Pulumi Examples - Infrastructure as Code
October 31, 2022 ยท View on GitHub
This repository contains Pulumi examples for AWS, Azure, and Google Cloud Platform. The examples are in TypeScript, python, and go.
Examples are in different languages & different clouds
ts = typescript, py = python, go = go
Prerequisite - How to Get Started with Pulumi - skip if you have already done this
| CLOUD | STEPS | COMMENTS |
|---|---|---|
| AWS | 1. Getting Started with AWS | Start with 1 cloud only. Then when you need to, configure the next cloud. |
| AWS | 2. Configure your AWS account | Start with 1 cloud only. Then when you need to, configure the next cloud. |
| AZURE | 1. Getting Started with AZURE | Start with 1 cloud only. Then when you need to, configure the next cloud. |
| AZURE | 2. Configure your Azure account | Start with 1 cloud only. Then when you need to, configure the next cloud. |
| 1.Getting Started with GOOGLE | Start with 1 cloud only. Then when you need to, configure the next cloud. | |
| 2.Configure your Google account | Start with 1 cloud only. Then when you need to, configure the next cloud. |
[![PULUMI AccessToken]How to set up your ACCESS TOKEN** - Only need to do this once, no need to do it for each cloud.
- Navigate to Profile Settings by selecting your avatar, then Settings.
- Click on Access Tokens on the left side.
- Create a new AccessToken. Copy the AccessToken to your clipboard to use in the next step. Enter your AccessToken on the next step after
- On your cli: pulumi login
AWS
| Example | Description | Cloud & Language |
|---|---|---|
| aws-classic-ts-vpc-with-ecs-fargate-py | vpc built-in TypeScript - independent from ecs, ecs uses vpc via stackreferences |  |
| aws-classic-ts-sshkey | ssh key | |
| aws-classic-ts-vpc-crosswalk | vpc built-in TypeScript via crosswalk | |
| aws-classic-ts-acm-awsguard | tls private key, aws self signed certificate and acm created. Running awsguard. Calling pulumi-policy-aws | |
| aws-classic-ts-launchtemplate | ec2 via launchtemplate. also has vpc, securitygroup, & ssh keypair. Addd tags.ts for tags. Calls then | |
| aws-classic-ts-vpc-ecs-autoscaling-lt | vpc, ecs, autoscaling groups, and launchtemplate in TypeScript. This creates a new vpc | |
| aws-ts-existingvpc-ecs-autoscaling-lt | existing vpc, ecs, autoscaling groups, and launchtemplate in TypeScript. Calls then creates a new vpc | |
| aws-classic-ts-ecs-awsx | uses an existing vpc, creates ecs via awsx, loadbalancer via aws. no targetgroup or targetlistener created. next stack is aws-classic-ts-get-ecs | |
| aws-classic-ts-get-ecs | uses an existing vpc, calls the existing ecs created via aws-classic-ts-ecs-awsx | |
| aws-classic-ts-eks | eks cluster with namespace | |
| aws-classic-ts-eks-spot-mg | eks cluster with spot managednode instance with vpc via awsx | |
| aws-classic-ts-eks-awsx-spot | eks cluster with no managed nodes, spot nodegroup, and interface nginx with provider with vpc via awsx | |
| aws-classic-ts-lakeformation | aws lakeformation permissions | |
| aws-classic-ts-eks-different-awsprofile | aws eks cluster with awsx vpc with different aws config profile, not using default | |
| aws-classic-ts-eks-nodetaint | aws eks cluster with awsx vpc with no managednodegroup, one fixed nodegroup, and on spot nodegroup. The spot nodegroup has taints. | |
| aws-classic-ts-eks-node-alltaints | aws eks cluster with awsx vpc with no managednodegroup, fixed & spot nodegroup both have taints. | |
| aws-classic-ts-ebs-volume-snapshot | aws ebs volume with multiple snapshots. then used, for loop used, and protect | |
| aws-classic-ts-ec2-instance-with-ebs-volume | aws vpc with awsx package, ec2 instance with encrypted storage and 2 ebs volumes added that are encrypted. Call then on getAmi and on the subnet ID to use. Also call interpolate | |
| aws-classic-ts-vpc-quickstart | aws vpc with aws quickstart vpc | |
| aws-classic-ts-eks-vpc-sg-default-rules | aws vpc with EKS with no security group rule passed in aws quickstart vpc | |
| aws-classic-ts-vpc-peeringconnectionoption | 2 vpcs in SAME regions connecting them via vpcpeeringconnection | |
| aws-classic-ts-vpc-peeringconnectionoption | 2 vpcs in different regions via providers and then connecting them via vpcpeeringconnection cross account | |
| aws-classic-ts-vpc-natgatway-strategy | awsx multilang vpc with single nat gateway strategy | |
| aws-classic-ts-vpc-get-zones-awsx | awsx multilang vpc with single nat gateway strategy, availability zones, public and private subnets, NO APPLY | |
| aws-classic-ts-securitygroup-vs-securitygrouprules | multilang vpc with single nat gateway strategy, availability zones, public and private subnets, securitygroup vs securitygroup rules. Also call self on securitygroup | |
| aws-classic-ts-vpc-rds-postgres | multilang vpc with single nat gateway strategy, availability zones, public and private subnets, rds, & programtically creating secrets. | |
| aws-py-ecs-fargate | Deploys your own ECS Fargate cluster with tags and uses the vpc via stackreferences | |
| aws-classic-py-s3-staticwebsite | Deploy you own static site in s3 | |
| aws-classic-py-apigateway-lambda-serverless | API Gateway with lambda. swagger and openapi apigateways. Using the triggers option. added multiple paths | |
| aws-classic-py-dynamodb | dynamodb table | |
| aws-classic-py-vpc | creates aws vpc, subnet, igw, nat-gateway(1-3), & route tables all in python. no awsx package | |
| aws-classic-py-eks-spot-mg | eks cluster with spot managednode instance. Creates own vpc based on aws-classic-py-vpc that is in vpc.py | |
| aws-classic-py-aws-load-balancer-controller-helm-release | eks cluster with spot managednode instance. Creates own vpc based on aws-classic-py-vpc that is in vpc.py. Installs aws-load-balancer-controller as helm release. Also pass in the cluster as a provider | |
| aws-classic-py-eks | aws eks cluster with namespace | |
| aws-classic-py-eks-spot-nodegroups | aws eks cluster with no managednode group and fixed and spot nodegroups | |
| aws-classic-py-beanstalk | aws beanstalk application | |
| aws-classic-py-get-ami | aws get ami | |
| aws-classic-py-get-regions | aws get regions | |
| aws-classic-py-vpc-quickstart | aws vpc with aws quickstart vpc | |
| aws-classic-py-vpc-msk-kafka-client | awsx vpc with kinesis firehose, individual az via apply, msk kafka cluster | |
| aws-classic-py-vpc-msk-kafka-client-part2 | awsx vpc keypair, ami, ec2 instance as a client | |
| aws-classic-py-multiple-ec2-ebs | multilanguage awsx vpc keypair, ami, multiple ec2s with ebs block, with apply | |
| aws-classic-py-vpc-awsx-natgateway-strategy | multilanguage awsx vpc vpc, natgateway single zone strategy, igw, public and private subnets | |
| aws-classic-py-vpc-awsx-natgateway-strategy | awsx vpc multilang vpc with single nat gateway strategy, availability zones, public and private subnets, NO APPLY | |
| aws-classic-py-securitygroup-vs-securitygrouprules | awsx vpc multilang vpc with single nat gateway strategy, availability zones, public and private subnets, securitygroups vs securitygroup rules | |
Azure
| Example | Description | Cloud & Language |
|---|---|---|
| azure-classic-py-insights | azure classic resource group, workspace & insights. azure native resource group & workspace mixed with azure classic insights | |
| azure-py-insights | azure native resource group, workspace & azure classic insights. azure native resource group & workspace mixed with azure classic insights | |
| azure-py-vnet | azure virtual network with 2 subnets. | |
| azure-py-databricks | azure databricks. Also retrieving subscription ID and using Output.concat | |
| azure-py-subscriptionid-from-resourcegroup | azure resource group creating and retrieving subscriptionId | |
| azure-py-rg-storageaccounts | azure resource group and storage account with secret outputs | |
| azure-py-aks | azure resource group, azuread service principal pinned to 4.3.0, aks, and outputs with secret outputs | |
| azure-py-aks-diagnosticsetting | azure resource group, azuread service principal pinned to 4.3.0, aks, and diagnostic settings and outputs with secret outputs | |
| azure-py-redis | azure resource group, storage account, redis cache, apply, call the listrediskeys function | |
| azure-py-keyvault-appserviceplan-webservice | azure resource group, appserviceplan, webapp,keyvault, tenant ID, subscription ID, object ID, replaced VaultPropertiesResponseArgs with VaultPropertiesArgs | |
| azure-py-storage-account-networkrulesetresponseargs | azure resource group, storage account, replaced NetworkRuleSetResponseArgs with NetworkRuleSetArgs | |
| azure-ts-sqlserver-loganalytics | SQL Server database with SQL auditing at the database level sent to log analytics in TypeScript | |
| azure-ts-keyvault | create and destroy azure keyvault in TypeScript | |
| azure-ts-consumption-budget | azure consumption budget and switching languages from German to English | |
| azure-classic-ts-datalakegen2 | azure native resource group, storage account, azure classic datalakegen2 path and datalakegen2 filesystem |  |
| azure-ts-iac-workshop-lab1 | azure workshop lab 1, creates resourceg group, storage account, and blob container. Code works independently, does not require workshop | |
| azure-ts-serverless-http-trigger | azure workshop lab 2, azure serverless http trigger function workshop code. Code works independently, does not require workshop | |
| azure-ts-resourcegroup-fixname | azure resource group fixed names | |
| azure-ts-subscriptionid-from-resourcegroup | azure resource group creating and retrieving subscriptionId | |
| azure-ts-jenkins | jenkins deployed on azure function with docker image in ts | |
| azure-ts-sqlserver-servervulnerabilityassessment | azure sql server with vulnerability assessment requires that Azure Defender for SQL Server turned on at subscription level. Due to Azure Consistency issues, we have to uncomment out code and the run pulumi up a couple of minutes after the sql database has been created | |
| azure-ts-sqlserver | azure sql server with firewall rule that toggles Allow Azure services from No to Yes | |
| azure-ts-synapse-workspace | azure datalakestore with synapse sqlpool | |
| azure-ts-synapse-bigdatapool | azure synapse workspace with synapse bigdatapool | |
| azure-ts-serverless-www-HTML | azure static site with StorageAccountStaticWebsite | |
| azure-ts-managedinstance | azure resource group, vnet, subnet1/2 with delegation created. Code for managedinstance is there, do NOT use it when standing up intital stack. Main reason, is that managedinstance takes 3+ hours to stand up. Create managedinstance in azure portal and then import it. | |
| azure-ts-datafactory | azure datafactory with identity set to SystemAssigned | |
| azure-ts-aks-managed-profile | azure aks with aadprofile input enableAzureRBAC toggled | |
| azure-classic-ts-datafactory | azure classic datafactory with identity set to SystemAssigned | |
| azure-go-aks-diagnosticsetting | azure resource group, azuread service principal pinned to 4.3.0, aks, and diagnostic settings and outputs with secret outputs | |
| azure-go-resourcegroup | azure resource group and storage account | |
| azure-go-subscriptionid-from-resourcegroup | azure resource group creating and retrieving subscriptionId | |
| azure-go-sqlserver-loganalytics | sql server database with sql auditing at the database level sent to log analytics in go. Busted due to typo | |
| azure-go-sqlserver-servervulnerabilityassessment | azure sql server with vulnerability assessment requires that Azure Defender for SQL Server turned on at subscription level. Due to Azure Consistency issues, we have to uncomment out code and the run pulumi up a couple of minutes after the sql database has been created. | |
| Example | Description | Cloud & Language |
|---|---|---|
| google-native-py-network-postgres-function | google cloud native - storage bucket & vpc & postgres |  |
| google-native-py-bigquerydatatransfer | google cloud native - storage bucket, google classic - bigquery and service account and data transfer config | |
DataDog
| Example | Description | Cloud & Language |
|---|---|---|
| datadog-py-monitorjson | datadog monitorjson |  |
Pulumi
| Example | Description | Cloud & Language |
|---|---|---|
| pulumi-ts-map-string-string | pulumi with no cloud. output Map<string,string> is empty while console.log shows the value | |
Workshops
| Example | Description | Cloud & Language |
|---|---|---|
| azure-workshop-ts | azure serverless http trigger function workshop in TypeScript | |
Pulumi GitHub Actions Setup (Optional)
We have setup Pulumi GitHub Actions.
-
Located in .github/workflows
-
Pull WorkFlow Files for Python with comments by GitHub actions
-
Pull WorkFlow Files for TypeScript with comments by GitHub actions
-
Pull WorkFlow Files for Go with comments by GitHub actions
- aws, azure, & gcp pull_request_go.yml
-
SuperLinter setup
- super-linter setup
- superlinter.yml -
.github/workflows/superlinter.yml - slim image
- VALIDATE_PYTHON_BLACK turned OFF
- VALIDATE_PYTHON_FLAKE8 turned OFF
- VALIDATE_PYTHON_ISORT turned OFF
- VALIDATE_TYPESCRIPT_STANDARD turned OFF
-
AWS SSO login in for GitHub Actions
- Set thisAWS SESSION TOKEN in pipeline
- Set the token via aws-sso-creds get
-
Removed from githubactions pipeline due to service principal issues even though preview and up work via cli
- azure-ts-keyvault, azure-classic-ts-datalakegen2, azure-classic-ts-datafactory
- azure-py-insights, azure-classic-py-insights, azure-py-aks-diagnosticsetting
