
IaC ‐ Pulumi

PallaviChitrada edited this page Dec 25, 2025 · 1 revision

QA RDS Infrastructure Provisioning with Pulumi


A reproducible Infrastructure as Code (IaC) setup to provision a private PostgreSQL RDS instance, using Pulumi (Python) and AWS best practices.




Directory Structure

rds-terraform/pulumi/
├── Pulumi.yaml
├── Pulumi.dev.yaml
├── main.py
└── README.md

File Descriptions


Pulumi.yaml

Defines Pulumi project metadata.

This file is mandatory for Pulumi to detect and execute the project.


Pulumi.dev.yaml

Example stack configuration file showing required inputs.

This file demonstrates structure only and must not contain secrets.


main.py

Pulumi program written in Python that defines:

  • RDS instance

  • Engine and instance class

  • VPC security group attachment

  • Public accessibility settings
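The following is an added example of what a main.py in the shape just described looks like; it is not the repository's own program. The instance arguments are built by a pure function so the hardening settings can be checked on a machine without an AWS account or the pulumi packages. Assumptions: the project name is rds-deployment (as the config keys on this page imply), the names rds_instance_args, deploy and "qa-postgres" are this example's own, the username and storage size are placeholders the page does not specify, and storage encryption is added hardening the page does not mention.

```python
"""
Added example, not the repository's main.py: a Pulumi (Python) program that
defines a private PostgreSQL RDS instance attached to one externally managed
security group. Assumed names: rds_instance_args, deploy, "qa-postgres".
"""


def rds_instance_args(environment, instance_class, vpc_security_group_id, password):
    """Return keyword arguments for aws.rds.Instance.

    Everything security-relevant is pinned here rather than left to provider
    defaults: no public address, exactly one security group, password passed
    through from a Pulumi secret.
    """
    if not instance_class.startswith("db."):
        raise ValueError(f"not an RDS instance class: {instance_class!r}")
    if not vpc_security_group_id:
        raise ValueError("vpc_security_group_id must be set")
    return {
        "engine": "postgres",
        "instance_class": instance_class,
        "allocated_storage": 20,              # assumption: smallest useful QA size (GiB)
        "db_name": f"{environment}db",
        "username": "qa_admin",               # assumption: the page does not name the user
        "password": password,
        "vpc_security_group_ids": [vpc_security_group_id],
        "publicly_accessible": False,         # "No public access"
        "storage_encrypted": True,            # added hardening, not stated on the page
        "skip_final_snapshot": True,          # lets `pulumi destroy` remove it without a snapshot
        "tags": {"Environment": environment, "ManagedBy": "pulumi"},
    }


def deploy():
    """Entry point executed by the Pulumi CLI.

    The imports are local so rds_instance_args can be imported and tested on a
    machine without the pulumi packages installed.
    """
    import pulumi
    import pulumi_aws as aws

    config = pulumi.Config()  # reads the rds-deployment:* keys of the selected stack
    # Explicit provider so the region comes from the stack's aws_region key.
    provider = aws.Provider("aws", region=config.require("aws_region"))
    args = rds_instance_args(
        environment=config.require("environment"),
        instance_class=config.require("db_instance_class"),
        vpc_security_group_id=config.require("vpc_security_group_id"),
        password=config.require_secret("db_password"),  # stays encrypted in state and outputs
    )
    instance = aws.rds.Instance(
        "qa-postgres", opts=pulumi.ResourceOptions(provider=provider), **args
    )
    pulumi.export("endpoint", instance.endpoint)
    pulumi.export("publicly_accessible", instance.publicly_accessible)


if __name__ == "__main__":
    deploy()
```

One caveat worth keeping in mind: publicly_accessible=False removes the public address, but reachability is then decided by the subnet group the instance lands in and by the attached security group, both of which this setup takes from the externally managed VPC.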


README.md

Local documentation reference (mirrored here in the wiki).


Infrastructure Architecture

[ Pulumi CLI ]
      |
      v
[ AWS APIs ]
      |
      v
[ RDS PostgreSQL Instance ]
      |
      v
[ Private VPC + Security Group ]

Key Properties

  • No public access

  • Scoped to a specific VPC security group

  • Intended for QA usage

  • Fully managed by Pulumi lifecycle


Prerequisites


Local Tools

  • Python 3.9+

  • Pulumi CLI v3+

  • AWS CLI (for authentication)


AWS Access


Pulumi requires programmatic AWS access, one of:

  • AWS SSO CLI access

  • Assume-role access

  • QA-scoped access keys provided by DevSecOps


Console-only AWS access is not sufficient.


Configuration


Pulumi requires the following configuration values to be set per stack:

Config Key             Required      Description
aws_region             Yes           AWS region for deployment
environment            Yes           Environment name (e.g. qa)
db_instance_class      Yes           RDS instance type
vpc_security_group_id  Yes           Restricts network access
db_password            Yes (Secret)  Database password

Example Configuration

config:
  rds-deployment:aws_region: eu-west-1
  rds-deployment:environment: qa
  rds-deployment:db_instance_class: db.t3.micro
  rds-deployment:vpc_security_group_id: sg-xxxxxxxx

Secrets must always be set using --secret and are never committed.
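As an added example (not part of the repository), the check below is the kind of pre-commit guard that enforces the two rules above on a real stack file such as Pulumi.qa-test.yaml: every required key is present, and db_password appears only in the encrypted `secure:` form that `pulumi config set --secret` writes, never as plaintext. It assumes the project name rds-deployment (as the keys imply) and parses the flat two-level `config:` mapping by hand so it runs without PyYAML; the two stack files are constructed samples with a shortened ciphertext.

```python
"""
Added example, not part of the repository: validate a Pulumi stack config
file before it is committed. Assumed: project name rds-deployment.
"""
import re

PROJECT = "rds-deployment"
REQUIRED = ("aws_region", "environment", "db_instance_class",
            "vpc_security_group_id", "db_password")
SECRET_KEYS = ("db_password",)
# AWS security group IDs: sg- followed by 8 or 17 lowercase hex characters.
SG_ID_RE = re.compile(r"^sg-[0-9a-f]{8}([0-9a-f]{9})?$")


def parse_stack_config(text):
    """Return {full_key: value} for the `config:` section.

    Plain values come back as strings; encrypted ones (`secure: <ciphertext>`
    indented under the key) come back as {"secure": ciphertext}. Values that
    themselves contain ":" are not supported by this minimal parser.
    """
    entries = {}
    current = None
    for raw in text.splitlines():
        line = raw.rstrip()
        if not line.strip() or line.lstrip().startswith("#") or line == "config:":
            continue
        indent = len(line) - len(line.lstrip())
        key, _, value = line.strip().rpartition(":")
        value = value.strip()
        if indent == 2:                       # top-level config entry
            current = key
            entries[current] = value or {}    # empty value: a nested block follows
        elif indent == 4 and current is not None and key == "secure":
            entries[current] = {"secure": value}
    return entries


def check_stack_config(entries):
    """Return a list of findings; an empty list means the file is safe to commit."""
    findings = []
    for name in REQUIRED:
        full = f"{PROJECT}:{name}"
        if full not in entries:
            findings.append(f"missing required key {full}")
            continue
        value = entries[full]
        if name in SECRET_KEYS:
            if not (isinstance(value, dict) and value.get("secure")):
                findings.append(f"{full} is stored in plaintext; set it with --secret")
        elif isinstance(value, dict):
            findings.append(f"{full} is unexpectedly encrypted")
        elif name == "vpc_security_group_id" and not SG_ID_RE.match(value):
            findings.append(f"{full} is not a security group id: {value!r}")
    return findings


# Constructed sample: a stack file after the `pulumi config set` steps, with
# the password set via --secret (ciphertext shortened).
GOOD_STACK = """\
config:
  rds-deployment:aws_region: eu-west-1
  rds-deployment:environment: qa
  rds-deployment:db_instance_class: db.t3.micro
  rds-deployment:vpc_security_group_id: sg-0a1b2c3d
  rds-deployment:db_password:
    secure: AAABAMmH4r3example-ciphertext
"""

# Constructed sample of the mistake the rule above forbids: the password was
# set without --secret, and the security group is still the template placeholder.
BAD_STACK = """\
config:
  rds-deployment:aws_region: eu-west-1
  rds-deployment:environment: qa
  rds-deployment:db_instance_class: db.t3.micro
  rds-deployment:vpc_security_group_id: sg-xxxxxxxx
  rds-deployment:db_password: hunter2
"""

if __name__ == "__main__":
    for label, text in (("good", GOOD_STACK), ("bad", BAD_STACK)):
        print(label, check_stack_config(parse_stack_config(text)) or "ok")
```

Run against the template Pulumi.dev.yaml it reports db_password as missing, which is the intended result: the template documents structure only, and the real value belongs solely in the untracked stack file.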


Installation


macOS

brew install pulumi

Verify:

pulumi version


Windows


Option 1: Chocolatey

choco install pulumi

Option 2: Manual Installer

Download from:

https://www.pulumi.com/docs/install/


Verify:

pulumi version


Step-by-Step Usage


1. Initialize or Select Stack

pulumi stack init qa-test
pulumi stack select qa-test

2. Set Configuration

pulumi config set rds-deployment:aws_region eu-west-1
pulumi config set rds-deployment:environment qa
pulumi config set rds-deployment:db_instance_class db.t3.micro
pulumi config set rds-deployment:vpc_security_group_id <SG_ID>
pulumi config set rds-deployment:db_password <PASSWORD> --secret

3. Preview Changes

pulumi preview

4. Deploy Infrastructure

pulumi up

5. Verify in AWS Console

  • RDS engine: PostgreSQL

  • Public access: Disabled

  • Correct VPC and security group attached


Security Considerations

  • No public IP exposure

  • Security group must not allow 0.0.0.0/0

  • Secrets encrypted by Pulumi

  • Stack configuration files with secrets are not committed

  • IAM access managed by DevSecOps
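Because the security group is managed outside this stack, the rule that it must not allow 0.0.0.0/0 is worth verifying before `pulumi up` rather than trusting. The following added audit (not part of the repository) reads the JSON shape returned by `aws ec2 describe-security-groups --group-ids <SG_ID>` and reports every ingress rule open to the world on IPv4 or IPv6, flagging whether it covers the PostgreSQL port; the JSON embedded below is constructed sample output, not a real group.

```python
"""
Added example, not part of the repository: find world-open ingress rules in
`aws ec2 describe-security-groups` output. The sample data is constructed.
"""
import json

POSTGRES_PORT = 5432
WORLD = {"0.0.0.0/0", "::/0"}


def rule_ports(rule):
    """Describe the port range of an IpPermissions entry; protocol -1 means all traffic."""
    if rule.get("IpProtocol") == "-1":
        return "all ports"
    low, high = rule.get("FromPort"), rule.get("ToPort")
    return str(low) if low == high else f"{low}-{high}"


def world_open_ingress(describe_output):
    """Return one finding per ingress rule whose CIDR is 0.0.0.0/0 or ::/0."""
    findings = []
    for group in describe_output.get("SecurityGroups", []):
        for rule in group.get("IpPermissions", []):
            cidrs = [r.get("CidrIp") for r in rule.get("IpRanges", [])]
            cidrs += [r.get("CidrIpv6") for r in rule.get("Ipv6Ranges", [])]
            for cidr in cidrs:
                if cidr not in WORLD:
                    continue
                covers_db = (
                    rule.get("IpProtocol") == "-1"
                    or rule.get("FromPort", 0) <= POSTGRES_PORT <= rule.get("ToPort", 0)
                )
                findings.append({
                    "group": group["GroupId"],
                    "cidr": cidr,
                    "ports": rule_ports(rule),
                    "exposes_postgres": covers_db,
                })
    return findings


# Constructed sample: one correct rule scoped to a QA subnet, plus two rules
# that violate "must not allow 0.0.0.0/0" and should be removed before deploying.
SAMPLE = json.loads("""
{"SecurityGroups": [{
  "GroupId": "sg-0a1b2c3d",
  "GroupName": "qa-rds",
  "IpPermissions": [
    {"IpProtocol": "tcp", "FromPort": 5432, "ToPort": 5432,
     "IpRanges": [{"CidrIp": "10.20.0.0/16", "Description": "QA app subnet"}],
     "Ipv6Ranges": []},
    {"IpProtocol": "tcp", "FromPort": 5432, "ToPort": 5432,
     "IpRanges": [{"CidrIp": "0.0.0.0/0", "Description": "left over from debugging"}],
     "Ipv6Ranges": []},
    {"IpProtocol": "-1",
     "IpRanges": [], "Ipv6Ranges": [{"CidrIpv6": "::/0"}]}
  ]
}]}
""")

if __name__ == "__main__":
    for finding in world_open_ingress(SAMPLE):
        print(finding)
```

To run it against the real group, replace SAMPLE with `json.load(sys.stdin)` and pipe the AWS CLI output into the script; a non-empty result is a reason to stop before step 4 and hand the group back to whoever manages it.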


Known Dependencies

  • QA-level programmatic AWS access

  • Existing VPC and security group (managed externally)

  • Pulumi CLI and AWS CLI installed

  • IAM permissions provided by DevSecOps


Cleanup & Teardown


To safely remove all resources:

pulumi destroy

This ensures:

  • No orphaned RDS instances

  • No residual cloud resources

  • Cost-safe QA testing

