Sanibonani ntambama bangane. Ngokulindele ukuqala kokugeleza okusha ngenani Sabelana nawe ngokuhumusha okusha. Hamba.
Ukusebenzisa i-Pulumi nezilimi zokuhlela ezihloselwe jikelele zekhodi yengqalasizinda (Ingqalasizinda njengeKhodi) kunikeza izinzuzo eziningi: ukutholakala kwamakhono nolwazi, ukuqedwa kwe-boilerplate kukhodi ngokukhipha, amathuluzi ajwayelekile eqenjini lakho, njengama-IDE nama-linter. Wonke lawa mathuluzi wobunjiniyela besofthiwe akasenzi nje kuphela ukuthi sikhiqize kakhudlwana, kodwa futhi athuthukisa ikhwalithi yekhodi yethu. Ngakho-ke, kungokwemvelo ukuthi ukusetshenziswa kwezilimi zohlelo ezijwayelekile kusivumela ukuthi sethule omunye umkhuba obalulekile wokuthuthukisa isoftware - ukuhlola.
Kulesi sihloko, sizobheka ukuthi iPulumi isisiza kanjani ukuthi sihlole ingqalasizinda yethu njengekhodi.
Kungani kuhlolwa ingqalasizinda?
Ngaphambi kokungena ngemininingwane, kufanelekile ukubuza lo mbuzo: "Kungani kuhlolwa ingqalasizinda?" Kunezizathu eziningi zalokhu futhi nazi ezinye zazo:
- Ukuhlolwa kweyunithi yemisebenzi ngayinye noma izingcezwana zohlelo lwakho lokusebenza
- Iqinisekisa isimo esifiswayo sengqalasizinda ngokumelene nezingqinamba ezithile.
- Ukutholwa kwamaphutha avamile, njengokuntuleka kokubethela kwebhakede lesitoreji noma okungavikelwe, ukufinyelela okuvulekile kusuka ku-inthanethi kuya emishinini ebonakalayo.
- Ukuhlola ukuqaliswa kokuhlinzekwa kwengqalasizinda.
- Yenza ukuhlola kwesikhathi sokusebenza sohlelo lokusebenza olusebenza ngaphakathi kwengqalasizinda yakho "ehleliwe" ukuze kuhlolwe ukusebenza ngemva kokuhlinzekwa.
- Njengoba sibona, kunohlu olubanzi lwezinketho zokuhlola ingqalasizinda. I-Polumi inezindlela zokuhlola kuzo zonke izindawo kulo mkhakha. Ake siqale sibone ukuthi kusebenza kanjani.
Ukuhlolwa kweyunithi
Izinhlelo zePulumi zibhalwa ngezilimi zokuhlela ezisetshenziselwa inhloso ejwayelekile njengeJavaScript, Python, TypeScript noma Go. Ngakho-ke, amandla aphelele alezi zilimi, okuhlanganisa amathuluzi azo nemitapo yolwazi, okuhlanganisa nezinhlaka zokuhlola, ayatholakala kubo. I-Pulumi inamafu amaningi, okusho ukuthi ingasetshenziselwa ukuhlolwa kunoma yimuphi umhlinzeki wamafu.
(Kulesi sihloko, naphezu kokuba ngezilimi eziningi namafu amaningi, sisebenzisa i-JavaScript ne-Mocha futhi sigxile ku-AWS. Ungasebenzisa i-Python unittest, Hamba uhlaka lokuhlola, nanoma yiluphi olunye uhlaka lokuhlola oluthandayo. Futhi, kunjalo, iPulumi isebenza kahle nge-Azure, Google Cloud, Kubernetes.)
Njengoba sesibonile, kunezizathu ezimbalwa zokuthi kungani ungase ufune ukuhlola ikhodi yakho yengqalasizinda. Enye yazo ukuhlolwa kweyunithi evamile. Ngoba ikhodi yakho ingase ibe nemisebenzi - isibonelo, ukubala i-CIDR, ukubala amagama, amathegi, njll. - cishe uzofuna ukuwahlola. Lokhu kuyafana nokubhala izivivinyo zeyunithi ezijwayelekile zezinhlelo zokusebenza ngolimi lwakho oluthandayo lokuhlela.
Ukuze uthole inkimbinkimbi, ungabheka ukuthi uhlelo lwakho luzaba kanjani izinsiza. Ukufanekisa, ake sicabange ukuthi sidinga ukwakha iseva ye-EC2 elula futhi sifuna ukuqiniseka ngokulandelayo:
- Izimo zinethegi
Name. - Izimo akufanele zisebenzise iskripthi esisemgqeni
userData- Kumelwe sisebenzise i-AMI (isithombe). - Akufanele kube khona i-SSH evezwe ku-inthanethi.
Lesi sibonelo sisekelwe ku :
index.js:
"use strict";
let aws = require("@pulumi/aws");
let group = new aws.ec2.SecurityGroup("web-secgrp", {
ingress: [
{ protocol: "tcp", fromPort: 22, toPort: 22, cidrBlocks: ["0.0.0.0/0"] },
{ protocol: "tcp", fromPort: 80, toPort: 80, cidrBlocks: ["0.0.0.0/0"] },
],
});
let userData =
`#!/bin/bash
echo "Hello, World!" > index.html
nohup python -m SimpleHTTPServer 80 &`;
let server = new aws.ec2.Instance("web-server-www", {
instanceType: "t2.micro",
securityGroups: [ group.name ], // reference the group object above
ami: "ami-c55673a0" // AMI for us-east-2 (Ohio),
userData: userData // start a simple web server
});
exports.group = group;
exports.server = server;
exports.publicIp = server.publicIp;
exports.publicHostName = server.publicDns;
Lolu wuhlelo oluyisisekelo lwePulumi: ivele yabele iqembu lezokuphepha le-EC2 kanye nesibonelo. Nokho-ke kufanele kuqashelwe ukuthi lapha sephula yomithathu imithetho eshiwo ngenhla. Masibhale izivivinyo!
Ukubhala izivivinyo
Ukwakheka okujwayelekile kokuhlolwa kwethu kuzobukeka njengokuhlolwa okujwayelekile kwe-Mocha:
ec2tes.js
test.js:
let assert = require("assert");
let mocha = require("mocha");
let pulumi = require("@pulumi/pulumi");
let infra = require("./index");
describe("Infrastructure", function() {
let server = infra.server;
describe("#server", function() {
// TODO(check 1): Должен быть тэг Name.
// TODO(check 2): Не должно быть inline-скрипта userData.
});
let group = infra.group;
describe("#group", function() {
// TODO(check 3): Не должно быть SSH, открытого в Интернет.
});
});
Manje ake sibhale ukuhlola kwethu kokuqala: qiniseka ukuthi izimo zinethegi Name. Ukuhlola lokhu sivele sithole into eyisibonelo ye-EC2 futhi sihlole impahla ehambisanayo tags:
// check 1: Должен быть тэг Name.
it("must have a name tag", function(done) {
pulumi.all([server.urn, server.tags]).apply(([urn, tags]) => {
if (!tags || !tags["Name"]) {
done(new Error(`Missing a name tag on server ${urn}`));
} else {
done();
}
});
});Kubukeka njengokuhlola okuvamile, kodwa kunezici ezimbalwa okufanele wazi:
- Ngoba sibuza isimo sensiza ngaphambi kokuthi sisetshenziswe, ukuhlola kwethu kuhlala kwenziwa ngemodi "yohlelo" (noma "yokuhlola kuqala"). Ngakho-ke, kunezindawo eziningi amanani azo angeke aphinde atholakale noma angeke achazwe. Lokhu kubandakanya zonke izici zokukhiphayo ezibalwe umhlinzeki wakho wamafu. Lokhu kuvamile ezivivinyweni zethu - sihlola kuphela idatha yokufaka. Sizobuyela kulolu daba ngokuhamba kwesikhathi, uma kuziwa ekuhlolweni kokuhlanganisa.
- Njengoba zonke izakhiwo zensiza ye-Pulumi ziyimiphumela, futhi eziningi zazo zihlolwa ngokuhambisanayo, sidinga ukusebenzisa indlela yokufaka ukuze sifinyelele amanani. Lokhu kufana kakhulu nezithembiso nokusebenza
then. - Njengoba sisebenzisa izici ezimbalwa ukuze sibonise i-URN yensiza kumlayezo wephutha, sidinga ukusebenzisa umsebenzi
pulumi.allukuzihlanganisa. - Okokugcina, njengoba la manani abalwa ngendlela efanayo, sidinga ukusebenzisa isici sikaMocha esakhelwe ngaphakathi sokuphinda ushayele i-async.
donenoma ukubuyisela isithembiso.
Uma sesimise yonke into, sizokwazi ukufinyelela okokufaka njengamavelu alula we-JavaScript. Impahla tags imephu (associative array), ngakho-ke sizokwenza isiqiniseko sokuthi (1) akuwona amanga, futhi (2) kukhona ukhiye we Name. Kulula kakhulu futhi manje singahlola noma yini!
Manje ake sibhale isheke lethu lesibili. Kulula nakakhulu:
// check 2: Не должно быть inline-скрипта userData.
it("must not use userData (use an AMI instead)", function(done) {
pulumi.all([server.urn, server.userData]).apply(([urn, userData]) => {
if (userData) {
done(new Error(`Illegal use of userData on server ${urn}`));
} else {
done();
}
});
});Futhi ekugcineni, ake sibhale isivivinyo sesithathu. Lokhu kuzoba yinkimbinkimbi kakhulu ngoba sifuna imithetho yokungena ehlotshaniswa neqembu lezokuphepha, okungaba khona abaningi, futhi ububanzi be-CIDR kuleyo mithetho, okungaba khona futhi eminingi. Kodwa sikwazile:
// check 3: Не должно быть SSH, открытого в Интернет.
it("must not open port 22 (SSH) to the Internet", function(done) {
pulumi.all([ group.urn, group.ingress ]).apply(([ urn, ingress ]) => {
if (ingress.find(rule =>
rule.fromPort == 22 && rule.cidrBlocks.find(block =>
block === "0.0.0.0/0"))) {
done(new Error(`Illegal SSH port 22 open to the Internet (CIDR 0.0.0.0/0) on group ${urn}`));
} else {
done();
}
});
});Yilokho kuphela. Manje ake senze izivivinyo!
Ukuhlola okusebenzayo
Ezimweni eziningi, ungaqhuba izivivinyo ngendlela evamile, usebenzisa uhlaka lokuhlola oluthandayo. Kodwa kunesici esisodwa sePulumi okufanele sinake.
Ngokuvamile, ukuze kuqhutshwe izinhlelo zePulumi, i-pulimi CLI (Command Line interface) isetshenziswa, elungisa isikhathi sokusebenza solimi, ilawula ukwethulwa kwenjini yePulumi ukuze ukusebenza ngezinsiza kuqoshwe futhi kufakwe ohlelweni, njll. Nokho, kunenkinga eyodwa. Uma usebenza ngaphansi kolawulo lohlaka lwakho lokuhlola, ngeke kube khona ukuxhumana phakathi kwe-CLI nenjini yePulumi.
Ukuze sibhekane nalolu daba, sidinga nje ukucacisa okulandelayo:
- Igama lephrojekthi, eliqukethwe kokuguquguquka kwemvelo
PULUMI_NODEJS_PROJECT(noma, ngokuvamile,PULUMI__PROJECT для других языков).
Igama lesitaki elicaciswe kokuguquguquka kwemveloPULUMI_NODEJS_STACK(noma, ngokuvamile,PULUMI__ STACK).
Okuguquguqukayo kokucushwa kwesitaki sakho. Angatholakala kusetshenziswa i-variable yemveloPULUMI_CONFIGfuthi ifomethi yawo iyimephu ye-JSON enokhiye/inani ngamapheya.Uhlelo luzokhipha izexwayiso ezibonisa ukuthi ukuxhumeka ku-CLI/injini akutholakali ngesikhathi sokusetshenziswa. Lokhu kubalulekile ngoba uhlelo lwakho empeleni ngeke lukhiphe lutho futhi kungase kumangaze uma kungeyona into obuhlose ukuyenza leyo! Ukutshela uPulumi ukuthi lokhu yikho kanye okudingayo, ungafaka
PULUMI_TEST_MODEвtrue.Cabanga ukuthi sidinga ukucacisa igama lephrojekthi
my-ws, igama lesitakidev, kanye nesifunda se-AWSus-west-2. Umugqa womyalo wokusebenzisa izivivinyo ze-Mocha uzobukeka kanje:$ PULUMI_TEST_MODE=true PULUMI_NODEJS_STACK="my-ws" PULUMI_NODEJS_PROJECT="dev" PULUMI_CONFIG='{ "aws:region": "us-west-2" }' mocha tests.jsUkwenza lokhu, njengoba kulindelekile, kuzosibonisa ukuthi sinezivivinyo ezintathu ezafeyila!
Infrastructure #server 1) must have a name tag 2) must not use userData (use an AMI instead) #group 3) must not open port 22 (SSH) to the Internet 0 passing (17ms) 3 failing 1) Infrastructure #server must have a name tag: Error: Missing a name tag on server urn:pulumi:my-ws::my-dev::aws:ec2/instance:Instance::web-server-www 2) Infrastructure #server must not use userData (use an AMI instead): Error: Illegal use of userData on server urn:pulumi:my-ws::my-dev::aws:ec2/instance:Instance::web-server-www 3) Infrastructure #group must not open port 22 (SSH) to the Internet: Error: Illegal SSH port 22 open to the Internet (CIDR 0.0.0.0/0) on groupMasilungise uhlelo lwethu:
"use strict"; let aws = require("@pulumi/aws"); let group = new aws.ec2.SecurityGroup("web-secgrp", { ingress: [ { protocol: "tcp", fromPort: 80, toPort: 80, cidrBlocks: ["0.0.0.0/0"] }, ], }); let server = new aws.ec2.Instance("web-server-www", { tags: { "Name": "web-server-www" }, instanceType: "t2.micro", securityGroups: [ group.name ], // reference the group object above ami: "ami-c55673a0" // AMI for us-east-2 (Ohio), }); exports.group = group; exports.server = server; exports.publicIp = server.publicIp; exports.publicHostName = server.publicDns;Bese uphinda uhlola futhi:
Infrastructure #server ✓ must have a name tag ✓ must not use userData (use an AMI instead) #group ✓ must not open port 22 (SSH) to the Internet 3 passing (16ms)Konke kuhambe kahle... Hurray! ✓✓✓
Yilokho kuphela okwanamuhla, kodwa sizokhuluma ngokuhlolwa kokuthunyelwa engxenyeni yesibili yokuhumusha 😉
Source: www.habr.com