Deploying Jenkins to AWS using cloudformation and secrets manager

My objective is to build Jenkins as a docker image and deploy it to AWS Elastic Beanstalk.

To build the docker image, I am using the Configuration as Code plugin and injecting all secrets via environment variables in the Dockerfile.

What I am now trying to figure out is how to automate this deployment using CloudFormation or CodePipeline.

My question is:

Not sure why you want to do things this way, but can't you just fetch the secrets directly from Secrets Manager on your ELB instance using the AWS CLI?

CloudFormation templates can retrieve secrets from Secrets Manager. It's a bit ugly, but it works well. In general, I use a security.yaml nested stack to generate the secrets for me in SM, and then retrieve them in the other stacks.

I can't say much about EB, but if you deploy it via CF, this should help.

Generate the secret in SM (CF security.yaml):

Parameters:
  DeploymentEnvironment:
    Type: String
    Description: Deployment environment, e.g. prod, stage, qa, dev, or userdev
    Default: "dev"
...
Resources:
...  
  RegistryDbAdminCreds:
    Type: 'AWS::SecretsManager::Secret'
    Properties:
      Name: !Sub "RegistryDbAdminCreds-${DeploymentEnvironment}"
      Description: "RDS master uid/password for artifact registry database."
      GenerateSecretString:
        SecretStringTemplate: '{"username": "artifactadmin"}'
        GenerateStringKey: "password"
        PasswordLength: 30
        ExcludeCharacters: '"@/\+//:*`"'
      Tags:
      -
        Key: AppName
        Value: RegistryDbAdminCreds

Use the secret in another yaml:

Parameters:
  DeploymentEnvironment:
    Type: String
    Description: Deployment environment, e.g. prod, stage, qa, dev, or userdev
    Default: "dev"
...
Resources:
  DB:
    Type: 'AWS::RDS::DBInstance'
    DependsOn: security
    Properties:
      Engine: postgres
      DBInstanceClass: db.t2.small
      DBName: quilt
      MasterUsername: !Sub '{{resolve:secretsmanager:RegistryDbAdminCreds-${DeploymentEnvironment}:SecretString:username}}'
      MasterUserPassword: !Sub '{{resolve:secretsmanager:RegistryDbAdminCreds-${DeploymentEnvironment}:SecretString:password}}'
      StorageType: gp2
      AllocatedStorage: "100"
      PubliclyAccessible: true
      DBSubnetGroupName: !Ref SubnetGroup
      MultiAZ: true
      VPCSecurityGroups:
      - !GetAtt "network.Outputs.VPCSecurityGroup"
      Tags:
      - Key: Name
        Value: !Join [ '-', [ !Ref StackName, "dbinstance", !Ref DeploymentEnvironment ] ]

The trick is in !Sub '{{resolve:secretsmanager:RegistryDbAdminCreds-${DeploymentEnvironment}:SecretString:username}}' and !Sub '{{resolve:secretsmanager:RegistryDbAdminCreds-${DeploymentEnvironment}:SecretString:password}}'
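The dynamic reference the answer relies on has a fixed layout, secret-id:SecretString:json-key:version-stage:version-id, and the whole point of using it is that the password never appears as a literal in a committed template. The following Python script is an added example, not code from the original post or from AWS: it parses that reference syntax (including the ARN form of secret-id, whose own colons must not be split) and audits a template for sensitive properties that are still plaintext. The two embedded templates are constructed samples; SAFE_TEMPLATE reuses the RDS resource from the answer, LEAKY_TEMPLATE is the same resource with a placeholder literal password. The property names in SENSITIVE_KEYS are an assumed starting list, not an exhaustive one.

```python
import re

# Constructed sample input (not from the original post): the RDS resource from the
# answer, with both credentials pulled through Secrets Manager dynamic references.
SAFE_TEMPLATE = """\
Resources:
  DB:
    Type: 'AWS::RDS::DBInstance'
    Properties:
      Engine: postgres
      MasterUsername: !Sub '{{resolve:secretsmanager:RegistryDbAdminCreds-${DeploymentEnvironment}:SecretString:username}}'
      MasterUserPassword: !Sub '{{resolve:secretsmanager:RegistryDbAdminCreds-${DeploymentEnvironment}:SecretString:password}}'
"""

# Constructed counter-example: the same resource with the password pasted in as a
# literal, which is exactly what the dynamic reference is meant to avoid.
LEAKY_TEMPLATE = """\
Resources:
  DB:
    Type: 'AWS::RDS::DBInstance'
    Properties:
      Engine: postgres
      MasterUsername: artifactadmin
      MasterUserPassword: "CHANGEME-plaintext-placeholder"
"""

# Assumed list of property names whose value should never be a literal in a template.
SENSITIVE_KEYS = ("MasterUserPassword", "MasterUsername", "Password", "SecretString")
KEY_RE = re.compile(r"^\s*(?P<key>" + "|".join(SENSITIVE_KEYS) + r")\s*:\s*(?P<value>\S.*?)\s*$")
DYN_RE = re.compile(r"\{\{resolve:secretsmanager:(?P<body>.+)\}\}")


def parse_dynamic_reference(value):
    """Split a {{resolve:secretsmanager:...}} reference into its fields.

    Layout: secret-id:SecretString:json-key:version-stage:version-id, where every
    field after secret-id is optional. secret-id may be a full ARN, which itself
    contains colons, so an ARN is re-joined before the remaining fields are read.
    Returns a dict, or None when the reference is not well formed.
    """
    m = DYN_RE.fullmatch(value.strip())
    if not m:
        return None
    parts = m.group("body").split(":")
    if parts[0] == "arn":
        # arn:partition:secretsmanager:region:account:secret:name -> seven fields
        if len(parts) < 7:
            return None
        secret_id, rest = ":".join(parts[:7]), parts[7:]
    else:
        secret_id, rest = parts[0], parts[1:]
    ref = {"secret_id": secret_id, "json_key": "", "version_stage": "", "version_id": ""}
    if not rest:
        return ref            # whole SecretString, no JSON key selected
    if rest[0] != "SecretString" or len(rest) > 4:
        return None           # only SecretString can be resolved this way
    for name, field in zip(("json_key", "version_stage", "version_id"), rest[1:]):
        ref[name] = field
    return ref


def classify_value(raw):
    """Label one property value: dynamic-ref, malformed-ref, intrinsic, or plaintext."""
    v = raw.strip()
    if v.startswith(("!Ref", "!GetAtt")):
        return "intrinsic"    # a parameter or output; review its NoEcho setting separately
    if v.startswith("!Sub"):
        v = v[len("!Sub"):].strip()
    v = v.strip("'\"")
    if v.startswith("{{resolve:secretsmanager:"):
        return "dynamic-ref" if parse_dynamic_reference(v) else "malformed-ref"
    return "plaintext"


def audit_template(text):
    """Return (line_no, key, status) for every sensitive property found in a template."""
    findings = []
    for line_no, line in enumerate(text.splitlines(), 1):
        m = KEY_RE.match(line)
        if m:
            findings.append((line_no, m.group("key"), classify_value(m.group("value"))))
    return findings


def plaintext_findings(text):
    """Only the findings a reviewer should block a template on."""
    return [f for f in audit_template(text) if f[2] in ("plaintext", "malformed-ref")]


if __name__ == "__main__":
    for name, tpl in (("safe", SAFE_TEMPLATE), ("leaky", LEAKY_TEMPLATE)):
        for line_no, key, status in audit_template(tpl):
            print(f"{name}:{line_no}: {key} -> {status}")
```

Run it as a pre-commit or pipeline step over the templates in the repository; a non-empty plaintext_findings result means a credential was committed rather than resolved from Secrets Manager at deploy time. Note that the line-based matcher only sees a key and its value on the same line, so multi-line YAML values are not covered.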