Continuous Delivery of AI Applications with Repository Deploy Keys

Question

Pulumi · Accepted Answer

Continuous Delivery (CD) is an essential aspect of modern software development practices, especially for AI applications that may require frequent updates and iterations. CD helps in automating the release process, ensuring that new features, bug fixes, or models are quickly and reliably deployed to production.

In the context of using Pulumi to manage infrastructure for Continuous Delivery of AI applications, we will focus on setting up repository deploy keys. Deploy keys are SSH keys that are stored on your repository hosting service and grant access to a single repository. They are an important security feature for Continuous Delivery pipelines because they allow your automated systems to authenticate with your source code repository to pull code or trigger other repository-related actions.

Here's how you could set up a repository deploy key for a GitHub repository using Pulumi and Python. Note that setting up a deploy key involves sensitive information such as the SSH key itself, so be sure to handle this securely.

### Preliminaries:
Before running the Pulumi program, you should have a pre-generated SSH public key that you wish to use as a deploy key for your GitHub repository. Ensure the private key is securely stored and accessible to your CI/CD system for cloning your repository.

### Pulumi Program Explanation:
1. **Importing necessary Pulumi libraries**: We will import the Pulumi GitHub library that contains the classes and functions needed to interact with GitHub resources.

2. **Creating a GitHub Repository Deploy Key**: We'll use the `pulumi_github.RepositoryDeployKey` resource which represents a deploy key for a GitHub repository. We need to provide it with the repository name, the public part of your SSH key, and other optional parameters like `read_only` to define whether the key can be used to push to the repository as well.

3. **Exporting Outputs**: We'll export the deploy key ID and key title to easily reference them later if needed.

Let's see how this looks in a Pulumi program written in Python:

```python
import pulumi
import pulumi_github as github

# Replace these variables with the appropriate values for your GitHub repository and deploy key
repo_name = "my-ai-application-repo"
deploy_key_title = "my-deploy-key-title"
public_key = "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQC3...."  # This is where you put your SSH deploy key

# Create a new deploy key resource for your repository
repo_deploy_key = github.RepositoryDeployKey("ai-app-deploy-key",
    # The repository to which the deploy key is added
    repository=repo_name,
    # The title of the deploy key
    title=deploy_key_title,
    # The actual public SSH key as a string
    key=public_key,
    # Configure the deploy key to be read-only if required (cannot push)
    read_only=True,
    # More options can be provided if necessary (e.g., write access)
)

# Export the deploy key ID so it can be easily referenced
pulumi.export("deploy_key_id", repo_deploy_key.id)
# Optionally, export the deploy key title as well
pulumi.export("deploy_key_title", repo_deploy_key.title)
```

In this program:

- We declare variables for our repo name, deploy key title, and the SSH public key we previously generated.
- We create a `RepositoryDeployKey` resource with the repo name and key.
- We set the `read_only` parameter to `True` so that the deploy key will only be used for read operations (useful for cloning the repository in a CD pipeline). If you want the key to have push access (which is typically not recommended for a CD pipeline), you would set this to `False`.
- We use `pulumi.export` to output the deploy key ID and title, which can be used for further automation or reference.

By applying this program using Pulumi, you integrate your GitHub repository with a deploy key. This key can be used in your CD pipeline to securely clone your AI application repository and then proceed with building, testing, and deploying your AI application.

Remember that managing SSH keys and deployment access involves handling sensitive information. Always make sure that only the correct CI/CD pipeline or deployment automation system has access to the private key associated with the deploy key. Keep your secrets safe, use secret management tools for handling private keys, and follow best practices for security in your CD pipeline.