Adding logic to check whether the infra is already in the account, and deploying it if not (AWS CDK)
The title may be ambiguous, so let me clarify. I am currently trying to enable AWS Config rules, and to do that the account must have an AWSConfigurationRecorder and an AWSDeliveryChannel. The problem is that when an account already has these enabled, it errors when you try to deploy, and that fails your whole stack. I am trying to figure out a way to create logic that basically checks whether the AWSConfigurationRecorder or AWSDeliveryChannel already exists, and if so skips it and only deploys the rules, and vice versa. Here is the code:
import * as cdk from '@aws-cdk/core';
import * as iam from '@aws-cdk/aws-iam';
import * as s3 from '@aws-cdk/aws-s3';
import * as config from '@aws-cdk/aws-config';
import { ManagedRule } from '@aws-cdk/aws-config';

export class fullConfigStack extends cdk.Stack {
  constructor(scope: cdk.Construct, id: string, props?: cdk.StackProps) {
    super(scope, id, props);

    // Service role that AWS Config assumes to read resource configuration
    const globalConfigRole = new iam.Role(this, 'globalConfigRole', {
      assumedBy: new iam.ServicePrincipal('config.amazonaws.com'), // required
    });
    globalConfigRole.addManagedPolicy(iam.ManagedPolicy.fromAwsManagedPolicyName('service-role/AWSConfigRoleForOrganizations'));
    globalConfigRole.addManagedPolicy(iam.ManagedPolicy.fromAwsManagedPolicyName('ReadOnlyAccess'));

    // Only one configuration recorder is allowed per account and region
    const globalConfigRecorder = new config.CfnConfigurationRecorder(this, 'globalConfigRecorder', {
      roleArn: globalConfigRole.roleArn,
      name: 'globalConfigRecorder',
      recordingGroup: {
        allSupported: true,
        includeGlobalResourceTypes: true
      }
    });

    const globalConfigBucket = new s3.Bucket(this, 'globalConfigBucket', {
      accessControl: s3.BucketAccessControl.LOG_DELIVERY_WRITE
    });

    // Only one delivery channel is allowed per account and region, and it can only be
    // created once the recorder exists, hence the explicit dependency
    const cisConfigDeliveryChannel = new config.CfnDeliveryChannel(this, 'cisConfigDeliveryChannel', {
      s3BucketName: globalConfigBucket.bucketName,
      configSnapshotDeliveryProperties: {
        deliveryFrequency: 'TwentyFour_Hours'
      }
    });
    cisConfigDeliveryChannel.addDependsOn(globalConfigRecorder);

    const generalConfigRole = new iam.Role(this, 'generalConfigRole', {
      assumedBy: new iam.ServicePrincipal('config.amazonaws.com')
    });

    // Config rules also fail to create when no recorder exists yet
    const cloudTrailEnabledRule = new ManagedRule(this, 'cloudTrailEnabledRule', {
      identifier: 'CLOUD_TRAIL_ENABLED'
    });
    cloudTrailEnabledRule.node.addDependency(globalConfigRecorder);
  }
}
So, to clarify again, I want to add some if/else logic around cisConfigDeliveryChannel and globalConfigRecorder so that the whole stack does not error out! If there is another workaround that I am not seeing, please let me know!
In your AWS CloudFormation template you can create a Lambda-backed custom resource that uses a function which checks whether your resources exist. This Lambda function then returns an identifier to CloudFormation, which is used to determine whether the resource needs to be created.
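The decision core of such a custom resource, as an added example that is not code from the question or the answer. The hypothetical handler around it fetches `inventory` from the AWS Config API (DescribeConfigurationRecorders, DescribeDeliveryChannels and DescribeConfigurationRecorderStatus are assumed to be the calls used) and issues the calls that `plan` returns; ownership is encoded in the physical resource id so that a later stack deletion never removes a recorder or channel the account already had.

```typescript
// Added example: decision logic for a Lambda-backed custom resource that creates the
// AWS Config recorder and delivery channel only when the account lacks them (assumed design).
interface CustomResourceEvent {
  RequestType: "Create" | "Update" | "Delete";
  PhysicalResourceId?: string; // set by CloudFormation on Update and Delete
}

interface ConfigInventory {
  hasRecorder: boolean;         // AWS Config allows one recorder per region
  recorderRecording: boolean;   // from DescribeConfigurationRecorderStatus (assumed)
  hasDeliveryChannel: boolean;  // and one delivery channel per region
}

type ConfigAction =
  | "PutConfigurationRecorder" | "PutDeliveryChannel" | "StartConfigurationRecorder"
  | "StopConfigurationRecorder" | "DeleteDeliveryChannel" | "DeleteConfigurationRecorder";

interface Plan {
  PhysicalResourceId: string;   // encodes what the stack owns, e.g. "...:recorder=stack,channel=existing"
  actions: ConfigAction[];      // API calls the handler issues, in order
}

const ID_PREFIX = "aws-config-prereq";
export function plan(event: CustomResourceEvent, inventory: ConfigInventory): Plan {
  if (event.RequestType === "Delete") {
    const id = event.PhysicalResourceId ?? ID_PREFIX;
    const ownsRecorder = id.includes("recorder=stack");
    const ownsChannel = id.includes("channel=stack");
    const actions: ConfigAction[] = [];
    // Remove only what this stack created, in an order the service accepts:
    // stop the recorder, drop the channel, then drop the recorder.
    if (ownsRecorder) actions.push("StopConfigurationRecorder");
    if (ownsChannel) actions.push("DeleteDeliveryChannel");
    if (ownsRecorder) actions.push("DeleteConfigurationRecorder");
    return { PhysicalResourceId: id, actions };
  }
  // Create/Update: fill only the gaps; a second Put would be rejected by the service.
  const actions: ConfigAction[] = [];
  if (!inventory.hasRecorder) actions.push("PutConfigurationRecorder");
  if (!inventory.hasDeliveryChannel) actions.push("PutDeliveryChannel");
  if (!inventory.hasRecorder || !inventory.recorderRecording) actions.push("StartConfigurationRecorder");
  // Keep the id stable on Update: a changed id makes CloudFormation send a Delete for the
  // old one, which would tear down the recorder this stack created on the first deploy.
  const id = event.PhysicalResourceId ??
    `${ID_PREFIX}:recorder=${inventory.hasRecorder ? "existing" : "stack"}` +
    `,channel=${inventory.hasDeliveryChannel ? "existing" : "stack"}`;
  return { PhysicalResourceId: id, actions };
}
```

The stack's own CfnConfigurationRecorder and CfnDeliveryChannel are then replaced by this custom resource, and the ManagedRule constructs take a dependency on it.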