CFnからCDKへ / the future of developer tools on AWS

katsuya
February 27, 2020


Transcript

  1. What is CDK?

     The AWS Cloud Development Kit (AWS CDK) is an open-source software development framework to define cloud infrastructure in code and provision it through AWS CloudFormation.
     https://github.com/aws/aws-cdk
     (slide 6 of 32)
  2. What is CDK?

     The AWS Construct Library includes a very large amount of "undifferentiated heavy lifting" that you can only enjoy if you use the high level resources which encapsulate all this goodness for you behind a nice clean object-oriented API.
     https://github.com/aws/aws-cdk/tree/master/packages/cdk-dasm
     (slide 7 of 32)
  3. What is CDK?

     Define your AWS infrastructure declaratively in a language you already know:

       vim lib/hello-stack.(ts|py|java|cs)

     From that declarative definition, a CloudFormation template is produced:

       npm run build && cdk synth hello-stack > template.yml

     The generated template can then be deployed to AWS with a single command:

       cdk deploy hello-stack

     (slide 9 of 32)
  4. Strengths of CDK: an example of using Aspects

     Tag every resource of a stack with the Git origin it was deployed from (cloudfront, s3 and hcEnv are defined elsewhere in the stack; capture() is not shown on the slide and is assumed here to run a command and return its trimmed stdout):

       import * as cdk from '@aws-cdk/core';
       import { execSync } from 'child_process';

       // Assumed helper: run a shell command and return its trimmed standard output
       const capture = (cmd: string): string => execSync(cmd).toString().trim();

       const gitRepoUrl = capture('git config --get remote.origin.url');
       const gitCommitId = capture('git rev-parse HEAD');
       const gitBranchName = capture('git rev-parse --abbrev-ref HEAD');

       // Tag.add applies a tagging Aspect: every taggable resource beneath each construct receives the tags
       for (const c of [cloudfront, s3]) {
         cdk.Tag.add(c, "hc:env", hcEnv);
         cdk.Tag.add(c, "hc:git-repo-url", gitRepoUrl);
         cdk.Tag.add(c, "hc:git-commit-id", gitCommitId);
         cdk.Tag.add(c, "hc:git-branch-name", gitBranchName);
       }

     (slide 22 of 32)
  5. Strengths of CDK: an example of using CfnXyz (L1 constructs) and addPropertyOverride

     When a high-level construct does not expose a property, drop down to the L1 construct and override the raw CloudFormation property:

       // L1 construct: maps one-to-one onto AWS::RDS::DBCluster
       const cluster = new rds.CfnDBCluster(this, "DBCluster", dbClusterProps);
       // Set a template property that the construct does not expose directly
       cluster.addPropertyOverride("EnableHttpEndpoint", true);
       // Keep the existing cluster if CloudFormation ever has to replace it
       cluster.cfnOptions.updateReplacePolicy = cdk.CfnDeletionPolicy.RETAIN;

     (slide 24 of 32)
  6. Strengths of CDK: migrating from CloudFormation is easy too

     There is a disassembler that emits TypeScript code from a template:

       cdk-dasm < hello-stack.yml > lib/hello-stack.ts

     Powerful, yet a simple implementation of just 157 lines:
     https://github.com/aws/aws-cdk/blob/master/packages/cdk-dasm/lib/dasm.ts

     Convert with this, tweak the result a little, and the migration is done. Logical IDs may change, so use it at your own risk.

     There are some limitations: intrinsic functions such as Fn::Join are not supported, Parameters cannot be handled, and some resource keys come out in PascalCase.
     (slide 25 of 32)
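     To make the limitations listed above concrete, here is an added example (not the real cdk-dasm, and not code from the deck): a miniature disassembler that turns a template's Resources into CDK L1 code, camel-cases property keys with an approximation of CDK's naming rule, and reports Parameters and intrinsic functions instead of dropping them silently. The sample template is constructed for the example.

```typescript
// Added example (not the real cdk-dasm): a miniature disassembler that turns a
// CloudFormation template's Resources into CDK L1 (CfnXxx) TypeScript and reports
// what the slide lists as unsupported (Parameters, intrinsic functions) instead of
// silently dropping it. The camelCase rule approximates CDK's property naming.
type Json = string | number | boolean | null | Json[] | { [key: string]: Json };
interface Resource { Type: string; Properties?: { [key: string]: Json }; }
interface Template { Parameters?: { [key: string]: Json }; Resources: { [id: string]: Resource }; }

// "EnableHttpEndpoint" -> "enableHttpEndpoint", "DBClusterIdentifier" -> "dbClusterIdentifier"
export function toCamel(key: string): string {
  const run = (/^[A-Z]+/.exec(key) || [""])[0].length;
  // Lower-case a leading acronym, keeping its last letter when it starts the next word.
  const keep = run <= 1 ? 1 : run === key.length ? run : run - 1;
  return key.slice(0, keep).toLowerCase() + key.slice(keep);
}

function render(v: Json, path: string, warnings: string[]): string {
  if (Array.isArray(v)) return `[${v.map((x, i) => render(x, `${path}[${i}]`, warnings)).join(", ")}]`;
  if (typeof v === "object" && v !== null) {
    const obj: { [key: string]: Json } = v;
    const keys = Object.keys(obj);
    if (keys.length === 1 && (keys[0] === "Ref" || keys[0].indexOf("Fn::") === 0)) {
      warnings.push(`${path}: intrinsic ${keys[0]} is not converted, port it by hand`);
      return `/* TODO ${path} */ ${JSON.stringify(obj)}`;
    }
    return `{ ${keys.map(k => `${toCamel(k)}: ${render(obj[k], `${path}.${k}`, warnings)}`).join(", ")} }`;
  }
  return JSON.stringify(v); // string, number, boolean or null
}

export function disassemble(t: Template): { code: string[]; warnings: string[] } {
  const code: string[] = [], warnings: string[] = [];
  if (t.Parameters) warnings.push(`Parameters (${Object.keys(t.Parameters).join(", ")}) are not handled; pass them via CDK context`);
  for (const id of Object.keys(t.Resources)) {
    const [, service, resource] = t.Resources[id].Type.split("::"); // AWS::RDS::DBCluster -> rds.CfnDBCluster
    code.push(`new ${service.toLowerCase()}.Cfn${resource}(this, "${id}", ${render(t.Resources[id].Properties || {}, id, warnings)});`);
  }
  return { code, warnings };
}

// Constructed sample template in the spirit of the slides' DBCluster example (not from the deck).
export const sampleTemplate: Template = {
  Parameters: { HcEnv: { Type: "String" } },
  Resources: { DBCluster: { Type: "AWS::RDS::DBCluster", Properties: {
    Engine: "aurora", EnableHttpEndpoint: true, VpcSecurityGroupIds: ["sg-0123"],
    DBClusterIdentifier: { "Fn::Join": ["-", [{ Ref: "HcEnv" }, "hc-db"]] },
  } } },
};
const out = disassemble(sampleTemplate);
console.log(out.code.concat(out.warnings.map(w => "// WARN " + w)).join("\n"));
```

     Every TODO marker and warning is a spot that needs a manual review before the migrated stack is deployed, which is the "tweak it a little" step the slide describes.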
  7. Example: building a secure bastion host with CDK

     The bastion lives in a private subnet and is reached through SSM Session Manager rather than a public SSH port, and it is enrolled in a patch group so that it is patched automatically (slides 7 to 10 are one stack; the imports are assumed CDK v1 modules, not shown on the slide):

       import * as cdk from '@aws-cdk/core';
       import * as ec2 from '@aws-cdk/aws-ec2';
       import * as ssm from '@aws-cdk/aws-ssm';

       export class BastionStack extends cdk.Stack {
         constructor(scope: cdk.Construct, id: string, props: cdk.StackProps = {}) {
           super(scope, id, props);
           // Environment name and VPC id are passed in as CDK context values
           const hcEnv = this.node.tryGetContext("HC_ENV");
           const vpcId = this.node.tryGetContext("VPC_ID");
           const vpc = ec2.Vpc.fromLookup(this, "Vpc", { vpcId });

           // No public IP: the host sits in a private subnet and is accessed via SSM
           const bastion = new ec2.BastionHostLinux(this, "Bastion", {
             vpc,
             instanceName: `${hcEnv}-hc-vpc-bastion`,
             subnetSelection: { subnetType: ec2.SubnetType.PRIVATE },
           });
           bastion.instance.role.addManagedPolicy({
             managedPolicyArn: "arn:aws:iam::aws:policy/service-role/AmazonEC2RoleforSSM"
           });

           // The Patch Group tag enrols the instance in the patch baseline defined on the next slide
           cdk.Tag.add(bastion.instance, 'Patch Group', `${hcEnv}-hc-vpc-bastion`, {
             includeResourceTypes: ['AWS::EC2::Instance'],
           });

     (slide 27 of 32, continued on the next slides)
  8. Example: building a secure bastion host with CDK (continued)

           // Export the AZ and instance id so other stacks can reference the bastion
           new cdk.CfnOutput(this, "BastionAzOutput", {
             value: bastion.instanceAvailabilityZone,
             exportName: `${hcEnv}-hc-vpc-bastion-az`
           });
           new cdk.CfnOutput(this, "BastionIdOutput", {
             value: bastion.instanceId,
             exportName: `${hcEnv}-hc-vpc-bastion-id`
           });

           // Patch baseline: approve every Amazon Linux 2 patch immediately, security or not
           new ssm.CfnPatchBaseline(this, "BastionPatchBaseline", {
             name: `${hcEnv}-hc-vpc-bastion-patch-baseline`,
             operatingSystem: 'AMAZON_LINUX_2',
             patchGroups: [`${hcEnv}-hc-vpc-bastion`],
             approvalRules: {
               patchRules: [{
                 approveAfterDays: 0,
                 enableNonSecurity: true,
                 patchFilterGroup: {
                   patchFilters: [
                     { key: "PRODUCT", values: ["*"] },
                     { key: "CLASSIFICATION", values: ["*"] },
                     { key: "SEVERITY", values: ["*"] }
                   ]
                 }
               }]
             }
           });

     (slide 28 of 32)
  9. Example: building a secure bastion host with CDK (continued)

           // Maintenance window: every day at 03:00 Asia/Tokyo, 2 hours long, stop scheduling new tasks 1 hour before the end
           const maintenanceWindow = new ssm.CfnMaintenanceWindow(this, "BastionMaintenanceWindow", {
             name: `${hcEnv}-hc-vpc-bastion-maintenance-window`,
             allowUnassociatedTargets: true,
             cutoff: 1,
             duration: 2,
             schedule: "cron(0 3 ? * * *)",
             scheduleTimezone: "Asia/Tokyo",
           });

           // Register the bastion instance as the window's target
           const maintenanceWindowTarget = new ssm.CfnMaintenanceWindowTarget(this, "BastionMaintenanceWindowTarget", {
             windowId: maintenanceWindow.ref,
             resourceType: "INSTANCE",
             targets: [{ key: "InstanceIds", values: [bastion.instanceId] }]
           });

     (slide 29 of 32)
  10. Example: building a secure bastion host with CDK (continued)

           // Run AWS-RunPatchBaseline (Install) against the target during the window
           new ssm.CfnMaintenanceWindowTask(this, "BastionMaintenanceWindowTask", {
             windowId: maintenanceWindow.ref,
             maxConcurrency: "50",
             maxErrors: "0",
             priority: 1,
             targets: [{ key: "WindowTargetIds", values: [maintenanceWindowTarget.ref] }],
             taskInvocationParameters: {
               maintenanceWindowRunCommandParameters: {
                 parameters: {
                   "Operation": ["Install"],
                   "SnapshotId": ["{{WINDOW_EXECUTION_ID}}"]
                 },
                 timeoutSeconds: 600
               }
             },
             taskArn: "AWS-RunPatchBaseline",
             taskType: "RUN_COMMAND"
           });
         }
       }

     (slide 30 of 32)