feat(pulumi): implement pulumi deploy iam user

raypappa · raypappa · commit 2fe1ce9787c8 · 2025-11-15T15:28:10.000-08:00
Adopting pulumi as an alternative to terraform or cdk. With changes to cloudflare, it's better to use tf or pulumi to manage the tunnels. I'd rather not use tf on this, so I'm migrating to pulumi and deprecating aws cdk in the repo
diff --git a/.cspell-dictionaries/pulumi.txt b/.cspell-dictionaries/pulumi.txt
@@ -0,0 +1 @@
+pulumi
diff --git a/.cspell.json b/.cspell.json
@@ -13,9 +13,14 @@
     "node",
     "k8s-local",
     "ansible",
-    "linux"
+    "linux",
+    "pulumi"
   ],
   "dictionaryDefinitions": [
+    {
+      "name": "pulumi",
+      "path": "./.cspell-dictionaries/pulumi.txt"
+    },
     {
       "name": "sphinx",
       "path": "./.cspell-dictionaries/sphinx.txt"
diff --git a/.mise.toml b/.mise.toml
@@ -0,0 +1,2 @@
+[tools]
+pulumi = "latest"
diff --git a/.taskfiles/pulumi/Taskfile.yaml b/.taskfiles/pulumi/Taskfile.yaml
@@ -0,0 +1,15 @@
+---
+version: "3"
+tasks:
+  up:
+    desc: Pulumi up
+    cmds:
+      - uv run pulumi up {{.CLI_ARGS}}
+  preview:
+    desc: Pulumi preview
+    cmds:
+      - uv run pulumi preview {{.CLI_ARGS}}
+  destroy:
+    desc: Pulumi destroy
+    cmds:
+      - uv run pulumi destroy {{.CLI_ARGS}}
diff --git a/Taskfile.yaml b/Taskfile.yaml
@@ -12,6 +12,9 @@ includes:
   argocd:
     taskfile: .taskfiles/argocd/Taskfile.yaml
     dir: kubernetes
+  pulumi:
+    taskfile: .taskfiles/pulumi/Taskfile.yaml
+    dir: pulumi
 tasks:
   default:
     desc: "List tasks"
diff --git a/pulumi/.gitignore b/pulumi/.gitignore
@@ -0,0 +1,2 @@
+*.pyc
+venv/
diff --git a/pulumi/.python-version b/pulumi/.python-version
@@ -0,0 +1 @@
+3.13
diff --git a/pulumi/Pulumi.prod.yaml b/pulumi/Pulumi.prod.yaml
@@ -0,0 +1,3 @@
+---
+config:
+  aws:region: us-west-2
diff --git a/pulumi/Pulumi.yaml b/pulumi/Pulumi.yaml
@@ -0,0 +1,11 @@
+---
+name: faerun
+description: A minimal AWS Python Pulumi program
+runtime:
+  name: python
+  options:
+    toolchain: uv
+config:
+  pulumi:tags:
+    value:
+      pulumi:template: aws-python
diff --git a/pulumi/README.md b/pulumi/README.md
@@ -0,0 +1,70 @@
+# Pulumi
+
+Deploying resource using pulumi
+
+## Overview
+
+### AWS
+
+- Create IAM user for home-assistant integration for managing r53 records.
+
+## Getting Started
+
+### Preview the planned changes
+
+```bash
+task pulumi:preview
+```
+
+### Deploy the stack
+
+```bash
+task pulumi:up
+```
+
+### Tear down when finished
+
+```bash
+task pulumi:destroy
+```
+
+## Project Layout
+
+After running `pulumi new`, your directory will look like:
+
+```
+├── __main__.py         # Entry point of the Pulumi program
+├── Pulumi.yaml         # Project metadata and template configuration
+└── Pulumi.<stack>.yaml # Stack-specific configuration (e.g., Pulumi.dev.yaml)
+```
+
+## Configuration
+
+This template defines the following config value:
+
+- `aws:region` (string)
+  The AWS region to deploy resources into.
+  Default: `us-east-1`
+
+View or update configuration with:
+
+```bash
+pulumi config get aws:region
+pulumi config set aws:region us-west-2
+```
+
+## Outputs
+
+Once deployed, the stack exports:
+
+### Retrieve outputs
+
+```bash
+pulumi stack output bucket_name
+```
+
+if the output is a secret then use
+
+```bash
+pulumi stack output bucket_name --show-secrets
+```
diff --git a/pulumi/__main__.py b/pulumi/__main__.py
@@ -0,0 +1,55 @@
+"""An AWS Python Pulumi program"""
+
+import pulumi
+from pulumi_aws import iam, route53
+
+ha_user = iam.User("home_assistant_user", name="home-assistant")
+ha_user_access_key = iam.AccessKey("home_assistant_key", user=ha_user.name)
+selected = route53.get_zone(
+    name="stoneydavis.com.",
+    private_zone=False,
+)
+ha_iam_policy_doc = iam.get_policy_document(
+    statements=[
+        {
+            "effect": "Allow",
+            "actions": [
+                "route53:GetHostedZone",
+                "route53:ChangeResourceRecordSets",
+                "route53:ListResourceRecordSets",
+            ],
+            "resources": [selected.arn],
+        },
+        {
+            "effect": "Allow",
+            "resources": ["*"],
+            "actions": ["route53:TestDNSAnswer"],
+        },
+    ]
+)
+iam.UserPolicy(
+    "r53",
+    name="r53",
+    user=ha_user.name,
+    policy=ha_iam_policy_doc.json,
+)
+
+
+pulumi.export("home_assistant_access_key_id", ha_user_access_key.id)
+pulumi.export("home_assistant_secret_access_key", ha_user_access_key.secret)
+
+# ha_user_access_key_dict = config.get_object("home_assistant_access_key")
+# if ha_user_access_key_dict is None:
+#     ha_user_access_key_dict = {
+#         "access_key_id": ha_user_access_key.id,
+#         "secret_access_key": ha_user_access_key.secret
+#     }
+#
+# secretsmanager.SecretVersion(
+#     "home_assistant_key_secret_version",
+#     secret_id=secretsmanager.Secret(
+#         "home_assistant_key_secret", name="/home-assistant/access-key"
+#     ).id,
+#     secret_string=std.jsonencode(ha_user_access_key_dict
+#     ),
+# )
diff --git a/pulumi/main.py b/pulumi/main.py
@@ -0,0 +1,6 @@
+def main():
+    print("Hello from faerun-pulumi!")
+
+
+if __name__ == "__main__":
+    main()
diff --git a/pulumi/pyproject.toml b/pulumi/pyproject.toml
@@ -0,0 +1,11 @@
+[project]
+name = "faerun-pulumi"
+version = "0.1.0"
+description = "Add your description here"
+readme = "README.md"
+requires-python = ">=3.13.0, <4.0.0"
+dependencies = [
+    "pulumi>=3.0.0,<4.0.0",
+    "pulumi-aws>=7.0.0,<8.0.0",
+    "pulumi-std>=2.2.0",
+]
diff --git a/pyproject.toml b/pyproject.toml
@@ -19,3 +19,6 @@ dev = [
     "commitizen==4.9.1",
     "pre-commit<5.0.0,>=4.0.1",
 ]
+
+[tool.uv.workspace]
+members = ["pulumi"]
diff --git a/uv.lock b/uv.lock

Original file line number	Diff line number	Diff line change
`@@ -0,0 +1,3 @@`
	`1`	`+---`
	`2`	`+config:`
	`3`	`+ aws:region: us-west-2`