BT

Facilitating the Spread of Knowledge and Innovation in Professional Software Development

Write for InfoQ

Topics

Choose your language

InfoQ Homepage News Pulumi Releases Version 2.0 with New Policy as Code Tool

Pulumi Releases Version 2.0 with New Policy as Code Tool

This item in japanese

Bookmarks

Pulumi announced the release of version 2.0 of their open source infrastructure as code platform. This release includes a new policy as code system called CrossGuard. Also included are improvements for moving pre-existing systems into Pulumi.

The policy as code system CrossGuard allows for declaring guardrails to enforce compliance while provisioning infrastructure. This facilitates adhering to best practices in the declaration and creation of infrastructure. These rules can be written in TypeScript, JavaScript, Node.js, or Python and can be applied to stacks written in any language supported by Pulumi.

Policies can be grouped together into policy packs. Each policy within a policy pack must have a unique name. When writing assertions it is recommended to write them in complete sentences while specifying the resource that is in violation. For example, a policy that prohibits S3 buckets from having public read could look like this:

new PolicyPack("policy-pack-typescript", {
    policies: [{
        name: "s3-no-public-read",
        description: "Prohibits setting the publicRead or publicReadWrite permission on AWS S3 buckets.",
        enforcementLevel: "mandatory",
        validateResource: validateResourceOfType(aws.s3.Bucket, (bucket, args, reportViolation) => {
            if (bucket.acl === "public-read" || bucket.acl === "public-read-write") {
                reportViolation(
                    "You cannot set public-read or public-read-write on an S3 bucket. " +
                    "Read more about ACLs here: https://docs.aws.amazon.com/AmazonS3/latest/dev/acl-overview.html");
            }
        }),
    }],
});

This release also includes a set of pre-codified practices for AWS. AWSGuard is a configurable library that can be adopted and used within a policy pack. There are also example policy packs for AWS, Azure, Google Cloud, and Kubernetes. More details on CrossGuard can be found in the FAQ.

Also included within this update are three methods for adopting Pulumi for existing infrastructure. These are coexistence, importing, and conversion. Coexistence is to be used when there is already infrastructure provisioned but a full conversion into Pulumi isn't desired. With coexistence the new infrastructure provisioned with Pulumi can coexist with the original infrastructure. Resource getters are available on every resource to allow for reading all the details from a resource from the cloud provider using its ID. Stack references allow for referencing the outputs of another Pulumi stack for use as an input to a stack. As a similar tool, external stack references allow for referencing outputs from a non-Pulumi stack as inputs to a Pulumi stack.

For example, it is possible to read data from the terraform.tfstate file. In this code, the AWS EC2 VPC and subnet IDs are read from the terraform.tfstate file and used to provision new EC2 instances:

import * as aws from "@pulumi/aws";
import * as terraform from "@pulumi/terraform";

// Reference the Terraform state file:
const networkState = new terraform.state.RemoteStateReference("network", {
    backendType: "local",
    path: "/path/to/terraform.tfstate",
});

// Read the VPC and subnet IDs into variables:
const vpcId = networkState.getOutput("vpc_id");
const publicSubnetIds = networkState.getOutput("public_subnet_ids");

// Now spin up servers in the first two subnets:
for (let i = 0; i < 2; i++) {
    new aws.ec2.Instance(`instance-${i}`, {
        ami: "ami-7172b611",
        instanceType: "t2.medium",
        subnetId: publicSubnetIds[i],
    });
}

It is also possible to import existing infrastructure so that it is under the control of Pulumi. This differs from coexistence in that with importing, Pulumi will be able to modify and delete the infrastructure. Pulumi is able to import infrastructure regardless of how it was created, such as via the cloud provider's console, from the CLI, or from Terraform.

Finally with conversion, it is possible to convert existing infrastructure as code into the equivalent Pulumi program structure. The primary conversion tool available at this time is tf2pulumi which converts Terraform HCL to Pulumi code. By default this will convert into TypeScript. To convert into Python instead, use tf2pulumi --target-language python.

More details about what is included in this release of Pulumi can be found in the official blog. A migration guide for migrating from version 1.0 is available. Pulumi open source is available for download from GitHub. Community Edition is also free for download and use on an individual basis.

Rate this Article

Adoption
Style

BT