Pulumi

  • setup
  • example new project
  • tips

install & initial setup

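brew install pulumi
# quote the URL: an unquoted "?" is a glob character in zsh
pulumi login 's3://occam-tf-state/pulumi?region=eu-central-1'
# an empty passphrase means stack secrets are encrypted with a key anyone can derive;
# "Using SOPS with Pulumi" below keeps a real passphrase in an encrypted file
export PULUMI_CONFIG_PASSPHRASE=""
printf '\nexport PULUMI_CONFIG_PASSPHRASE=""\n' >> ~/.zshrc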

python - uv

Because that is what I use as my package manager for Python

curl -LsSf https://astral.sh/uv/install.sh | sh

Example project

create project

mkdir pulumi-example
cd $_
pulumi new python
# enter name
# enter description
# use uv
# enter stack name, usually main

add modules

search for "pulumi <something>", open the module's page and take the Python package from there

cloudflare

uv add pulumi-cloudflare
# Add config for module, usually api keys to access provider (cloudflare api key with access to account zones read and dns in zone read/write)
pulumi config set --secret cloudflare:apiToken "${TOKEN}"

import zone or use its string values

hetzner

uv add pulumi-hcloud
# Add config for module, usually api keys to access provider (hetzner project api key)
pulumi config set hcloud:token --secret "${API_KEY}"

import the network and the subnet, and after that use an attach to assign the proper IP

main cli operations

preview (plan)

pulumi preview

up (apply)

pulumi up

show resources with urn

pulumi stack --show-urns

get updates

if some resources were updated manually

pulumi refresh

delete resources with urn

in cases where the import succeeded but some variables were renamed/replaced

pulumi state delete urn:pulumi:main::pulumi-cloudflare::cloudflare:index/zone:Zone::thearchai --force

destroy without protected objects

pulumi destroy --exclude-protected

tips

hetzner network

import pulumi
import pulumi_hcloud as hcloud

import variables  # local module that defines common_ssh_keys and common_labels

reticulum_network = hcloud.Network(
    "reticulum_network",
    ip_range="10.67.0.0/16",
    labels={
        "Name": "Galactica-reticulum",
    },
    name="reticulum",
    opts=pulumi.ResourceOptions(protect=True),
)

reticulum_network_subnet = hcloud.NetworkSubnet(
    "reticulum_network_subnet",
    ip_range="10.67.0.0/24",
    network_id=reticulum_network.id,
    network_zone="eu-central",
    type="cloud",
    opts=pulumi.ResourceOptions(protect=True),
)

safe_server = hcloud.Server(
    "safe_server",
    name="gala-reti-safe",
    image="debian-12",
    server_type="cpx31",
    public_nets=[
        {
            "ipv4_enabled": True,
            "ipv6_enabled": True,
        }
    ],
    location="fsn1",
    ssh_keys=variables.common_ssh_keys,
    labels=variables.common_labels,
)

net_attach = hcloud.ServerNetwork(
    "safe-server-netattach",
    server_id=safe_server.id,
    network_id=reticulum_network.id,
    ip="10.67.0.202",
)

Using SOPS with Pulumi

  • save PULUMI_CONFIG_PASSPHRASE to a sops file

    1. encrypt PULUMI_CONFIG_PASSPHRASE with sops into a file
    2. sops exec-env encrypted-config-file.json 'pulumi preview'
  • save config to a sops file

    sops exec-file sops.yaml 'pulumi up --config-file {}'
    
  • load config from file as resource

    https://sarg.org.ru/blog/pulumi-sops/ -- TypeScript implementation
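
A Python take on the last bullet, added here as an example (it is not code from the linked post or from Pulumi): decrypt a SOPS file in memory with the sops CLI and wrap every value as a Pulumi secret. The file name secrets.enc.json, the function names and the sample values are assumptions.

```python
import json
import subprocess

def sops_decrypt(path):
    """Return the decrypted document as JSON text; plaintext never touches disk."""
    try:
        proc = subprocess.run(
            ["sops", "--decrypt", "--output-type", "json", path],
            capture_output=True, text=True,
        )
    except FileNotFoundError as exc:
        raise RuntimeError("sops binary not found on PATH") from exc
    if proc.returncode != 0:
        raise RuntimeError(f"sops could not decrypt {path}: {proc.stderr.strip()}")
    return proc.stdout

def flatten(tree, prefix=""):
    """Flatten nested mappings to 'a.b' keys so every leaf becomes one secret."""
    flat = {}
    for key, value in tree.items():
        if isinstance(value, dict):
            flat.update(flatten(value, f"{prefix}{key}."))
        else:
            flat[f"{prefix}{key}"] = str(value)
    return flat

def load_secrets(path, decrypt=sops_decrypt):
    """Decrypt `path` and return {dotted_key: plaintext}; `decrypt` is injectable for tests."""
    doc = json.loads(decrypt(path))
    if not isinstance(doc, dict):
        raise ValueError(f"{path}: expected a mapping at the top level")
    return flatten(doc)

def as_pulumi_secrets(values):
    """Wrap each value with Output.secret so Pulumi encrypts it in state and masks it in output."""
    import pulumi  # imported here so the loader can be tested without the Pulumi SDK
    return {key: pulumi.Output.secret(value) for key, value in values.items()}

# Constructed sample of what `sops --decrypt` would print for a hypothetical secrets.enc.json.
SAMPLE_PLAINTEXT = '{"hcloud": {"token": "constructed-hcloud-token"}, "cloudflare": {"apiToken": "constructed-cf-token"}}'

if __name__ == "__main__":
    # Offline demo with the constructed sample; prints key names only, never values.
    print(sorted(load_secrets("secrets.enc.json", decrypt=lambda _path: SAMPLE_PLAINTEXT)))
    # In the stack's __main__.py (needs sops, its key and the Pulumi SDK):
    #   secrets = as_pulumi_secrets(load_secrets("secrets.enc.json"))
    #   provider = hcloud.Provider("hcloud", token=secrets["hcloud.token"])
```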

outputs TBD