Pulumi project written in Go with multiple stacks for dev, staging, prod support.
This uses an existing Billing Account/DNS Resource Group created outside of IaC at this time.
This will replace the GH Pages hosted version of elyclover.com that lives here.
The goal is to have multiple environments for elyclover.com [dev, stg, prod] that are deployed to via GitOps-like principles using GitHub Actions automation workflows.
Pulumi state is currently managed in Pulumi Cloud.
The site's static content lives in the storage account's `$web` container. The stack's `dnsResourceGroup` and `dnsZoneName` config values point at the existing DNS zone: each environment gets its own record (e.g. `.dev.tld.com`) or an apex A record (if prod, e.g. `tld.com`) in this upstream `dnsResourceGroup`/`dnsZoneName` in Azure DNS.

If a deploy fails part-way, re-run `pulumi up` to get it over the line. Pulumi does not appear to support an easy "native" retry here as they put the onus on the providers to handle such things with their own logic.

```shell
pulumi stack ls
# pick a stack
pulumi stack select dev
pulumi up
```
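Since Pulumi leaves retries to the providers, the re-run has to happen at the CI layer. The wrapper below is an added example (not a script from this repo) that bounds the number of `pulumi up` attempts; the script name `retry.sh` and the invocation are assumptions. Re-running is safe because Pulumi reconciles the desired state against its last checkpoint, so a second run only picks up what the first one failed to create.

```shell
#!/bin/sh
# Added example, not part of this repo: a bounded retry wrapper for a flaky
# "pulumi up" in CI.
#
# Usage (assumed invocation, not the project's own script):
#   ./retry.sh 3 10 pulumi up --yes --stack dev
#   => up to 3 attempts, 10 seconds between attempts

# retry ATTEMPTS DELAY COMMAND...  Runs COMMAND until it succeeds or ATTEMPTS is
# used up. Returns the command's last exit status so the CI job still fails on
# a real (non-transient) error.
retry() {
  attempts=$1
  delay=$2
  shift 2
  n=1
  while :; do
    # Run the command; on success stop immediately.
    "$@" && return 0
    status=$?
    if [ "$n" -ge "$attempts" ]; then
      echo "retry: '$*' failed after $n attempt(s)" >&2
      return "$status"
    fi
    echo "retry: attempt $n of $attempts failed (exit $status), retrying in ${delay}s" >&2
    n=$((n + 1))
    sleep "$delay"
  done
}

# Only run the wrapper when arguments are supplied, so sourcing the file for
# its function has no side effects.
if [ "$#" -ge 3 ]; then
  retry "$@"
fi
```

Keep the attempt count small: a provider error that is not transient (bad credentials, a quota limit) will fail every time, and the wrapper returns that exit status so the workflow still goes red.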
I've included a makefile with an `encrypt` + `decrypt` target, and a helper script at `scripts/sops.sh` to help handle basic use-cases. The SOPS project-wide config is located at `.sops.yaml` in the project's root.
An Azure Key Vault + key is being used to encrypt/decrypt these secrets at rest. There's an addition to `.gitignore` to try to ensure decrypted files (ending in `.dec`) are not committed if a user hasn't installed the GitGuardian pre-commit hook/check, which would also catch an accidental secret being added to a commit/PR.
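`.gitignore` only guards the `.dec` suffix, and GitGuardian only runs if the hook is installed. As an added example (not `scripts/sops.sh` and not the GitGuardian hook), here is a minimal pre-commit guard that covers both gaps locally: it rejects staged paths that use the `.dec` suffix and, for everything else, rejects files carrying a PEM private-key header. The script name `scripts/check-secrets.sh` and the `git diff` wiring in the comments are assumptions.

```shell
#!/bin/sh
# Added example, not the project's scripts/sops.sh or its GitGuardian hook: a
# small pre-commit guard that refuses decrypted SOPS output. It applies two
# checks to each staged path:
#   1. the name ends in .dec (this repo's suffix for decrypted files)
#   2. the content carries a PEM private-key header (e.g. a .key that was
#      never converted to a .pfx.dec and encrypted in the first place)
# Assumed wiring (not part of the repo):
#   git diff --cached --name-only --diff-filter=ACM | xargs ./scripts/check-secrets.sh

# True (exit 0) when the path uses the decrypted-file suffix.
looks_decrypted() {
  case "$1" in
    *.dec) return 0 ;;
    *) return 1 ;;
  esac
}

# True (exit 0) when the file contains a PEM private-key marker such as
# "-----BEGIN RSA PRIVATE KEY-----". Paths that no longer exist (deleted in
# this commit) cannot leak anything, so they pass.
contains_private_key() {
  [ -f "$1" ] || return 1
  grep -E -q -- '^-----BEGIN [A-Z ]*PRIVATE KEY-----' "$1"
}

# Checks every path given; reports each offending path on stderr and returns 1
# if any fails, so git aborts the commit.
check_staged() {
  rc=0
  for p in "$@"; do
    if looks_decrypted "$p"; then
      echo "refusing to commit decrypted file: $p" >&2
      rc=1
    elif contains_private_key "$p"; then
      echo "refusing to commit private key material in: $p" >&2
      rc=1
    fi
  done
  return "$rc"
}

# Run as a hook when paths are supplied; sourcing the file alone does nothing.
if [ "$#" -gt 0 ]; then
  check_staged "$@"
fi
```

This is a name-and-header check only; it does not replace a real secret scanner, which also catches API tokens and connection strings that have no PEM framing.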
```shell
make decrypt
pulumi stack select prod
pulumi up
```
```shell
cd scripts
./pem-to-pfx.sh yourkey.key yourcrt.crt outpfx.pfx.dec
# this cert filename is set in Pulumi.prod.yaml -> elyclover.com-infra:prodPfxCertPath
mv outpfx.pfx.dec ../assets/tls/
cd ..
pulumi stack select prod
pulumi up
make encrypt
git add assets/tls
```
This will auto-detect any potential secrets before they make it into a commit.
The first time I ran this I had to auth like so:
```shell
# ggshield is located in a unique folder for each environment, installed as a python venv by the pre-commit tooling
GGSHIELD=$(find ~/.cache -name ggshield | grep bin)
$GGSHIELD auth login
```