asterion-digital / asterion-as-code
Deploying asterion digital infrastructure to aws and raspberry pi's using pulumi
Linked to issue #12 - rather than relying on manual methods, we can utilize aws sso to authenticate with the active identities in our gsuite directory.
We should investigate identity federation in order to better centralize and automate authentication moving forward. In the first instance, we should be looking for a way to deliver this through pulumi.
When destroying the pulumi stack for org-asterion, pulumi attempts to move the aws member accounts. This triggers aws to attempt transforming the member accounts into stand-alone accounts, which causes exceptions as these member accounts created through pulumi are missing the proper configurations (such as credit card details) to become stand-alone accounts. The exceptions are currently critical issues to bringing the org-asterion stack down.
Duplication/deletion also renders email addresses inert and should be avoided.
I propose that we configure the aws account resources created in main.py so that when pulumi destroy is initiated, an aws ou is created in organizations as a holding bay for all accounts to be shifted to prior to destruction.
main.py will also need further modification so that when the stack is brought up, the holding bay ou contents are placed into a list and checked so that we reuse these resources instead of creating duplicates.
The additional benefit here is that we may be able to run some kind of scheduled jobs in the future over resources in this ou for further vetting or for initiating the aws account deletion processes.
We need backup processes to store all application data in the Asterion AWS infrastructure in the event that a critical failure occurs, causing data to become corrupted.
The best solution would be a job template that can be integrated with existing git workflows, which will run a process to completely store data in an archive file (7z, rar, tar, iso, etc) format prior to commencing actions to replace parts of our infrastructure.
The destination can just be local storage for now, but the final intention should be comparable to storing on a NFS that can be shared across all nodes/clusters.
We should begin the process of creating shared group credentials and services.
Currently, I can see the need for three primary group email accounts that will be mapped to specific permission/role levels in aws iams:
Many services depend on email as a primary means of identification and communication. We have a company email service with g-suite that we could utilize for this purpose.
As per the title - allows each stack to be more easily maintained and critical for usability.
Some values will need to be stored in Pulumi.dev.yaml:
**Note:** The pulumi service cannot be utilized to manage global variables, however a workaround could be achieved by exporting a pulumi output json object containing hardcoded values.
org.py, ou.py, and users.py will need to be modified to be repeatable by placing the relevant, existing code into callable functions that are more scalable. The scalability must derive from the pulumi stack model.
We need our git CI workflows to trigger when actions occur (e.g - push, pr) over specific files/folders (e.g infra-aws) rather than when these actions occur over the entire repository. This will ensure that in our mono-repo implementation, the git workflows will only trigger when necessary.
To manage our resource usage in the cloud, we would need to have controls in place to avoid needless or accidental overspend. For our ec2 instances, aws provides budgets to fulfil that capability.
We need to set up aws budgets to:
This should also be discussed amongst the team as to how these controls should be configured moving forward.
We need to be able to define the asterion organization in pulumi when deploying our infrastructure in aws.
This organization must have access to all features, be easily identifiable, and will eventually define default member accounts and adopt tag policies to control the permissions across all aws services for this organization.
Refer to aws organizations in pulumi for notes on the pulumi-python implementation.
Welcome!
As a good starter, let's "hit three end-points with one api call", so to speak🤣, by doing the following:
Let's see if you can get to the end successfully! 😈
Using the same rationale as issue #7, we need recovery processes to replace existing data with the extracted data from our backup archive file, and seamlessly integrate this with any of our existing kubernetes workloads on AWS.
This could be a git job that initially needs to be manually run.
We need a secrets manager to centrally manage, automate, and standardize authentication with external service providers.
There's multiple solutions out there, but some basic requirements:
First steps TBD.
As a company, we need to self-host services, and as an initial iteration we're running K3S on raspberry pi's (arm64) with networking and persistent storage.
To set this up, we'll need to make some hardware purchases. These should include:
As per this aws document about service control policies, we need to make some adjustments to the structure of the current asterion aws organization to conform with the aws principles of effective permissions.
This involves creating another org unit and account at a new level between root and the infra stacks to be able to apply SCPs at that level - the document linked above refers to the point that SCPs cannot be applied at a root level.
This should be prioritized low as this use case would only apply if the volume of asterion users scaled horizontally.
To avoid accidental overuse of resources, we should introduce controls to destroy or keep pulumi stacks active, depending on environment or activity, when a git workflow is triggered.
For instance, if not requiring a stack to be active, such as a stack produced in a dev environment, the stack may need to be destroyed upon workflow completion.
We can implement some type of conditional control within the git workflow to control this at a rudimentary level. We could also create a boolean environment secret to indicate to our workflow when to destroy stacks or when to keep them alive.
The raspberry pi infrastructure requires http/s traffic incoming to the existing k3s cluster to be routed through nginx to our existing applications (wordpress, mariadb).
The intention is using load balancing principles to mitigate future bottlenecks and improve performance from heavy traffic accessing interfaces/end-points of our applications.
This issue is dependent on #12 and #15 completion.
The email accounts created in #12 will also require associated members set up in aws iams and then applied to all required organizations that will be housed within the solution of #15. You can consult the pulumi documentation to determine how to implement this in pulumi.