
CDK Day 2023 - Configure cross-account deployment using CDK

hassaku63
September 29, 2023


Transcript

  1. Configure cross-account deployment using CDK
    Takuya Hashimoto / @hassaku_63
    CDK Day 2023
    29th September 2023

  2. Speaker
    Takuya Hashimoto (Serverworks Co., Ltd.)
    Developer, IT system admin
    X (Twitter): @hassaku_63
    GitHub: hassaku63
    SpeakerDeck: hassaku63
    Serverworks is:
    System Integrator & AWS Premier Tier Service Partner (since 2014)
    1st Japanese company to acquire the MSP Competency in the AWS Partner Network (APN)

  3. Contents
    1. Overview of the “CDK Security and Safety Dev Guide”
    2. What the “cdk bootstrap” command actually does
    3. Configure cross-account deployment for a CDK project
    This is my first time outputting in English.
    I'm looking forward to discussing with all of you today, but I apologize if my English is hard to understand.

  4. Goal
    The architecture we are assuming for this session
    (Diagram: Actor (pipeline account) → Target account(s); “Trigger on push” → “cdk deploy”)

  5. Overview of the “CDK Security and Safety Dev Guide”

  6. (QUESTION)
    What should a CDK beginner learn after going through the tutorial?

  7. Fundamental documents about CDK
    1. CDK Concepts
    https://docs.aws.amazon.com/cdk/v2/guide/core_concepts.html
    2. Security And Safety Dev Guide
    https://github.com/aws/aws-cdk/wiki/Security-And-Safety-Dev-Guide

  8. CDK deployments and IAM permission
    (Dev Guide section “#Controlling the permissions used by CDK deployments”)
    [1] CliCredentialsStackSynthesizer
    Simple deployment pattern
    Does not use AssumeRole for deployment
    [2] DefaultStackSynthesizer
    CDK’s default approach
    Fewer permissions are required for the principal who initiates the CDK deployment action than with [1]

  9. Permissions and Roles in DefaultStackSynthesizer

  10. Permissions and Roles in DefaultStackSynthesizer
    The principal who starts the CDK deployment action
    (it invokes the cfn ExecuteChangeSet or Deploy API internally)

  11. Permissions and Roles in DefaultStackSynthesizer
    IAM Roles and Permissions actually used during CDK deployment

  12. Permissions and Roles in DefaultStackSynthesizer
    “Assets” publishing (container images)
    “Assets” publishing (static files such as Lambda function packages)

  13. Permissions and Roles in DefaultStackSynthesizer
    Executes cfn deployment

  14. Permissions and Roles in DefaultStackSynthesizer
    Executes cfn deployment
    IAM Role for invoking the cfn deploy API
    IAM Role used when constructing resources

  15. Permissions and Roles in DefaultStackSynthesizer
    AssumeRole permission is required for the principal
    (nothing else is needed)

  16. Permissions and Roles in DefaultStackSynthesizer
    (Diagram: Account for starting deployment action → Deployment target account(s))
    (1) CDK’s default approach makes it easier to migrate to a cross-account architecture because deployments are based on AssumeRole & PassRole
    (2) These resources (in the orange box) are constructed by “cdk bootstrap”
    (3) Need to configure the IAM Roles to “trust” the principals in another account if configuring cross-account deployment (by executing the “cdk bootstrap” command)

  17. What the “cdk bootstrap” command actually does

  18. CDK bootstrap
    (Revision) Deploy a cfn stack which is called the “bootstrap stack”
    CDK Developer Guide - Concepts; Bootstrapping
    https://docs.aws.amazon.com/cdk/v2/guide/bootstrapping.html

  19. CDK bootstrap
    $ cdk bootstrap --show-template > bootstrap-template.yml
    Defined resources are (only covering those relevant to my talk theme):
    1. S3 Bucket for storing file assets
    2. ECR Repository for uploading container assets
    3. IAM Role for uploading file assets
    4. IAM Role for pushing container assets
    5. IAM Role for looking up resources
    (Callout on the IAM Role resources defined in the bootstrap template: allow AssumeRole to an AWS Account principal if “TrustedAccounts” is given)

  20. Configure cross-account deployment for CDK project

  21. Configuration for cross-account deployment
    Overview
    hassaku63/cdk-cross-account-deployment-example
    (Diagram: Pipeline account → Target account(s))
    1. bootstrap on Pipeline account
    2. bootstrap on Target account (trust “pipeline account” principal)
    3. Deploy pipeline stack
    4. Deploy to target (by git push)

  22. Configuration for cross-account deployment
    Overview
    hassaku63/cdk-cross-account-deployment-example
    (Diagram: Pipeline account → Target account(s))
    1. bootstrap on Pipeline account
    2. bootstrap on Target account (trust “pipeline account” principal)
    3. Deploy pipeline stack
    4. Deploy to target (by git push)

  23. Configuration for cross-account deployment
    Bootstrap on target account with the “trust” option
    Execute on all target accounts:
    $ npx cdk bootstrap \
        --trust "" \
        --cloudformation-execution-policies \
        'arn:aws:iam::aws:policy/AdministratorAccess'
    (Diagram: Pipeline account → Target account(s))
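
What the target-account bootstrap on this slide produces, as an added example (not code from the talk or from hassaku63/cdk-cross-account-deployment-example): the resource names of the bootstrap stack listed on slide 19, the trust policy that `--trust <pipeline account id>` (blank on the slide) puts on the roles the actor assumes, and an audit helper that lists which accounts a role's trust policy actually admits. It assumes the default bootstrap qualifier `hnb659fds` and the role names of the AWS-provided bootstrap template; all account ids are constructed.

```typescript
// Added example (not code from the talk or from hassaku63/cdk-cross-account-deployment-example).
// Target-account side of the setup: the resource names a bootstrap stack creates and the trust
// policy that `cdk bootstrap --trust <pipeline account>` puts on the roles the actor assumes.
// Assumptions: the default bootstrap qualifier "hnb659fds" and the role names of the
// AWS-provided bootstrap template; every account id below is constructed.

interface TrustStatement {
  Effect: "Allow" | "Deny";
  Action: "sts:AssumeRole";
  // IAM returns a string for a single principal and an array for several.
  Principal: { AWS: string | string[] };
}

interface TrustPolicy {
  Version: "2012-10-17";
  Statement: TrustStatement[];
}

interface BootstrapResources {
  assetsBucket: string;
  containerRepository: string;
  filePublishingRole: string;
  imagePublishingRole: string;
  lookupRole: string;
  deployRole: string;
  cfnExecRole: string;
}

/** Names (default naming scheme) of the bootstrap resources listed on slide 19. */
function bootstrapResources(account: string, region: string, qualifier = "hnb659fds"): BootstrapResources {
  const suffix = `${account}-${region}`;
  const roleArn = (name: string) => `arn:aws:iam::${account}:role/cdk-${qualifier}-${name}-${suffix}`;
  return {
    assetsBucket: `cdk-${qualifier}-assets-${suffix}`,                  // 1. file assets
    containerRepository: `cdk-${qualifier}-container-assets-${suffix}`, // 2. container assets
    filePublishingRole: roleArn("file-publishing-role"),                 // 3. upload file assets
    imagePublishingRole: roleArn("image-publishing-role"),               // 4. push container assets
    lookupRole: roleArn("lookup-role"),                                  // 5. look up resources
    deployRole: roleArn("deploy-role"),                                  // invokes the cfn deploy API
    cfnExecRole: roleArn("cfn-exec-role"),                               // assumed by CloudFormation, not by the actor
  };
}

/**
 * Trust policy of the deploy, file-publishing, image-publishing and lookup roles.
 * The bootstrapped account is always a principal; each account given with --trust is
 * added as well. The template passes bare account ids, which IAM stores as
 * arn:aws:iam::<id>:root, so that normalized form is produced here.
 */
function bootstrapTrustPolicy(targetAccount: string, trustedAccounts: string[]): TrustPolicy {
  const principals: string[] = [];
  for (const id of [targetAccount].concat(trustedAccounts)) {
    const arn = `arn:aws:iam::${id}:root`;
    if (principals.indexOf(arn) === -1) principals.push(arn); // de-duplicate repeated --trust values
  }
  return {
    Version: "2012-10-17",
    Statement: [{ Effect: "Allow", Action: "sts:AssumeRole", Principal: { AWS: principals } }],
  };
}

/** Audit: account ids that may assume a role under this trust policy (bare ids or :root ARNs). */
function trustedAccountIds(policy: TrustPolicy): string[] {
  const ids: string[] = [];
  for (const s of policy.Statement) {
    if (s.Effect !== "Allow") continue;
    const principals = typeof s.Principal.AWS === "string" ? [s.Principal.AWS] : s.Principal.AWS;
    for (const p of principals) {
      const m = /^(?:arn:aws:iam::)?(\d{12})(?::root)?$/.exec(p);
      if (m && ids.indexOf(m[1]) === -1) ids.push(m[1]);
    }
  }
  return ids;
}

/** Accounts the policy trusts that are not on the allow-list, e.g. a stale --trust value. */
function unexpectedTrustedAccounts(policy: TrustPolicy, allowed: string[]): string[] {
  return trustedAccountIds(policy).filter((id) => allowed.indexOf(id) === -1);
}

// Stand-alone run: target 222222222222 bootstrapped with --trust 111111111111 (constructed ids).
const targetResources = bootstrapResources("222222222222", "ap-northeast-1");
const targetTrust = bootstrapTrustPolicy("222222222222", ["111111111111"]);
console.log(targetResources.deployRole);
console.log(JSON.stringify(targetTrust, null, 2));
console.log("unexpected trusted accounts:", unexpectedTrustedAccounts(targetTrust, ["222222222222", "111111111111"]));
```

The `--cloudformation-execution-policies` value on the slide is separate from this trust relationship: it is the managed policy attached to the cfn-exec role, which CloudFormation (not the pipeline principal) assumes in the target account. The slide passes AdministratorAccess; one or more narrower managed policy ARNs can be passed instead, and the audit helper above is the check to run against each bootstrap role after a target account changes hands or a pipeline account is retired.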

  24. Configuration for cross-account deployment
    Configure the service role for CodeBuild
    Allow the AssumeRole action to the Roles that are constructed by bootstrap
    (Diagram: Pipeline account → Target account(s))
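
The pipeline-account side of this slide, as an added example (not code from the talk or from hassaku63/cdk-cross-account-deployment-example): the identity policy the CodeBuild service role needs so that `cdk deploy` running in the build can assume the bootstrap roles in each target account, plus a check helper. It assumes the default bootstrap qualifier `hnb659fds` and default role names; the account ids and regions are constructed.

```typescript
// Added example (not code from the talk or from hassaku63/cdk-cross-account-deployment-example).
// Pipeline-account side of the setup on this slide: the identity policy the CodeBuild service
// role needs so that `cdk deploy` running in the build can assume the bootstrap roles in each
// target account. Assumptions: the default bootstrap qualifier "hnb659fds" and default role
// names; the account ids and regions are constructed.

interface AssumeStatement {
  Sid: string;
  Effect: "Allow" | "Deny";
  Action: "sts:AssumeRole";
  Resource: string[];
}

interface AssumePolicy {
  Version: "2012-10-17";
  Statement: AssumeStatement[];
}

interface DeployTarget {
  account: string;
  regions: string[];
}

// The bootstrap roles the deploying principal assumes directly. The cfn-exec role is deliberately
// absent: CloudFormation assumes it (the deploy role passes it), so the actor needs no permission on it.
const ACTOR_ASSUMED_ROLES = ["deploy-role", "file-publishing-role", "image-publishing-role", "lookup-role"];

function bootstrapRoleArn(account: string, region: string, role: string, qualifier = "hnb659fds"): string {
  return `arn:aws:iam::${account}:role/cdk-${qualifier}-${role}-${account}-${region}`;
}

/** One statement per target account, listing exactly the roles cdk deploy will assume there. */
function codeBuildAssumeRolePolicy(targets: DeployTarget[], qualifier = "hnb659fds"): AssumePolicy {
  const statements: AssumeStatement[] = [];
  for (const t of targets) {
    const resources: string[] = [];
    for (const region of t.regions) {
      for (const role of ACTOR_ASSUMED_ROLES) {
        resources.push(bootstrapRoleArn(t.account, region, role, qualifier));
      }
    }
    statements.push({
      Sid: `AssumeCdkBootstrapRoles${t.account}`, // Sid must be alphanumeric; an account id qualifies
      Effect: "Allow",
      Action: "sts:AssumeRole",
      Resource: resources,
    });
  }
  return { Version: "2012-10-17", Statement: statements };
}

/** Check helper: is a role ARN covered by the policy? Exact-match resources only, no wildcards. */
function allowsAssumeRole(policy: AssumePolicy, roleArn: string): boolean {
  return policy.Statement.some(
    (s) => s.Effect === "Allow" && s.Action === "sts:AssumeRole" && s.Resource.indexOf(roleArn) !== -1
  );
}

// Stand-alone run with constructed ids: the pipeline account deploys into two target accounts.
const pipelinePolicy = codeBuildAssumeRolePolicy([
  { account: "222222222222", regions: ["ap-northeast-1"] },
  { account: "333333333333", regions: ["ap-northeast-1", "us-east-1"] },
]);
console.log(JSON.stringify(pipelinePolicy, null, 2));
```

This policy is only half of the cross-account link: the target accounts must also have been bootstrapped with `--trust` for the pipeline account (slide 23), otherwise the AssumeRole call is denied by the role's trust policy regardless of what the CodeBuild service role is allowed to do. Listing the four role ARNs per account, rather than a wildcard over `cdk-*`, keeps the actor unable to assume the cfn-exec role directly.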

  25. Conclusion

  26. Conclusion
    Learn about …
    1. What resources are constructed by the “cdk bootstrap” command
    2. Use the “trust” option with the bootstrap command to configure cross-account deployment
    3. Allow the actor that starts deployment (such as a CodeBuild Project) to execute the AssumeRole action to the Roles that are constructed by bootstrap

  27. Slide
    Published on https://speakerdeck.com/hassaku63