def update_glue_connections(self):
glue_connections = self.model.aws.glue_connections
databases = self.model.aws.databases
for db_uid, con in glue_connections.items():
db = databases[db_uid]
resource_name = self._res_name(f"glue/{db_uid}")
password = random.RandomPassword(
resource_name,
length=32,
special=False,
opts=pulumi.ResourceOptions(
additional_secret_outputs=["result"]))
login = "******"
mysql_provider = self._get_mysql_provider(db_uid)
mysql_user = mysql.User(resource_name,
user=login,
host=ANY_HOST,
plaintext_password=password.result,
tls_option="SSL",
opts=pulumi.ResourceOptions(
provider=mysql_provider,
delete_before_replace=True,
))
for db_name in con.db_names:
grant_name = resource_name if db_name == db.db_name \
else self._res_name("/".join((db_uid, db_name, login)))
mysql.Grant(
grant_name,
user=mysql_user.user,
database=db.db_name,
host=mysql_user.host,
privileges=self.model.custom.grant_types[con.grant_type],
opts=pulumi.ResourceOptions(
provider=mysql_provider,
delete_before_replace=True,
))
region, db_id = db_uid.split("/")
aws_provider = self._get_aws_provider(region)
glue.Connection(
resource_name,
name=f"sari.{db_id}",
description=MANAGED_BY_SARI_NOTICE,
connection_type="JDBC",
connection_properties={
"JDBC_CONNECTION_URL":
f"jdbc:mysql://{db.endpoint.address}:{db.endpoint.port}/"
f"{db.db_name}",
"JDBC_ENFORCE_SSL":
"true",
"USERNAME":
login,
"PASSWORD":
password.result,
},
physical_connection_requirements=con.
physical_connection_requirements,
opts=pulumi.ResourceOptions(
provider=aws_provider,
delete_before_replace=True,
))
def __init__(self, name: str, args: DbArgs, opts: ResourceOptions = None):
super().__init__('custom:resource:Postgres', name, {}, opts)
database_instance_name = f'{name}-dbinstance'
self.sql = sql.DatabaseInstance(
database_instance_name,
database_version=args.database_version,
settings=sql.DatabaseInstanceSettingsArgs(
tier=args.tier,
activation_policy=args.activation_policy,
availability_type=args.availability_type,
disk_size=args.disk_size,
ip_configuration=args.private_network,
user_labels=args.tags,
backup_configuration={
"enabled":
args.backup_configuration_enabled,
"point_in_time_recovery_enabled":
args.backup_configuration_point_in_time_recovery_enabled
},
),
deletion_protection=args.deletion_protection,
opts=ResourceOptions(parent=self))
# creates a random password https://www.pulumi.com/docs/reference/pkg/random/randompassword/
mypassword = random.RandomPassword(f'{name}-random',
length=12,
special=False,
lower=True,
min_lower=4,
min_numeric=4,
min_upper=4,
number=True)
users_name = f'{name}-user'
self.users = sql.User(users_name,
instance=self.sql.id,
name="pulumiadmin",
password=mypassword.result,
opts=ResourceOptions(parent=self.sql))
database_name = f'{name}-pulumidb'
self.database = sql.Database(database_name,
instance=self.sql.id,
charset="UTF8",
opts=ResourceOptions(parent=self.sql))
self.register_outputs({})
def update_applications(self):
applications: Dict[str, dict] = self.model.applications
databases = self.model.aws.databases
for app_name, db_list in applications.items():
for db_uid in db_list:
db = databases[db_uid]
region, db_id = db_uid.split("/")
aws_provider = self._get_aws_provider(region)
resource_basename = f"app/{app_name}/{db_uid}"
username = f"app:{app_name}"
password = random.RandomPassword(
f"{resource_basename}/pass",
length=32,
special=False,
opts=pulumi.ResourceOptions(
additional_secret_outputs=["result"]))
ssm.Parameter(
f"{resource_basename}/user",
name=f"sari.{app_name}.{db_id}.username",
type="String",
value=username,
opts=pulumi.ResourceOptions(provider=aws_provider))
ssm.Parameter(
f"{resource_basename}/pass",
name=f"sari.{app_name}.{db_id}.password",
type="SecureString",
value=password.result,
opts=pulumi.ResourceOptions(provider=aws_provider))
mysql_provider = self._get_mysql_provider(db_uid)
mysql_user = mysql.User(resource_basename,
user=username,
host=ANY_HOST,
plaintext_password=password.result,
tls_option="SSL",
opts=pulumi.ResourceOptions(
provider=mysql_provider,
delete_before_replace=True,
))
mysql.Grant(resource_basename,
user=mysql_user.user,
database=db.db_name,
host=mysql_user.host,
privileges=self.model.custom.
grant_types[DEFAULT_GRANT_TYPE],
opts=pulumi.ResourceOptions(
provider=mysql_provider,
delete_before_replace=True,
))
import pulumi_azuread as azuread
import pulumi_kubernetes as k8s
from pulumi_kubernetes.helm.v3 import Chart, ChartOpts
import pulumi_random as random
# Config values or defaults
config = Config()
k8s_version = config.get('k8sVersion') or '1.18.14'
admin_username = config.get('adminUserName') or 'testuser'
node_count = config.get_int('nodeCount') or 2
node_size = config.get('nodeSize') or 'Standard_D2_v2'
password = config.get_secret("password")
if not password:
rando_password = random.RandomPassword(
'password',
length=16,
special=True,
override_special='@_#',
)
password = rando_password.result
# Resource Group
resource_group = resources.ResourceGroup('rg')
### AKS Cluster Related Resources
generated_key_pair = PrivateKey('ssh-key', algorithm='RSA', rsa_bits=4096)
ssh_public_key = generated_key_pair.public_key_openssh
ad_app = azuread.Application('app', display_name='app')
ad_sp = azuread.ServicePrincipal('service-principal',
application_id=ad_app.application_id)
ad_sp_password = azuread.ServicePrincipalPassword(
from pulumi_azure_native import resources, containerservice
import pulumi_azuread as azuread
import pulumi_random as random
import pulumi_tls as tls
config = pulumi.Config()
# Create new resource group
resource_group = resources.ResourceGroup("azure-native-py-aks")
# Create an AD service principal
ad_app = azuread.Application("aks", display_name="aks")
ad_sp = azuread.ServicePrincipal("aksSp", application_id=ad_app.application_id)
# Generate random password
password = random.RandomPassword("password", length=20, special=True)
# Create the Service Principal Password
ad_sp_password = azuread.ServicePrincipalPassword(
"aksSpPassword",
service_principal_id=ad_sp.id,
value=password.result,
end_date="2099-01-01T00:00:00Z")
# Generate an SSH key
ssh_key = tls.PrivateKey("ssh-key", algorithm="RSA", rsa_bits=4096)
# Create cluster
managed_cluster_name = config.get("managedClusterName")
if managed_cluster_name is None:
managed_cluster_name = "azure-native-aks"
container_name="users",
public_access="None")
workspace = synapse.Workspace("workspace",
resource_group_name=resource_group.name,
location=resource_group.location,
workspace_name="my-workspace",
default_data_lake_storage=synapse.DataLakeStorageAccountDetailsArgs(
account_url=data_lake_storage_account_url,
filesystem="users",
),
identity=synapse.ManagedIdentityArgs(
type="SystemAssigned",
),
sql_administrator_login="******",
sql_administrator_login_password=random.RandomPassword("workspacePwd", length=12).result)
allow_all = synapse.IpFirewallRule("allowAll",
resource_group_name=resource_group.name,
workspace_name=workspace.name,
rule_name="allowAll",
end_ip_address="255.255.255.255",
start_ip_address="0.0.0.0")
subscription_id = resource_group.id.apply(lambda id: id.split('/')[2])
role_definition_id = subscription_id.apply(lambda id: f"/subscriptions/{id}/providers/Microsoft.Authorization/roleDefinitions/ba92f5b4-2d11-453d-a403-e96b0029c9fe")
storage_access = authorization.RoleAssignment("storageAccess",
role_assignment_name=random.RandomUuid("roleName").result,
scope=storage_account.id,
principal_id=workspace.identity.principal_id.apply(lambda v: v or "<preview>"),
from pulumi import Config, get_stack, export, Output
import pulumi_azuread as ad
import pulumi_random as random
from pulumi_azure import core, containerservice
config = Config()
password = config.get_secret("password") or random.RandomPassword(
"pwd", length=20, special=True).result
ssh_public_key = config.require("sshPublicKey")
resource_group = core.ResourceGroup("aksresourcegroup")
ad_app = ad.Application("aks")
ad_sp = ad.ServicePrincipal("aksSp", application_id=ad_app.application_id)
ad_sp_password = ad.ServicePrincipalPassword("aksSpPassword",
service_principal_id=ad_sp.id,
value=password,
end_date="2099-01-01T00:00:00Z")
aks_cluster_config = [
{
"name": "east",
"location": "eastus",
"node_count": 2,
"node_size": "Standard_D2_v2"
},
{
"name": "west",
"location": "westus",
resource_group = core.ResourceGroup("resourceGroup")
storage_account = storage.Account("storage",
resource_group_name=resource_group.name,
account_replication_type="LRS",
account_tier="Standard")
container = storage.Container("files",
storage_account_name=storage_account.name,
container_access_type="private")
administrator_login_password = random.RandomPassword(
"password",
length=16,
special=True,
).result
sql_server = sql.SqlServer(
"sqlserver",
resource_group_name=resource_group.name,
administrator_login_password=administrator_login_password,
administrator_login="******",
version="12.0")
database = sql.Database("sqldb",
resource_group_name=resource_group.name,
server_name=sql_server.name,
requested_service_objective_name="S0")
admin_enabled=not use_sp_auth,
sku='Basic')
# Get registry info (creds and endpoint).
image_name = registry.login_server.apply(lambda s: f'{s}/myapp')
if use_sp_auth:
sp = azuread.ServicePrincipal(
'mysp',
application_id=azuread.Application('myspapp').application_id,
)
sp_password = azuread.ServicePrincipalPassword(
'mysp-pass',
service_principal_id=sp.id,
value=random.RandomPassword(
'mypass',
length=32,
opts=pulumi.ResourceOptions(
additional_secret_outputs=['result'])).result,
end_date_relative='8760h',
)
sp_auth = azure.authorization.Assignment(
'myauth',
scope=registry.id,
role_definition_name='acrpush',
principal_id=sp.id,
)
registry_info = docker.ImageRegistry(
server=registry.login_server,
username=sp.application_id,
password=sp_auth.id.apply(lambda _: sp_password.value),
)
from pulumi import Config, export, ResourceOptions
from pulumi_azure import core, network, lb, compute
import pulumi_random as random
config = Config()
admin_user = config.get("adminUser") or "azureuser"
admin_password = config.get_secret("adminPassword") or random.RandomPassword(
"pwd", length=20, special="true").result
domain = config.get("domain") or random.RandomString(
"domain", length=10, number="false", special="false", upper="false").result
application_port = config.get_float("applicationPort") or 80
resource_group = core.ResourceGroup("vmss-rg")
public_ip = network.PublicIp("public-ip",
resource_group_name=resource_group.name,
allocation_method="Static",
domain_name_label=domain)
load_balancer = lb.LoadBalancer("lb",
resource_group_name=resource_group.name,
frontend_ip_configurations=[{
"name":
"PublicIPAddress",
"publicIpAddressId":
public_ip.id,
}])
bpepool = lb.BackendAddressPool("bpepool",
resource_group_name=resource_group.name,
loadbalancer_id=load_balancer.id)
import network
import backend
import frontend
# Get config data
config = pulumi.Config()
service_name = config.get('service_name') or 'wp-example'
db_name = config.get('db_name') or 'lampdb'
db_user = config.get('db_user') or 'admin'
# Get secretified password from config and protect it going forward, or create one using the 'random' provider.
db_password = config.get_secret('db_password')
if not db_password:
password = random.RandomPassword(
'db_password',
length=16,
special=True,
override_special='_%@',
)
# Pulumi knows this provider is used to create a password and thus automatically protects it going forward.
db_password = password.result
# Create an AWS VPC and subnets, etc
network = network.Vpc(f'{service_name}-net', network.VpcArgs())
subnet_ids = []
for subnet in network.subnets:
subnet_ids.append(subnet.id)
# Create a backend DB instance
be = backend.Db(
f'{service_name}-be',
backend.DbArgs(
# The following 4 inputs will be updated ONLY after the initial postgres sql database instance, database, and users have been created.
# We need the instance information to pass back in since we are using python package
# to create the tables. See the readme
# Start
postgres_sql_instance_public_ip_address = config.get(
"postgres_sql_instance_public_ip_address")
postgres_sql_user_username = config.get("postgres_sql_user_username")
postgres_sql_database_name = config.get("postgres_sql_database_name")
postgres_sql_user_password = config.get("postgres_sql_user_password")
# End
# creates a random password https://www.pulumi.com/docs/reference/pkg/random/randompassword/
mypassword = random.RandomPassword("randompassword",
length=12,
special=False,
lower=True,
min_lower=4,
min_numeric=4,
min_upper=4,
number=True)
# Create database instance Google Cloud.
# https://www.pulumi.com/docs/reference/pkg/gcp/sql/databaseinstance/
myinstance = sql.DatabaseInstance(
"pulumidbinstance",
database_version="POSTGRES_12",
settings=sql.DatabaseInstanceSettingsArgs(
tier="db-f1-micro",
activation_policy="ALWAYS",
availability_type="REGIONAL",
ip_configuration={"authorized_networks": [{
"value": myip
def __init__(
self,
name: str,
vpc_id: pulumi.Input[str],
subnet_ids: pulumi.Input[List[str]],
nomad_agent_security_group_id: pulumi.Input[str],
availability_zone: pulumi.Input[str],
opts: Optional[pulumi.ResourceOptions] = None,
) -> None:
super().__init__("grapl:Postgres", name, None, opts)
child_opts = pulumi.ResourceOptions(parent=self)
username = "******"
# FYI we ran into some weird pulumi bugs around RandomPassword.
# https://grapl-internal.slack.com/archives/C0174A8QV2S/p1642183461098100
password = random.RandomPassword(
f"{name}-password",
length=32,
# Disable special characters, ":" can lead to unexpected
# sqlx errors: https://github.com/launchbadge/sqlx/issues/1624
special=False,
opts=pulumi.ResourceOptions(parent=self),
)
subnet_group_name = f"{name}-postgres-subnet-group"
rds_subnet_group = aws.rds.SubnetGroup(
subnet_group_name,
subnet_ids=subnet_ids,
tags={"Name": subnet_group_name},
opts=child_opts,
)
sg_name = f"{name}-postgres-security-group"
self.security_group = aws.ec2.SecurityGroup(
sg_name,
vpc_id=vpc_id,
# Tags are necessary for the moment so we can look up the resource from a different pulumi stack.
# Once this is refactored we can remove the tags
tags={"Name": sg_name},
opts=pulumi.ResourceOptions(parent=self),
)
postgres_port = 5432
# Allow communication between nomad-agents and RDS
aws.ec2.SecurityGroupRule(
f"{name}-nomad-agents-egress-to-rds",
type="egress",
security_group_id=nomad_agent_security_group_id,
from_port=postgres_port,
to_port=postgres_port,
protocol="tcp",
source_security_group_id=self.security_group.id,
opts=pulumi.ResourceOptions(parent=self.security_group),
)
aws.ec2.SecurityGroupRule(
f"{name}-rds-ingress-from-nomad-agents",
type="ingress",
security_group_id=self.security_group.id,
from_port=postgres_port,
to_port=postgres_port,
protocol="tcp",
source_security_group_id=nomad_agent_security_group_id,
opts=pulumi.ResourceOptions(parent=self.security_group),
)
# Parameter Groups are what we use to preload pg libraries
parameter_group = aws.rds.ParameterGroup(
name,
description=f"{name} managed by Pulumi",
# TODO autoparse the family
family="postgres13",
parameters=[
{
"name": "shared_preload_libraries",
"value": "pg_cron,pg_stat_statements",
"apply_method": "pending-reboot",
}
],
)
postgres_config = PostgresConfigValues.from_config()
# Quick diatribe:
# "The database name is the name of a database hosted in your DB instance.
# A database name is not required when creating a DB instance.
# Databases hosted by the same DB instance must have a unique name within
# that instance."
# Since we're using 1 database per instance right now, I'm going to
# hardcode it to the default value of `postgres` (like the postgres
# docker image does).
#
# As for giving the instance a name we can see on the console, that's
# the `identifier=`.
database_name = "postgres"
assert re.match(
"^[a-zA-Z][a-zA-Z0-9]+$", database_name
), "Database name must be alpha+alphanumeric"
instance_name = f"{name}-instance"
self._instance = aws.rds.Instance(
instance_name,
identifier=instance_name,
name=database_name, # See above diatribe
engine="postgres",
engine_version=postgres_config.postgres_version,
instance_class=postgres_config.instance_type,
parameter_group_name=parameter_group.name,
# These storage parameters should be more thoroughly thought out.
allocated_storage=10,
max_allocated_storage=20,
# Subnet/vpc stuff
db_subnet_group_name=rds_subnet_group.id,
vpc_security_group_ids=[self.security_group.id],
availability_zone=availability_zone,
# TODO: EnableIAMDatabaseAuthentication
# Makes teardown easier. This can be revisited.
skip_final_snapshot=True,
# Eventually this would be managed by Vault.
# In the meantime, security is basically only enforced by VPC
username=username,
password=password.result,
port=postgres_port,
# Because we're not specifying a kms key, this will use the default aws/rds key
storage_encrypted=True,
# Enable performance insights for 7 days, which is free
performance_insights_enabled=True,
performance_insights_retention_period=7,
# We need delete before replace in order to encrypt instances. Once prod is up and running we may want to
# remove this option to avoid accidental downtime.
opts=pulumi.ResourceOptions(parent=self, delete_before_replace=True),
)
import pulumi_tls as tls
config = pulumi.Config()
name = "shaht"
# Create new resource group
resource_group = resources.ResourceGroup(f'{name}-azure-native-py-aks')
# Create an AD service principal
ad_app = azuread.Application(f'{name}-aks-app', display_name=f'{name}-aks-app')
ad_sp = azuread.ServicePrincipal(f'{name}-aksSp',
application_id=ad_app.application_id)
# Generate random password
password = random.RandomPassword(f'{name}-password', length=20, special=True)
# Create the Service Principal Password
ad_sp_password = azuread.ServicePrincipalPassword(
f'{name}-aksSpPassword',
service_principal_id=ad_sp.id,
value=password.result,
end_date="2099-01-01T00:00:00Z")
# Generate an SSH key
ssh_key = tls.PrivateKey(f'{name}-ssh-key', algorithm="RSA", rsa_bits=4096)
# Create cluster
managed_cluster_name = config.get("managedClusterName")
if managed_cluster_name is None:
managed_cluster_name = f'{name}-azure-native-aks'
from pulumi import export
import pulumi_random as random
import pulumi_rabbitmq as rabbitmq
password = random.RandomPassword("my-password", length=30, special="true")
user = rabbitmq.User("my-python-user", password=password.result)
export("username", user.name)
