection_name } ), spec=pulumi_gcp.cloudrun.ServiceTemplateSpecArgs(