cdk deployʹ ඞཁͳݖݶͬͯͳΜͩʁ 2023/1/25 JAWS-UG CDKࢧ෦ #5

Kinyo
 
 גࣜձࣾి௨ࠃࡍ৘ใαʔϏεʢISIDʣ
 ηΩϡϦςΟΤϯδχΞʢ։ൃ΋গ͠ʣ
 
 
 
 ࠓ೔ͷ಺༰ʹ͍ͭͯϒϩά΋ॻ͖·ͨ͠👉
 ʮCDK Security And Safety Dev Guide ΛಡΜͰΈͨʯ
 
 CDK Security And Safety Dev Guide ͷ಺༰Λࢀߟʹ͍ͯ͠·͢
 https://github.com/aws/aws-cdk/wiki/Security-And-Safety-Dev-Guide
 
 CDK v2 ͷ DefaultStackSynthesizer Λ࢖͏લఏͷ࿩Ͱ͢ ࣗݾ঺հ

cdk deploy͢Δͱ͖ʹ AdministratorAccessΛ࢖͍ͬͯ·ͤΜ͔ʁ

ආ͚͍ͨ͜ͱ • CDKͰΠϯϑϥߏங͢ΔͨΊͷAWSΫϨσϯγϟϧ͕࿙Εͨͱ͖ʹɺ
 ڧ͍ݖݶ͕֎෦ʹ౉Δ͜ͱ CDK cdk deploy ։ൃऀ γεςϜ

CDK cdk deploy CloudFormation ϦιʔεσϓϩΠ Ϧιʔεૢ࡞Λ୲͏ͷ͸CloudFormation ඞཁͳݖݶ͸ʁ ڧ͍ݖݶ͕ඞཁ

ൿີ͸ cdk bootstrap ʹ͋Γ

cdk bootstrapͰ࡞੒͞ΕͨϦιʔεΛݟͯΈΑ͏ IAMϩʔϧ͕5ͭ࡞੒͞Ε͍ͯΔ ɾCloudFormationExecutionRole ɾDeploymentActionRole ɾFilePublishingRole ɾImagePublishingRole ɾLookupRole →কདྷͷcdk deployͰར༻͞ΕΔ Ξηοτ༻ͷECRϦϙδτϦ Ξηοτ༻ͷS3όέοτ

cdk deployͰى͍ͬͯ͜Δ͜ͱ CDK CloudFormation S3όέοτ ECRϦϙδτϦ LookupRole cdk deploy fromLookupͰ ϦιʔεΛࢀর͢Δ࣌ͳͲ PassRole ίϯςφΠϝʔδ ʢDockerImageAssetͳͲʣ CfnςϯϓϨʔτ΍ Lambdaؔ਺ίʔυ ࢀর ϦιʔεσϓϩΠ ࢀর File PublishingRole Image PublishingRole Deployment ActionRole CloudFormation ExecutionRole AssumeRole AssumeRole AssumeRole AssumeRole

ɾAWS؅ཧͷ ReadOnlyAccess ϙϦγʔ ɾΠϯϥΠϯͰ kms:Decrypt ͸ Deny ͞Ε͍ͯΔ ※Bootstrap v15 ࣌఺

ɾΞηοτ༻S3όέοτ΁ͷݖݶ ɾ҉߸Խ༻KMSΩʔ΁ͷݖݶ ɾΞηοτ༻ECRϦϙδτϦ΁ͷݖݶ ※Bootstrap v15 ࣌఺

ɾCloudFormationͷૢ࡞ݖݶʢStackɺChangeSetʣ ɾΫϩεΞΧ΢ϯτͰPipelineͷArtifactΛૢ࡞͢ΔݖݶʢS3ͱKMSʣ ɾΞηοτ༻S3όέοτͷಡΈऔΓݖݶ ɾParameter Store͔ΒCDK bootstrapόʔδϣϯͷಡΈऔΓݖݶ ɾɹɹɹɹɹɹɹɹɹɹɹɹɹɹ ͷiam:PassRole CloudFormationExecutionRole ※Bootstrap v15 ࣌఺ CloudFormation ExecutionRole CloudFormation PassRole

AdministratorAccess ※Bootstrap v15 ࣌఺

ͭ·Γɺcdk deployʹඞཁͳݖݶ͸ʁ ͜ΕΒ΁ͷAssumeRoleݖݶ 🙅AssumeRoleෆཁ

{ "Version": "2012-10-17", "Statement": [ { "Sid": "AssumeCDKRoles", "E ff ect": "Allow", "Action": "sts:AssumeRole", "Resource": [ "arn:aws:iam::111111111111:role/cdk-hnb659fds-deploy-role-111111111111-ap-northeast-1", "arn:aws:iam::111111111111:role/cdk-hnb659fds- fi le-publishing-role-111111111111-ap-northeast-1", "arn:aws:iam::111111111111:role/cdk-hnb659fds-image-publishing-role-111111111111-ap-northeast-1", "arn:aws:iam::111111111111:role/cdk-hnb659fds-lookup-role-111111111111-ap-northeast-1" ] } ] } cdk deploy͢ΔͨΊͷ࠷খݖݶIAMϙϦγʔ ෳ਺ϦʔδϣϯʹσϓϩΠ͢Δ৔߹ɺ ϩʔϧ͸Ϧʔδϣϯ͝ͱʹ͋Δ͜ͱʹ஫ҙ

cdk deploy͢Δݖݶ͕ ɾAdminݖݶΛ௚઀࣋ͨͳ͍ ɾAdminݖݶΛ࣋ͭϩʔϧΛAssumeͰ͖ͳ͍ ͜ͱͰϦεΫΛݮΒ͢

͞Βʹਂ۷Γ ͜ΕͰສશʁ🤔

ݫີͳ੍ݶ͸Ͱ͖͖ͯͳ͍ • ɹɹɹɹɹɹɹ͕CloudFormationελοΫΛ࡞Εͯɺ
 AdminݖݶΛ౉ͤΔͷͰɺCloudFormationܦ༝Ͱ͍Ζ͍ΖͰ͖ͯ͠·͏
 • ྫ͑͹ɾɾɾ • ಛఆͷ໊લͷڧݖݶͷRoleΛ࡞੒͠ɺAssume͢Δ
 ʢAssumeΛڐՄ͢Δϩʔϧ໊ΛϫΠϧυΧʔυͰࢦఆ͍ͯ͠Δ৔߹ʣ • ɹɹɹɹɹɹɹࣗ਎ʹڧݖݶͷϙϦγʔΛ௥Ճ͢Δ Deployment ActionRole Deployment ActionRole

ݫີͳ੍ݶΛ͍ͨ͠৔߹͸ɺ ɹɹɹɹͷݖݶΛߜΔ CloudFormation ExecutionRole

cdk bootstrapͷΦϓγϣϯͰ ɹɹɹɹɹͷݖݶΛߜΔํ๏3ͭ • --cloudformation-execution-policies … ϙϦγʔΛ্ॻ͖ • https://docs.aws.amazon.com/cdk/v2/guide/bootstrapping.html#bootstrapping-customizing • ؆୯ʹݖݶΛ੍ݶ͍ͨ͠৔߹ • --template … BootstrapςϯϓϨʔτΛϑϧΧελϚΠζ • https://docs.aws.amazon.com/cdk/v2/guide/bootstrapping.html#bootstrapping-customizing-extended • --custom-permissions-boundary … Permissions boundaryΛ௥Ճʢv2.54.0~ʣ • https://github.com/aws/aws-cdk/blob/main/packages/aws-cdk/README.md#cdk-bootstrap • IAMϦιʔεͷ࡞੒ΛڐՄͭͭ͠ݖݶঢ֨Λ๷͍͗ͨ৔߹ CloudFormation ExecutionRole

݁࿦ bootstrapͨ͠ޙ͸ cdk deploy͢ΔݖݶΛݟ௚ͦ͏