2024/12/10 ੡଄ϏδωεςΫϊϩδʔ෦ ࠤ౻ஐथ re:Invent2024ͷIaCपΓͷ Ξοϓσʔτ&ηογϣϯͷڞ༗

SNS౤ߘλά ·ͣ͸ૉৼΓʂ #regrowth Λ͚ͭͯ SNS౤ߘΛʂ

ࣗݾ঺հ !UNL !UPNPLJ • ࠤ౻ஐथ • ੡଄ϏδωεςΫϊϩδʔ෦ • ΞʔΩςΫτνʔϜ • JAWS-UG CDKࢧ෦ ӡӦ • ޷͖ͳAWSαʔϏε -BNCEB $%,

͋Ε!?IaCΞοϓσʔτ͚͋ͬͨͬʁ

re:InventظؒதIaCʹؔ͢ΔΞοϓσʔτͳ͠ʂʂ ಺༰Λೖྗ͍ͯͩ͘͠͞

pre:Inventظؒத͸͋Γʂʂ • AWS CloudFormation Hooks ͕ΧελϜ AWS Lambda ؔ਺ͷαϙʔτΛ։࢝ • AWS CloudFormation Hooks ͕ελοΫͱมߋηοτͷλʔήοτݺͼग़͠ϙΠϯτΛಋೖ • AWS CloudFormation Hooks Ͱ AWS Cloud Control API ͷϦιʔεઃఆͷධՁ͕ར༻Մೳʹ • AWS CloudFormation ͷ͝ΈശϧʔϧͷαϙʔτΛൃද • CloudFormation Guard υϝΠϯݻ༗ͷݴޠΛ࢖༻ͯ͠ AWS CloudFormation Hooks Λ࡞੒ • Amazon Q Developer ͷࢧԉػೳΛ࢖ͬͯ AWS CloudFormation ͷτϥϒϧγϡʔςΟϯά Λਝ଎Խ • ʁʁʁ

2024/12/10 ੡଄ϏδωεςΫϊϩδʔ෦ ࠤ౻ஐथ re:Invent2024पΓͷIaCͷ Ξοϓσʔτ&ηογϣϯͷڞ༗

8 ● ैདྷ͸ΞΧ΢ϯτ಺ͷCloudFormation(Cfn) ͷ࡞੒/ߋ৽/࡟আૢ࡞ʹରͯ͠ɺΞΫγϣϯ ΍ϦιʔεݕࠪΛ௥ՃͰ͖ͨHooks ● ैདྷΧελϜHookΛ࢖͏৔߹ɺCfnͱͯ͠ HookΛ࡞੒͠ɺCloudFormation Registryʹ ొ࿥͢Δඞཁ͕͋ͬͨ ● ࠓճͷΞοϓσʔτͰLambdaΛ௚઀Hook ͱͯ͠ར༻͢Δ͜ͱ͕ՄೳʹͳΓɺςετ ΍σϓϩΠΛଞͷ։ൃϓϩηεͱ߹ΘͤΔ ͜ͱ͕Մೳʹͳͬͨʂ AWS CloudFormation Hooks ͕ΧελϜ AWS Lambda ؔ਺ͷαϙʔτΛ։࢝ https://aws.amazon.com/jp/about-aws/whats-new/2024/11/aws-cloudformation-hooks-custom-aws-lambda-functions/

9 ● Hookݺͼग़͠ͷλʔήοτʹελο Ϋ(STACK)ͱมߋηοτ (CHANGE_SET)͕௥Ճʂ ● ࠓ·Ͱ͸Ϧιʔε୯ҐͰͷมߋݕ஌ ͔͠Ͱ͖ͳ͔͕ͬͨɺελοΫͷૢ ࡞΍มߋηοτͷ࡞੒͚ͩͰτϦ ΨʔՄೳ ● Ϧιʔε୯ମʹด͡ͳ͍Ψόφϯε ͷ࣮૷͕Մೳ AWS CloudFormation Hooks ͕ελοΫͱมߋηοτͷλʔήοτݺͼग़͠ϙΠϯτΛಋೖ https://aws.amazon.com/jp/about-aws/whats-new/2024/11/aws-cloudformation-hooks-stack-change-set-target-points/

10 ● Hooksػೳ͕͞ΒʹCloud Control API(CC API)Ͱͷૢ࡞ʹରԠʂ ● Cfn͚ͩͰͳ͘Terraform΍Pulumiͳ ͲଞͷCC APIΛ࢖͏πʔϧ΋Ψόφ ϯεͷର৅ͱͯ͠௥ՃՄೳʂ ● ҎԼ͸ໝ૝ ● কདྷతʹ͸ίϯιʔϧૢ࡞΋͜Ε ͰϒϩοΫͰ͖Δ͔΋ʁ AWS CloudFormation Hooks Ͱ AWS Cloud Control API ͷϦιʔεઃఆͷධՁ͕ར༻Մೳʹ https://aws.amazon.com/jp/about-aws/whats-new/2024/11/aws-cloudformation-hooks-cloud-control-api-configurations-evaluation/

11 ● AMIͱEBSεφοϓγϣοτΛ࡟আ ޙɺҰఆظؒ෮چՄೳʹ͢Δΰϛശ ػೳ͕CfnʹରԠ͠·ͨ͠ʂ ● ΰϛശػೳࣗମΛIaCͰ؅ཧՄೳʹʂ AWS CloudFormation ͷ͝ΈശϧʔϧͷαϙʔτΛൃද https://aws.amazon.com/jp/about-aws/whats-new/2024/11/aws-cloudformation-recycle-bin-rules/ https://dev.classmethod.jp/articles/cloudformation-recycle-bin-rules/ AWSTemplateFormatVersion: 2010-09-09 Description: --- Resources: HogeSnapShotRule: Type: AWS::Rbin::Rule Properties: ResourceType: EBS_SNAPSHOT RetentionPeriod: RetentionPeriodUnit: DAYS RetentionPeriodValue: 3 HogeAmiRule: Type: AWS::Rbin::Rule Properties: ResourceType: EC2_IMAGE RetentionPeriod: RetentionPeriodUnit: DAYS RetentionPeriodValue: 3

12 ● ैདྷϓϩάϥϛϯάݴޠͰͷ࣮૷͕ ඞཁͩͬͨCfn Hooks ● ࠓճͷΞοϓσʔτͰGuard DSLΛ ॻ͘͜ͱͰHookͷ࡞੒͕Մೳʹʂ ● Lambdaͷ؅ཧ͕ෆཁͰɺPolicy as CodeΛ࣮ݱͰ͖Δ ● S3্ʹDSLΛஔ͍ͯ࢖༻ CloudFormation Guard υϝΠϯݻ༗ͷݴޠΛ࢖༻ͯ͠ AWS CloudFormation Hooks Λ࡞੒ https://aws.amazon.com/about-aws/whats-new/2024/11/author-aws-cloudformation-hooks-cloudformation-guard-domain-specific-language/

let aws_lambda_functions_inside_vpc = Resources.*[ Type == 'AWS::Lambda::Function' Metadata.cfn_nag.rules_to_suppress not exists or Metadata.cfn_nag.rules_to_suppress.*.id != "W89" Metadata.guard.SuppressedRules not exists or Metadata.guard.SuppressedRules.* != "LAMBDA_INSIDE_VPC" ] rule LAMBDA_INSIDE_VPC when %aws_lambda_functions_inside_vpc !empty { %aws_lambda_functions_inside_vpc.Properties.VpcConfig.SecurityGroupIds !empty %aws_lambda_functions_inside_vpc.Properties.VpcConfig.SubnetIds !empty << Violation: All AWS Lambda Functions must be configured with access to a VPC … >> } ྫɿVPC LambdaҎ֎Λېࢭ͢Δ৔߹ͷྫ https://github.com/aws-cloudformation/aws-guard-rules-registry/blob/main/rules/aws/lambda/lambda_inside_vpc.guard CloudFormation Guard υϝΠϯݻ༗ͷݴޠΛ࢖༻ͯ͠ AWS CloudFormation Hooks Λ࡞੒ 13

14 ● Amazon Q DeveloperΛ༗ޮʹ͍ͯ͠Δͱɺ CloudFormationͷΤϥʔ͕ى͖͍ͯΔ෦෼ʹ ʮDiagnose with QʯϘλϯ͕දࣔ͞ΕݪҼಛఆ ͕Մೳ ● ஫ҙɿҎԼͷ৔߹ͷΈදࣔʢ2024/12/10࣌఺ʣ ● ݴޠઃఆ͕English(US/UK)ͷ৔߹ ● Ϧʔδϣϯ͕όʔδχΞ๺෦/ΦϨΰϯͷ৔߹ ● ಛఆͷΤϥʔͷ৔߹ ● ͜ͷػೳ͕ݟΕͨ͋ͳͨ͸ϥοΩʔʂ Amazon Q Developer ͷࢧԉػೳΛ࢖ͬͯ AWS CloudFormation ͷτϥϒϧγϡʔςΟϯάΛਝ଎Խ https://aws.amazon.com/jp/about-aws/whats-new/2024/11/cloudformation-troubleshooting-q-developer-assistance/

AWS re:invent?ͷΞοϓσʔτ

16 ● AWS CDKʹ͸L2/L3Constructͱ͍͏ AWSϦιʔεΛந৅Խͯ͠ѻ͑Δ֓ ೦͕͋Δ ● L2/L3ͷConstructΛ΄΅ͦͷ·· Pulumi্Ͱར༻Մೳʹʂ ● CloudFormationΛܦ༝ͤͣɺCloud Control APIܦ༝ͳͷͰߴ଎ʂ AWS CDK on Pulumi͕GAʂ https://www.pulumi.com/blog/aws-cdk-on-pulumi-1.0/ https://dev.classmethod.jp/articles/aws-cdk-on-pulumi-ga/

re:Inventηογϣϯ঺հ

18 ● લ൒͸CloudFormation(Cfn)ͱCloud Control API(CC API)ͷ࿩ ● Cfn͕ݱࡏ͸΄΅CC APIʹҠߦͯ͠ ͍Δ࿩΍Cfn͕ࠓ೥ߴ଎Խͨ͠ཪଆͷ ࣮૷͸Ͳ͏΍ͬͨͷ͔֓ཁ঺հ ● ͳ͔ͥ࠷ޙʹNetflix͕Cfn΋CDK΋ Terraform΋࢖ΘͣʹYAML ✕ CC API ͰIaCΛ࡞ͬͨ࿩΋ ηογϣϯʢAWS infrastructure as code: A year in reviewʣ https://dev.classmethod.jp/articles/aws-reinvent2024-dop201/

pre:InventͳͲΞοϓσʔτ·ͱΊ • AWS CloudFormation Hooks ͕ΧελϜ AWS Lambda ؔ਺ͷαϙʔτΛ։࢝ • AWS CloudFormation Hooks ͕ελοΫͱมߋηοτͷλʔήοτݺͼग़͠ϙΠϯτΛಋೖ • AWS CloudFormation Hooks Ͱ AWS Cloud Control API ͷϦιʔεઃఆͷධՁ͕ར༻Մೳʹ • AWS CloudFormation ͷ͝ΈശϧʔϧͷαϙʔτΛൃද • CloudFormation Guard υϝΠϯݻ༗ͷݴޠΛ࢖༻ͯ͠ AWS CloudFormation Hooks Λ࡞੒ • Amazon Q Developer ͷࢧԉػೳΛ࢖ͬͯ AWS CloudFormation ͷτϥϒϧγϡʔςΟϯά Λਝ଎Խ • AWS CDK on Pulumi͕GAʂ

ͬ͘͟Γ·ͱΊ •CloudFormation Hooks͕࢖͍΍͘͢ɺద༻ ൣғ΋CfnҎ֎ʹ޿͕ͬͨʂ •Cloud Control API΁ͷஔ͖׵͕͑ਐΜͰɺ 3rd party IaC΍ಠࣗIaC΋೤͘ͳΔʂ͔΋

No content