CDK Day 2023 - Configure cross-account deployment using CDK

hassaku63

September 29, 2023

Transcript

  1. Configure cross-account deployment using CDK. Takuya Hashimoto / @hassaku_63. CDK Day 2023, 29th September 2023.
  2. Speaker: Takuya Hashimoto (Serverworks Co., Ltd.), developer and IT system admin. X (Twitter): @hassaku_63, GitHub: hassaku63, SpeakerDeck: hassaku63. Serverworks is a System Integrator and AWS Premier Tier Services Partner (since 2014), and the first Japanese company to acquire the MSP Competency in the AWS Partner Network (APN).
  3. Contents: 1. Overview of the “CDK Security and Safety Dev Guide” 2. What the “cdk bootstrap” command is actually doing 3. Configure cross-account deployment for a CDK project. This is my first time outputting in English. I'm looking forward to discussing with all of you today, but I apologize if my English is hard to understand.
  4. Goal: the architecture we are assuming for this session. Actor (pipeline account) → Target account(s); trigger on push, then `cdk deploy`.
  5. CDK deployments and IAM permission (#Controlling the permissions used by CDK deployments). [1] CliCredentialsStackSynthesizer: the simple deployment pattern; does not use AssumeRole for deployment. [2] DefaultStackSynthesizer: CDK’s default approach; fewer permissions are required for the principal who initiates the CDK deployment action than with [1].
  6. Permissions and Roles in DefaultStackSynthesizer: the principal who starts the CDK deployment action (it invokes the CloudFormation ExecuteChangeSet or Deploy API internally).
  7. Permissions and Roles in DefaultStackSynthesizer: “Assets” publishing (container images) and “Assets” publishing (static files such as Lambda function packages).
  8. Permissions and Roles in DefaultStackSynthesizer: an IAM Role for invoking the cfn deploy API (executes the cfn deployment) and an IAM Role used by CloudFormation when constructing resources.
  9. Permissions and Roles in DefaultStackSynthesizer: account for starting the deployment action vs. deployment target account(s). (1) CDK’s default approach makes it easier to migrate to a cross-account architecture because deployments are based on AssumeRole and PassRole. (2) These resources (in the orange box) are constructed by “cdk bootstrap”. (3) To configure cross-account deployment, the IAM Roles need to be configured to “trust” the principals in the other account (by executing the “cdk bootstrap” command).
  10. CDK bootstrap (revision): deploys a cfn stack called the “bootstrap stack”. CDK Developer Guide - Concepts; Bootstrapping: https://docs.aws.amazon.com/cdk/v2/guide/bootstrapping.html
  11. CDK bootstrap: `$ cdk bootstrap --show-template > bootstrap-template.yml`. Defined resources are (only covering those relevant to my talk theme): 1. S3 Bucket for storing file assets 2. ECR Repository for uploading container assets 3. IAM Role for uploading file assets 4. IAM Role for pushing container assets 5. IAM Role for looking up resources. The IAM Role resources defined in the bootstrap template allow AssumeRole to an AWS Account principal if “TrustedAccounts” is given.
  12. Configuration for cross-account deployment, overview (hassaku63/cdk-cross-account-deployment-example): 1. bootstrap on the Pipeline account 2. bootstrap on the Target account (trusting the “pipeline account” principal) 3. deploy the pipeline stack 4. deploy to the target (by git push). Pipeline account → Target account(s).
  14. Configuration for cross-account deployment: bootstrap on the target account with the “trust” option. Execute this on all target accounts (Pipeline account → Target account(s)):

    $ npx cdk bootstrap \
        --trust "<pipeline-account>" \
        --cloudformation-execution-policies 'arn:aws:iam::aws:policy/AdministratorAccess'
  15. Configuration for cross-account deployment: configure the service role for CodeBuild. Allow the AssumeRole action on the Roles that are constructed by bootstrap. Pipeline account → Target account(s).
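The two halves of steps 14 and 15 (the target account's bootstrap roles trusting the pipeline account, and the CodeBuild service role being allowed to AssumeRole only those roles) as an added TypeScript example; this is not code from the talk or from the hassaku63 repository. It assumes the DefaultStackSynthesizer role-name pattern cdk-<qualifier>-<purpose>-<account>-<region> with the default qualifier "hnb659fds", renders the trust policy in simplified form, and uses constructed sample account ids.

```typescript
// Added example, not code from the talk or the hassaku63 repository. Models the
// target account's bootstrap roles trusting the pipeline account (cdk bootstrap
// --trust) and the pipeline-side actor (e.g. the CodeBuild service role) being
// allowed to AssumeRole only those roles. Assumes the DefaultStackSynthesizer
// naming cdk-<qualifier>-<purpose>-<account>-<region>, default qualifier
// "hnb659fds"; account ids in the checks are constructed samples.

// Roles the deploying principal assumes directly. cfn-exec-role is assumed by
// CloudFormation itself, so the actor does not need sts:AssumeRole on it.
const ACTOR_ROLES = ["deploy-role", "file-publishing-role",
  "image-publishing-role", "lookup-role"] as const;

type Statement = { Effect: "Allow"; Action: string[]; Resource: string[] };
type TrustPolicy = {
  Version: "2012-10-17";
  Statement: { Effect: "Allow"; Principal: { AWS: string[] }; Action: string }[];
};

export function bootstrapRoleArns(account: string, region: string,
                                  qualifier = "hnb659fds"): string[] {
  return ACTOR_ROLES.map(
    p => `arn:aws:iam::${account}:role/cdk-${qualifier}-${p}-${account}-${region}`);
}

// Least-privilege statement for the pipeline actor: sts:AssumeRole scoped to
// the bootstrap roles of each target account instead of Resource: "*".
export function actorAssumeRoleStatement(targetAccounts: string[], region: string,
                                         qualifier = "hnb659fds"): Statement {
  return { Effect: "Allow", Action: ["sts:AssumeRole"],
    Resource: targetAccounts.flatMap(a => bootstrapRoleArns(a, region, qualifier)) };
}

// Simplified view of the trust policy bootstrap installs with --trust: the
// target account's own root plus the root of each trusted (pipeline) account.
export function bootstrapTrustPolicy(targetAccount: string, trusted: string[]): TrustPolicy {
  const roots = [targetAccount, ...trusted].map(a => `arn:aws:iam::${a}:root`);
  return { Version: "2012-10-17",
    Statement: [{ Effect: "Allow", Principal: { AWS: roots }, Action: "sts:AssumeRole" }] };
}

// Consistency check across both halves: returns the role ARNs the actor may
// assume whose account does not trust the pipeline account. Those are the
// AssumeRole calls that would fail with AccessDenied at deploy time.
export function findUntrustedArns(actor: Statement, pipelineAccount: string,
                                  trustByAccount: Record<string, TrustPolicy>): string[] {
  const pipelineRoot = `arn:aws:iam::${pipelineAccount}:root`;
  return actor.Resource.filter(arn => {
    const trust = trustByAccount[arn.split(":")[4] ?? ""];
    return !trust || !trust.Statement.some(s => s.Principal.AWS.includes(pipelineRoot));
  });
}
```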
  16. Conclusion. Learn about … 1. What resources are constructed by the “cdk bootstrap” command 2. Use the “trust” option with the bootstrap command to configure cross-account deployment 3. Allow the actor that starts the deployment (such as a CodeBuild Project) to execute the AssumeRole action on the Roles that are constructed by bootstrap.