https://github.com/kjenney/pulumi-bootstrap
To Deploy Infrastructure on AWS using Pulumi while keeping secrets encrypted in code.
- Host: GitHub
- URL: https://github.com/kjenney/pulumi-bootstrap
- Owner: kjenney
- Created: 2021-09-04T15:16:57.000Z (almost 4 years ago)
- Default Branch: main
- Last Pushed: 2021-10-13T02:56:22.000Z (over 3 years ago)
- Last Synced: 2023-08-12T18:08:56.531Z (almost 2 years ago)
- Topics: pulumi, pulumi-aws, secrets
- Language: Python
- Homepage:
- Size: 131 KB
- Stars: 5
- Watchers: 2
- Forks: 0
- Open Issues: 0
Metadata Files:
- Readme: README.md
README
# pulumi-bootstrap
## What is this for?
To Deploy Infrastructure on AWS using Pulumi while keeping secrets encrypted in code.
---
## Why do we do this?
Because we expect that our infrastructure and secrets will otherwise get out of control. Keeping secrets encrypted in code lets us audit, rotate, version, and test them. Pulumi lets us express stacks in ordinary code, so they stay highly extensible.
---
## What do we use?
* [Pulumi](https://www.pulumi.com/)
* [Pulumi's Automation API](https://www.pulumi.com/docs/guides/automation-api/)
* [AWS](https://aws.amazon.com/)
* [Python](https://www.python.org/)
* [KMS](https://aws.amazon.com/kms/)
* [AWS CLI](https://aws.amazon.com/cli/)
* [aws-vault (*Optional*)](https://github.com/99designs/aws-vault)
---
## What do you need to get started?
1. At least one AWS Account
1. At least one IAM user per AWS account
1. Python 3 installed locally
1. The AWS CLI installed locally
1. A method to securely pass IAM credentials to a Python script (we recommend using [aws-vault](https://github.com/99designs/aws-vault))
1. A Pulumi CLI installation ([v3.0.0](https://www.pulumi.com/docs/get-started/install/versions/) or later)
---
## How do you get started?
Once you've got all the prerequisites taken care of you'll need to provision the following resources:
1. An S3 Bucket to be used for keeping Pulumi state
1. An IAM role to assume in order to access the bucket
1. A KMS key for encrypting secrets in state that one or more IAM users have access to
1. An encryption key for encrypting secrets in Git

To provision all of these things we'll use the Pulumi service without the Automation API.
If you want to allow one or more IAM users to assume the bucket role, set `iam_users` to `true` and list their ARNs under `iam.users`. There are examples below.
`iam_name` will be the name of both the IAM role and the IAM policy granting access to the bucket.
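As an added example (not code from the pulumi-bootstrap repository), here is how a Pulumi Python program for the `shared-state` stack could turn the config keys above into the two IAM policy documents it needs: the trust policy of the role named by `iam_name`, limited to the `iam.users` ARNs, and the policy granting that role access to `bucket_name`. The ARN validation and the S3 action set are assumptions of mine, not the project's.

```python
import re

# Only IAM *user* ARNs are trusted by the bucket role (assumption: the
# `iam.users` entries are user ARNs, as in the README examples above).
IAM_USER_ARN = re.compile(r"^arn:aws:iam::\d{12}:user/[\w+=,.@/-]+$")


def trusted_users(config):
    """IAM user ARNs the bucket role may trust, taken from the stack config.

    `config` is the stack config as a dict: `iam_users` is the string
    "true"/"false" and `iam.users` is the list set with `--path`.
    """
    if str(config.get("iam_users", "false")).lower() != "true":
        return []
    users = config.get("iam", {}).get("users", [])
    if not users:
        raise ValueError("iam_users is true but iam.users lists no IAM users")
    bad = [u for u in users if not IAM_USER_ARN.match(u)]
    if bad:
        raise ValueError(f"not IAM user ARNs: {bad}")
    return list(users)


def assume_role_policy(user_arns):
    """Trust policy for the role named by `iam_name`: only listed users may assume it."""
    if not user_arns:
        raise ValueError("a trust policy needs at least one principal")
    return {
        "Version": "2012-10-17",
        "Statement": [{"Effect": "Allow",
                       "Principal": {"AWS": list(user_arns)},
                       "Action": "sts:AssumeRole"}],
    }


def bucket_access_policy(bucket_name):
    """Permissions the role gets on the state bucket (assumed minimal set for Pulumi)."""
    bucket_arn = f"arn:aws:s3:::{bucket_name}"
    return {
        "Version": "2012-10-17",
        "Statement": [
            {"Effect": "Allow", "Action": ["s3:ListBucket", "s3:GetBucketLocation"],
             "Resource": bucket_arn},
            {"Effect": "Allow", "Action": ["s3:GetObject", "s3:PutObject", "s3:DeleteObject"],
             "Resource": f"{bucket_arn}/*"},
        ],
    }
```

In the Pulumi program each document is serialized with `json.dumps` and passed to `aws.iam.Role(assume_role_policy=...)` and `aws.iam.Policy(policy=...)` respectively.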
## Create S3 Shared State with IAM permissions
We'll start out by deploying the required resources in a single AWS account. If you want to allow users in other AWS accounts to access the bucket, check out the [Next Steps](#next-steps).
1. Change into the `shared-state` directory:
   ```shell
   cd shared-state
   ```
1. Create a new stack in your account (you will be prompted for a stack name):
   ```shell
   pulumi stack init
   ```
1. Set configuration options for the stack. Change the values to meet your needs.
   Required:
   ```shell
   pulumi config set bucket_name my-pulumi-state
   pulumi config set iam_users true
   pulumi config set iam_name AccessPulumiStateBucket
   ```
   Optional (quote the path so the shell does not treat the brackets as a glob):
   ```shell
   pulumi config set --path 'iam.users[0]' arn:aws:iam::213597402033:user/user1
   pulumi config set --path 'iam.users[1]' arn:aws:iam::213597402033:user/user2
   ```

To provision the resources you need to run:
```shell
pulumi up
```
or
```shell
aws-vault exec {{some-profile}} -- pulumi up
```
## Secrets
Secrets are in their own stack. See the README.md at `infra/secrets` for more details on how to manage your environment secrets.
## Deploying CodePipeline
CodePipeline is used to deploy all of the infrastructure in our environment - including updating itself.
There are a number of dependencies for deploying CodePipeline with CodeBuild projects, and each lives in its own stack. For example, `pipeline-iam` is a stack that creates the IAM roles and policies that allow the CodeBuild projects deploying infrastructure to do what they need to do.
## Deploying VPC
* Requires a `/16` CIDR