CloudBender/cloudbender/pulumi.py

import sys
import os
import re
import shutil
import importlib
import pkg_resources
import pulumi

import logging

logger = logging.getLogger(__name__)


def pulumi_init(stack):

    # Fail early if pulumi binaries are not available
    if not shutil.which("pulumi"):
        raise FileNotFoundError(
            "Cannot find pulumi binary, see https://www.pulumi.com/docs/get-started/install/"
        )

    # add all artifact_paths/pulumi to the search path for easier imports in the pulumi code
    for artifacts_path in stack.ctx["artifact_paths"]:
        _path = "{}/pulumi".format(artifacts_path.resolve())
        sys.path.append(_path)

    # Try local implementation first, similar to Jinja2 mode
    _found = False
    try:
        _stack = importlib.import_module(
            "config.{}.{}".format(stack.rel_path, stack.template).replace("/", ".")
        )
        _found = True

    except ImportError:
        for artifacts_path in stack.ctx["artifact_paths"]:
            try:
                spec = importlib.util.spec_from_file_location(
                    "_stack",
                    "{}/pulumi/{}.py".format(artifacts_path.resolve(), stack.template),
                )
                _stack = importlib.util.module_from_spec(spec)
                spec.loader.exec_module(_stack)
                _found = True

            except FileNotFoundError:
                pass

    if not _found:
        raise FileNotFoundError(
            "Cannot find Pulumi implementation for {}".format(stack.stackname)
        )

    project_name = stack.parameters["Conglomerate"]

    # Remove stacknameprefix if equals Conglomerate as Pulumi implicitly prefixes project_name
    pulumi_stackname = re.sub(r"^" + project_name + "-?", "", stack.stackname)
    try:
        pulumi_backend = "{}/{}/{}".format(
            stack.pulumi["backend"], project_name, stack.region
        )

    except KeyError:
        raise KeyError("Missing pulumi.backend setting !")

    account_id = stack.connection_manager.call(
        "sts", "get_caller_identity", profile=stack.profile, region=stack.region
    )["Account"]
    # Ugly hack as Pulumi currently doesnt support MFA_TOKENs during role assumptions
    # Do NOT set them via 'aws:secretKey' as they end up in the stack.json in plain text !!!
    if (
        stack.connection_manager._sessions[(stack.profile, stack.region)]
        .get_credentials()
        .token
    ):
        os.environ["AWS_SESSION_TOKEN"] = (
            stack.connection_manager._sessions[(stack.profile, stack.region)]
            .get_credentials()
            .token
        )

    os.environ["AWS_ACCESS_KEY_ID"] = (
        stack.connection_manager._sessions[(stack.profile, stack.region)]
        .get_credentials()
        .access_key
    )
    os.environ["AWS_SECRET_ACCESS_KEY"] = (
        stack.connection_manager._sessions[(stack.profile, stack.region)]
        .get_credentials()
        .secret_key
    )
    os.environ["AWS_DEFAULT_REGION"] = stack.region

    # Secrets provider
    try:
        secrets_provider = stack.pulumi["secretsProvider"]
        if (
            secrets_provider == "passphrase"
            and "PULUMI_CONFIG_PASSPHRASE" not in os.environ
        ):
            raise ValueError("Missing PULUMI_CONFIG_PASSPHRASE environment variable!")

    except KeyError:
        logger.warning("Missing pulumi.secretsProvider setting, secrets disabled !")
        secrets_provider = None

    # Set tag for stack file name and version
    _tags = stack.tags
    try:
        _version = _stack.VERSION
    except AttributeError:
        _version = "undefined"

    _tags["zero-downtime.net/cloudbender"] = "{}:{}".format(
        os.path.basename(_stack.__file__), _version
    )

    _config = {
        "aws:region": stack.region,
        "aws:profile": stack.profile,
        "aws:defaultTags": {"tags": _tags},
        "zdt:region": stack.region,
        "zdt:awsAccountId": account_id,
    }

    # inject all parameters as config in the <Conglomerate> namespace
    for p in stack.parameters:
        _config["{}:{}".format(stack.parameters["Conglomerate"], p)] = stack.parameters[
            p
        ]

    stack_settings = pulumi.automation.StackSettings(
        config=_config,
        secrets_provider=secrets_provider,
        encryption_salt=stack.pulumi.get("encryptionsalt", None),
        encrypted_key=stack.pulumi.get("encryptedkey", None),
    )

    project_settings = pulumi.automation.ProjectSettings(
        name=project_name, runtime="python", backend={"url": pulumi_backend}
    )

    ws_opts = pulumi.automation.LocalWorkspaceOptions(
        work_dir=stack.work_dir,
        project_settings=project_settings,
        stack_settings={pulumi_stackname: stack_settings},
        secrets_provider=secrets_provider,
    )

    stack = pulumi.automation.create_or_select_stack(
        stack_name=pulumi_stackname,
        project_name=project_name,
        program=_stack.pulumi_program,
        opts=ws_opts,
    )
    stack.workspace.install_plugin(
        "aws", pkg_resources.get_distribution("pulumi_aws").version
    )

    return stack