From a06d872a75f1b729c5bdd590961107b0631e28c3 Mon Sep 17 00:00:00 2001
From: Haitao Pan
Date: Fri, 4 Apr 2025 21:35:06 +0800
Subject: [PATCH] feat: refine firewall rules and improve AMI resolution

- Renamed and split firewall rules by VPC
- Refactored resolve_ami() to reduce duplication and improve extensibility
---
 config/sit/firewall.yaml | 18 ++++++--
 config/sit/instances.yaml | 16 +++---
 iac_modules/pulumi/modules/ec2/utils.py | 56 ++++++++++++++-----------
 3 files changed, 54 insertions(+), 36 deletions(-)

diff --git a/config/sit/firewall.yaml b/config/sit/firewall.yaml
index eaea7a6d..0d7c58b7 100644
--- a/config/sit/firewall.yaml
+++ b/config/sit/firewall.yaml
@@ -1,14 +1,26 @@
 firewall_rules:
-  - name: allow-ssh-web
+  - name: allow-web-inbound
     enabled: true
     vpc_name: dev-vpc-1
     source_ranges: ["0.0.0.0/0"]
     egress_ranges: ["10.0.0.0/16"]
     allow:
       - protocol: tcp
-        ports: ["22", "80", "443"]
+        ports: ["80", "443"]
 
-  - name: allow-default-inbound
+  - name: dev-vpc-1-default-inbound
+    enabled: true
+    vpc_name: dev-vpc-1
+    description: Allow ICMP, SSH, and VXLAN from all sources
+    source_ranges: ["0.0.0.0/0"]
+    allow:
+      - protocol: icmp
+      - protocol: tcp
+        ports: ["22"]
+      - protocol: udp
+        ports: ["4789"]
+
+  - name: dev-vpc-2-default-inbound
     enabled: true
     vpc_name: dev-vpc-2
     description: Allow ICMP, SSH, and VXLAN from all sources
diff --git a/config/sit/instances.yaml b/config/sit/instances.yaml
index 5a43a29e..fa3af917 100644
--- a/config/sit/instances.yaml
+++ b/config/sit/instances.yaml
@@ -1,9 +1,9 @@
 instances:
   - name: master-1
-    ami: ubuntu-22.04 # ✅ 可用 ami-xxx 或关键词(如 ubuntu-22.04)
+    ami: ubuntu-24.04 # ✅ 可用 ami-xxx 或关键词(如 ubuntu-22.04)
     type: t3a.xlarge
     disk_size_gb: 20
-    sg_names: ["allow-ssh-web"]
+    sg_names: ["dev-vpc-1-default-inbound"]
     subnet: dev-vpc-1-public-subnet-1
     lifecycle: spot # 可选: ondemand(默认)或 spot
     ttl: 1h # 可选: 标记生命周期(不会自动销毁)
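Review bot: The new `dev-vpc-1-default-inbound` rule admits SSH (tcp/22) and VXLAN (udp/4789) from `0.0.0.0/0`, and the `dev-vpc-2-default-inbound` rule that follows carries the same "from all sources" description, so splitting the rules per VPC did not narrow who can reach those ports. VXLAN is an unauthenticated overlay protocol that is normally only exchanged between cluster nodes, so its entry belongs in a separate rule whose `source_ranges` is limited to the node/VPC range (the rule above already uses `10.0.0.0/16` for `egress_ranges`), and tcp/22 should be restricted to an admin CIDR or replaced by bastion/SSM access. The new rule also omits the `egress_ranges` key that `allow-web-inbound` sets; whatever the module's default is, stating it in `description` would make the intent reviewable. In the instances.yaml hunks master-1 and agent-1 now reference only this rule, so 80/443 on master-1 are no longer covered unless another rule attaches — confirm that is intended.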
@@ -12,9 +12,9 @@ instances:
     associate_public_ip: true # ✅ 明确配置是否需要公网 IP
 
   - name: slave-1
-    ami: ubuntu-22.04
+    ami: ubuntu-24.04
     type: t3.nano
-    sg_names: ["allow-default-inbound"]
+    sg_names: ["dev-vpc-2-default-inbound"]
     disk_size_gb: 20
     subnet: dev-vpc-2-public-subnet-1
     lifecycle: spot
@@ -24,11 +24,11 @@ instances:
     associate_public_ip: true
 
   - name: agent-1
-    ami: ubuntu-22.04
+    ami: ubuntu-24.04
     type: t3.nano
     disk_size_gb: 20
     subnet: dev-vpc-1-private-subnet-1
-    sg_names: ["allow-ssh-web"]
+    sg_names: ["dev-vpc-1-default-inbound"]
     lifecycle: spot
     ttl: 1h
     env: sit
@@ -36,11 +36,11 @@ instances:
     associate_public_ip: true
 
   - name: agent-2
-    ami: ubuntu-22.04
+    ami: ubuntu-24.04
     type: t3.nano
     disk_size_gb: 20
     subnet: dev-vpc-2-private-subnet-1
-    sg_names: ["allow-default-inbound"]
+    sg_names: ["dev-vpc-2-default-inbound"]
     lifecycle: spot
     ttl: 1h
     env: sit
diff --git a/iac_modules/pulumi/modules/ec2/utils.py b/iac_modules/pulumi/modules/ec2/utils.py
index 4ae0d2ed..cfbbd266 100644
--- a/iac_modules/pulumi/modules/ec2/utils.py
+++ b/iac_modules/pulumi/modules/ec2/utils.py
@@ -1,9 +1,28 @@
 import pulumi_aws as aws
 
-def resolve_ami(ami_keyword: str, region: str) -> str:
-    """
-    根据关键词解析 AMI ID。如果已是 AMI ID,则直接返回。
-    """
+AMI_MAP = {
+    "ubuntu-22.04": ("099720109477", "*ubuntu*22.04*"),
+    "ubuntu-24.04": ("099720109477", "*ubuntu*24.04*"),
+    "rocky-8.10": ("792107900819", "Rocky-8-ec2-8.10*"),
+    "amazonlinux-2": ("137112412989", "amzn2-ami-hvm-*-gp2"),
+    "amazonlinux-2023": ("137112412989", "al2023-ami-*-x86_64"),
+    "debian-12": ("136693071363", "debian-12-*"),
+    "almalinux-9": ("151447241410", "AlmaLinux-9-*"),
+}
+
+def query_latest_ami(owner: str, name_filter: str, architecture: str = "x86_64") -> str:
+    result = aws.ec2.get_ami(
+        most_recent=True,
+        owners=[owner],
+        filters=[
+            {"name": "name", "values": [name_filter]},
+            {"name": "architecture", "values": [architecture]},
+            {"name": "virtualization-type", "values": ["hvm"]},
+        ],
+    )
+    return result.id
+
+def resolve_ami(ami_keyword: str, region: str, architecture: str = "x86_64") -> str:
 
     if not aws.config.region:
         raise ValueError("❌ AWS region is not set. Please set aws.config.region before calling resolve_ami")
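Review bot: `query_latest_ami` and `AMI_MAP` are undocumented, and the Ubuntu name filters `*ubuntu*22.04*` / `*ubuntu*24.04*` are far broader than the `ubuntu/images/hvm-ssd/ubuntu-jammy-22.04-amd64-server-*` pattern they replace; combined with `most_recent=True`, the lookup returns whatever image Canonical published last whose name contains that substring (which may be a Pro, minimal or other variant), so the resolved AMI can change between runs for reasons unrelated to a 22.04/24.04 server update. Keeping the specific server-image prefix in the map entry would restore the determinism the old branch had. The `owners=[owner]` pin is the part of this lookup that stops a lookalike name in another account from being selected and deserves a comment, e.g. `# owners pins the publisher account; the name glob alone must never decide the image`. I would give `AMI_MAP` a comment such as `# keyword -> (AWS account ID of the image publisher, AMI name glob); add entries here to support new keywords` and `query_latest_ami` a docstring stating that it returns the ID of the newest HVM AMI owned by `owner` matching `name_filter` for `architecture`, propagating any error from `aws.ec2.get_ami` when nothing matches. `resolve_ami`'s body continues in the next hunk.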
@@ -11,27 +30,14 @@ def resolve_ami(ami_keyword: str, region: str) -> str:
         return ami_keyword
 
     keyword = ami_keyword.lower()
+    print(f"🔍 Resolving AMI for keyword='{keyword}' in region='{region}' with arch='{architecture}'")
 
-    if keyword in ["ubuntu-22.04", "ubuntu22.04"]:
-        result = aws.ec2.get_ami(
-            most_recent=True,
-            owners=["099720109477"], # Canonical
-            filters=[
-                {"name": "name", "values": ["ubuntu/images/hvm-ssd/ubuntu-jammy-22.04-amd64-server-*"]},
-                {"name": "virtualization-type", "values": ["hvm"]},
-            ],
-        )
-        return result.id
+    if keyword in AMI_MAP:
+        owner, name_filter = AMI_MAP[keyword]
+        try:
+            return query_latest_ami(owner, name_filter, architecture)
+        except Exception as e:
+            raise ValueError(f"❌ Failed to find AMI for '{keyword}' in region '{region}': {e}")
 
-    if keyword in ["rocky-8.10", "rockylinux-8.10", "rocky8.10"]:
-        result = aws.ec2.get_ami(
-            most_recent=True,
-            owners=["792107900819"], # Rocky Linux
-            filters=[
-                {"name": "name", "values": ["Rocky-8-ec2-8.10*x86_64"]},
-                {"name": "architecture", "values": ["x86_64"]},
-            ],
-        )
-        return result.id
+    raise ValueError(f"❌ Unsupported AMI keyword: {ami_keyword}. Supported keywords: {list(AMI_MAP.keys())}")
 
-    raise ValueError(f"❌ Unsupported AMI keyword: {ami_keyword}")
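Review bot: The rewrite drops the alternate spellings the removed branches accepted — `ubuntu22.04`, `rockylinux-8.10` and `rocky8.10` — so any config still using one of them now fails with `Unsupported AMI keyword`, which the commit message ("reduce duplication and improve extensibility") does not mention. Either add those keys to `AMI_MAP` pointing at the same tuple, or normalize them before the lookup, e.g. `keyword = _AMI_ALIASES.get(keyword, keyword)` with a small alias dict kept next to `AMI_MAP`. In the `except` block, re-raise with the cause attached, `raise ValueError(f"❌ Failed to find AMI for '{keyword}' in region '{region}': {e}") from e`, so the provider's original error and traceback are not lost. The `print` of the resolution message would conventionally go through `pulumi.log.info` in a Pulumi program so it appears in the engine's output, if that module is imported here. The function header and the condition guarding the `return ami_keyword` context line lie outside the hunk.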