
CFnからCDKへ (From CFn to CDK) / the future of developer tools on AWS

katsuya
February 27, 2020


Transcript

1. What is CDK? "The AWS Cloud Development Kit (AWS CDK) is an open-source software development framework to define cloud infrastructure in code and provision it through AWS CloudFormation." https://github.com/aws/aws-cdk (Page 6 / 32)
2. What is CDK? "The AWS Construct Library includes a very large amount of 'undifferentiated heavy lifting' that you can only enjoy if you use the high level resources which encapsulate all this goodness for you behind a nice clean object-oriented API." https://github.com/aws/aws-cdk/tree/master/packages/cdk-dasm (Page 7 / 32)
3. What is CDK? Define AWS infrastructure declaratively in a language you already know:

   ```sh
   vim lib/hello-stack.(ts|py|java|cs)
   ```

   The declarative definition is ultimately emitted as a CFn template:

   ```sh
   npm run build && cdk synth hello-stack > template.yml
   ```

   The emitted template can then be deployed to AWS with a single command:

   ```sh
   cdk deploy hello-stack
   ```

   (Page 9 / 32)
4. Strengths of CDK: an example of using Aspects. Every construct in the list gets the environment name and the git provenance of the deployment as tags, so a deployed resource can be traced back to the commit that produced it.

   ```typescript
   // Imports assumed from the rest of the stack (not shown on the slide)
   import { execSync } from 'child_process';
   import * as cdk from '@aws-cdk/core';
   // capture(): run a shell command and return its trimmed stdout (assumed helper)
   const capture = (cmd: string) => execSync(cmd).toString().trim();

   const gitRepoUrl = capture('git config --get remote.origin.url');
   const gitCommitId = capture('git rev-parse HEAD');
   const gitBranchName = capture('git rev-parse --abbrev-ref HEAD');
   // cloudfront and s3 are constructs defined earlier in the stack; hcEnv comes from context
   for (const c of [cloudfront, s3]) {
     cdk.Tag.add(c, "hc:env", hcEnv);
     cdk.Tag.add(c, "hc:git-repo-url", gitRepoUrl);
     cdk.Tag.add(c, "hc:git-commit-id", gitCommitId);
     cdk.Tag.add(c, "hc:git-branch-name", gitBranchName);
   }
   ```

   (Page 22 / 32)
5. Strengths of CDK: an example of using the low-level CfnXxx constructs and addPropertyOverride. Anything the high-level construct does not expose can still be set directly on the underlying CFn resource.

   ```typescript
   import * as cdk from '@aws-cdk/core';
   import * as rds from '@aws-cdk/aws-rds';

   // dbClusterProps: CfnDBClusterProps built earlier in the stack (not shown on the slide)
   const cluster = new rds.CfnDBCluster(this, "DBCluster", dbClusterProps);
   // Set a property the construct does not expose as a typed option
   cluster.addPropertyOverride("EnableHttpEndpoint", true);
   // Keep the existing cluster if a change would force CFn to replace it
   cluster.cfnOptions.updateReplacePolicy = cdk.CfnDeletionPolicy.RETAIN;
   ```

   (Page 24 / 32)
6. Strengths of CDK: migrating from CFn is easy too. There is a disassembler that emits TypeScript code from a template:

   ```sh
   cdk-dasm < hello-stack.yml > lib/hello-stack.ts
   ```

   Powerful, yet a simple implementation of only 157 lines: https://github.com/aws/aws-cdk/blob/master/packages/cdk-dasm/lib/dasm.ts

   Convert with this, tweak a little, and the migration is done. Logical IDs may change, so use it at your own risk. There are some limitations: intrinsic functions such as Fn::Join are not supported, Parameters and the like cannot be handled, and some resource keys come out in PascalCase. (Page 25 / 32)
7. Example of building a secure bastion with CDK (Pages 27-30 / 32). The host sits in a private subnet with no inbound rule, is reached through SSM Session Manager instead of SSH, and is patched automatically through a patch baseline and a nightly maintenance window.

   ```typescript
   import * as cdk from '@aws-cdk/core';
   import * as ec2 from '@aws-cdk/aws-ec2';
   import * as ssm from '@aws-cdk/aws-ssm';

   export class BastionStack extends cdk.Stack {
     constructor(scope: cdk.Construct, id: string, props: cdk.StackProps = {}) {
       super(scope, id, props);
       // Environment name and target VPC come from CDK context (-c HC_ENV=... -c VPC_ID=...)
       const hcEnv = this.node.tryGetContext("HC_ENV");
       const vpcId = this.node.tryGetContext("VPC_ID");
       const vpc = ec2.Vpc.fromLookup(this, "Vpc", { vpcId });

       // Bastion in a private subnet: no public IP, reached via SSM Session Manager
       const bastion = new ec2.BastionHostLinux(this, "Bastion", {
         vpc,
         instanceName: `${hcEnv}-hc-vpc-bastion`,
         subnetSelection: { subnetType: ec2.SubnetType.PRIVATE },
       });
       bastion.instance.role.addManagedPolicy({
         managedPolicyArn: "arn:aws:iam::aws:policy/service-role/AmazonEC2RoleforSSM",
       });
       // Tag only the EC2 instance so Patch Manager associates it with the baseline below
       cdk.Tag.add(bastion.instance, 'Patch Group', `${hcEnv}-hc-vpc-bastion`, {
         includeResourceTypes: ['AWS::EC2::Instance'],
       });

       new cdk.CfnOutput(this, "BastionAzOutput", {
         value: bastion.instanceAvailabilityZone,
         exportName: `${hcEnv}-hc-vpc-bastion-az`,
       });
       new cdk.CfnOutput(this, "BastionIdOutput", {
         value: bastion.instanceId,
         exportName: `${hcEnv}-hc-vpc-bastion-id`,
       });

       // Patch baseline: approve every patch immediately, including non-security updates
       new ssm.CfnPatchBaseline(this, "BastionPatchBaseline", {
         name: `${hcEnv}-hc-vpc-bastion-patch-baseline`,
         operatingSystem: 'AMAZON_LINUX_2',
         patchGroups: [`${hcEnv}-hc-vpc-bastion`],
         approvalRules: {
           patchRules: [{
             approveAfterDays: 0,
             enableNonSecurity: true,
             patchFilterGroup: {
               patchFilters: [
                 { key: "PRODUCT", values: ["*"] },
                 { key: "CLASSIFICATION", values: ["*"] },
                 { key: "SEVERITY", values: ["*"] },
               ],
             },
           }],
         },
       });

       // Nightly window at 03:00 Asia/Tokyo, 2 hours long, no new tasks in the last hour
       const maintenanceWindow = new ssm.CfnMaintenanceWindow(this, "BastionMaintenanceWindow", {
         name: `${hcEnv}-hc-vpc-bastion-maintenance-window`,
         allowUnassociatedTargets: true,
         cutoff: 1,
         duration: 2,
         schedule: "cron(0 3 ? * * *)",
         scheduleTimezone: "Asia/Tokyo",
       });
       const maintenanceWindowTarget = new ssm.CfnMaintenanceWindowTarget(this, "BastionMaintenanceWindowTarget", {
         windowId: maintenanceWindow.ref,
         resourceType: "INSTANCE",
         targets: [{ key: "InstanceIds", values: [bastion.instanceId] }],
       });
       // Run AWS-RunPatchBaseline (Install) against the bastion inside the window
       new ssm.CfnMaintenanceWindowTask(this, "BastionMaintenanceWindowTask", {
         windowId: maintenanceWindow.ref,
         maxConcurrency: "50",
         maxErrors: "0",
         priority: 1,
         targets: [{ key: "WindowTargetIds", values: [maintenanceWindowTarget.ref] }],
         taskInvocationParameters: {
           maintenanceWindowRunCommandParameters: {
             parameters: {
               "Operation": ["Install"],
               "SnapshotId": ["{{WINDOW_EXECUTION_ID}}"],
             },
             timeoutSeconds: 600,
           },
         },
         taskArn: "AWS-RunPatchBaseline",
         taskType: "RUN_COMMAND",
       });
     }
   }
   ```
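As an added example that is not part of the deck, a small lint over the template that `cdk synth` emits for the BastionStack above, checking the three properties that make it a safe bastion: no internet-facing ingress, the SSM managed policy on the instance role, and the instance's Patch Group tag covered by a baseline. The template and resource names below are constructed for illustration, not taken from a real synth.

```typescript
// Lint a synthesized CloudFormation template for the properties the BastionStack
// relies on. The sample template is constructed by hand to resemble what
// `cdk synth` emits for that stack; logical IDs are illustrative.
type Resource = { Type: string; Properties?: Record<string, any> };
type Template = { Resources: Record<string, Resource> };

const SSM_POLICY = "arn:aws:iam::aws:policy/service-role/AmazonEC2RoleforSSM";

// Constructed sample: a clean template with the bastion role, security group,
// instance and patch baseline.
const sampleTemplate: Template = {
  Resources: {
    BastionRole: { Type: "AWS::IAM::Role", Properties: { ManagedPolicyArns: [SSM_POLICY] } },
    BastionSG: { Type: "AWS::EC2::SecurityGroup", Properties: { SecurityGroupIngress: [] } },
    BastionInstance: { Type: "AWS::EC2::Instance",
      Properties: { Tags: [{ Key: "Patch Group", Value: "prod-hc-vpc-bastion" }] } },
    BastionPatchBaseline: { Type: "AWS::SSM::PatchBaseline",
      Properties: { PatchGroups: ["prod-hc-vpc-bastion"] } },
  },
};

function byType(t: Template, type: string): Resource[] {
  return Object.keys(t.Resources).map(k => t.Resources[k]).filter(r => r.Type === type);
}

// Returns a list of findings; an empty list means the template passes.
function lintBastionTemplate(t: Template): string[] {
  const findings: string[] = [];
  // 1. No security group may accept ingress from the whole internet: access is via Session Manager.
  for (const sg of byType(t, "AWS::EC2::SecurityGroup")) {
    const ingress: any[] = sg.Properties?.SecurityGroupIngress ?? [];
    if (ingress.some(r => r.CidrIp === "0.0.0.0/0" || r.CidrIpv6 === "::/0")) {
      findings.push("world-open ingress on security group");
    }
  }
  // 2. Some role must carry the SSM managed policy, or Session Manager and Patch Manager cannot reach the host.
  const roles = byType(t, "AWS::IAM::Role");
  if (!roles.some(r => (r.Properties?.ManagedPolicyArns ?? []).indexOf(SSM_POLICY) >= 0)) {
    findings.push(`no role attaches ${SSM_POLICY}`);
  }
  // 3. Every instance's "Patch Group" tag must match a baseline, or the window task never patches it.
  const groups: string[] = [];
  for (const b of byType(t, "AWS::SSM::PatchBaseline")) groups.push(...(b.Properties?.PatchGroups ?? []));
  for (const inst of byType(t, "AWS::EC2::Instance")) {
    const tag = (inst.Properties?.Tags ?? []).find((x: any) => x.Key === "Patch Group");
    if (!tag || groups.indexOf(tag.Value) < 0) findings.push("instance not covered by any patch baseline");
  }
  return findings;
}
```

Running it against `cdk synth` output before `cdk deploy` turns the deck's conventions into a gate rather than a habit.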