CDK Day 2023 - Configure cross-account deployment using CDK

Transcript

1. Con f igure cross-account deployment using CDK Takuya Hashimoto /

   @hassaku_63 CDK Day 2023 29th September 2023

2. Speaker Developer, IT system admin X(Twitter): @hassaku_63 GitHub: hassaku63 SpeakerDeck:

   hassaku63 Takuya Hashimoto (Serverworks Co., Ltd.) Serverworks is; System Integrator & AWS Premier Tier Service Partner (since 2014) 1st Japanese Company to acquire MSP Competency in AWS Partner Network (APN)

3. Contents 1. Overview of the “CDK Security and Safety Dev

   Guide” 2. What “cdk bootstrap” command actually doing 3. Con f igure cross-account deployment for CDK project This is my f irst time outputting in English. I'm looking forward to discussing with all of you today, but I apologize if my English is hard to understand.

4. Goal The architecture we are assuming for this session Actor

   (pipeline account) Target account(s) Trigger on push cdk deploy

5. Overview of the “CDK Security and Safety Dev Guide”

6. (QUESTION) What should CDK beginner to learn after going through

   the tutorial?

7. Fundamental documents about CDK https://github.com/aws/aws-cdk/wiki/Security-And-Safety-Dev-Guide 1. CDK Concepts 2. Security

   And Safety Dev Guide https://docs.aws.amazon.com/cdk/v2/guide/core_concepts.html

8. CDK deployments and IAM permission #Controlling the permissions used by

   CDK deployments [2] DefaultStackSynthesizer CDK’s default approach Fewer permissions are required for the principal who is initiating CDK deployment action than [1] [1] CliCredentialsStackSynthesizer Simple deployment pattern Do not use AssumeRole for deployment

9. Permissions and Roles in DefaultStackSynthesizer

10. Permissions and Roles in DefaultStackSynthesizer The principal who starts CDK

    Deployment action (It invokes cfn ExecuteChangeSet or Deploy API internally)

11. Permissions and Roles in DefaultStackSynthesizer IAM Roles and Permissions actually

    used during CDK deployment

12. Permissions and Roles in DefaultStackSynthesizer “Assets” publishing (Container images) “Assets”

    publishing (static f iles like such as Lambda function’s packages)

13. Permissions and Roles in DefaultStackSynthesizer Executes cfn deployment

14. Permissions and Roles in DefaultStackSynthesizer Executes cfn deployment IAM Role

    for Invoke cfn deploy API IAM Role for used when constructs resources

15. Permissions and Roles in DefaultStackSynthesizer AssumeRole permission are required for

    the principal (do not need other)

16. Permissions and Roles in DefaultStackSynthesizer Account for starting deployment action

    Deployment target account(s) (1) CDK’s default approach makes it easier to migrate to cross-account architecture because deployment are based on AssumeRole & PassRole (2) These resources (in orange box) are constructed ”cdk bootstrap” (3) Need to con f igure IAM Roles to “trust” the principals in another account if con f igure cross-account deployment (by execute “cdk bootstrap” command)

17. What “cdk bootstrap” command actually doing

18. CDK bootstrap (revision) Deploy a cfn stack which is called

    “bootstrap stack” CDK Developer Guide - Concepts; Bootstraping https://docs.aws.amazon.com/cdk/v2/guide/bootstrapping.html

19. CDK bootstrap $ cdk bootstrap —show-template > bootstrap-template.yml De f

    ined resources are; (only covering those relevant to my talk theme) Allow AssumeRole to AWS Account principal if “TrustedAccouts” given IAM Role resource de f ined in bootstrap template 1. S3 Bucket for storing f ile assets 2. ECR Repository for upload container assets 3. IAM Role for Upload f ile assets 4. IAM Role for push container assets 5. IAM Role for lookup resources

20. Con f igure cross-account deployment for CDK project

21. Con f iguration for cross-account deployment Overview hassaku63/cdk-cross-account-deployment-example 1. bootstrap

    on Pipeline account 2. bootstrap on Target account 
 (trust “pipeline account” principal) 3. Deploy pipeline stack 4. Deploy to target (by git push) Pipeline account Target account(s)

22. Con f iguration for cross-account deployment Overview hassaku63/cdk-cross-account-deployment-example Pipeline account

    Target account(s) 1. bootstrap on Pipeline account 2. bootstrap on Target account 
 (trust “pipeline account” principal) 3. Deploy pipeline stack 4. Deploy to target (by git push)

23. Con f iguration for cross-account deployment Bootstrap on target account

    with “trust” option Execute on the all target accounts $ npx cdk bootstrap \ —trust “<pipeline-account>” \ —cloudformation-execution-policies \ ‘arn:aws:iam::aws:policy/AdministratorAccess’ Pipeline account Target account(s)

24. Con f iguration for cross-account deployment Con f igure service

    role for CodeBuild Allow AssumeRole action to the Roles that are constructed by bootstrap Pipeline account Target account(s)

25. Conclusion

26. Conclusion Learn about … 1. What resources are constructed by

    “cdk bootstrap” command 2. Use “trust” option with bootstrap command to con f igure cross-account deployment 3. Allow the actor that starts deployment (such as CodeBuild Project) to execute 
 the AssumeRole action to the Roles that are constructed by bootstrap

27. Slide Published on https://speakerdeck.com/hassaku63