def update_glue_connections(self): glue_connections = self.model.aws.glue_connections databases = self.model.aws.databases for db_uid, con in glue_connections.items(): db = databases[db_uid] resource_name = self._res_name(f"glue/{db_uid}") password = random.RandomPassword( resource_name, length=32, special=False, opts=pulumi.ResourceOptions( additional_secret_outputs=["result"])) login = "******" mysql_provider = self._get_mysql_provider(db_uid) mysql_user = mysql.User(resource_name, user=login, host=ANY_HOST, plaintext_password=password.result, tls_option="SSL", opts=pulumi.ResourceOptions( provider=mysql_provider, delete_before_replace=True, )) for db_name in con.db_names: grant_name = resource_name if db_name == db.db_name \ else self._res_name("/".join((db_uid, db_name, login))) mysql.Grant( grant_name, user=mysql_user.user, database=db.db_name, host=mysql_user.host, privileges=self.model.custom.grant_types[con.grant_type], opts=pulumi.ResourceOptions( provider=mysql_provider, delete_before_replace=True, )) region, db_id = db_uid.split("/") aws_provider = self._get_aws_provider(region) glue.Connection( resource_name, name=f"sari.{db_id}", description=MANAGED_BY_SARI_NOTICE, connection_type="JDBC", connection_properties={ "JDBC_CONNECTION_URL": f"jdbc:mysql://{db.endpoint.address}:{db.endpoint.port}/" f"{db.db_name}", "JDBC_ENFORCE_SSL": "true", "USERNAME": login, "PASSWORD": password.result, }, physical_connection_requirements=con. physical_connection_requirements, opts=pulumi.ResourceOptions( provider=aws_provider, delete_before_replace=True, ))
def __init__(self, name: str, args: DbArgs, opts: ResourceOptions = None): super().__init__('custom:resource:Postgres', name, {}, opts) database_instance_name = f'{name}-dbinstance' self.sql = sql.DatabaseInstance( database_instance_name, database_version=args.database_version, settings=sql.DatabaseInstanceSettingsArgs( tier=args.tier, activation_policy=args.activation_policy, availability_type=args.availability_type, disk_size=args.disk_size, ip_configuration=args.private_network, user_labels=args.tags, backup_configuration={ "enabled": args.backup_configuration_enabled, "point_in_time_recovery_enabled": args.backup_configuration_point_in_time_recovery_enabled }, ), deletion_protection=args.deletion_protection, opts=ResourceOptions(parent=self)) # creates a random password https://www.pulumi.com/docs/reference/pkg/random/randompassword/ mypassword = random.RandomPassword(f'{name}-random', length=12, special=False, lower=True, min_lower=4, min_numeric=4, min_upper=4, number=True) users_name = f'{name}-user' self.users = sql.User(users_name, instance=self.sql.id, name="pulumiadmin", password=mypassword.result, opts=ResourceOptions(parent=self.sql)) database_name = f'{name}-pulumidb' self.database = sql.Database(database_name, instance=self.sql.id, charset="UTF8", opts=ResourceOptions(parent=self.sql)) self.register_outputs({})
def update_applications(self): applications: Dict[str, dict] = self.model.applications databases = self.model.aws.databases for app_name, db_list in applications.items(): for db_uid in db_list: db = databases[db_uid] region, db_id = db_uid.split("/") aws_provider = self._get_aws_provider(region) resource_basename = f"app/{app_name}/{db_uid}" username = f"app:{app_name}" password = random.RandomPassword( f"{resource_basename}/pass", length=32, special=False, opts=pulumi.ResourceOptions( additional_secret_outputs=["result"])) ssm.Parameter( f"{resource_basename}/user", name=f"sari.{app_name}.{db_id}.username", type="String", value=username, opts=pulumi.ResourceOptions(provider=aws_provider)) ssm.Parameter( f"{resource_basename}/pass", name=f"sari.{app_name}.{db_id}.password", type="SecureString", value=password.result, opts=pulumi.ResourceOptions(provider=aws_provider)) mysql_provider = self._get_mysql_provider(db_uid) mysql_user = mysql.User(resource_basename, user=username, host=ANY_HOST, plaintext_password=password.result, tls_option="SSL", opts=pulumi.ResourceOptions( provider=mysql_provider, delete_before_replace=True, )) mysql.Grant(resource_basename, user=mysql_user.user, database=db.db_name, host=mysql_user.host, privileges=self.model.custom. grant_types[DEFAULT_GRANT_TYPE], opts=pulumi.ResourceOptions( provider=mysql_provider, delete_before_replace=True, ))
import pulumi_azuread as azuread import pulumi_kubernetes as k8s from pulumi_kubernetes.helm.v3 import Chart, ChartOpts import pulumi_random as random # Config values or defaults config = Config() k8s_version = config.get('k8sVersion') or '1.18.14' admin_username = config.get('adminUserName') or 'testuser' node_count = config.get_int('nodeCount') or 2 node_size = config.get('nodeSize') or 'Standard_D2_v2' password = config.get_secret("password") if not password: rando_password = random.RandomPassword( 'password', length=16, special=True, override_special='@_#', ) password = rando_password.result # Resource Group resource_group = resources.ResourceGroup('rg') ### AKS Cluster Related Resources generated_key_pair = PrivateKey('ssh-key', algorithm='RSA', rsa_bits=4096) ssh_public_key = generated_key_pair.public_key_openssh ad_app = azuread.Application('app', display_name='app') ad_sp = azuread.ServicePrincipal('service-principal', application_id=ad_app.application_id) ad_sp_password = azuread.ServicePrincipalPassword(
from pulumi_azure_native import resources, containerservice import pulumi_azuread as azuread import pulumi_random as random import pulumi_tls as tls config = pulumi.Config() # Create new resource group resource_group = resources.ResourceGroup("azure-native-py-aks") # Create an AD service principal ad_app = azuread.Application("aks", display_name="aks") ad_sp = azuread.ServicePrincipal("aksSp", application_id=ad_app.application_id) # Generate random password password = random.RandomPassword("password", length=20, special=True) # Create the Service Principal Password ad_sp_password = azuread.ServicePrincipalPassword( "aksSpPassword", service_principal_id=ad_sp.id, value=password.result, end_date="2099-01-01T00:00:00Z") # Generate an SSH key ssh_key = tls.PrivateKey("ssh-key", algorithm="RSA", rsa_bits=4096) # Create cluster managed_cluster_name = config.get("managedClusterName") if managed_cluster_name is None: managed_cluster_name = "azure-native-aks"
container_name="users", public_access="None") workspace = synapse.Workspace("workspace", resource_group_name=resource_group.name, location=resource_group.location, workspace_name="my-workspace", default_data_lake_storage=synapse.DataLakeStorageAccountDetailsArgs( account_url=data_lake_storage_account_url, filesystem="users", ), identity=synapse.ManagedIdentityArgs( type="SystemAssigned", ), sql_administrator_login="******", sql_administrator_login_password=random.RandomPassword("workspacePwd", length=12).result) allow_all = synapse.IpFirewallRule("allowAll", resource_group_name=resource_group.name, workspace_name=workspace.name, rule_name="allowAll", end_ip_address="255.255.255.255", start_ip_address="0.0.0.0") subscription_id = resource_group.id.apply(lambda id: id.split('/')[2]) role_definition_id = subscription_id.apply(lambda id: f"/subscriptions/{id}/providers/Microsoft.Authorization/roleDefinitions/ba92f5b4-2d11-453d-a403-e96b0029c9fe") storage_access = authorization.RoleAssignment("storageAccess", role_assignment_name=random.RandomUuid("roleName").result, scope=storage_account.id, principal_id=workspace.identity.principal_id.apply(lambda v: v or "<preview>"),
from pulumi import Config, get_stack, export, Output import pulumi_azuread as ad import pulumi_random as random from pulumi_azure import core, containerservice config = Config() password = config.get_secret("password") or random.RandomPassword( "pwd", length=20, special=True).result ssh_public_key = config.require("sshPublicKey") resource_group = core.ResourceGroup("aksresourcegroup") ad_app = ad.Application("aks") ad_sp = ad.ServicePrincipal("aksSp", application_id=ad_app.application_id) ad_sp_password = ad.ServicePrincipalPassword("aksSpPassword", service_principal_id=ad_sp.id, value=password, end_date="2099-01-01T00:00:00Z") aks_cluster_config = [ { "name": "east", "location": "eastus", "node_count": 2, "node_size": "Standard_D2_v2" }, { "name": "west", "location": "westus",
resource_group = core.ResourceGroup("resourceGroup") storage_account = storage.Account("storage", resource_group_name=resource_group.name, account_replication_type="LRS", account_tier="Standard") container = storage.Container("files", storage_account_name=storage_account.name, container_access_type="private") administrator_login_password = random.RandomPassword( "password", length=16, special=True, ).result sql_server = sql.SqlServer( "sqlserver", resource_group_name=resource_group.name, administrator_login_password=administrator_login_password, administrator_login="******", version="12.0") database = sql.Database("sqldb", resource_group_name=resource_group.name, server_name=sql_server.name, requested_service_objective_name="S0")
admin_enabled=not use_sp_auth, sku='Basic') # Get registry info (creds and endpoint). image_name = registry.login_server.apply(lambda s: f'{s}/myapp') if use_sp_auth: sp = azuread.ServicePrincipal( 'mysp', application_id=azuread.Application('myspapp').application_id, ) sp_password = azuread.ServicePrincipalPassword( 'mysp-pass', service_principal_id=sp.id, value=random.RandomPassword( 'mypass', length=32, opts=pulumi.ResourceOptions( additional_secret_outputs=['result'])).result, end_date_relative='8760h', ) sp_auth = azure.authorization.Assignment( 'myauth', scope=registry.id, role_definition_name='acrpush', principal_id=sp.id, ) registry_info = docker.ImageRegistry( server=registry.login_server, username=sp.application_id, password=sp_auth.id.apply(lambda _: sp_password.value), )
from pulumi import Config, export, ResourceOptions from pulumi_azure import core, network, lb, compute import pulumi_random as random config = Config() admin_user = config.get("adminUser") or "azureuser" admin_password = config.get_secret("adminPassword") or random.RandomPassword( "pwd", length=20, special="true").result domain = config.get("domain") or random.RandomString( "domain", length=10, number="false", special="false", upper="false").result application_port = config.get_float("applicationPort") or 80 resource_group = core.ResourceGroup("vmss-rg") public_ip = network.PublicIp("public-ip", resource_group_name=resource_group.name, allocation_method="Static", domain_name_label=domain) load_balancer = lb.LoadBalancer("lb", resource_group_name=resource_group.name, frontend_ip_configurations=[{ "name": "PublicIPAddress", "publicIpAddressId": public_ip.id, }]) bpepool = lb.BackendAddressPool("bpepool", resource_group_name=resource_group.name, loadbalancer_id=load_balancer.id)
import network import backend import frontend # Get config data config = pulumi.Config() service_name = config.get('service_name') or 'wp-example' db_name = config.get('db_name') or 'lampdb' db_user = config.get('db_user') or 'admin' # Get secretified password from config and protect it going forward, or create one using the 'random' provider. db_password = config.get_secret('db_password') if not db_password: password = random.RandomPassword( 'db_password', length=16, special=True, override_special='_%@', ) # Pulumi knows this provider is used to create a password and thus automatically protects it going forward. db_password = password.result # Create an AWS VPC and subnets, etc network = network.Vpc(f'{service_name}-net', network.VpcArgs()) subnet_ids = [] for subnet in network.subnets: subnet_ids.append(subnet.id) # Create a backend DB instance be = backend.Db( f'{service_name}-be', backend.DbArgs(
# The following 4 inputs will be updated ONLY after the initial postgres sql database instance, database, and users have been created. # We need the instance information to pass back in since we are using python package # to create the tables. See the readme # Start postgres_sql_instance_public_ip_address = config.get( "postgres_sql_instance_public_ip_address") postgres_sql_user_username = config.get("postgres_sql_user_username") postgres_sql_database_name = config.get("postgres_sql_database_name") postgres_sql_user_password = config.get("postgres_sql_user_password") # End # creates a random password https://www.pulumi.com/docs/reference/pkg/random/randompassword/ mypassword = random.RandomPassword("randompassword", length=12, special=False, lower=True, min_lower=4, min_numeric=4, min_upper=4, number=True) # Create database instance Google Cloud. # https://www.pulumi.com/docs/reference/pkg/gcp/sql/databaseinstance/ myinstance = sql.DatabaseInstance( "pulumidbinstance", database_version="POSTGRES_12", settings=sql.DatabaseInstanceSettingsArgs( tier="db-f1-micro", activation_policy="ALWAYS", availability_type="REGIONAL", ip_configuration={"authorized_networks": [{ "value": myip
def __init__( self, name: str, vpc_id: pulumi.Input[str], subnet_ids: pulumi.Input[List[str]], nomad_agent_security_group_id: pulumi.Input[str], availability_zone: pulumi.Input[str], opts: Optional[pulumi.ResourceOptions] = None, ) -> None: super().__init__("grapl:Postgres", name, None, opts) child_opts = pulumi.ResourceOptions(parent=self) username = "******" # FYI we ran into some weird pulumi bugs around RandomPassword. # https://grapl-internal.slack.com/archives/C0174A8QV2S/p1642183461098100 password = random.RandomPassword( f"{name}-password", length=32, # Disable special characters, ":" can lead to unexpected # sqlx errors: https://github.com/launchbadge/sqlx/issues/1624 special=False, opts=pulumi.ResourceOptions(parent=self), ) subnet_group_name = f"{name}-postgres-subnet-group" rds_subnet_group = aws.rds.SubnetGroup( subnet_group_name, subnet_ids=subnet_ids, tags={"Name": subnet_group_name}, opts=child_opts, ) sg_name = f"{name}-postgres-security-group" self.security_group = aws.ec2.SecurityGroup( sg_name, vpc_id=vpc_id, # Tags are necessary for the moment so we can look up the resource from a different pulumi stack. # Once this is refactored we can remove the tags tags={"Name": sg_name}, opts=pulumi.ResourceOptions(parent=self), ) postgres_port = 5432 # Allow communication between nomad-agents and RDS aws.ec2.SecurityGroupRule( f"{name}-nomad-agents-egress-to-rds", type="egress", security_group_id=nomad_agent_security_group_id, from_port=postgres_port, to_port=postgres_port, protocol="tcp", source_security_group_id=self.security_group.id, opts=pulumi.ResourceOptions(parent=self.security_group), ) aws.ec2.SecurityGroupRule( f"{name}-rds-ingress-from-nomad-agents", type="ingress", security_group_id=self.security_group.id, from_port=postgres_port, to_port=postgres_port, protocol="tcp", source_security_group_id=nomad_agent_security_group_id, opts=pulumi.ResourceOptions(parent=self.security_group), ) # Parameter Groups are what we use to preload pg libraries parameter_group = aws.rds.ParameterGroup( name, description=f"{name} managed by Pulumi", # TODO autoparse the family family="postgres13", parameters=[ { "name": "shared_preload_libraries", "value": "pg_cron,pg_stat_statements", "apply_method": "pending-reboot", } ], ) postgres_config = PostgresConfigValues.from_config() # Quick diatribe: # "The database name is the name of a database hosted in your DB instance. # A database name is not required when creating a DB instance. # Databases hosted by the same DB instance must have a unique name within # that instance." # Since we're using 1 database per instance right now, I'm going to # hardcode it to the default value of `postgres` (like the postgres # docker image does). # # As for giving the instance a name we can see on the console, that's # the `identifier=`. database_name = "postgres" assert re.match( "^[a-zA-Z][a-zA-Z0-9]+$", database_name ), "Database name must be alpha+alphanumeric" instance_name = f"{name}-instance" self._instance = aws.rds.Instance( instance_name, identifier=instance_name, name=database_name, # See above diatribe engine="postgres", engine_version=postgres_config.postgres_version, instance_class=postgres_config.instance_type, parameter_group_name=parameter_group.name, # These storage parameters should be more thoroughly thought out. allocated_storage=10, max_allocated_storage=20, # Subnet/vpc stuff db_subnet_group_name=rds_subnet_group.id, vpc_security_group_ids=[self.security_group.id], availability_zone=availability_zone, # TODO: EnableIAMDatabaseAuthentication # Makes teardown easier. This can be revisited. skip_final_snapshot=True, # Eventually this would be managed by Vault. # In the meantime, security is basically only enforced by VPC username=username, password=password.result, port=postgres_port, # Because we're not specifying a kms key, this will use the default aws/rds key storage_encrypted=True, # Enable performance insights for 7 days, which is free performance_insights_enabled=True, performance_insights_retention_period=7, # We need delete before replace in order to encrypt instances. Once prod is up and running we may want to # remove this option to avoid accidental downtime. opts=pulumi.ResourceOptions(parent=self, delete_before_replace=True), )
import pulumi_tls as tls config = pulumi.Config() name = "shaht" # Create new resource group resource_group = resources.ResourceGroup(f'{name}-azure-native-py-aks') # Create an AD service principal ad_app = azuread.Application(f'{name}-aks-app', display_name=f'{name}-aks-app') ad_sp = azuread.ServicePrincipal(f'{name}-aksSp', application_id=ad_app.application_id) # Generate random password password = random.RandomPassword(f'{name}-password', length=20, special=True) # Create the Service Principal Password ad_sp_password = azuread.ServicePrincipalPassword( f'{name}-aksSpPassword', service_principal_id=ad_sp.id, value=password.result, end_date="2099-01-01T00:00:00Z") # Generate an SSH key ssh_key = tls.PrivateKey(f'{name}-ssh-key', algorithm="RSA", rsa_bits=4096) # Create cluster managed_cluster_name = config.get("managedClusterName") if managed_cluster_name is None: managed_cluster_name = f'{name}-azure-native-aks'
from pulumi import export import pulumi_random as random import pulumi_rabbitmq as rabbitmq password = random.RandomPassword("my-password", length=30, special="true") user = rabbitmq.User("my-python-user", password=password.result) export("username", user.name)