pulumi-bootstrap

What is this for?

To Deploy Infrastructure on AWS using Pulumi while keeping secrets encrypted in code.


Why do we do this?

Because we always expect our Infrastructure and Secrets will get out of control. By keeping secrets encrypted in code this allows us to audit, rotate, version, and test them. Pulumi extends pure code so we can build stacks that are highly extensible.


What do we use?


What do you need to get started?

  1. At least one AWS Account
  2. At least one IAM user per AWS account
  3. Python 3 installed locally
  4. The AWS CLI installed locally
  5. A method to securely pass IAM credentials to a Python script (we recommend using aws-vault)
  6. A Pulumi CLI installation (v3.0.0 or later)

How do you get started?

Once you've got all the prerequisites taken care of, you'll need to provision the following resources:

  1. An S3 Bucket to be used for keeping Pulumi state
  2. An IAM role to assume in order to access the bucket
  3. A KMS key for encrypting secrets in state that one or more IAM users have access to
  4. An encryption key for encrypting secrets in Git

To provision all of these things we'll use the Pulumi service without the Automation API.

If you want to allow one or more IAM users to assume the bucket role, you need to set iam_users to true and add their user ARNs under iam.users. There are examples below.

iam_name will be the name of the IAM role and IAM policy granting access to the bucket.

Create S3 Shared State with IAM permissions

We'll start out by deploying the required resources in a single AWS account. If you want to allow users in other AWS accounts to access the bucket, check out the Next Steps.

  1. cd shared-state
  2. Create a new stack in your account (the stack name is your choice):

     pulumi stack init {{stack-name}}

  3. Set the configuration options for the stack. Change the values to meet your needs.

     Required:

     pulumi config set bucket_name                my-pulumi-state
     pulumi config set iam_users                  true
     pulumi config set iam_name                   AccessPulumiStateBucket

     Optional (one entry per IAM user that may assume the bucket role):

     pulumi config set --path iam.users[0]        arn:aws:iam::213597402033:user/user1
     pulumi config set --path iam.users[1]        arn:aws:iam::213597402033:user/user2

To provision the resources you need to run:

pulumi up

or

aws-vault exec {{some-profile}} -- pulumi up
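The shared-state stack's own Pulumi program is not shown on this page. As an added example (not pulumi-bootstrap's code), the following Python builds the three policy documents a reviewer would expect that stack to create from the configuration above: the trust policy that lets only the listed iam.users assume the role named by iam_name, the role policy scoped to the single state bucket, and the KMS key policy that lets the role use (but not administer) the secrets key. The account_id parameter, the function names and the regex check are assumptions for illustration; the sample values at the bottom are the README's own example values.

```python
"""Least-privilege policy documents for a Pulumi S3 state bucket.

Added example, not pulumi-bootstrap's own code. It takes the keys the README
sets with `pulumi config set` (bucket_name, iam_users, iam_name, iam.users[])
and produces the trust, bucket and KMS key policies the shared-state stack is
expected to create. account_id and all function names are assumptions.
"""
import json
import re

# arn:aws:iam::<12-digit account>:user/<name>; the account is captured so a
# principal from a foreign account can be rejected before the role exists.
_USER_ARN = re.compile(r"^arn:aws:iam::(\d{12}):user/[\w+=,.@/-]+$")


def validate_user_arns(user_arns, expected_account=None):
    """Reject malformed principals and, when expected_account is given,
    principals outside that account. Returns a copy of the list on success."""
    for arn in user_arns:
        match = _USER_ARN.match(arn)
        if match is None:
            raise ValueError(f"not an IAM user ARN: {arn}")
        if expected_account and match.group(1) != expected_account:
            raise ValueError(f"{arn} is outside account {expected_account}")
    return list(user_arns)


def trust_policy(user_arns):
    """Trust policy for the role named by iam_name: only the listed users may
    assume it, and only via sts:AssumeRole."""
    if not user_arns:
        raise ValueError("iam.users must name at least one principal")
    return {
        "Version": "2012-10-17",
        "Statement": [{"Effect": "Allow",
                       "Principal": {"AWS": user_arns},
                       "Action": "sts:AssumeRole"}],
    }


def bucket_access_policy(bucket_name):
    """Role policy scoped to the state bucket only: list it, and read, write
    and delete objects in it (Pulumi writes checkpoints and removes its own
    lock objects). No wildcard resources."""
    bucket_arn = f"arn:aws:s3:::{bucket_name}"
    return {
        "Version": "2012-10-17",
        "Statement": [
            {"Effect": "Allow",
             "Action": ["s3:ListBucket", "s3:GetBucketLocation"],
             "Resource": bucket_arn},
            {"Effect": "Allow",
             "Action": ["s3:GetObject", "s3:PutObject", "s3:DeleteObject"],
             "Resource": f"{bucket_arn}/*"},
        ],
    }


def kms_key_policy(account_id, role_name):
    """Key policy for the secrets-provider key: the account root keeps
    administrative control, the bucket role may only use the key."""
    return {
        "Version": "2012-10-17",
        "Statement": [
            {"Sid": "KeyAdministration", "Effect": "Allow",
             "Principal": {"AWS": f"arn:aws:iam::{account_id}:root"},
             "Action": "kms:*", "Resource": "*"},
            {"Sid": "PulumiSecretsProvider", "Effect": "Allow",
             "Principal": {"AWS": f"arn:aws:iam::{account_id}:role/{role_name}"},
             "Action": ["kms:Encrypt", "kms:Decrypt",
                        "kms:GenerateDataKey", "kms:DescribeKey"],
             "Resource": "*"},
        ],
    }


def render_policies(config, account_id):
    """config mirrors the README's stack configuration: string values as
    `pulumi config` stores them, except iam.users which is a list. Only the
    iam_users=true case is modelled here."""
    if config.get("iam_users") != "true":
        raise ValueError("this example models only iam_users=true")
    users = validate_user_arns(config.get("iam.users", []), account_id)
    return {
        "trust": trust_policy(users),
        "bucket": bucket_access_policy(config["bucket_name"]),
        "kms": kms_key_policy(account_id, config["iam_name"]),
    }


if __name__ == "__main__":
    # Constructed sample using the README's example values.
    sample = {
        "bucket_name": "my-pulumi-state",
        "iam_users": "true",
        "iam_name": "AccessPulumiStateBucket",
        "iam.users": ["arn:aws:iam::213597402033:user/user1",
                      "arn:aws:iam::213597402033:user/user2"],
    }
    for name, doc in render_policies(sample, "213597402033").items():
        print(f"--- {name} ---\n{json.dumps(doc, indent=2)}")
```

Run it to see the rendered JSON before `pulumi up`; the useful check is that the bucket statements name one bucket ARN rather than `*`, and that every principal in the trust policy belongs to the account you expect.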

Secrets

Secrets are in their own stack. See the README.md at infra/secrets for more details on how to manage your environment secrets.

Deploying CodePipeline

CodePipeline is used to deploy all of the infrastructure in our environment - including updating itself.

There are a number of dependencies to deploying CodePipeline with CodeBuild projects. These dependencies live in their own separate stacks. For example, pipeline-iam is a stack that creates the IAM roles and policies that allow the CodeBuild projects deploying infrastructure to do what they need to do.

Deploying VPC

  • Requires a /16 CIDR

Contributors

kjenney
