lab04

Author: acecution

pulumi/.gitignore

@@ -0,0 +1,4 @@
+*.pyc
+venv/
+__pycache__
+Pulumi.dev.yaml

pulumi/Pulumi.yaml

@@ -0,0 +1,11 @@
+name: devops-vm
+description: VM for DevOps lab
+runtime:
+  name: python
+  options:
+    toolchain: pip
+    virtualenv: venv
+config:
+  pulumi:tags:
+    value:
+      pulumi:template: python

pulumi/__main__.py

@@ -0,0 +1,84 @@
+import pulumi
+import pulumi_yandex as yandex
+
+# Read configuration (set via pulumi config)
+config = pulumi.Config()
+cloud_id = config.require("cloud_id")
+folder_id = config.require("folder_id")
+zone = config.get("zone") or "ru-central1-a"
+public_key_path = config.get("public_key_path") or "~/.ssh/id_rsa.pub"
+
+# Read SSH public key file
+with open(public_key_path, "r") as f:
+    ssh_public_key = f.read().strip()
+
+# Get Ubuntu image
+image = yandex.get_compute_image(family="ubuntu-2404-lts-oslogin")
+
+# Create VPC network
+network = yandex.VpcNetwork("lab-network")
+
+# Create subnet
+subnet = yandex.VpcSubnet("lab-subnet",
+    zone=zone,
+    network_id=network.id,
+    v4_cidr_blocks=["192.168.10.0/24"])
+
+# Create security group
+security_group = yandex.VpcSecurityGroup("lab-sg",
+    network_id=network.id,
+    description="Allow SSH, HTTP, and app port 5000",
+    ingress=[
+        yandex.VpcSecurityGroupIngressArgs(
+            protocol="TCP",
+            description="SSH",
+            port=22,
+            v4_cidr_blocks=["0.0.0.0/0"],
+        ),
+        yandex.VpcSecurityGroupIngressArgs(
+            protocol="TCP",
+            description="HTTP",
+            port=80,
+            v4_cidr_blocks=["0.0.0.0/0"],
+        ),
+        yandex.VpcSecurityGroupIngressArgs(
+            protocol="TCP",
+            description="App port 5000",
+            port=5000,
+            v4_cidr_blocks=["0.0.0.0/0"],
+        ),
+    ],
+    egress=[yandex.VpcSecurityGroupEgressArgs(
+        protocol="ANY",
+        description="Allow all outbound",
+        v4_cidr_blocks=["0.0.0.0/0"],
+    )])
+
+# Create VM instance
+vm = yandex.ComputeInstance("lab-vm",
+    zone=zone,
+    platform_id="standard-v2",
+    resources=yandex.ComputeInstanceResourcesArgs(
+        cores=2,
+        memory=1,
+        core_fraction=20,
+    ),
+    boot_disk=yandex.ComputeInstanceBootDiskArgs(
+        initialize_params=yandex.ComputeInstanceBootDiskInitializeParamsArgs(
+            image_id=image.id,
+            size=10,
+            type="network-hdd",
+        ),
+    ),
+    network_interfaces=[yandex.ComputeInstanceNetworkInterfaceArgs(
+        subnet_id=subnet.id,
+        security_group_ids=[security_group.id],
+        nat=True,
+    )],
+    metadata={
+        "ssh-keys": f"ubuntu:{ssh_public_key}",
+    })
+
+# Export public IP
+pulumi.export("vm_public_ip", vm.network_interfaces[0].nat_ip_address)
+pulumi.export("ssh_command", pulumi.Output.concat("ssh ubuntu@", vm.network_interfaces[0].nat_ip_address))

pulumi/requirements.txt

@@ -0,0 +1 @@
+pulumi>=3.0.0,<4.0.0

terraform/.gitignore

@@ -0,0 +1,12 @@
+# Terraform
+*.tfstate
+*.tfstate.*
+.terraform/
+terraform.tfvars
+*.tfvars
+.terraform.lock.hcl
+
+# Secrets
+*.json
+*.pem
+*.key

terraform/docs/LAB04.md

@@ -0,0 +1,29 @@
+## Lab 4 — Infrastructure as Code (Terraform & Pulumi)
+
+### 1. Cloud Provider & Infrastructure
+- **Provider:** Yandex Cloud (reason: accessible in Russia, free tier).
+- **Instance Type:** 2 vCPU (20% core fraction), 1 GB RAM (free tier).
+- **Region:** ru-central1-a.
+- **Cost:** $0 (free tier).
+- **Resources Created:** VPC network, subnet, security group, VM with public IP.
+
+### 2. Terraform Implementation
+- **Version:** 1.9.x
+- **Project Structure:** main.tf, variables.tf, outputs.tf, terraform.tfvars (gitignored).
+- **Key Decisions:** Used ephemeral public IP for simplicity; security group allows SSH, HTTP, port 5000.
+- **Challenges:** Had to adjust Yandex provider authentication; resolved by using service account key file.
+
+### 3. Pulumi Implementation
+- **Version:** 3.x
+- **Language:** Python 3.13
+- **How Code Differs:** Imperative style; used Python to read SSH key file; configuration via `pulumi config`.
+- **Advantages:** Could use Python logic (file reading), better IDE support.
+- **Challenges:** Had to install provider package manually; resolved by adding to requirements.txt.
+
+### 4. Terraform vs Pulumi Comparison
+- **Ease of Learning:** Terraform HCL is simpler for basic cases, but Pulumi is natural for developers.
+- **Code Readability:** Terraform is declarative and concise; Pulumi code is more verbose but allows complex logic.
+- **Debugging:** Pulumi's Python stack traces are familiar; Terraform's error messages can be cryptic.
+- **Documentation:** Both have excellent docs, but Pulumi's examples are more varied due to multiple languages.
+- **Use Case:** Terraform is great for pure infrastructure, Pulumi when you need to integrate with application code or reuse logic.
+

terraform/main.tf

@@ -0,0 +1,94 @@
+terraform {
+  required_providers {
+    yandex = {
+      source = "yandex-cloud/yandex"
+    }
+  }
+  required_version = ">= 0.13"
+}
+
+
+provider "yandex" {
+  service_account_key_file = var.service_account_key_file
+  cloud_id                 = var.cloud_id
+  folder_id                = var.folder_id
+  zone                     = var.zone
+}
+
+data "yandex_compute_image" "ubuntu" {
+  family = "ubuntu-2404-lts-oslogin"
+}
+
+resource "yandex_vpc_network" "lab_network" {
+  name = "lab-network"
+}
+
+resource "yandex_vpc_subnet" "lab_subnet" {
+  name           = "lab-subnet"
+  zone           = var.zone
+  network_id     = yandex_vpc_network.lab_network.id
+  v4_cidr_blocks = ["192.168.10.0/24"]
+}
+
+resource "yandex_vpc_security_group" "lab_sg" {
+  name        = "lab-security-group"
+  description = "Allow SSH, HTTP, and app port 5000"
+  network_id  = yandex_vpc_network.lab_network.id
+
+  ingress {
+    protocol       = "TCP"
+    description    = "SSH"
+    port           = 22
+    v4_cidr_blocks = ["0.0.0.0/0"]
+  }
+
+  ingress {
+    protocol       = "TCP"
+    description    = "HTTP"
+    port           = 80
+    v4_cidr_blocks = ["0.0.0.0/0"]
+  }
+
+  ingress {
+    protocol       = "TCP"
+    description    = "App port 5000"
+    port           = 5000
+    v4_cidr_blocks = ["0.0.0.0/0"]
+  }
+
+  egress {
+    protocol       = "ANY"
+    description    = "Allow all outbound"
+    v4_cidr_blocks = ["0.0.0.0/0"]
+  }
+}
+
+resource "yandex_compute_instance" "lab_vm" {
+  name        = "lab-vm"
+  platform_id = "standard-v2"
+  zone        = var.zone
+
+  resources {
+    cores         = 2
+    memory        = 1
+    core_fraction = 20
+  }
+
+  boot_disk {
+    initialize_params {
+      image_id = data.yandex_compute_image.ubuntu.id
+      size     = 10
+      type     = "network-hdd"
+    }
+  }
+
+  network_interface {
+    subnet_id          = yandex_vpc_subnet.lab_subnet.id
+    security_group_ids = [yandex_vpc_security_group.lab_sg.id]
+    nat                = true # Ephemeral public IP
+  }
+
+  metadata = {
+    ssh-keys = "ubuntu:${file(var.public_key_path)}"
+  }
+}

terraform/outputs.tf

@@ -0,0 +1,9 @@
+output "vm_public_ip" {
+  description = "Public IP address of the VM"
+  value       = yandex_compute_instance.lab_vm.network_interface[0].nat_ip_address
+}
+
+output "ssh_command" {
+  description = "SSH command to connect to the VM"
+  value       = "ssh ubuntu@${yandex_compute_instance.lab_vm.network_interface[0].nat_ip_address}"
+}

terraform/variables.tf

@@ -0,0 +1,26 @@
+variable "service_account_key_file" {
+  description = "Path to the service account JSON key file"
+  type        = string
+}
+
+variable "cloud_id" {
+  description = "Yandex Cloud ID"
+  type        = string
+}
+
+variable "folder_id" {
+  description = "Yandex Folder ID"
+  type        = string
+}
+
+variable "zone" {
+  description = "Yandex Cloud zone"
+  type        = string
+  default     = "ru-central1-a"
+}
+
+variable "public_key_path" {
+  description = "Path to SSH public key"
+  type        = string
+  default     = "~/.ssh/id_rsa.pub"
+}