Good afternoon bahlobo. Ngokulindela ukuqala kokuhamba okutsha kwinqanaba Sabelana nawe ngenguqulelo entsha. Hamba.
Ukusebenzisa iPulumi kunye neenjongo eziqhelekileyo zeprogram yeelwimi zekhowudi yeziseko zophuhliso (iziseko zophuhliso njengeKhowudi) zibonelela ngeenzuzo ezininzi: ukufumaneka kwezakhono kunye nolwazi, ukupheliswa kwe-boilerplate kwikhowudi ngokukhupha, izixhobo eziqhelekileyo kwiqela lakho, njenge-IDE kunye ne-linters. Zonke ezi zixhobo zobunjineli besoftware azisenzi nje ukuba sivelise ngakumbi, kodwa zikwaphucula umgangatho wekhowudi yethu. Ke ngoko, kungokwemvelo ukuba ukusetyenziswa kweelwimi zenkqubo yenjongo jikelele kusivumela ukuba sazise enye into ebalulekileyo yophuhliso lwesoftware - ukuvavanya.
Kweli nqaku, siza kujonga ukuba iPulumi isinceda njani ukuba sivavanye isiseko sethu njengekhowudi.
Kutheni uvavanyo lweziseko zophuhliso?
Ngaphambi kokuba ungene kwiinkcukacha, kufanelekile ukubuza lo mbuzo: "Kutheni uvavanyo lweziseko zophuhliso konke konke?" Kukho izizathu ezininzi zoku kwaye nazi ezinye zazo:
- Uvavanyo lweyunithi yemisebenzi nganye okanye amaqhekeza engqiqo yenkqubo yakho
- Iqinisekisa ubume obunqwenelekayo beziseko ezingundoqo ngokuchasene nemiqobo ethile.
- Ukufunyanwa kweempazamo eziqhelekileyo, ezifana nokunqongophala kwe-encryption yebhakethi yokugcina okanye ukungakhuselekanga, ukufikelela okuvulekileyo ukusuka kwi-Intanethi ukuya koomatshini benyani.
- Ukujonga ukuphunyezwa kobonelelo lweziseko zophuhliso.
- Ukwenza uvavanyo lwexesha lokusebenza lwengqiqo yesicelo esebenza ngaphakathi kwesiseko sakho "esicwangcisiweyo" ukujonga ukusebenza emva kokunikezelwa.
- Njengoko sibona, kukho uluhlu olubanzi lweendlela zokuvavanya iziseko zophuhliso. I-Polumi ineendlela zokuvavanya kwindawo nganye kule spectrum. Masiqalise kwaye sibone ukuba isebenza njani.
Uvavanyo lweyunithi
Iinkqubo zePulumi zibhalwe kwiilwimi zenkqubo yenjongo ngokubanzi njengeJavaScript, iPython, iTypeScript okanye iGo. Ke ngoko, amandla apheleleyo ezi lwimi, kubandakanywa izixhobo zabo kunye namathala eencwadi, kubandakanywa nezikhokelo zovavanyo, ayafumaneka kubo. I-Pulumi inamafu amaninzi, okuthetha ukuba ingasetyenziselwa uvavanyo kuwo nawuphi na umboneleli welifu.
(Kweli nqaku, nangona sineelwimi ezininzi kunye ne-multicloud, sisebenzisa iJavaScript kunye neMocha kwaye sigxininise kwi-AWS. Ungasebenzisa iPython unittest, Yiya kuvavanyo lwesakhelo, okanye nasiphi na esinye isakhelo sovavanyo osithandayo. Kwaye, ewe, iPulumi isebenza kakuhle ngeAzure, Google Cloud, Kubernetes.)
Njengoko sele sibonile, kukho izizathu ezininzi zokuba kutheni ungafuna ukuvavanya ikhowudi yakho yesiseko. Enye yazo luvavanyo lweyunithi eqhelekileyo. Ngenxa yokuba ikhowudi yakho ingaba nemisebenzi - umzekelo, ukubala i-CIDR, ukubala ngokuguquguqukayo amagama, iithegi, njl. - mhlawumbi uya kufuna ukubavavanya. Oku kuyafana nokubhala iimvavanyo zeyunithi rhoqo kwizicelo ngolwimi lwakho lwenkqubo oluthandayo.
Ukufumana intsonkothe ngakumbi, unokujonga indlela inkqubo yakho eyaba ngayo izibonelelo. Ukwenza umzekelo, masicinge ukuba kufuneka senze iseva ye-EC2 elula kwaye sifuna ukuqiniseka koku kulandelayo:
- Iimeko zinethegi
Name. - Iimeko akufuneki zisebenzise iskripthi esingaphakathi
userData- kufuneka sisebenzise i-AMI (umfanekiso). - Akufuneki kubekho i-SSH evezwe kwi-Intanethi.
Lo mzekelo usekelwe kwi :
index.js:
"use strict";
let aws = require("@pulumi/aws");
let group = new aws.ec2.SecurityGroup("web-secgrp", {
ingress: [
{ protocol: "tcp", fromPort: 22, toPort: 22, cidrBlocks: ["0.0.0.0/0"] },
{ protocol: "tcp", fromPort: 80, toPort: 80, cidrBlocks: ["0.0.0.0/0"] },
],
});
let userData =
`#!/bin/bash
echo "Hello, World!" > index.html
nohup python -m SimpleHTTPServer 80 &`;
let server = new aws.ec2.Instance("web-server-www", {
instanceType: "t2.micro",
securityGroups: [ group.name ], // reference the group object above
ami: "ami-c55673a0" // AMI for us-east-2 (Ohio),
userData: userData // start a simple web server
});
exports.group = group;
exports.server = server;
exports.publicIp = server.publicIp;
exports.publicHostName = server.publicDns;
Le yinkqubo yePulumi esisiseko: yabela nje iqela lokhuseleko leEC2 kunye nomzekelo. Nangona kunjalo, kufuneka kuqatshelwe ukuba apha siphula yonke imigaqo emithathu echazwe ngasentla. Masibhale iimvavanyo!
Ukubhala iimvavanyo
Ubume ngokubanzi bovavanyo lwethu luya kujongeka njengovavanyo oluqhelekileyo lweMocha:
ec2tes.js
test.js:
let assert = require("assert");
let mocha = require("mocha");
let pulumi = require("@pulumi/pulumi");
let infra = require("./index");
describe("Infrastructure", function() {
let server = infra.server;
describe("#server", function() {
// TODO(check 1): Должен быть тэг Name.
// TODO(check 2): Не должно быть inline-скрипта userData.
});
let group = infra.group;
describe("#group", function() {
// TODO(check 3): Не должно быть SSH, открытого в Интернет.
});
});
Ngoku masibhale uvavanyo lwethu lokuqala: qinisekisa ukuba imizekelo inethegi Name. Ukujonga oku sifumana ngokulula into yomzekelo weEC2 kwaye sijonge ipropathi ehambelanayo tags:
// check 1: Должен быть тэг Name.
it("must have a name tag", function(done) {
pulumi.all([server.urn, server.tags]).apply(([urn, tags]) => {
if (!tags || !tags["Name"]) {
done(new Error(`Missing a name tag on server ${urn}`));
} else {
done();
}
});
});Kubonakala ngathi luvavanyo oluqhelekileyo, kodwa luneempawu ezimbalwa ekufuneka ziqatshelwe:
- Ngenxa yokuba sibuza ubume besixhobo ngaphambi kokuba sisetyenziswe, uvavanyo lwethu luhlala luqhutywa “kwisicwangciso” (okanye “sokubona kwangaphambili”) imowudi. Ke, kukho iipropathi ezininzi ezixabiso lazo lingayi kufunyanwa kwakhona okanye lingayi kuchazwa. Oku kubandakanya zonke iipropathi zemveliso ezibalwe ngumboneleli wakho welifu. Oku kuqhelekileyo kwiimvavanyo zethu - sijonga kuphela idatha yegalelo. Siza kubuyela kulo mbandela kamva, xa kuziwa kuvavanyo lokudibanisa.
- Ekubeni zonke iipropathi zePulumi ziziphumo, kwaye ezininzi zazo zivavanywa ngokulinganayo, kufuneka sisebenzise indlela yokufaka ukufikelela kumaxabiso. Oku kufana kakhulu nezithembiso kunye nokusebenza
then. - Kuba sisebenzisa iipropathi ezininzi ukubonisa i-URN yesixhobo kumyalezo wemposiso, kufuneka sisebenzise umsebenzi
pulumi.allukuzidibanisa. - Okokugqibela, kuba la maxabiso abalwa ngokungahambelaniyo, kufuneka sisebenzise i-Mocha eyakhelwe-ngaphakathi i-async callback feature.
doneokanye ukubuyisela isithembiso.
Nje ukuba simise yonke into, siya kuba nofikelelo kumagalelo njengamaxabiso alula weJavaScript. Ipropati tags yimephu (uluhlu oludibeneyo), ngoko ke siza kuqinisekisa ukuba (1) ayibubuxoki, kwaye (2) kukho isitshixo se Name. Kulula kakhulu kwaye ngoku sinokujonga nantoni na!
Ngoku masibhale itshekhi yethu yesibini. Ilula ngakumbi:
// check 2: Не должно быть inline-скрипта userData.
it("must not use userData (use an AMI instead)", function(done) {
pulumi.all([server.urn, server.userData]).apply(([urn, userData]) => {
if (userData) {
done(new Error(`Illegal use of userData on server ${urn}`));
} else {
done();
}
});
});Kwaye ekugqibeleni, masibhale uvavanyo lwesithathu. Oku kuya kuba nzima ngakumbi ngenxa yokuba sijonge imigaqo yokungena ehambelana neqela lokhuseleko, apho kunokubakho ezininzi, kunye ne-CIDR yoluhlu lwaloo migaqo, apho kunokubakho ezininzi. Kodwa sikwazile:
// check 3: Не должно быть SSH, открытого в Интернет.
it("must not open port 22 (SSH) to the Internet", function(done) {
pulumi.all([ group.urn, group.ingress ]).apply(([ urn, ingress ]) => {
if (ingress.find(rule =>
rule.fromPort == 22 && rule.cidrBlocks.find(block =>
block === "0.0.0.0/0"))) {
done(new Error(`Illegal SSH port 22 open to the Internet (CIDR 0.0.0.0/0) on group ${urn}`));
} else {
done();
}
});
});Kuko konke. Ngoku masiqhube iimvavanyo!
Ukuqhuba iimvavanyo
Kwiimeko ezininzi, ungaqhuba iimvavanyo ngendlela eqhelekileyo, usebenzisa isakhelo sovavanyo olukhethileyo. Kodwa kukho uphawu olunye lwePulumi olufanele ukuhoywa.
Ngokuqhelekileyo, ukuqhuba iinkqubo zePulumi, i-pulimi CLI (i-Command Line interface) isetyenzisiwe, ecwangcisa ixesha lokusebenzisa ulwimi, ilawula ukuqaliswa kwe-injini yePulumi ukwenzela ukuba ukusebenza kunye nezixhobo kungabhalwa kwaye kufakwe kwisicwangciso, njl. Nangona kunjalo, kukho ingxaki enye. Xa usebenza phantsi kolawulo lwesakhelo sovavanyo lwakho, akuyi kubakho unxibelelwano phakathi kwe-CLI kunye ne-injini yePulumi.
Ukujongana nale ngxaki, kufuneka sicacise oku kulandelayo:
- Igama leprojekthi, eliqulethwe kuguquguquka kokusingqongileyo
PULUMI_NODEJS_PROJECT(okanye, ngokubanzi,PULUMI__PROJECT для других языков).
Igama lesipaki esixeliweyo kuguquguquko lwemekobumePULUMI_NODEJS_STACK(okanye, ngokubanzi,PULUMI__ STACK).
Izahluko zoqwalaselo lwesitaki sakho. Zinokufunyanwa kusetyenziswa imo eguquguqukayoPULUMI_CONFIGkwaye ifomathi yabo yimephu ye-JSON enezitshixo/ixabiso lezibini.Inkqubo iya kukhupha izilumkiso ezibonisa ukuba uxhumano kwi-CLI / injini ayifumaneki ngexesha lokuphunyezwa. Oku kubalulekile kuba inkqubo yakho ayizukuhambisa nantoni na kwaye inokumangalisa ukuba ayisiyiyo le ubufuna ukuyenza! Ukuxelela uPulumi ukuba yile nto kanye oyifunayo, ungayifaka
PULUMI_TEST_MODEвtrue.Khawucinge ukuba kufuneka sichaze igama leprojekthi
my-ws, igama lesitakidev, kunye neNgingqi ye-AWSus-west-2. Umgca womyalelo wokuqhuba iimvavanyo zeMocha uya kujongeka ngolu hlobo:$ PULUMI_TEST_MODE=true PULUMI_NODEJS_STACK="my-ws" PULUMI_NODEJS_PROJECT="dev" PULUMI_CONFIG='{ "aws:region": "us-west-2" }' mocha tests.jsUkwenza oku, njengoko kulindelekile, kuya kusibonisa ukuba sineemvavanyo ezintathu esingaphumeleliyo!
Infrastructure #server 1) must have a name tag 2) must not use userData (use an AMI instead) #group 3) must not open port 22 (SSH) to the Internet 0 passing (17ms) 3 failing 1) Infrastructure #server must have a name tag: Error: Missing a name tag on server urn:pulumi:my-ws::my-dev::aws:ec2/instance:Instance::web-server-www 2) Infrastructure #server must not use userData (use an AMI instead): Error: Illegal use of userData on server urn:pulumi:my-ws::my-dev::aws:ec2/instance:Instance::web-server-www 3) Infrastructure #group must not open port 22 (SSH) to the Internet: Error: Illegal SSH port 22 open to the Internet (CIDR 0.0.0.0/0) on groupMasilungise inkqubo yethu:
"use strict"; let aws = require("@pulumi/aws"); let group = new aws.ec2.SecurityGroup("web-secgrp", { ingress: [ { protocol: "tcp", fromPort: 80, toPort: 80, cidrBlocks: ["0.0.0.0/0"] }, ], }); let server = new aws.ec2.Instance("web-server-www", { tags: { "Name": "web-server-www" }, instanceType: "t2.micro", securityGroups: [ group.name ], // reference the group object above ami: "ami-c55673a0" // AMI for us-east-2 (Ohio), }); exports.group = group; exports.server = server; exports.publicIp = server.publicIp; exports.publicHostName = server.publicDns;Uze uqhube iimvavanyo kwakhona:
Infrastructure #server ✓ must have a name tag ✓ must not use userData (use an AMI instead) #group ✓ must not open port 22 (SSH) to the Internet 3 passing (16ms)Yonke into yahamba kakuhle... Hurray! ✓✓✓
Kuphelele apho namhlanje, kodwa siza kuthetha ngovavanyo lokuthunyelwa kwinxalenye yesibini yenguqulelo 😉
umthombo: www.habr.com