Categories
Alibaba Cloud

Alibaba Cloud Infrastructure Provision with Pulumi

Infrastructure as code is one of the key practices of DevOps. There are several tools available to provision infrastructure; two of the most popular are Terraform and Ansible. This blog post covers another popular infrastructure as code tool named Pulumi.

Pulumi helps developers get started with infrastructure as code in a familiar programming language. Where other tools use YAML, with Pulumi developers can use JavaScript, TypeScript, C# and Visual Basic to write infrastructure code.

Pulumi supports almost all public cloud service providers. This blog post will help you build infrastructure on Alibaba Cloud with Pulumi and JavaScript.

With Pulumi infrastructure as code, the following simple site infrastructure will be implemented. A future blog post will cover more complex functionality.

To implement the above infrastructure you will need, 

Once the prerequisites are fulfilled, follow these steps to get started.

Step 1: Configure and install Pulumi 

There are multiple ways to install Pulumi. Download and installation steps are provided at https://www.pulumi.com/docs/get-started/install/ . For this blog post, we will use the Homebrew package manager.

Step 2: Generate Pulumi Access Token 

Generate an access token from the Pulumi dashboard ( https://www.pulumi.com/docs/intro/console/accounts-and-organizations/accounts/#access-tokens ).

Step 3: Configure Pulumi on local system

Configure Pulumi on the local system with pulumi login. When prompted, provide the access token generated in step 2.

Step 4: Create a new project

Create a new project for Alibaba Cloud. It is recommended to create the project in an empty folder. To get started, enter pulumi new.

Note: Before executing pulumi new, make sure that Node.js is installed.

  • On entering pulumi new, the system will prompt for a template; select Show additional templates and, once the list is populated, select alicloud-javascript.
  • Enter project name as per your choice
  • Enter project description 
  • Enter stack name
  • Enter region. As per the plan we are going to deploy infrastructure in the Singapore region. For alibaba cloud, the singapore region code is ap-southeast-1. (To deploy infrastructure in different regions, please refer to the regions guide on Alibaba cloud.)

Once the project is created, details of the stack can be accessed with pulumi stack. To list stacks, use "pulumi stack ls".

The stack details can also be accessed from the pulumi dashboard. 

The pulumi new command creates the following file/folder structure on the system.

A closer look at the files and folders

  • node_modules : This directory contains the libraries installed from npm
  • .gitignore : List of files/directories to be ignored by git
  • index.js : A sample file that creates an OSS bucket. All the infrastructure creation code will go here.
  • package-lock.json : A file auto-generated by npm whenever dependencies change
  • <project-name>.yaml : Alibaba Cloud related configuration and stack secrets are stored here
  • Pulumi.yaml : Project details

Step 5: Configure Alibaba Cloud Credentials

Alibaba Cloud credentials can be configured in two ways.

  • By setting environment variables:
    • export ALICLOUD_ACCESS_KEY=YOURALIBABACLOUDACCESSKEY
    • export ALICLOUD_SECRET_KEY=YOURALIBABACLOUDACCESSSECRET
  • By setting them as Pulumi configuration variables. This option is useful in a multi-user environment. Values set with the --secret flag are encrypted before being stored.
    • pulumi config set alicloud:accessKey YOURALIBABACLOUDACCESSKEY --secret
    • pulumi config set alicloud:secretKey YOURALIBABACLOUDACCESSSECRET --secret

Note: Make sure to use the --secret flag when using pulumi config for credentials. Without it, the values are stored in clear text in the stack configuration file.

Step 6: Create VPC

Now that the basic configuration is complete, we can start implementing the infrastructure.

Open index.js in your favourite code editor and update the code as follows. 

"use strict";
const pulumi = require("@pulumi/pulumi");
const alicloud = require("@pulumi/alicloud");

// Create an Alibaba Cloud VPC
const vpc = new alicloud.vpc.Network("alicloud-pulumi-vpc", {
    cidrBlock: "192.168.0.0/16",
    description: "Alibaba Cloud VPC for Hosting Web Application created with pulumi"
});

//Exports VPC ID
exports.vpc = vpc.id;

Note: Pulumi API reference guide can be accessed from https://www.pulumi.com/docs/reference/pkg/nodejs/pulumi/alicloud/index.html

  • pulumi preview: Previews all the changes that will be made when the code is applied
  • pulumi update (pulumi up): Applies the changes to the infrastructure

The Alibaba Cloud vRouter is deployed automatically when the VPC is created; no additional code is needed to create it.

As a best practice, each infrastructure component should be tagged. With Pulumi you can preview changes to the infrastructure and validate them before applying.

For our example, let's add two tags to the VPC. (Tags can be defined once and reused for all components; more advanced Pulumi code with JavaScript will be covered in subsequent posts.)

"use strict";
const pulumi = require("@pulumi/pulumi");
const alicloud = require("@pulumi/alicloud");

// Create an Alibaba Cloud VPC
const vpc = new alicloud.vpc.Network("alicloud-pulumi-vpc", {
   cidrBlock: "192.168.0.0/16",
   description: "Alibaba Cloud VPC for Hosting Web Application created with pulumi",
   tags: {"create with": "pulumi", "created by": "Ankit"},
});

//Exports VPC ID
exports.vpc = vpc.id;

Note: As of writing this blog post there is no way to check VPC tags directly on the Alibaba Cloud console. The current tags can be viewed in Pulumi.

Step 7: Create VSwitch

Now that the VPC and vRouter are created, it is time to create two vSwitches. We will place the vSwitches in two different availability zones. Zone A will be treated as the public zone and Zone B as the private zone.

"use strict";
const pulumi = require("@pulumi/pulumi");
const alicloud = require("@pulumi/alicloud");

// Create an Alibaba Cloud VPC
const vpc = new alicloud.vpc.Network("alicloud-pulumi-vpc", {
   cidrBlock: "192.168.0.0/16",
   description: "Alibaba Cloud VPC for Hosting Web Application created with pulumi",
   tags: {"create with": "pulumi", "created by": "Ankit"},
});

// Create VSwitches
const vswitchZ1 = new alicloud.vpc.Switch("alicloud-vswitch-zone-a", {
   vpcId: vpc.id,
   cidrBlock: "192.168.1.0/24",
   description: "Vswitch 1",
   availabilityZone: "ap-southeast-1a",
   tags: {"create with": "pulumi", "created by": "Ankit"},
});
const vswitchZ2 = new alicloud.vpc.Switch("alicloud-vswitch-zone-b", {
   vpcId: vpc.id,
   cidrBlock: "192.168.2.0/24",
   description: "Vswitch 2",
   availabilityZone: "ap-southeast-1b",
   tags: {"create with": "pulumi", "created by": "Ankit"},
});

//Exports Details
exports.vpc = vpc.id;
exports.vswitchZ1 = vswitchZ1.id;
exports.vswitchZ2 = vswitchZ2.id;

A closer look at the code

  • vpcId : VPC identifier where the vSwitch will be created. To use an existing VPC, provide its exact ID.
  • cidrBlock : A CIDR block that lies within the VPC's CIDR block. Handy CIDR calculation tool: https://www.ipaddressguide.com/cidr
  • description: Description of the vSwitch 
  • availabilityZone: Availability Zone where vSwitch will reside
  • tags: tags for the vswitch

Step 8: Create Security Group and Security Group Rules

This section creates VPC-level firewall rules that can be attached to Elastic Compute Service (ECS) instances.

For our example, we want incoming traffic on ports 80 (HTTP) and 443 (HTTPS) for the web server, so ingress rules for these two ports will be created. The security group will be attached when the ECS instance is created.

Another rule will be created to allow MySQL port 3306 access from the web server zone to the database server zone.

"use strict";
const pulumi = require("@pulumi/pulumi");
const alicloud = require("@pulumi/alicloud");

// Create an Alibaba Cloud VPC
const vpc = new alicloud.vpc.Network("alicloud-pulumi-vpc", {
    cidrBlock: "192.168.0.0/16",
    description: "Alibaba Cloud VPC for Hosting Web Application created with pulumi",
    tags: {"create with": "pulumi", "created by": "Ankit"},
});

// Create VSwitches 
const vswitchZ1 = new alicloud.vpc.Switch("alicloud-vswitch-zone-a", {
    vpcId: vpc.id,
    cidrBlock: "192.168.1.0/24",
    description: "Vswitch 1",
    availabilityZone: "ap-southeast-1a",
    tags: {"create with": "pulumi", "created by": "Ankit"},
});
const vswitchZ2 = new alicloud.vpc.Switch("alicloud-vswitch-zone-b", {
    vpcId: vpc.id,
    cidrBlock: "192.168.2.0/24",
    description: "Vswitch 2",
    availabilityZone: "ap-southeast-1b",
    tags: {"create with": "pulumi", "created by": "Ankit"},
}); 

// Create Security Group Web
const securitygroup = new alicloud.ecs.SecurityGroup("alicloud-security-group", {
    name: "alicloud-security-group",
    description: "Alicloud Security Group",
    vpcId: vpc.id,
    innerAccessPolicy: "Allow",
    securityGroupType: "normal",
    tags: {"create with": "pulumi", "created by": "Ankit"},
});

// Create Security Group Rule HTTP
const securitygroupruleexternalhttp = new alicloud.ecs.SecurityGroupRule("alicloud-securitygrouprule-external-http", {
    name: "alicloud-security-grouprule-1-http",
    description: "Allow Web Access",
    securityGroupId: securitygroup.id,
    cidrIp: "0.0.0.0/0",
    ipProtocol: "tcp",
    policy: "accept",
    portRange: "80/80",
    priority: 1,
    type: "ingress",
    tags: {"create with": "pulumi", "created by": "Ankit"},
});

// Create Security Group Rule HTTPS
const securitygroupruleexternalhttps = new alicloud.ecs.SecurityGroupRule("alicloud-securitygrouprule-external-https", {
    name: "alicloud-security-grouprule-2-https",
    description: "Allow Secure Web Access",
    securityGroupId: securitygroup.id,
    cidrIp: "0.0.0.0/0",
    ipProtocol: "tcp",
    policy: "accept",
    portRange: "443/443",
    priority: 1,
    type: "ingress",
    tags: {"create with": "pulumi", "created by": "Ankit"},
});

// Create Security Group DB
const securitygroupdb = new alicloud.ecs.SecurityGroup("alicloud-security-group-db", {
    name: "alicloud-security-group-db",
    description: "Alicloud DB Security Group",
    vpcId: vpc.id,
    innerAccessPolicy: "Allow",
    securityGroupType: "normal",
    tags: {"create with": "pulumi", "created by": "Ankit"},
});

// Create Security Group Rule DB (MySQL, only from the web server vSwitch)
const securitygroupruleinternaldb = new alicloud.ecs.SecurityGroupRule("alicloud-securitygrouprule-internal-db", {
    name: "alicloud-security-grouprule-db",
    description: "Allow DB Access",
    securityGroupId: securitygroupdb.id,
    cidrIp: "192.168.1.0/24",
    ipProtocol: "tcp",
    policy: "accept",
    portRange: "3306/3306",
    priority: 1,
    type: "ingress",
    tags: {"create with": "pulumi", "created by": "Ankit"},
});

//Exports Data
exports.vpc = vpc.id;
exports.vswitchZ1 = vswitchZ1.id;
exports.vswitchZ2 = vswitchZ2.id;
exports.securitygroup = securitygroup.id;
exports.securitygroupruleexternalhttp = securitygroupruleexternalhttp.id;
exports.securitygroupruleexternalhttps = securitygroupruleexternalhttps.id;
exports.securitygroupdb = securitygroupdb.id;
exports.securitygroupruleinternaldb = securitygroupruleinternaldb.id;

A closer look at the code

Security Group:

  • vpcId: VPC ID where the security group will be created
  • innerAccessPolicy: Whether traffic between instances inside the security group is allowed (Allow) or dropped (Drop)
  • securityGroupType: normal or enterprise security group

Security Group Rules:

  • securityGroupId: ID of the security group the rule is attached to
  • cidrIp: IP address or IP range the rule applies to
  • ipProtocol: Protocol the rule applies to
  • policy: Accept or Deny traffic
  • portRange: Port range where the rule is applicable
  • priority: Rule execution priority
  • type: Rule type ingress or egress

Step 9: Create SSH Keys

In this step we will create two SSH keys which will be assigned to instances in the later stage. As a best practice we will create separate keys for the web and database server.

"use strict";
const pulumi = require("@pulumi/pulumi");
const alicloud = require("@pulumi/alicloud");

// Create an Alibaba Cloud VPC
const vpc = new alicloud.vpc.Network("alicloud-pulumi-vpc", {
    cidrBlock: "192.168.0.0/16",
    description: "Alibaba Cloud VPC for Hosting Web Application created with pulumi",
    tags: {"create with": "pulumi", "created by": "Ankit"},
});

// Create VSwitches 
const vswitchZ1 = new alicloud.vpc.Switch("alicloud-vswitch-zone-a", {
    vpcId: vpc.id,
    cidrBlock: "192.168.1.0/24",
    description: "Vswitch 1",
    availabilityZone: "ap-southeast-1a",
    tags: {"create with": "pulumi", "created by": "Ankit"},
});
const vswitchZ2 = new alicloud.vpc.Switch("alicloud-vswitch-zone-b", {
    vpcId: vpc.id,
    cidrBlock: "192.168.2.0/24",
    description: "Vswitch 2",
    availabilityZone: "ap-southeast-1b",
    tags: {"create with": "pulumi", "created by": "Ankit"},
}); 

// Create Security Group Web
const securitygroup = new alicloud.ecs.SecurityGroup("alicloud-security-group", {
    name: "alicloud-security-group",
    description: "Alicloud Security Group",
    vpcId: vpc.id,
    innerAccessPolicy: "Allow",
    securityGroupType: "normal",
    tags: {"create with": "pulumi", "created by": "Ankit"},
});

// Create Security Group Rule HTTP
const securitygroupruleexternalhttp = new alicloud.ecs.SecurityGroupRule("alicloud-securitygrouprule-external-http", {
    name: "alicloud-security-grouprule-1-http",
    description: "Allow Web Access",
    securityGroupId: securitygroup.id,
    cidrIp: "0.0.0.0/0",
    ipProtocol: "tcp",
    policy: "accept",
    portRange: "80/80",
    priority: 1,
    type: "ingress",
    tags: {"create with": "pulumi", "created by": "Ankit"},
});

// Create Security Group Rule HTTPS
const securitygroupruleexternalhttps = new alicloud.ecs.SecurityGroupRule("alicloud-securitygrouprule-external-https", {
    name: "alicloud-security-grouprule-2-https",
    description: "Allow Secure Web Access",
    securityGroupId: securitygroup.id,
    cidrIp: "0.0.0.0/0",
    ipProtocol: "tcp",
    policy: "accept",
    portRange: "443/443",
    priority: 1,
    type: "ingress",
    tags: {"create with": "pulumi", "created by": "Ankit"},
});

// Create Security Group DB
const securitygroupdb = new alicloud.ecs.SecurityGroup("alicloud-security-group-db", {
    name: "alicloud-security-group-db",
    description: "Alicloud DB Security Group",
    vpcId: vpc.id,
    innerAccessPolicy: "Allow",
    securityGroupType: "normal",
    tags: {"create with": "pulumi", "created by": "Ankit"},
});

// Create Security Group Rule DB (MySQL, only from the web server vSwitch)
const securitygroupruleinternaldb = new alicloud.ecs.SecurityGroupRule("alicloud-securitygrouprule-internal-db", {
    name: "alicloud-security-grouprule-db",
    description: "Allow DB Access",
    securityGroupId: securitygroupdb.id,
    cidrIp: "192.168.1.0/24",
    ipProtocol: "tcp",
    policy: "accept",
    portRange: "3306/3306",
    priority: 1,
    type: "ingress",
    tags: {"create with": "pulumi", "created by": "Ankit"},
});


// Create SSH key pair for the web server
const keypairweb = new alicloud.ecs.KeyPair("alicloud-webserver-keypair", {
    name: "Alicloud Web Server Key",
    keyFile: "aliyun-webserver-key",
    keyNamePrefix: "pulumi-",
    tags: {"create with": "pulumi", "created by": "Ankit"},
});
// Create SSH key pair for the database server
const keypairdb = new alicloud.ecs.KeyPair("alicloud-dbserver-keypair", {
    name: "Alicloud DB server Key",
    keyFile: "aliyun-dbserver-key",
    keyNamePrefix: "pulumi-",
    tags: {"create with": "pulumi", "created by": "Ankit"},
});

//Exports Data
exports.vpc = vpc.id;
exports.vswitchZ1 = vswitchZ1.id;
exports.vswitchZ2 = vswitchZ2.id;
exports.securitygroup = securitygroup.id;
exports.securitygroupruleexternalhttp = securitygroupruleexternalhttp.id;
exports.securitygroupruleexternalhttps = securitygroupruleexternalhttps.id;
exports.securitygroupdb = securitygroupdb.id;
exports.securitygroupruleinternaldb = securitygroupruleinternaldb.id;

Once the keys are generated, they can be found on the root of the project. 

A closer look at the code

  • keyFile: File name under which the private key is stored in the project
  • keyNamePrefix: Prefix for the key pair name stored on Alibaba Cloud

Step 10: Create Instances

Now that the components needed for an ECS instance are created, it is time to bind them together and create the ECS servers. There will be two ECS servers, one for the web server and the other for the database server.

The servers will be placed in separate vSwitches. The web server will be created with a public IP address, while the database server will be created without one.

"use strict";
const pulumi = require("@pulumi/pulumi");
const alicloud = require("@pulumi/alicloud");

// Create an Alibaba Cloud VPC
const vpc = new alicloud.vpc.Network("alicloud-pulumi-vpc", {
    cidrBlock: "192.168.0.0/16",
    description: "Alibaba Cloud VPC for Hosting Web Application created with pulumi",
    tags: {"create with": "pulumi", "created by": "Ankit"},
});

// Create VSwitches 
const vswitchZ1 = new alicloud.vpc.Switch("alicloud-vswitch-zone-a", {
    vpcId: vpc.id,
    cidrBlock: "192.168.1.0/24",
    description: "Vswitch 1",
    availabilityZone: "ap-southeast-1a",
    tags: {"create with": "pulumi", "created by": "Ankit"},
});
const vswitchZ2 = new alicloud.vpc.Switch("alicloud-vswitch-zone-b", {
    vpcId: vpc.id,
    cidrBlock: "192.168.2.0/24",
    description: "Vswitch 2",
    availabilityZone: "ap-southeast-1b",
    tags: {"create with": "pulumi", "created by": "Ankit"},
}); 

// Create Security Group Web
const securitygroup = new alicloud.ecs.SecurityGroup("alicloud-security-group", {
    name: "alicloud-security-group",
    description: "Alicloud Security Group",
    vpcId: vpc.id,
    innerAccessPolicy: "Allow",
    securityGroupType: "normal",
    tags: {"create with": "pulumi", "created by": "Ankit"},
});

// Create Security Group Rule HTTP
const securitygroupruleexternalhttp = new alicloud.ecs.SecurityGroupRule("alicloud-securitygrouprule-external-http", {
    name: "alicloud-security-grouprule-1-http",
    description: "Allow Web Access",
    securityGroupId: securitygroup.id,
    cidrIp: "0.0.0.0/0",
    ipProtocol: "tcp",
    policy: "accept",
    portRange: "80/80",
    priority: 1,
    type: "ingress",
    tags: {"create with": "pulumi", "created by": "Ankit"},
});

// Create Security Group Rule HTTPS
const securitygroupruleexternalhttps = new alicloud.ecs.SecurityGroupRule("alicloud-securitygrouprule-external-https", {
    name: "alicloud-security-grouprule-2-https",
    description: "Allow Secure Web Access",
    securityGroupId: securitygroup.id,
    cidrIp: "0.0.0.0/0",
    ipProtocol: "tcp",
    policy: "accept",
    portRange: "443/443",
    priority: 1,
    type: "ingress",
    tags: {"create with": "pulumi", "created by": "Ankit"},
});

// Create Security Group DB
const securitygroupdb = new alicloud.ecs.SecurityGroup("alicloud-security-group-db", {
    name: "alicloud-security-group-db",
    description: "Alicloud DB Security Group",
    vpcId: vpc.id,
    innerAccessPolicy: "Allow",
    securityGroupType: "normal",
    tags: {"create with": "pulumi", "created by": "Ankit"},
});

// Create Security Group Rule DB (MySQL, only from the web server vSwitch)
const securitygroupruleinternaldb = new alicloud.ecs.SecurityGroupRule("alicloud-securitygrouprule-internal-db", {
    name: "alicloud-security-grouprule-db",
    description: "Allow DB Access",
    securityGroupId: securitygroupdb.id,
    cidrIp: "192.168.1.0/24",
    ipProtocol: "tcp",
    policy: "accept",
    portRange: "3306/3306",
    priority: 1,
    type: "ingress",
    tags: {"create with": "pulumi", "created by": "Ankit"},
});


// Create SSH key pair for the web server
const keypairweb = new alicloud.ecs.KeyPair("alicloud-webserver-keypair", {
    name: "Alicloud Web Server Key",
    keyFile: "aliyun-webserver-key",
    keyNamePrefix: "pulumi-",
    tags: {"create with": "pulumi", "created by": "Ankit"},
});
// Create SSH key pair for the database server
const keypairdb = new alicloud.ecs.KeyPair("alicloud-dbserver-keypair", {
    name: "Alicloud DB server Key",
    keyFile: "aliyun-dbserver-key",
    keyNamePrefix: "pulumi-",
    tags: {"create with": "pulumi", "created by": "Ankit"},
});

// Create web server ECS (public zone, public IP)
const webserver = new alicloud.ecs.Instance("alicloud-web", {
    name: "Web Server",
    availabilityZone: "ap-southeast-1a",
    creditSpecification: "Standard",
    description: "Web Server",
    dryRun: false,                // boolean, not the string "false" (any non-empty string is truthy)
    forceDelete: true,
    hostName: "webserver1.anky.it",
    imageId: "ubuntu_18_04_64_20G_alibase_20190624.vhd",
    instanceChargeType: "PostPaid",
    instanceName: "webserver1.anky.it",
    instanceType: "ecs.t5-lc1m1.small",
    systemDiskCategory: "cloud_ssd",
    internetChargeType: "PayByTraffic",
    internetMaxBandwidthIn: 1,
    internetMaxBandwidthOut: 1,   // non-zero: a public IP address is allocated
    isOutdated: false,
    keyName: keypairweb.keyName,
    securityEnhancementStrategy: "Active",
    securityGroups: [securitygroup.id],
    vswitchId: vswitchZ1.id,
    systemDiskSize: 20,
    tags: {"create with": "pulumi", "created by": "Ankit"},
});

// Create DB server ECS (private zone, no public IP)
const dbserver = new alicloud.ecs.Instance("alicloud-db", {
    name: "DB Server",
    availabilityZone: "ap-southeast-1b",
    creditSpecification: "Standard",
    description: "DB Server",
    dryRun: false,
    forceDelete: true,
    hostName: "dbserver1.anky.it",
    imageId: "ubuntu_18_04_64_20G_alibase_20190624.vhd",
    instanceChargeType: "PostPaid",
    instanceName: "dbserver1.anky.it",
    instanceType: "ecs.t5-lc1m1.small",
    systemDiskCategory: "cloud_ssd",
    internetChargeType: "PayByTraffic",
    internetMaxBandwidthIn: 1,
    internetMaxBandwidthOut: 0,   // zero: no public IP address is allocated
    isOutdated: false,
    keyName: keypairdb.keyName,
    securityEnhancementStrategy: "Active",
    securityGroups: [securitygroupdb.id],
    vswitchId: vswitchZ2.id,
    systemDiskSize: 20,
    tags: {"create with": "pulumi", "created by": "Ankit"},
});

//Exports Data
exports.vpc = vpc.id;
exports.vswitchZ1 = vswitchZ1.id;
exports.vswitchZ2 = vswitchZ2.id;
exports.securitygroup = securitygroup.id;
exports.securitygroupruleexternalhttp = securitygroupruleexternalhttp.id;
exports.securitygroupruleexternalhttps = securitygroupruleexternalhttps.id;
exports.securitygroupdb = securitygroupdb.id;
exports.securitygroupruleinternaldb = securitygroupruleinternaldb.id;
exports.webserver = webserver.id;
exports.webserverprivateip = webserver.privateIp;   // separate export names so neither value is overwritten
exports.webserverpublicip = webserver.publicIp;
exports.dbserver = dbserver.id;
exports.dbserverprivateip = dbserver.privateIp;
exports.dbserverpublicip = dbserver.publicIp;       // empty: the DB server has no public IP

A closer look at the code

  • availabilityZone: Availability zone where the instance will be created
  • creditSpecification: Running performance of the burstable instance
  • description: Server description
  • dryRun: If true, only a dry-run request is sent to validate the configuration and no instance is created
  • forceDelete: A "PrePaid" instance will be changed to "PostPaid" and then deleted forcibly
  • hostName: server host name
  • imageId: OS/Image to deploy
  • instanceChargeType: Instance billing type
  • instanceName: Instance Name
  • instanceType: Instance Type
  • systemDiskCategory: System disk type
  • internetChargeType: Traffic charge type
  • internetMaxBandwidthIn: Max bandwidth for public Ingress
  • internetMaxBandwidthOut: Max bandwidth for public egress
  • isOutdated: Whether to use outdated instance type
  • keyName: key pair to map
  • securityEnhancementStrategy: Enable the security enhancement strategy; it only works with system images.
  • securityGroups: Security group ids to map
  • vswitchId: Virtual switch id to map
  • systemDiskSize: System disk size

Step 11: Destroy Infrastructure

To destroy the infrastructure provisioned by this script, use "pulumi destroy".

Summary:

Pulumi is a comparatively easy infrastructure as code framework with which developers can provision infrastructure, in the programming language they already know, without much effort.

Pulumi community edition is free forever for a single user. It supports all public cloud providers and with proper planning, one can create and deploy infrastructure quickly.

Commands Mindmap:

Next Steps:

As in any other development life cycle, it is important to validate infrastructure code. The next blog post will cover understanding and writing unit tests for infrastructure code.

About Author:

Ankit Mehta is an Alibaba Cloud MVP (2018-2020) and works as a DevOps specialist at Central-Tech. Ankit helps development teams improve their Continuous Integration and Continuous Deployment processes.

To know more about Central Tech and various openings please visit https://jobs.central.tech/jobs/

Be a part of Central Tech Retail Labs by submitting your project / idea at CTRL, https://ctrl.central.tech/

Reference Links:


WordPress Deployment – Alibaba Cloud Simple Application Server

A slow website is always a pain for any blogger using WordPress. There are many reasons for a slow WordPress site, and one of them is noisy neighbours.

One can host a WordPress blog on shared hosting; however, if any site on the same server requires heavy computation or memory, it may impact the overall performance of your website. Using a cloud server is one solution to this issue.

This blog post will guide you through building a WordPress blog using Alibaba Cloud Simple Application Server, which lets you deploy a pre-built application with just a few mouse clicks.

Simple Application Server integrates with other popular Alibaba Cloud services such as VPC, DNS and SSL. For static content delivery it can also be integrated with Alibaba Cloud CDN.

Simple Application Server makes it possible to deploy an application with little or no experience of cloud technology.

Simple Application Server Product Architecture

(Reference: https://www.alibabacloud.com/help/doc-detail/58612.html)

Simple Application Server Use Cases:

Simple Application Server is the best choice when one has little IT and server management knowledge and wants to start a cloud journey. There are many use cases for Simple Application Server; some of them are as follows:

  • Personal Blog Hosting : Simple application server can be used as a personal blogging platform. Once deployed, one can map it with a custom domain name.
  • Development Environment: Simple Application Server is a developer’s friend. Developers can use it as a development or staging environment.
  • Small E-Commerce Store: Simple application server can be used as a small ecommerce store, developed with WordPress and WooCommerce, Joomla or OpenCart

Simple Application Server Deployment:

A few steps are required to install and configure the Simple Application Server WordPress application.


  1. Visit Alibaba Cloud Simple Application Server purchase page. (https://www.alibabacloud.com/product/swas)
  2. Click Buy Now
  3. Select Region: The region should be the one closest to where most of the website visitors are expected. Currently a limited number of regions are available. If the website traffic is mainly expected from South East Asia, select Asia Pacific SE1 (Singapore).

Select Application Image / OS Image:

Application Image: There are a number of predefined application images defined such as WordPress, LAMP (Linux Apache MySQL PHP) , Drupal, Joomla, Ghost, Open Cart, Plesk.

If your application does not match any of the predefined CMS images but uses a LAMP environment, you can deploy it on the LAMP image or the Plesk image.

OS Image: If one wants to deploy an application without using the predefined application images, an OS image is the other option. For this blog post the scope is limited to the predefined WordPress image; a future blog post will cover the OS image option.

At a glance, one can choose any of the popular image options from Linux and Windows.

Select Instance Plan:

Select the instance plan that fits your needs. Plans differ from region to region.

Select Additional Data Disk (optional):

Based on your needs, one can buy an additional data disk. One can configure backup / data storage and retrieval on the data disk for an additional layer of disaster recovery.

Additional data disk configuration is out of scope for this blog post; we will cover it in a future blog post along with OS disk configuration.

Select Subscription:

Select a subscription for your application server. Discounts are available for longer subscriptions. If one wants to auto-renew the subscription, make sure to select that option.

Verify the current selection before making a purchase. If everything looks good then click Buy Now.

Pay for the instance:

Accept the general terms and the End User License Agreement and click Pay.

Final Confirmation before Payment:

Verify all the details before final payment and, if everything looks good, click Pay Now. The payment process and server allocation may take 5-10 minutes. Once the server is ready you should receive an email, or one can get the details from the Alibaba Cloud Web Console under the Simple Application Server menu.

WordPress Access and Configuration:

To access the server from the Alibaba Cloud Console, navigate to the Products menu and select Simple Application Server. To add Simple Application Server to the quick launch menu, click the star next to it.

The simple application server menu will show the configured application name with status.

The left navigation menu shows the dependent components of the server.

  1. Disk List: Disk list shows the list of storage disks configured with the application
  2. Snapshot List: Shows the snapshot chain if backup is configured for the application. It is a best practice to configure snapshots, so that in case of any failure the server can be reverted to a previous known state.

Application Configuration:

The application dashboard shows website traffic utilization, CPU Utilization, Public and Private IP addresses, Application image detail and package validity.

From the package validity panel one can upgrade the configuration to the next available package if needed.


Once the application initialization is complete, there is a three-step process to complete the configuration.

Step 1: Map the Domain Name: The website can be accessed through its public IP address; to make it accessible through a domain name, click Add Now under Website Settings.

Enter the domain name you wish to bind to the website. Once the domain name is added, add an A record in your domain control panel pointing to the application server's IP address.

If you do not have a domain name and wish to purchase one, click Buy Now to purchase a domain from the Alibaba Cloud Domain Registry Service.

If you wish to bind an SSL certificate to the website, click HTTPS to open the SSL dialog and bind a certificate purchased from the Alibaba Cloud SSL Certificate Service.

Alternatively, you can activate SSL at the CDN level if you do not wish to buy an EV certificate. (Alibaba Cloud provides a free certificate for the CDN service; however, the HTTP rewrite service is charged by number of requests.)

Step 2: Firewall: Simple Application Server configures three firewall rules:

A. Port 80 – HTTP traffic

B. Port 443 – HTTPS traffic

C. Port 22 – SSH traffic

It is recommended to keep only the ports the application needs. If you do not wish to use the SSH port, remove it from the configuration by clicking Delete next to it.

If your application requires a different port, it can be added by clicking Add New or by modifying an existing rule.

Step 3: Application Access Details: After completing the steps above, get the details needed to log on to the WordPress control panel by clicking Set Now under Deploy Application.

Click the Connect button under WordPress Information. This opens a browser-based command terminal. Paste the command given in the box.

Open a browser window to access the WordPress control panel:

http://<your website>/wp-admin , enter admin as the username and the password you received from the command shell.

This should redirect you to the WordPress administrator dashboard. From here you can upgrade WordPress to the latest available version and start using the system.


This concludes the tutorial to deploy a WordPress website on simple application server!

Next Steps:

In future blog posts we will cover security and performance fixes for the Simple Application Server.

Have you deployed an application on Simple Application Server? Please share your experience with us by writing in the comments box below.


Alibaba Cloud – Resource Access Management

Migration to the cloud comes with challenges. A good cloud implementation strategy helps in utilizing the cloud effectively with the least monitoring and management effort.

Cloud basics start with proper access management. This blog post provides guidelines for implementing Resource Access Management (RAM) on Alibaba Cloud.

Alibaba Cloud RAM is an identity and access control service that allows management of users and resources from a central portal. There are three ways to manage RAM:

  1. From the Alibaba Cloud Console
  2. With Alibaba Cloud API
  3. With Alibaba Cloud SDK

This blog post focuses on the Alibaba Cloud Console method.

Accessing Alibaba Cloud RAM

To access Alibaba Cloud RAM, navigate to Products and search for RAM. To pin RAM to the quick launch, click the star next to RAM.

For the first time, users are required to accept the terms and conditions to activate the RAM service.

Accessing Alibaba Cloud RAM

Alibaba Cloud RAM Dashboard

The Alibaba Cloud RAM dashboard provides a high-level overview along with security recommendations for the account.

Alibaba Cloud RAM Dashboard

Best Practices:

  • The root account / primary account should be created with a complex password.
  • All accounts must also have Multi-Factor Authentication activated for added security.
  • No resources or access keys should be created with the root account.
  • Create a RAM user with account administrator rights. A RAM account with admin rights, or with the least privileges needed, should be used for daily account administration tasks.

Alibaba Cloud Groups

To simplify the management of users and role assignment, create groups and assign users to specific groups according to the tasks they perform.

Groups can be created based on the name of the department or working group. For an IT company, the group names can be DevOps, QA, Developer and Finance.

To create groups navigate to the Groups under the identity section of the RAM dashboard.

Alibaba Cloud Groups

Alibaba Cloud RAM Users

Alibaba Cloud RAM supports two types of users:

  1. Users with Console Access (Web Access)
  2. Users with Programmatic Access

Before creating any users, decide on the user type. If a user needs to log on to the Alibaba Cloud Web Console to perform tasks, provide console access. If the user needs to access the system using the API / SDK, select the user creation option with programmatic access.

Alibaba Cloud RAM Users

On creation of a user with programmatic access, the portal provides an AccessKeyId and AccessKeySecret. Note that these details are shown only once, so store them securely at that point. Programmatic access users can also be added to groups.

Alibaba Cloud RAM Users

Creating a console access user requires setting up some extra parameters, including password generation, a forced password reset on the next login, and activation of MFA.

It is recommended to force users to activate MFA on their first login. This improves the overall security of the cloud account.

Alibaba Cloud RAM Users

Alibaba Cloud RAM User to Group Assignment

Users can be added to any group by clicking “Add to Group” in the Users section or “Add Group Members” in the Groups section. Note that a user added to a group receives all the permissions assigned to that group.

Alibaba Cloud RAM User to Group Assignment

Alibaba Cloud RAM User Settings

Enhanced RAM settings can be applied according to company policy. Some of the settings include:

  • Don’t allow Password to Contain Username
  • Password Length
  • Allow / Deny User Logon Action After Password Expires

Alibaba Cloud RAM User Settings

To change the existing password rules, click Edit Password Rules / Update RAM User Security Settings.

With the advanced security settings, the default named identifier of the Alibaba Cloud RAM user (the domain alias used at login) can be updated to a name of your choice.

Alibaba Cloud RAM User Settings

Alibaba Cloud RAM SSO

Alibaba Cloud RAM can be integrated with SAML 2.0 based authentication to provide seamless SSO functionality. There are two types of SSO available:

  1. User-based SSO
  2. Role-based SSO

User-based SSO allows enterprise users to access the cloud portal as a RAM user. Here the users need to be synced with Alibaba Cloud.

Role-based SSO does not require the user sync with Alibaba Cloud; enterprise users access Alibaba Cloud services based on the role they assume.

Alibaba Cloud RAM Grants

Alibaba Cloud RAM Grants help in validating the policies assigned to a group or user. The Grants module can be used to revoke an existing policy or assign a new policy to a user or group. To revoke all permissions, click Revoke Permission in that section.

Alibaba Cloud RAM Grants

Alibaba Cloud RAM Permissions

Alibaba Cloud RAM permissions represent the rule set for RAM users, groups and roles. There are several predefined permissions (system policies) that can be assigned to users, groups or roles in this section.

Alibaba Cloud RAM Permissions

Alibaba Cloud RAM also allows users to create custom policies. These can be created with easy-to-follow steps in the console or programmatically (JSON syntax).

As an example, if a policy is needed so that a user/group cannot delete a VM, the following option can be chosen to create the rule definition.

Alibaba Cloud RAM Permissions

To create the same policy as a script (JSON syntax):

Alibaba Cloud RAM Permissions
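The "cannot delete a VM" policy above, written out as a RAM policy document, together with a small evaluator that shows why an explicit Deny is the safe way to express it: it still blocks deletion when a broader Allow policy (for example a predefined full-access ECS policy) is attached to the same group. This is an added example, not the blog's own script or Alibaba Cloud's evaluation engine; it assumes `ecs:DeleteInstance` is the ECS action for deleting an instance and that RAM applies explicit Deny before any Allow.

```javascript
// Added example: custom RAM policy denying VM deletion, plus a minimal
// evaluator mirroring the effect ordering assumed above (explicit Deny wins).

// Custom policy: explicitly forbid deleting any ECS instance (VM).
// Assumption: "ecs:DeleteInstance" is the ECS delete action name.
const denyDeleteVm = {
  Version: "1",
  Statement: [
    { Effect: "Deny", Action: "ecs:DeleteInstance", Resource: "*" },
  ],
};

// A broad Allow policy, standing in for a predefined full-access policy that
// might also be attached to the same group.
const allowAllEcs = {
  Version: "1",
  Statement: [{ Effect: "Allow", Action: "ecs:*", Resource: "*" }],
};

// The JSON text you would paste into the console's script editor.
function policyJson(policy) {
  return JSON.stringify(policy, null, 2);
}

// Match a pattern such as "ecs:*" (string or array of strings) against a value.
function patternMatches(pattern, value) {
  const patterns = Array.isArray(pattern) ? pattern : [pattern];
  return patterns.some((p) => {
    const escaped = p.replace(/[.+?^${}()|[\]\\]/g, "\\$&").replace(/\*/g, ".*");
    return new RegExp("^" + escaped + "$").test(value);
  });
}

// Evaluate one request against every policy attached to a principal.
// Any matching Deny statement is final; otherwise a matching Allow permits;
// with no matching statement at all the request is implicitly denied.
function evaluate(policies, action, resource) {
  let allowed = false;
  for (const policy of policies) {
    for (const st of policy.Statement) {
      if (!patternMatches(st.Action, action)) continue;
      if (!patternMatches(st.Resource, resource)) continue;
      if (st.Effect === "Deny") return "Deny"; // explicit deny overrides
      if (st.Effect === "Allow") allowed = true;
    }
  }
  return allowed ? "Allow" : "Deny";
}
```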

Alibaba Cloud RAM Policy Assignment

To assign one or more permissions to a user or group, navigate to the Grants section and assign the required policies. The following is an example of assigning read-only Finance access to the Finance group.

Alibaba Cloud RAM Policy Assignment

Alibaba Cloud RAM Roles

Roles are similar to RAM users. Users are created for long-term access, whereas roles are mainly used for temporary access to resources in another Alibaba Cloud account. Roles delegate access to users, applications or services without handing out long-term credentials to your Alibaba Cloud resources.

Alibaba Cloud RAM Roles

This blog post covered an introduction to Alibaba Cloud RAM. The next blog post will cover custom policy creation and selecting proper policies.

Have you tried Alibaba Cloud RAM? How was your experience configuring policies? Have you tried creating custom policies? What are your pain points in using RAM, creating Users, Groups, Policies and Roles? What do you want us to cover in the upcoming blog posts? Do let us know your comments in the discussion box below.


Getting Started with Alibaba Cloud

I have worked with almost all public cloud service providers, ranging from Digital Ocean, Vultr, Google Cloud Platform, Azure and AWS to Alibaba Cloud. Among all of them, Alibaba Cloud is feature rich and also the best platform to start your cloud journey.

At the time of writing this blog post, Alibaba Cloud offers more than 40 services to support your cloud journey. You can start with something as simple as a Virtual Private Server and go all the way up to a Kubernetes cluster.

Alibaba Cloud provides a series of learning tools that you can use to get started. This blog post focuses on some of the tools. 

  • Alibaba Cloud Service Documentation: 

Each service that Alibaba Cloud offers comes with detailed documentation. This documentation can help you learn from the very basics to advanced usage of the service.

Almost all of the documentation includes a Quick Start Guide that can help you get started with any service very quickly.

The Alibaba Cloud document center can be accessed at https://www.alibabacloud.com/help

  • Alibaba Cloud Academy:

Alibaba Cloud Academy provides video training, mini sessions and detailed training sessions to gain deeper knowledge of each service.

Alibaba Cloud Academy can be accessed at https://edu.alibabacloud.com/

  • Coursera:

Alibaba Cloud has recently launched courses on Coursera. These training courses teach you how to architect Alibaba Cloud infrastructure.

Alibaba Cloud courses on Coursera can be found at https://www.coursera.org/specializations/alibabacloud