CloudBender/cloudbender/pulumi.py

import sys
import os
import re
import shutil
import tempfile
import importlib
import pulumi
import subprocess
import semver

from functools import wraps

import logging

from . import __version__

logger = logging.getLogger(__name__)

# Disable Pulumis version check globally
os.environ["PULUMI_SKIP_UPDATE_CHECK"] = "true"


def get_pulumi_version():
    p = shutil.which("pulumi")
    if not p:
        return None

    proc = subprocess.Popen(
        [p, "version"], stdout=subprocess.PIPE, stderr=subprocess.DEVNULL
    )
    if not proc.returncode:
        return proc.communicate()[0].decode().strip()
    else:
        return None


def resolve_outputs(outputs):
    my_outputs = {}

    for k, v in outputs.items():
        if isinstance(v, pulumi.automation._output.OutputValue):
            if v.secret:
                my_outputs[k] = "***"
            else:
                my_outputs[k] = v.value
        else:
            my_outputs[k] = v

    return my_outputs


def pulumi_ws(func):
    @wraps(func)
    def decorated(self, *args, **kwargs):
        # setup temp workspace
        if self.mode == "pulumi":
            self.work_dir = tempfile.mkdtemp(
                dir=tempfile.gettempdir(), prefix="cloudbender-"
            )

            # add all artifact_paths/pulumi to the search path for easier
            # imports in the pulumi code
            for artifacts_path in self.ctx["artifact_paths"]:
                _path = "{}/pulumi".format(artifacts_path.resolve())
                sys.path.append(_path)

            # Try local implementation first, similar to Jinja2 mode
            _found = False
            try:
                _stack = importlib.import_module(
                    "config.{}.{}".format(
                        self.rel_path, self.template).replace(
                        "/", "."))
                _found = True

            except ImportError:
                for artifacts_path in self.ctx["artifact_paths"]:
                    try:
                        spec = importlib.util.spec_from_file_location(
                            "_stack",
                            "{}/pulumi/{}.py".format(
                                artifacts_path.resolve(), self.template
                            ),
                        )
                        _stack = importlib.util.module_from_spec(spec)
                        spec.loader.exec_module(_stack)
                        _found = True

                    except FileNotFoundError:
                        pass

            if not _found:
                raise FileNotFoundError(
                    "Cannot find Pulumi implementation for {}".format(
                        self.stackname))

            # Store internal pulumi code reference
            self._pulumi_code = _stack

            # Use legacy Conglomerate as Pulumi project_name
            project_name = self.parameters["Conglomerate"]

            # Remove stacknameprefix if equals Conglomerate as Pulumi
            # implicitly prefixes project_name
            self.pulumi_stackname = re.sub(
                r"^" + project_name + "-?", "", self.stackname
            )
            try:
                pulumi_backend = "{}/{}/{}".format(
                    self.pulumi["backend"], project_name, self.region
                )

            except KeyError:
                raise KeyError("Missing pulumi.backend setting !")

            # Ugly hack as Pulumi currently doesnt support MFA_TOKENs during role assumptions
            # Do NOT set them via 'aws:secretKey' as they end up in the
            # self.json in plain text !!!
            account_id = self.connection_manager.call(
                "sts",
                "get_caller_identity",
                profile=self.profile,
                region=self.region)["Account"]
            self.connection_manager.exportProfileEnv()

            # Secrets provider
            secrets_provider = None
            if "secretsProvider" in self.pulumi:
                secrets_provider = self.pulumi["secretsProvider"]
                if (
                    secrets_provider == "passphrase"
                    and "PULUMI_CONFIG_PASSPHRASE" not in os.environ
                ):
                    raise ValueError(
                        "Missing PULUMI_CONFIG_PASSPHRASE environment variable!"
                    )

            # Set tag for stack file name and version
            _tags = {}
            try:
                _version = self._pulumi_code.VERSION
            except AttributeError:
                _version = "undefined"

            # bail out if we need a minimal cloudbender version for a template
            try:
                _min_version = self._pulumi_code.MIN_CLOUDBENDER_VERSION
                if semver.compare(
                        semver.Version.parse(__version__.strip("v")).finalize_version(),
                        _min_version.strip("v")) < 0:
                    raise ValueError(
                        f"Minimal required CloudBender version is {_min_version}, but we are {__version__}!"
                    )

            except AttributeError:
                pass

            # Tag all resources with our metadata, allowing "prune" eventually
            _tags["zdt:cloudbender.source"] = "{}:{}".format(
                os.path.basename(self._pulumi_code.__file__), _version
            )
            _tags["zdt:cloudbender.owner"] = f"{project_name}.{self.pulumi_stackname}"

            # Inject all stack tags
            _tags.update(self.tags)

            self.pulumi_config.update(
                {
                    "aws:region": self.region,
                    "aws:defaultTags": {"tags": _tags},
                    "zdt:region": self.region,
                    "zdt:awsAccountId": account_id,
                    "zdt:projectName": project_name,
                    "zdt:stackName": self.pulumi_stackname,
                }
            )

            # inject all parameters as config in the <Conglomerate> namespace
            for p in self.parameters:
                self.pulumi_config[
                    "{}:{}".format(self.parameters["Conglomerate"], p)
                ] = self.parameters[p]

            stack_settings = pulumi.automation.StackSettings(
                config=self.pulumi_config,
                secrets_provider=secrets_provider,
                encryption_salt=self.pulumi.get("encryptionsalt", None),
                encrypted_key=self.pulumi.get("encryptedkey", None),
            )

            project_settings = pulumi.automation.ProjectSettings(
                name=project_name, runtime="python", backend={"url": pulumi_backend}
            )

            self.pulumi_ws_opts = pulumi.automation.LocalWorkspaceOptions(
                work_dir=self.work_dir,
                project_settings=project_settings,
                stack_settings={self.pulumi_stackname: stack_settings},
                secrets_provider=secrets_provider,
            )

        response = func(self, *args, **kwargs)

        # Cleanup temp workspace
        if self.work_dir and os.path.exists(self.work_dir):
            shutil.rmtree(self.work_dir)

        return response

    return decorated
feat: Add support for Pulumi 2021-09-20 14:19:14 +00:00			`import sys`
			`import os`
			`import re`
			`import shutil`
feat: add execute task, rework Dockerfile to allow podman run rootless 2022-06-27 18:51:03 +00:00			`import tempfile`
feat: Add support for Pulumi 2021-09-20 14:19:14 +00:00			`import importlib`
			`import pulumi`
feat: implement version checks for extended toolchain 2022-06-28 13:30:13 +00:00			`import subprocess`
Add support for minimal version check 2023-10-27 10:44:44 +00:00			`import semver`
feat: implement version checks for extended toolchain 2022-06-28 13:30:13 +00:00
feat: add execute task, rework Dockerfile to allow podman run rootless 2022-06-27 18:51:03 +00:00			`from functools import wraps`
feat: Add support for Pulumi 2021-09-20 14:19:14 +00:00
			`import logging`
fix: code style / flake8 automation 2022-02-22 10:04:29 +00:00
Add support for minimal version check 2023-10-27 10:44:44 +00:00			`from . import __version__`

feat: Add support for Pulumi 2021-09-20 14:19:14 +00:00			`logger = logging.getLogger(__name__)`

feat: implement version checks for extended toolchain 2022-06-28 13:30:13 +00:00			`# Disable Pulumis version check globally`
			`os.environ["PULUMI_SKIP_UPDATE_CHECK"] = "true"`


			`def get_pulumi_version():`
			`p = shutil.which("pulumi")`
			`if not p:`
			`return None`

			`proc = subprocess.Popen(`
			`[p, "version"], stdout=subprocess.PIPE, stderr=subprocess.DEVNULL`
feat: add execute task, rework Dockerfile to allow podman run rootless 2022-06-27 18:51:03 +00:00			`)`
feat: implement version checks for extended toolchain 2022-06-28 13:30:13 +00:00			`if not proc.returncode:`
			`return proc.communicate()[0].decode().strip()`
			`else:`
			`return None`
feat: Add support for Pulumi 2021-09-20 14:19:14 +00:00

feat: improve docs task to render pulumi docs with live outputs 2022-07-01 12:56:53 +00:00			`def resolve_outputs(outputs):`
			`my_outputs = {}`

feat: New command , cleanup, allow region overwrite 2022-07-04 14:15:14 +00:00			`for k, v in outputs.items():`
Upgrade deprecated setuptools API, fix code style 2023-10-27 12:52:46 +00:00			`if isinstance(v, pulumi.automation._output.OutputValue):`
feat: improve docs task to render pulumi docs with live outputs 2022-07-01 12:56:53 +00:00			`if v.secret:`
			`my_outputs[k] = "***"`
			`else:`
			`my_outputs[k] = v.value`
			`else:`
			`my_outputs[k] = v`

			`return my_outputs`

feat: New command , cleanup, allow region overwrite 2022-07-04 14:15:14 +00:00
feat: add execute task, rework Dockerfile to allow podman run rootless 2022-06-27 18:51:03 +00:00			`def pulumi_ws(func):`
			`@wraps(func)`
			`def decorated(self, args, *kwargs):`
			`# setup temp workspace`
			`if self.mode == "pulumi":`
			`self.work_dir = tempfile.mkdtemp(`
			`dir=tempfile.gettempdir(), prefix="cloudbender-"`
			`)`
feat: Add support for Pulumi 2021-09-20 14:19:14 +00:00
Upgrade deprecated setuptools API, fix code style 2023-10-27 12:52:46 +00:00			`# add all artifact_paths/pulumi to the search path for easier`
			`# imports in the pulumi code`
feat: add execute task, rework Dockerfile to allow podman run rootless 2022-06-27 18:51:03 +00:00			`for artifacts_path in self.ctx["artifact_paths"]:`
			`_path = "{}/pulumi".format(artifacts_path.resolve())`
			`sys.path.append(_path)`
feat: Add support for Pulumi 2021-09-20 14:19:14 +00:00
feat: add execute task, rework Dockerfile to allow podman run rootless 2022-06-27 18:51:03 +00:00			`# Try local implementation first, similar to Jinja2 mode`
			`_found = False`
feat: Add support for Pulumi 2021-09-20 14:19:14 +00:00			`try:`
feat: add execute task, rework Dockerfile to allow podman run rootless 2022-06-27 18:51:03 +00:00			`_stack = importlib.import_module(`
Upgrade deprecated setuptools API, fix code style 2023-10-27 12:52:46 +00:00			`"config.{}.{}".format(`
			`self.rel_path, self.template).replace(`
			`"/", "."))`
feat: Add support for Pulumi 2021-09-20 14:19:14 +00:00			`_found = True`

feat: add execute task, rework Dockerfile to allow podman run rootless 2022-06-27 18:51:03 +00:00			`except ImportError:`
			`for artifacts_path in self.ctx["artifact_paths"]:`
			`try:`
			`spec = importlib.util.spec_from_file_location(`
			`"_stack",`
feat: implement version checks for extended toolchain 2022-06-28 13:30:13 +00:00			`"{}/pulumi/{}.py".format(`
			`artifacts_path.resolve(), self.template`
			`),`
feat: add execute task, rework Dockerfile to allow podman run rootless 2022-06-27 18:51:03 +00:00			`)`
			`_stack = importlib.util.module_from_spec(spec)`
			`spec.loader.exec_module(_stack)`
			`_found = True`

			`except FileNotFoundError:`
			`pass`

			`if not _found:`
			`raise FileNotFoundError(`
Upgrade deprecated setuptools API, fix code style 2023-10-27 12:52:46 +00:00			`"Cannot find Pulumi implementation for {}".format(`
			`self.stackname))`
feat: Add support for Pulumi 2021-09-20 14:19:14 +00:00
feat: add execute task, rework Dockerfile to allow podman run rootless 2022-06-27 18:51:03 +00:00			`# Store internal pulumi code reference`
			`self._pulumi_code = _stack`
feat: Add support for Pulumi 2021-09-20 14:19:14 +00:00
feat: add execute task, rework Dockerfile to allow podman run rootless 2022-06-27 18:51:03 +00:00			`# Use legacy Conglomerate as Pulumi project_name`
			`project_name = self.parameters["Conglomerate"]`

Upgrade deprecated setuptools API, fix code style 2023-10-27 12:52:46 +00:00			`# Remove stacknameprefix if equals Conglomerate as Pulumi`
			`# implicitly prefixes project_name`
feat: implement version checks for extended toolchain 2022-06-28 13:30:13 +00:00			`self.pulumi_stackname = re.sub(`
			`r"^" + project_name + "-?", "", self.stackname`
			`)`
feat: add execute task, rework Dockerfile to allow podman run rootless 2022-06-27 18:51:03 +00:00			`try:`
			`pulumi_backend = "{}/{}/{}".format(`
			`self.pulumi["backend"], project_name, self.region`
			`)`
feat: Add support for Pulumi 2021-09-20 14:19:14 +00:00
feat: add execute task, rework Dockerfile to allow podman run rootless 2022-06-27 18:51:03 +00:00			`except KeyError:`
			`raise KeyError("Missing pulumi.backend setting !")`

fix: allow deploying Pulumi stacks in parallel to CFN 2022-08-26 09:44:33 +00:00			`# Ugly hack as Pulumi currently doesnt support MFA_TOKENs during role assumptions`
Upgrade deprecated setuptools API, fix code style 2023-10-27 12:52:46 +00:00			`# Do NOT set them via 'aws:secretKey' as they end up in the`
			`# self.json in plain text !!!`
feat: add execute task, rework Dockerfile to allow podman run rootless 2022-06-27 18:51:03 +00:00			`account_id = self.connection_manager.call(`
Upgrade deprecated setuptools API, fix code style 2023-10-27 12:52:46 +00:00			`"sts",`
			`"get_caller_identity",`
			`profile=self.profile,`
			`region=self.region)["Account"]`
feat: New command , cleanup, allow region overwrite 2022-07-04 14:15:14 +00:00			`self.connection_manager.exportProfileEnv()`
feat: add execute task, rework Dockerfile to allow podman run rootless 2022-06-27 18:51:03 +00:00
			`# Secrets provider`
Minor Pulumi upgrades 2023-10-02 08:58:32 +00:00			`secrets_provider = None`
feat: add execute task, rework Dockerfile to allow podman run rootless 2022-06-27 18:51:03 +00:00			`if "secretsProvider" in self.pulumi:`
			`secrets_provider = self.pulumi["secretsProvider"]`
			`if (`
			`secrets_provider == "passphrase"`
			`and "PULUMI_CONFIG_PASSPHRASE" not in os.environ`
			`):`
feat: implement version checks for extended toolchain 2022-06-28 13:30:13 +00:00			`raise ValueError(`
			`"Missing PULUMI_CONFIG_PASSPHRASE environment variable!"`
			`)`
feat: add execute task, rework Dockerfile to allow podman run rootless 2022-06-27 18:51:03 +00:00
			`# Set tag for stack file name and version`
			`_tags = {}`
			`try:`
			`_version = self._pulumi_code.VERSION`
			`except AttributeError:`
			`_version = "undefined"`

Add support for minimal version check 2023-10-27 10:44:44 +00:00			`# bail out if we need a minimal cloudbender version for a template`
			`try:`
			`_min_version = self._pulumi_code.MIN_CLOUDBENDER_VERSION`
Upgrade deprecated setuptools API, fix code style 2023-10-27 12:52:46 +00:00			`if semver.compare(`
fix: make semver comparison work with dev versions 2023-12-06 18:05:32 +00:00			`semver.Version.parse(__version__.strip("v")).finalize_version(),`
Upgrade deprecated setuptools API, fix code style 2023-10-27 12:52:46 +00:00			`_min_version.strip("v")) < 0:`
Add support for minimal version check 2023-10-27 10:44:44 +00:00			`raise ValueError(`
			`f"Minimal required CloudBender version is {_min_version}, but we are {__version__}!"`
			`)`

			`except AttributeError:`
			`pass`

feat: add execute task, rework Dockerfile to allow podman run rootless 2022-06-27 18:51:03 +00:00			`# Tag all resources with our metadata, allowing "prune" eventually`
			`_tags["zdt:cloudbender.source"] = "{}:{}".format(`
			`os.path.basename(self._pulumi_code.__file__), _version`
			`)`
			`_tags["zdt:cloudbender.owner"] = f"{project_name}.{self.pulumi_stackname}"`

Add custom stack tags to Pulumi stacks 2023-05-23 19:29:15 +00:00			`# Inject all stack tags`
			`_tags.update(self.tags)`

feat: implement version checks for extended toolchain 2022-06-28 13:30:13 +00:00			`self.pulumi_config.update(`
			`{`
			`"aws:region": self.region,`
			`"aws:defaultTags": {"tags": _tags},`
			`"zdt:region": self.region,`
			`"zdt:awsAccountId": account_id,`
			`"zdt:projectName": project_name,`
			`"zdt:stackName": self.pulumi_stackname,`
			`}`
			`)`
feat: add execute task, rework Dockerfile to allow podman run rootless 2022-06-27 18:51:03 +00:00
			`# inject all parameters as config in the <Conglomerate> namespace`
			`for p in self.parameters:`
feat: implement version checks for extended toolchain 2022-06-28 13:30:13 +00:00			`self.pulumi_config[`
			`"{}:{}".format(self.parameters["Conglomerate"], p)`
			`] = self.parameters[p]`
feat: add execute task, rework Dockerfile to allow podman run rootless 2022-06-27 18:51:03 +00:00
			`stack_settings = pulumi.automation.StackSettings(`
			`config=self.pulumi_config,`
			`secrets_provider=secrets_provider,`
			`encryption_salt=self.pulumi.get("encryptionsalt", None),`
			`encrypted_key=self.pulumi.get("encryptedkey", None),`
			`)`

			`project_settings = pulumi.automation.ProjectSettings(`
			`name=project_name, runtime="python", backend={"url": pulumi_backend}`
			`)`

			`self.pulumi_ws_opts = pulumi.automation.LocalWorkspaceOptions(`
			`work_dir=self.work_dir,`
			`project_settings=project_settings,`
			`stack_settings={self.pulumi_stackname: stack_settings},`
			`secrets_provider=secrets_provider,`
			`)`

			`response = func(self, args, *kwargs)`

			`# Cleanup temp workspace`
			`if self.work_dir and os.path.exists(self.work_dir):`
			`shutil.rmtree(self.work_dir)`

			`return response`

			`return decorated`