$30 off During Our Annual Pro Sale. View Details »

CDK Day 2023 - Configure cross-account deployment using CDK

hassaku63
September 29, 2023
Programming
0
340

CDK Day 2023 - Configure cross-account deployment using CDK

https://www.cdkday.com/

Sample code: https://github.com/hassaku63/cdk-cross-account-deployment-example

登壇レポート: https://blog.serverworks.co.jp/2023/10/02/172950

hassaku63

September 29, 2023
Tweet

More Decks by hassaku63

See All by hassaku63
202310_社内LT/20231012_lighting_talk
hassaku63
0
16
CDK 座談会企画 2023-07 - CDK のメリットを再発掘してみよう
hassaku63
0
120
Serverless Framework ユーザーが CDK に引っ越しして感じたハードルについて言語化してみる
hassaku63
0
1.8k
[AWS Dev Day 2022 Japan] B-4 サーバーレスな社内業務システムを稼働させて1年経ったので、今日までの足跡を語ろうと思う/footprint-of-in-house-system-developed-fully-serverless-on-aws
hassaku63
1
1.3k
AWS X-Ray SDK for Python を使ってトレーサビリティを向上してみよう/start-aws-xray-and-xray-sdk-for-python
hassaku63
1
710
思想から馴染ませるユニットテストの話/let-change-your-viewpoint-about-unit-test
hassaku63
0
110
Lambda だけじゃもったいない。サーバーレス開発の第二歩目を踏み出そう/lets-take-second-step-in-serverless-development
hassaku63
1
1.7k
[JTF2021] 結局インデックスってなんなんですか?/lets-learn-about-b-tree-index
hassaku63
1
1.8k
私がもっと早く知りたかった サーバーレス開発の “Hello world” の次の一歩/serverless-development-practices-the-next-step-of-hello-world
hassaku63
0
800

Other Decks in Programming

See All in Programming
コンピュータグラフィクスの空
fadis
5
1.3k
壓力測試大冒險:解鎖應用程式的隱藏性能之謎
marcustung
0
140
10年モノのAndroidアプリのコード品質を改善していく、3つの取り組み
okuzawats
0
660
エンジニアもUIを作るならユーザーについて知ろう!
ohakutsu
1
120
WantedlyでFeature Storeを導入する際に考えたこと
zerebom
1
400
Expo Router は Expo 導入の決め手となるか フロントエンドカンファレンス沖縄2023 @Kaito-Dogi
doggy
3
1.7k
弊社の開発体験の良いところは?メンバーに訊いてみた!
texmeijin
0
190
「価値」あるものを作るためにエンジニアができること - NIFTY Tech Day 2023
niftycorp
0
130
動くコードを書こう / let's code a process
kishida
21
6.1k
From Spring Boot 2 to Spring Boot 3 with Java 21 and Jakarta EE
ivargrimstad
0
810
if 式と switch 式による SwiftUI のプレビューエラー対策
ojun9
1
160
クソアプリを作ってみた💩 / kusojaku
uhooi
0
180

Featured

See All Featured
The Success of Rails: Ensuring Growth for the Next 100 Years
eileencodes
26
5.7k
Faster Mobile Websites
deanohume
296
29k
実際に使うSQLの書き方 徹底解説 / pgcon21j-tutorial
soudai
52
19k
CoffeeScript is Beautiful & I Never Want to Write Plain JavaScript Again
sstephenson
152
14k
Unsuck your backbone
ammeep
660
56k
Understanding Cognitive Biases in Performance Measurement
bluesmoon
5
740
Done Done
chrislema
178
15k
The Invisible Customer
myddelton
113
12k
The Psychology of Web Performance [Beyond Tellerrand 2023]
tammyeverts
1
1.1k
4 Signs Your Business is Dying
shpigford
172
21k
Imperfection Machines: The Place of Print at Facebook
scottboms
257
12k
Testing 201, or: Great Expectations
jmmastey
26
6.1k

Transcript

  1. Con
    f
    igure cross-account
    deployment using CDK
    Takuya Hashimoto / @hassaku_63
    CDK Day 2023


    29th September 2023

    View Slide

  2. Speaker
    Developer, IT system admin


    X(Twitter): @hassaku_63


    GitHub: hassaku63


    SpeakerDeck: hassaku63
    Takuya Hashimoto (Serverworks Co., Ltd.)
    Serverworks is;


    System Integrator & AWS Premier Tier Service Partner (since 2014)


    1st Japanese Company to acquire MSP Competency in AWS Partner Network
    (APN)

    View Slide

  3. Contents
    1. Overview of the “CDK Security and Safety Dev Guide”


    2. What “cdk bootstrap” command actually doing


    3. Con
    f
    igure cross-account deployment for CDK project
    This is my
    f
    irst time outputting in English.


    I'm looking forward to discussing with all of you today, but I apologize if my English is hard to understand.

    View Slide

  4. Goal
    The architecture we are assuming for this session
    Actor (pipeline account) Target account(s)
    Trigger on push
    cdk deploy

    View Slide

  5. Overview of the


    “CDK Security and Safety Dev Guide”

    View Slide

  6. (QUESTION)


    What should CDK beginner to learn


    after going through the tutorial?

    View Slide

  7. Fundamental documents about CDK
    https://github.com/aws/aws-cdk/wiki/Security-And-Safety-Dev-Guide
    1. CDK Concepts


    2. Security And Safety Dev Guide
    https://docs.aws.amazon.com/cdk/v2/guide/core_concepts.html

    View Slide

  8. CDK deployments and IAM permission
    #Controlling the permissions used by CDK deployments
    [2] DefaultStackSynthesizer


    CDK’s default approach


    Fewer permissions are required for the principal
    who is initiating CDK deployment action than [1]
    [1] CliCredentialsStackSynthesizer


    Simple deployment pattern


    Do not use AssumeRole for deployment


    View Slide

  9. Permissions and Roles in DefaultStackSynthesizer

    View Slide

  10. Permissions and Roles in DefaultStackSynthesizer
    The principal who starts


    CDK Deployment action


    (It invokes cfn ExecuteChangeSet or
    Deploy API internally)

    View Slide

  11. Permissions and Roles in DefaultStackSynthesizer
    IAM Roles and Permissions


    actually used during CDK deployment

    View Slide

  12. Permissions and Roles in DefaultStackSynthesizer
    “Assets” publishing


    (Container images)
    “Assets” publishing


    (static
    f
    iles like such as Lambda function’s
    packages)

    View Slide

  13. Permissions and Roles in DefaultStackSynthesizer
    Executes cfn deployment

    View Slide

  14. Permissions and Roles in DefaultStackSynthesizer
    Executes cfn deployment
    IAM Role for


    Invoke cfn deploy API
    IAM Role for


    used when constructs resources

    View Slide

  15. Permissions and Roles in DefaultStackSynthesizer
    AssumeRole permission


    are required for the principal


    (do not need other)

    View Slide

  16. Permissions and Roles in DefaultStackSynthesizer
    Account for starting deployment action Deployment target account(s)
    (1) CDK’s default approach makes it easier to migrate to cross-account architecture because
    deployment are based on AssumeRole & PassRole


    (2) These resources (in orange box) are constructed ”cdk bootstrap”


    (3) Need to con
    f
    igure IAM Roles to “trust” the principals in another account


    if con
    f
    igure cross-account deployment (by execute “cdk bootstrap” command)

    View Slide

  17. What “cdk bootstrap” command
    actually doing

    View Slide

  18. CDK bootstrap
    (revision) Deploy a cfn stack which is called “bootstrap stack”
    CDK Developer Guide - Concepts; Bootstraping


    https://docs.aws.amazon.com/cdk/v2/guide/bootstrapping.html

    View Slide

  19. CDK bootstrap
    $ cdk bootstrap —show-template > bootstrap-template.yml
    De
    f
    ined resources are;
    (only covering those relevant to my talk theme)
    Allow AssumeRole to


    AWS Account principal


    if “TrustedAccouts” given
    IAM Role resource de
    f
    ined in bootstrap template
    1. S3 Bucket for storing
    f
    ile assets


    2. ECR Repository for upload container assets


    3. IAM Role for Upload
    f
    ile assets


    4. IAM Role for push container assets


    5. IAM Role for lookup resources

    View Slide

  20. Con
    f
    igure cross-account
    deployment for CDK project

    View Slide

  21. Con
    f
    iguration for cross-account deployment
    Overview
    hassaku63/cdk-cross-account-deployment-example
    1. bootstrap on Pipeline account


    2. bootstrap on Target account

    (trust “pipeline account” principal)


    3. Deploy pipeline stack


    4. Deploy to target (by git push)
    Pipeline account Target account(s)

    View Slide

  22. Con
    f
    iguration for cross-account deployment
    Overview
    hassaku63/cdk-cross-account-deployment-example
    Pipeline account Target account(s)
    1. bootstrap on Pipeline account


    2. bootstrap on Target account

    (trust “pipeline account” principal)


    3. Deploy pipeline stack


    4. Deploy to target (by git push)

    View Slide

  23. Con
    f
    iguration for cross-account deployment
    Bootstrap on target account with “trust” option
    Execute on the all target accounts


    $ npx cdk bootstrap \


    —trust “” \


    —cloudformation-execution-policies \


    ‘arn:aws:iam::aws:policy/AdministratorAccess’
    Pipeline account Target account(s)

    View Slide

  24. Con
    f
    iguration for cross-account deployment
    Con
    f
    igure service role for CodeBuild
    Allow AssumeRole action to the Roles


    that are constructed by bootstrap


    Pipeline account Target account(s)

    View Slide

  25. Conclusion

    View Slide

  26. Conclusion
    Learn about …
    1. What resources are constructed by “cdk bootstrap” command


    2. Use “trust” option with bootstrap command to con
    f
    igure cross-account
    deployment


    3. Allow the actor that starts deployment (such as CodeBuild Project) to execute

    the AssumeRole action to the Roles that are constructed by bootstrap

    View Slide

  27. Slide
    Published on https://speakerdeck.com/hassaku63


    View Slide