
some-football-23966

04/14/2020, 6:55 PM
Hi, I am a newbie to Pulumi and I would like to understand a couple of things:
1. How secure is it to use Pulumi in production with a single user?
2. Pulumi doesn't have 2FA enabled to add an extra level of security; is that something in the plan?
3. What's the best practice to maintain the Pulumi code? Can I maintain Pulumi code in a git repo and deploy it through Jenkins?
4. Is Pulumi also best suited for reading infra details? Let's say I want to figure out the cost incurred by S3 resources on an AWS account.

green-morning-1318

04/14/2020, 7:02 PM
Hi 👋 (not a Pulumi employee, but I hope I'm able to help you out somewhat)
1. You can have organizations with multiple users: https://www.pulumi.com/docs/intro/console/accounts-and-organizations/organizations/ That way you can have multiple people update a stack and you have insight into who did what.
2. I'll leave that to the Pulumi team 🙂
3. Absolutely! It's definitely a best practice to keep the Pulumi code in a version control system. I have my Pulumi code in the same repo as the serverless apps that code deploys. In my case I use CircleCI, but you can see an example here: https://github.com/retgits/acme-serverless-payment (the Pulumi code is in the pulumi folder).
4. Pulumi allows you to search the data of all sorts of AWS resources. I'm not sure, though, if it can access the data needed to figure out cost (which in the S3 case would be a combination of storage, which you could definitely find out, and egress traffic).
Hope that helps a bit 😄

some-football-23966

04/14/2020, 7:07 PM
Thanks @green-morning-1318, would multiple users work with the community edition version?
As I intend to use only the open source version as of now.

green-morning-1318

04/14/2020, 7:08 PM
I don't think it is, to be honest (https://www.pulumi.com/pricing/)

broad-dog-22463

04/14/2020, 7:10 PM
Hi @some-football-23966, I am not sure what you mean about 2FA? There is currently no remote execution model for Pulumi, so it needs to be controlled by the users themselves. What use case do you believe we need to cover here? Paul

some-football-23966

04/14/2020, 7:12 PM
Hey @broad-dog-22463, considering that a user needs to first create an account and use tokens to execute all the workload, I intend to figure out what happens if somehow my account or laptop gets unintended access through a user: the person might end up messing with my account,
as the UI has all the power to change my configuration and delete my projects, stacks etc.

broad-dog-22463

04/14/2020, 7:13 PM
Ah, I see what you mean. So the Pulumi SaaS only has the state; as long as you follow good practice, it won't have access to your Pulumi secrets or your code, so no one can actually delete your cloud resources via the Pulumi SaaS. They need the Pulumi CLI to do that.
You can indeed delete the stack itself, but this won't delete the resources; it will simply unmanage them.

some-football-23966

04/14/2020, 7:15 PM
Alright, so for the reasons I explained, if somehow a person gets access to the account, the person can set up his/her Pulumi CLI with my token or credentials.
So for example, the AWS console provides 2FA/MFA to have double security, so that a compromised UI can't be used to steal any credentials.

broad-dog-22463

04/14/2020, 7:17 PM
Pulumi doesn't store any credentials to your cloud provider. Yes, you are correct that if someone gets access to your Pulumi account then they can use your Pulumi access token, but that simply means they can store their cloud state in your Pulumi account. It 100% doesn't mean they can deploy to your cloud.
We can certainly raise the issue of adding 2FA, of course; if it makes our users feel more secure, then we can talk about that for the SaaS.

some-football-23966

04/14/2020, 7:19 PM
Alright, got it.
Would be great if you can consider that.

broad-dog-22463

04/14/2020, 7:20 PM
I will raise it with the team 🙂

some-football-23966

04/14/2020, 7:20 PM
Thanks. I would highly appreciate it if you can route me to the best coding practices for Pulumi in terms of creating folder structure / naming conventions etc.

broad-dog-22463

04/14/2020, 7:21 PM
But please rest assured, Pulumi doesn't store any of your data that can compromise either your cloud credentials or your cloud resources; you can ensure you store any configuration options as secrets 🙂 https://www.pulumi.com/docs/intro/concepts/programming-model/#secrets

some-football-23966

04/14/2020, 7:24 PM
The main thing which I liked about Pulumi is that I can write code like a developer and I don't have to learn many new things like a DSL etc. So if you can answer a few of these questions as well, it will really help in taking the call:
1. In case Pulumi is down, I won't be able to use Pulumi to manage my account, right? What's the SLA for Pulumi to be up?
2. As Pulumi doesn't store code, what's the best practice to create a readable folder structure for the Pulumi code base?
3. Can I run Pulumi code using normal python / node commands instead of pulumi up? The use case is where I just want to read the configuration of the cloud rather than deploying it. Is it even possible?
4. In case I use S3 as the state backend instead of pulumi.com, what would I lose?

broad-dog-22463

04/14/2020, 7:33 PM
1. <finding that out for you now>
2. It all depends on what you are trying to achieve. We suggest it's software, so it can be structured as you would structure your software. We have a reference example: https://github.com/pulumi/examples/tree/master/aws-stackreference-architecture
3. There is, at this point in time, no SDK for Pulumi to be embedded in your application. It is under investigation, as users want that; we have various issues open in the pulumi/pulumi repo for this.
4. If you use the open source state backends then the primary thing you lose is concurrency / locking. This is provided by default by the SaaS. Other than that, you need to manage your own backups / versioning etc.

some-football-23966

04/14/2020, 7:43 PM
Thanks @broad-dog-22463, point 3 is a bigger use case. I want to use Pulumi more freely and openly, like the AWS SDK or any third party SDK. Unless necessary I don't want to run pulumi up, or we can have pulumi up written in Python code itself so that I don't have to be dependent on the CLI. There are a lot of use cases which are just plain get calls for AWS resources, like reading S3, ECS state, current cost attribution, reading current infrastructure and then duplicating it in the same or a different env etc.

broad-dog-22463

04/14/2020, 7:44 PM
So you can mock your cloud and not have to do any pulumi up, and write your code and test it as normal.
Maybe I don't understand the use case for #3 as I've personally never had to use it on the large infrastructures that I worked on.
But I understand that it may well be a deal breaker for you.

some-football-23966

04/14/2020, 7:47 PM
Consider a developer developing an application with no restrictions. pulumi up seems to be the only way to run Pulumi code, which in my view is a limitation. It's a bit against the whole idea of having Pulumi as a framework which can understand regular programming languages and code.

broad-dog-22463

04/14/2020, 7:49 PM
But it's the same way as with other tools, right? I mean kubectl commands, terraform commands, ARM template deployments.
It's a deployment-centric tool (as at this time).
I understand that you would love to be able to drive it via an SDK so you can embed it in your applications.
We are just not there right now 😕

some-football-23966

04/14/2020, 7:50 PM
That's what these guys haven't solved. They are just deployment-centric, while you have the whole power to solve all non-deployment use cases too.
The world is moving in a direction where every engineer is capable enough to do DevOps, and every engineer is able to write code in most of the hot languages. Pulumi provides that flexibility to write the code in the language you love. Other tools have a certain learning curve which would take time.

broad-dog-22463

04/14/2020, 7:51 PM
WRT the SLA, this is what I was quoted from the SaaS team: “The Pulumi service is operated with a high bar for availability. Financially-backed SLAs are available as part of our Team and Enterprise offerings for organizations that need tighter guarantees around service availability.”

some-football-23966

04/14/2020, 7:52 PM
People using Java/Node/Python already have best practices defined and can just utilise Pulumi within the stack as one of the super crazy libraries to solve for infra automation.

broad-dog-22463

04/14/2020, 7:52 PM
@some-football-23966 one thing that we do enable is CI / CD workflows; we believed that was a higher priority to solve: https://www.pulumi.com/docs/guides/continuous-delivery/
But we will be looking at SDK-driven development at some point.

some-football-23966

04/14/2020, 7:53 PM
Cool 🙂 I just feel IaC is not just about deployment but about management as well 🙂

broad-dog-22463

04/14/2020, 7:54 PM
The workflow we provide 100% enables management as well 🙂
I was a user of Pulumi before I joined the team

some-football-23966

04/14/2020, 7:54 PM
Is it possible today to get S3 cost attribution using Pulumi?

broad-dog-22463

04/14/2020, 7:54 PM
And I also worked for HashiCorp before that, so I do understand this space, luckily 🙂
That is not possible.

some-football-23966

04/14/2020, 7:55 PM
Yeah, I do understand you are way better in this than me 🙂 Between Terraform and Pulumi, I am inclined toward Pulumi too.

broad-dog-22463

04/14/2020, 7:55 PM
No, not better at all.
I am just lucky that I got to see some of the more common use cases, is all.

some-football-23966

04/14/2020, 7:56 PM
But one question: why do you think that's not possible?
Why isn't S3 cost attribution possible with Pulumi?

broad-dog-22463

04/14/2020, 7:56 PM
We have currently got no interaction from Pulumi to the cost APIs directly.
You can use a dynamic provider to do this and use the ASK SDK as part of your Pulumi application.

some-football-23966

04/14/2020, 7:57 PM
OK, if I want to read a Kafka cluster which wasn't deployed by Pulumi before, can I read the infra and deploy a duplicate version of it using Pulumi?
ASK or AWS?

broad-dog-22463

04/14/2020, 7:57 PM
AWS*
Pulumi can import existing infrastructure that was deployed outside of Pulumi to bring it under Pulumi management.

some-football-23966

04/14/2020, 7:58 PM
Got it. Any documentation on that would be helpful.

broad-dog-22463

04/14/2020, 8:00 PM
There's even a video 🙂

https://www.youtube.com/watch?v=kX_3Wdft0Ms


some-football-23966

04/14/2020, 8:03 PM
Consider that I don't have any existing IaC; in that case how is it possible? In case infra is deployed using an imperative approach, using shell or manual steps?

broad-dog-22463

04/14/2020, 8:07 PM
You would use the IDs that the Pulumi API expects and use those in the Pulumi code as part of the CustomResourceOptions.