pulumi 火山引擎服务示例

pulumi

Pulumi 是一个开源工具,用于配置和管理云基础架构和资源。

安装

https://www.pulumi.com/docs/iac/download-install/

pulumi 火山引擎使用

Pulumi 是一个开源工具,用于配置和管理云基础架构和资源。

火山引擎 详细参考

https://www.pulumi.com/registry/packages/volcengine

创建 postgres 使用 python 代码示例

初始化, 也可以手动 pip 安装 pulumi

# Scaffold a Python Pulumi project; the template creates the venv activated below.
mkdir volcengine && cd volcengine
pulumi new python
source venv/bin/activate
pip install pulumi-volcengine

# Provider credentials. --secret stores the value encrypted in the stack config
# rather than in plaintext; keep real keys out of shell history when pasting them.
pulumi config set volcengine:accessKey <your_secret_id> --secret
pulumi config set volcengine:secretKey <your_secret_key> --secret
# Provider region. The PostgreSQL example below uses cn-shanghai-a zones and a
# cn-shanghai subnet, so this must match the region the instance will live in.
pulumi config set volcengine:region cn-beijing # cn-shanghai

postgres

创建

import pulumi
import pulumi_volcengine as volcengine


# Primary and secondary node are placed in the same zone in this example.
# NOTE(review): for real HA, spreading them across zones is worth confirming
# against the provider docs.
_ZONE = "cn-shanghai-a"

# PostgreSQL server parameters applied at creation time (name -> value).
_PG_PARAMETERS = {
    "auto_explain.log_analyze": "off",
    "auto_explain.log_format": "text",
}

# Create a PostgreSQL 14 HA instance (pay-as-you-go) in the given subnet.
foo_instance = volcengine.rds_postgresql.Instance(
    "fooInstance",
    db_engine_version="PostgreSQL_14",
    node_spec="rds.postgres.1c2g",
    primary_zone_id=_ZONE,
    secondary_zone_id=_ZONE,
    storage_space=40,
    # Subnet id from the original example; replace with one from your own VPC.
    subnet_id="subnet-22jqp154rgum87r2qr1lfsh2i",
    instance_name="test-1",
    charge_info=volcengine.rds_postgresql.InstanceChargeInfoArgs(
        charge_type="PostPaid",
    ),
    project_name="default",
    tags=[
        volcengine.rds_postgresql.InstanceTagArgs(key="tfk1", value="tfv1"),
    ],
    parameters=[
        volcengine.rds_postgresql.InstanceParameterArgs(name=name, value=value)
        for name, value in _PG_PARAMETERS.items()
    ],
)

# Export the whole resource so `pulumi up` prints its attributes (id, endpoints, ...).
pulumi.export("foo_instance", foo_instance)

创建

# Shows a preview of the resources to create and applies it after confirmation.
pulumi up

查看已有实例信息

import pulumi
import pulumi_volcengine as volcengine

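# Name and ID of the instance to look up. The ID is the `id` field printed by
# the creation example above (e.g. "postgres-xxxx").
instance_name = "test-1"
instance_id = "xxxx"  # replace with the ID from the creation step

# Read the existing PostgreSQL instance into this stack.
# The creation example and its exported URN
# (`volcengine:rds_postgresql/instance:Instance`) use the rds_postgresql module;
# `volcengine.rds.Instance` is a different resource type, so the lookup must use
# the same module as the create step.
existing_instance = volcengine.rds_postgresql.Instance.get(instance_name, instance_id)

# Export selected attributes plus the whole object for inspection.
# Stack outputs are visible to everyone who can read the stack; the full export
# includes endpoint addresses, so export only what is needed in shared stacks.
pulumi.export("instance_name", existing_instance.instance_name)
pulumi.export("instance_id", existing_instance.id)
pulumi.export("instance_type", existing_instance.instance_type)
pulumi.export("db_engine_version", existing_instance.db_engine_version)
pulumi.export("all", existing_instance)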

执行

# Preview and apply; the exported values are printed as stack outputs.
pulumi up

返回信息

- postgres_instance_id: {
- backup_use : 0
- charge_details : [
- [0]: {
- auto_renew : false
- charge_end_time : ""
- charge_start_time : "2024-01-21T07:52:50.000Z"
- charge_status : "Normal"
- charge_type : "PostPaid"
- overdue_reclaim_time : ""
- overdue_time : ""
- period : 0
- period_unit : "Month"
- temp_modify_end_time : ""
- temp_modify_start_time: ""
}
]
- charge_info : {
- auto_renew : false
- charge_type: "PostPaid"
- period : 0
- period_unit: "Month"
}
- create_time : "2024-01-21T07:52:50.000Z"
- data_sync_mode : "Async"
- db_engine_version: "PostgreSQL_14"
- endpoints : [
- [0]: {
- addresses : [
- [0]: {
- dns_visibility: false
- domain : "postgres143ad36e6258.rds-pg.ivolces.com"
- eip_id : ""
- ip_address : ""
- network_type : "Private"
- port : "5432"
- subnet_id : "subnet-xxxx"
}
]
- auto_add_new_nodes : "Enable"
- description : ""
- enable_read_only : "Disable"
- enable_read_write_splitting: "Disable"
- endpoint_id : "postgres-143ad36e6258-cluster"
- endpoint_name : "默认终端"
- endpoint_type : "Cluster"
- read_only_node_weights : [
- [0]: {
- node_id : ""
- node_type: "Primary"
- weight : 300
}
]
- read_write_mode : "ReadWrite"
}
]
- id : "postgres-143ad36e6258"
- instance_id : "postgres-143ad36e6258"
- instance_name : "test-1"
- instance_status : "Running"
- instance_type : "HA"
- memory : 2
- node_number : 2
- node_spec : "rds.postgres.1c2g"
- nodes : [
- [0]: {
- create_time: "2024-01-21T07:52:50.000Z"
- instance_id: "postgres-143ad36e6258"
- memory : 2
- node_id : "postgres-143ad36e6258-cxhr"
- node_spec : "rds.postgres.1c2g"
- node_status: "Running"
- node_type : "Secondary"
- region_id : "cn-shanghai"
- update_time: ""
- v_cpu : 0
- zone_id : "cn-shanghai-a"
}
- [1]: {
- create_time: "2024-01-21T07:52:50.000Z"
- instance_id: "postgres-143ad36e6258"
- memory : 2
- node_id : "postgres-143ad36e6258"
- node_spec : "rds.postgres.1c2g"
- node_status: "Running"
- node_type : "Primary"
- region_id : "cn-shanghai"
- update_time: ""
- v_cpu : 0
- zone_id : "cn-shanghai-a"
}
]
- parameters : [
- [0]: {
- name : "auto_explain.log_format"
- value: "text"
}
- [1]: {
- name : "auto_explain.log_analyze"
- value: "off"
}
]
- primary_zone_id : "cn-shanghai-a"
- project_name : "default"
- region_id : "cn-shanghai"
- secondary_zone_id: "cn-shanghai-a"
- storage_space : 40
- storage_type : "LocalSSD"
- subnet_id : "subnet-xxxx"
- tags : [
- [0]: {
- key : "tfk1"
- value: "tfv1"
}
]
- update_time : "2024-01-21T07:55:52.000Z"
- urn : "urn:pulumi:dev::volc-postgres::volcengine:rds_postgresql/instance:Instance::fooInstance"
- v_cpu : <null>
- vpc_id : "vpc-xxxx"
- zone_id : "cn-shanghai-a"
- zone_ids : [
- [0]: "cn-shanghai-a"
]
}

删除

# Deletes every resource in the stack (including the database and its data) after a preview and confirmation.
pulumi destroy

iam

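"""Volcengine IAM user and user-group management.

This Pulumi program manages IAM users and user groups on Volcengine:
- creates one user group each for the product, development and ops teams
- creates users and attaches them to every group they belong to
- configures console login (password) and/or an API access key per user
- attaches system policies to each team's user group
"""

import os

import pulumi
import pulumi_volcengine as volcengine

# Accepted values for the per-user "auth_type" field.
#   "password"   - console login only
#   "access_key" - API access key only
#   "both"       - console login and access key
#   "none"       - neither (group membership only)
VALID_AUTH_TYPES = {"password", "access_key", "both", "none"}

# Initial password for users whose entry has no "password" key. It is shared
# across those users, so every password login below forces a change on first use.
DEFAULT_PASSWORD = "DefaultPassword123!"

# Per-user configuration.
#   teams:        list of team keys (see TEAM_GROUPS); a user may belong to several
#   display_name: human-readable name shown in the console
#   user_name:    IAM user name, also used as the Pulumi resource name
#   auth_type:    one of VALID_AUTH_TYPES
#   password:     optional; DEFAULT_PASSWORD is used when absent
# NOTE(review): passwords are committed in source here. Prefer setting them with
# `pulumi config set --secret` and reading them via pulumi.Config().require_secret().
USER_CONFIG = [
    {"teams": ["product"], "display_name": "产品经理-张三", "user_name": "prod1", "auth_type": "password"},
    {"teams": ["development"], "display_name": "开发工程师-李四", "user_name": "dev1", "auth_type": "both", "password": "Dev2024@Li4"},
    {"teams": ["development"], "display_name": "开发工程师-王五", "user_name": "dev2", "auth_type": "both", "password": "Dev2024@Wang5"},
    {"teams": ["development", "ops"], "display_name": "开发工程师-赵六", "user_name": "dev3", "auth_type": "both"},
    {"teams": ["development"], "display_name": "开发工程师-孙七", "user_name": "dev4", "auth_type": "both"},
    {"teams": ["product", "development"], "display_name": "产品经理-周八", "user_name": "prod2", "auth_type": "none"},
    {"teams": ["ops"], "display_name": "运维工程师-吴九", "user_name": "ops1", "auth_type": "access_key"},
    {"teams": ["ops", "development"], "display_name": "运维工程师-郑十", "user_name": "ops2", "auth_type": "access_key"},
]

# Per-team user group: description, display name and the IAM group name.
TEAM_GROUPS = {
    "product": {
        "description": "产品团队用户组 - 用于管理产品团队成员的权限",
        "display_name": "产品团队",
        "user_group_name": "product-group",
    },
    "development": {
        "description": "开发团队用户组 - 用于管理开发团队成员的权限",
        "display_name": "开发团队",
        "user_group_name": "dev-group",
    },
    "ops": {
        "description": "运维团队用户组 - 用于管理运维团队成员的权限",
        "display_name": "运维团队",
        "user_group_name": "ops-group",
    },
}

# System policies attached to each team's group, as (pulumi resource name, policy name).
# Resource names are spelled out so they stay identical to earlier deployments and
# existing attachments are not replaced.
TEAM_POLICIES = {
    # Product: read-only access plus full access to the ticket system.
    "product": [
        ("product-readonlyaccess-policy", "ReadOnlyAccess"),
        ("product-ticketfullaccess-policy", "TicketFullAccess"),
    ],
    # Development: read-only access, full container-service (VKE) access, tickets.
    "development": [
        ("development-readonlyaccess-policy", "ReadOnlyAccess"),
        ("development-vkeinnerfullaccess-policy", "VKEInnerFullAccess"),
        ("development-ticketfullaccess-policy", "TicketFullAccess"),
    ],
    # Ops: full administrator access.
    # NOTE(review): AdministratorAccess grants every permission in the account;
    # scope this down to the services ops actually operates where possible.
    "ops": [
        ("ops-administrator-policy", "AdministratorAccess"),
    ],
}

# Directory the provider writes each user's secret access key into.
# The files hold plaintext credentials, so the directory is created owner-only
# (mode is subject to umask and is not re-applied to a pre-existing directory).
# Keep it out of version control.
SECRET_DIR = "./secrets"
os.makedirs(SECRET_DIR, mode=0o700, exist_ok=True)

# One IAM user group per team, keyed by team name.
team_user_groups = {
    team_name: volcengine.iam.UserGroup(
        group_config["user_group_name"],
        description=group_config["description"],
        display_name=group_config["display_name"],
        user_group_name=group_config["user_group_name"],
    )
    for team_name, group_config in TEAM_GROUPS.items()
}

# Users, their credentials and their group memberships.
iam_users = []
for user_info in USER_CONFIG:
    user_name = user_info["user_name"]
    auth_type = user_info["auth_type"]
    # Fail early instead of silently creating a user with no credentials on a typo.
    if auth_type not in VALID_AUTH_TYPES:
        raise ValueError(f"unknown auth_type {auth_type!r} for user {user_name!r}")

    iam_user = volcengine.iam.User(
        user_name,
        display_name=user_info["display_name"],
        user_name=user_name,
    )
    iam_users.append(iam_user)

    if auth_type in ("password", "both"):
        # Output.secret marks the value so it is encrypted in the stack state
        # instead of being stored as plaintext.
        password = pulumi.Output.secret(user_info.get("password", DEFAULT_PASSWORD))
        volcengine.iam.LoginProfile(
            f"{user_name}-login",
            user_name=iam_user.user_name,
            password=password,
            login_allowed=True,
            # The initial password is known to whoever ran this program (and is
            # shared for users without an explicit one), so a change on first
            # login is required. The original set this to False while documenting
            # the opposite.
            password_reset_required=True,
        )

    if auth_type in ("access_key", "both"):
        volcengine.iam.AccessKey(
            f"{user_name}-ak",
            user_name=iam_user.user_name,
            # The provider writes the secret key to this file (see SECRET_DIR).
            secret_file=os.path.join(SECRET_DIR, f"{user_name}.sk"),
            status="active",
        )

    # Attach the user to every team group it belongs to. An unknown team name
    # raises KeyError here, which is the intended failure mode.
    for team_name in user_info["teams"]:
        volcengine.iam.UserGroupAttachment(
            f"{user_name}-{team_name}-group",
            user_group_name=team_user_groups[team_name].user_group_name,
            user_name=iam_user.user_name,
        )

# Policy attachments, in TEAM_POLICIES order (product, development, ops).
team_policies = [
    volcengine.iam.UserGroupPolicyAttachment(
        resource_name,
        user_group_name=team_user_groups[team_name].user_group_name,
        policy_name=policy_name,
        policy_type="System",
    )
    for team_name, policies in TEAM_POLICIES.items()
    for resource_name, policy_name in policies
]

# Export the created groups, users and applied policies for reference.
pulumi.export('user_groups', {name: group.user_group_name for name, group in team_user_groups.items()})
pulumi.export('users', [user.user_name for user in iam_users])
pulumi.export('applied_policies', [policy.policy_name for policy in team_policies])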