feat: refine firewall rules and improve AMI resolution

- Renamed and split firewall rules by VPC - Refactored resolve_ami() to reduce duplication and improve extensibility
2025-04-04 21:35:06 +08:00 · 2025-04-04 21:35:06 +08:00 · a06d872a75
commit a06d872a75
parent 4e6c370d34
3 changed files with 54 additions and 36 deletions
--- a/config/sit/firewall.yaml
+++ b/config/sit/firewall.yaml
@ -1,14 +1,26 @@
 firewall_rules:
-  - name: allow-ssh-web
+  - name: allow-web-inbound
    enabled: true
    vpc_name: dev-vpc-1
    source_ranges: ["0.0.0.0/0"]
    egress_ranges: ["10.0.0.0/16"]
    allow:
      - protocol: tcp
-        ports: ["22", "80", "443"]
+        ports: ["80", "443"]

-  - name: allow-default-inbound
+  - name: dev-vpc-1-default-inbound
+    enabled: true
+    vpc_name: dev-vpc-1
+    description: Allow ICMP, SSH, and VXLAN from all sources
+    source_ranges: ["0.0.0.0/0"]
+    allow:
+      - protocol: icmp
+      - protocol: tcp
+        ports: ["22"]
+      - protocol: udp
+        ports: ["4789"]
+
+  - name: dev-vpc-2-default-inbound
    enabled: true
    vpc_name: dev-vpc-2
    description: Allow ICMP, SSH, and VXLAN from all sources
--- a/config/sit/instances.yaml
+++ b/config/sit/instances.yaml
@ -1,9 +1,9 @@
 instances:
  - name: master-1
-    ami: ubuntu-22.04                  # ✅ 可用 ami-xxx 或关键词（如 ubuntu-22.04）
+    ami: ubuntu-24.04                  # ✅ 可用 ami-xxx 或关键词（如 ubuntu-22.04）
    type: t3a.xlarge
    disk_size_gb: 20
-    sg_names: ["allow-ssh-web"]
+    sg_names: ["dev-vpc-1-default-inbound"]
    subnet: dev-vpc-1-public-subnet-1
    lifecycle: spot                   # 可选: ondemand（默认）或 spot
    ttl: 1h                           # 可选: 标记生命周期（不会自动销毁）
@ -12,9 +12,9 @@ instances:
    associate_public_ip: true         # ✅ 明确配置是否需要公网 IP

  - name: slave-1
-    ami: ubuntu-22.04
+    ami: ubuntu-24.04
    type: t3.nano
-    sg_names: ["allow-default-inbound"]
+    sg_names: ["dev-vpc-2-default-inbound"]
    disk_size_gb: 20
    subnet: dev-vpc-2-public-subnet-1
    lifecycle: spot
@ -24,11 +24,11 @@ instances:
    associate_public_ip: true

  - name: agent-1
-    ami: ubuntu-22.04
+    ami: ubuntu-24.04
    type: t3.nano
    disk_size_gb: 20
    subnet: dev-vpc-1-private-subnet-1
-    sg_names: ["allow-ssh-web"]
+    sg_names: ["dev-vpc-1-default-inbound"]
    lifecycle: spot
    ttl: 1h
    env: sit
@ -36,11 +36,11 @@ instances:
    associate_public_ip: true

  - name: agent-2
-    ami: ubuntu-22.04
+    ami: ubuntu-24.04
    type: t3.nano
    disk_size_gb: 20
    subnet: dev-vpc-2-private-subnet-1
-    sg_names: ["allow-default-inbound"]
+    sg_names: ["dev-vpc-2-default-inbound"]
    lifecycle: spot
    ttl: 1h
    env: sit
--- a/iac_modules/pulumi/modules/ec2/utils.py
+++ b/iac_modules/pulumi/modules/ec2/utils.py
@ -1,9 +1,28 @@
 import pulumi_aws as aws

-def resolve_ami(ami_keyword: str, region: str) -> str:
-    """
-    根据关键词解析 AMI ID。如果已是 AMI ID，则直接返回。
-    """
+AMI_MAP = {
+    "ubuntu-22.04": ("099720109477", "*ubuntu*22.04*"),
+    "ubuntu-24.04": ("099720109477", "*ubuntu*24.04*"),
+    "rocky-8.10": ("792107900819", "Rocky-8-ec2-8.10*"),
+    "amazonlinux-2": ("137112412989", "amzn2-ami-hvm-*-gp2"),
+    "amazonlinux-2023": ("137112412989", "al2023-ami-*-x86_64"),
+    "debian-12": ("136693071363", "debian-12-*"),
+    "almalinux-9": ("151447241410", "AlmaLinux-9-*"),
+}
+
+def query_latest_ami(owner: str, name_filter: str, architecture: str = "x86_64") -> str:
+    result = aws.ec2.get_ami(
+        most_recent=True,
+        owners=[owner],
+        filters=[
+            {"name": "name", "values": [name_filter]},
+            {"name": "architecture", "values": [architecture]},
+            {"name": "virtualization-type", "values": ["hvm"]},
+        ],
+    )
+    return result.id
+
+def resolve_ami(ami_keyword: str, region: str, architecture: str = "x86_64") -> str:
    if not aws.config.region:
        raise ValueError("❌ AWS region is not set. Please set aws.config.region before calling resolve_ami")

@ -11,27 +30,14 @@ def resolve_ami(ami_keyword: str, region: str) -> str:
        return ami_keyword

    keyword = ami_keyword.lower()
+    print(f"🔍 Resolving AMI for keyword='{keyword}' in region='{region}' with arch='{architecture}'")

-    if keyword in ["ubuntu-22.04", "ubuntu22.04"]:
-        result = aws.ec2.get_ami(
-            most_recent=True,
-            owners=["099720109477"],  # Canonical
-            filters=[
-                {"name": "name", "values": ["ubuntu/images/hvm-ssd/ubuntu-jammy-22.04-amd64-server-*"]},
-                {"name": "virtualization-type", "values": ["hvm"]},
-            ],
-        )
-        return result.id
+    if keyword in AMI_MAP:
+        owner, name_filter = AMI_MAP[keyword]
+        try:
+            return query_latest_ami(owner, name_filter, architecture)
+        except Exception as e:
+            raise ValueError(f"❌ Failed to find AMI for '{keyword}' in region '{region}': {e}")

-    if keyword in ["rocky-8.10", "rockylinux-8.10", "rocky8.10"]:
-        result = aws.ec2.get_ami(
-            most_recent=True,
-            owners=["792107900819"],  # Rocky Linux
-            filters=[
-                {"name": "name", "values": ["Rocky-8-ec2-8.10*x86_64"]},
-                {"name": "architecture", "values": ["x86_64"]},
-            ],
-        )
-        return result.id
+    raise ValueError(f"❌ Unsupported AMI keyword: {ami_keyword}. Supported keywords: {list(AMI_MAP.keys())}")

-    raise ValueError(f"❌ Unsupported AMI keyword: {ami_keyword}")