From 1b8648eaa822c5a17cc717a5334dcf56781db8d6 Mon Sep 17 00:00:00 2001
From: Ryan Jung
Date: Tue, 17 Feb 2026 08:10:58 -0700
Subject: [PATCH] Add dev environment
---
 pulumi/Pulumi.dev.yaml | 3 +
 pulumi/config.dev.yaml | 167 +++++++++++++++++++++++++++++++++++++++++
 2 files changed, 170 insertions(+)
 create mode 100644 pulumi/Pulumi.dev.yaml
 create mode 100644 pulumi/config.dev.yaml
diff --git a/pulumi/Pulumi.dev.yaml b/pulumi/Pulumi.dev.yaml
new file mode 100644
index 0000000..6a30ae2
--- /dev/null
+++ b/pulumi/Pulumi.dev.yaml
@@ -0,0 +1,3 @@
+config:
+ observability:posthog_api_key:
+ secure: AAABAACLeD5lasJAmY66NyJXtacSmTSMj/PiXtmBNIHeBfLx2HA3mhTzyWkPZnD9j8MCYPbtnjJiWeZBzOROWVKEcKpuysV/FV5CDoHCJg==
diff --git a/pulumi/config.dev.yaml b/pulumi/config.dev.yaml
new file mode 100644
index 0000000..3a5d617
--- /dev/null
+++ b/pulumi/config.dev.yaml
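Review bot: The `secure:` ciphertext for `observability:posthog_api_key` is only as protected as this stack's secrets provider, and the new Pulumi.dev.yaml carries neither a `secretsprovider:` nor an `encryptionsalt:` key, so decryption presumably falls back to the default Pulumi Cloud-managed key; if the other stacks in this repo pin a KMS provider (`secretsprovider: awskms://…`), this stack should match, and if the default is intended that choice should be recorded somewhere reviewers will see it. Because `pulumi config set` tends to rewrite this file and drop comments, put that note (and which kind of PostHog key this is, project key versus personal API key, which differ a lot in sensitivity) next to `secret_names: - posthog_api_key` in config.dev.yaml rather than here. Treat the committed ciphertext as permanent: if provider access is ever compromised, the upstream PostHog key must be rotated, not just re-encrypted.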
@@ -0,0 +1,167 @@ +--- + +config: + build_site24x7: False + build_tbpulumi: True + +resources: + tb:secrets:PulumiSecretsManager: + secrets: + secret_names: + - posthog_api_key + + tb:network:MultiCidrVpc: + fluentbit: + # The observability project has all of 10.202.0.0/16 assigned to it, but let's not soak all + # those up just serving fluent-bit. This CIDR gets us 10.202.0.0 -> 10.202.3.255. + cidr_block: 10.202.0.0/22 + subnets: + eu-central-1a: + - 10.202.0.0/23 # 10.202.0.0 - 10.202.1.255 + eu-central-1b: + - 10.202.2.0/23 # 10.202.2.0 - 10.202.3.255 + # Allow traffic out via an IGW so we can talk to Posthog and other services + enable_internet_gateway: True + egress_via_internet_gateway: True + # Required for load balancing Fargate containers + enable_dns_hostnames: True + endpoint_interfaces: + - logs + - secretsmanager + additional_routes: + - destination_cidr_block: 10.2.0.0/16 # mailstrom-dev + vpc_peering_connection_id: pcx-018f09af30c2dce6c + + tb:fargate:AutoscalingFargateCluster: + fluentbit: + cluster: {} + + container_security_groups: + fluentbit: + fluentbit-http: + rules: + ingress: + - description: Allow traffic from the load balancer to the container + # Sources are set in code + protocol: tcp + from_port: 1337 + to_port: 1337 + egress: + - description: Allow traffic from the container out to the Internet + protocol: tcp + from_port: 0 + to_port: 65535 + cidr_blocks: + - 0.0.0.0/0 + + secrets: + fluentbit: + - arn:aws:secretsmanager:eu-central-1:768512802988:secret:observability/dev/posthog_api_key* + + ssm_params: {} + + task_definitions: + fluentbit: + container_definitions: + - name: fluentbit + environment: + - name: ENV + value: dev + - name: FLUENTBIT_LOG_LEVEL + value: info + - name: FLUENTBIT_VERSION + value: 4.2.2 + - name: FLUENTBIT_STALWART_DELETE_KEYS + value: contents + - name: FLUENTBIT_STALWART_HASH_KEYS + value: from,to + secrets: + - name: POSTHOG_API_KEY + valueFrom: 
arn:aws:secretsmanager:eu-central-1:768512802988:secret:observability/dev/posthog_api_key-e3UEK4 + image: 768512802988.dkr.ecr.eu-central-1.amazonaws.com/thunderbird/fluent-bit:7b9c3eed77ed + logConfiguration: + logDriver: awslogs + options: + awslogs-group: observability-dev-fargate-fluentbit-loggroup-fluentbit + awslogs-region: eu-central-1 + awslogs-stream-prefix: observability/dev/fluentbit/ + portMappings: + - containerPort: 1337 + protocol: tcp + restartPolicy: + enabled: yes + restartAttemptPeriod: 300 + cpu: 512 + family: fluentbit + memory: 1024 + network_mode: awsvpc + requires_compatibilities: + - FARGATE + + load_balancer_security_groups: + fluentbit-http: + description: Governs access to the fluent-bit-http load balancer in dev + rules: + ingress: + - from_port: 443 + to_port: 443 + protocol: tcp + cidr_blocks: + - 10.2.0.0/16 # stalwart-dev + description: Allow access from stalwart-dev + egress: + - from_port: 0 + to_port: 65535 + protocol: all + cidr_blocks: + - 0.0.0.0/0 + + load_balancers: + fluentbit-http: + enable_cross_zone_load_balancing: yes + internal: yes + ip_address_type: ipv4 + load_balancer_type: application + name: fluentbit-http-dev + preserve_host_header: yes + + targets: + stalwart-metrics: + name: dev-telemetry-http + health_check: + protocol: HTTP + # fluentbit is set up to throw away records submitted to this endpoint + path: /health/check + port: 1337 + # I wish it wasn't like this. fluentbit will not accept non-POST methods, but these health checks cannot be + # made with custom methods. Therefore, we expect a 400 Bad Request as a sign of health. 
*shrug* + matcher: "400" + port: 1337 + protocol: HTTP + # Next two options are required for ECS services; ref: + # https://docs.aws.amazon.com/AmazonECS/latest/developerguide/alb.html + target_type: ip + ip_address_type: ipv4 + + listeners: + fluentbit-http: + stalwart-metrics: + # This cert is for fluentbit-dev.tb.pro + certificate_arn: arn:aws:acm:eu-central-1:768512802988:certificate/04dd0573-a3cc-4c19-b483-a868876c63b0 + port: 443 + protocol: HTTPS + + services: + fluentbit: + assign_public_ip: yes + container_name: fluentbit + container_port: 1337 + load_balancer: fluentbit-http + service: + desired_count: 2 + target: stalwart-metrics + + autoscalers: + fluentbit: + min_capacity: 2 + max_capacity: 4 \ No newline at end of file
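Review bot: `assign_public_ip: yes` under `services.fluentbit`, combined with `egress_via_internet_gateway: True` on the VPC and a container egress rule of `tcp` `0`–`65535` to `0.0.0.0/0`, gives every task a public address in IGW-routed subnets, so the only thing between the Internet and port 1337 is the fluent-bit security group's ingress rule whose sources are "set in code"; that no-NAT pattern is a legitimate cost choice, but it deserves a comment on `assign_public_ip` so nobody later widens that ingress rule without realising the tasks are directly routable. Narrowing the container egress to `from_port: 443` / `to_port: 443` would still reach PostHog, ECR and the `logs`/`secretsmanager` interface endpoints while limiting what a compromised container can talk to; if fluent-bit needs anything non-443, document it on the rule. The peering route comment labels 10.2.0.0/16 as `mailstrom-dev` while the load-balancer ingress rule calls the same CIDR `stalwart-dev`, so one of the two names is wrong. I would also pin the task image by digest (`image: 768512802988.dkr.ecr.eu-central-1.amazonaws.com/thunderbird/fluent-bit@sha256:…`) instead of the mutable `7b9c3eed77ed` tag so the task definition is reproducible, and use `true`/`false` consistently instead of mixing `True` and `yes`, which only agree under YAML 1.1 loaders.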