Resource Creation Breaks Stack Deployment

So I'm trying to do a clean deployment of all the infrastructure needed to use AWS Config with about 14 managed rules. I ran into this problem when AWS Config was already enabled in a particular account, because it didn't like that I was trying to redeploy the necessary infra (Config Recorder and Config Delivery Channel). I'm trying to set up my logic so that if there's an error on the existing infrastructure it immediately tries to deploy only the rules. Here is my code:

    import cdk = require('@aws-cdk/core');
    import s3 = require('@aws-cdk/aws-s3');
    import iam = require('@aws-cdk/aws-iam');
    import config = require('@aws-cdk/aws-config');
    import { ManagedRule } from '@aws-cdk/aws-config';

    export class fullConfigStack extends cdk.Stack {
      constructor(scope: cdk.Construct, id: string, props?: cdk.StackProps) {
        super(scope, id, props);

        // Service role the configuration recorder assumes to describe resources
        const globalConfigRole = new iam.Role(this, 'globalConfigRole', {
          assumedBy: new iam.ServicePrincipal('config.amazonaws.com'),   // required
        });
        globalConfigRole.addManagedPolicy(iam.ManagedPolicy.fromAwsManagedPolicyName('service-role/AWSConfig'));
        globalConfigRole.addManagedPolicy(iam.ManagedPolicy.fromAwsManagedPolicyName('ReadOnlyAccess'));

        // Recorder: references roleArn, so CloudFormation creates it after the role
        const globalConfigRecorder = new config.CfnConfigurationRecorder(this, 'globalConfigRecorder', {
          roleArn: globalConfigRole.roleArn,
          name: 'globalConfigRecorder',
          recordingGroup: {
            allSupported: true,
            includeGlobalResourceTypes: true,
          },
        });

        // Bucket and delivery channel for configuration snapshots
        const globalConfigBucket = new s3.Bucket(this, 'globalConfigBucket', {
          accessControl: s3.BucketAccessControl.LOG_DELIVERY_WRITE,
        });
        const cisConfigDeliveryChannel = new config.CfnDeliveryChannel(this, 'cisConfigDeliveryChannel', {
          s3BucketName: globalConfigBucket.bucketName,
          configSnapshotDeliveryProperties: {
            deliveryFrequency: 'TwentyFour_Hours',
          },
        });

        // Not referenced by anything below; kept as in the original stack
        const generalConfigRole = new iam.Role(this, 'generalConfigRole', {
          assumedBy: new iam.ServicePrincipal('config.amazonaws.com'),
        });

        // Managed rules. None of them references the recorder or the delivery
        // channel, so nothing in the template orders them after those resources.
        const cloudTrailEnabledRule = new ManagedRule(this, 'cloudTrailEnabledRule', {
          identifier: 'CLOUD_TRAIL_ENABLED',
        });

        const userGroupMembershipRule = new ManagedRule(this, 'userGroupMembershipRule', {
          identifier: 'IAM_USER_GROUP_MEMBERSHIP_CHECK',
        });

        const rootAccountMfaEnabledRule = new ManagedRule(this, 'rootAccountMfaEnabledRule', {
          identifier: 'ROOT_ACCOUNT_MFA_ENABLED',
        });

        const accessKeysRotatedRule = new ManagedRule(this, 'accessKeysRotatedRule', {
          identifier: 'ACCESS_KEYS_ROTATED',
          inputParameters: {
            maxAccessKeyAge: 90, // rule triggers off a config change; keys must be rotated within 90 days
          },
        });

        const iamPasswordPolicyRule = new ManagedRule(this, 'iamPasswordPolicyRule', {
          identifier: 'IAM_PASSWORD_POLICY',
          inputParameters: {
            RequireUppercaseCharacters: true,
            RequireLowercaseCharacters: true,
            RequireSymbols: true,
            RequireNumbers: true,
            MinimumPasswordLength: 14,
            PasswordReusePrevention: 24,
            MaxPasswordAge: 90,
          },
        });

        const cloudTrailEncryptionRule = new ManagedRule(this, 'cloudTrailEncryptionRule', {
          identifier: 'CLOUD_TRAIL_ENCRYPTION_ENABLED',
        });

        const defaultSecurityGroupEniRule = new ManagedRule(this, 'defaultSecurityGroupEniRule', {
          identifier: 'EC2_SECURITY_GROUP_ATTACHED_TO_ENI',
        });

        const ebsVolumeEncryption = new ManagedRule(this, 'ebsVolumeEncryption', {
          identifier: 'EC2_EBS_ENCRYPTION_BY_DEFAULT',
        });

        const rdsStorageEncryptionRule = new ManagedRule(this, 'rdsStorageEncryptionRule', {
          identifier: 'RDS_STORAGE_ENCRYPTED',
          // This may need the ARN of the KMS key used for encryption
        });

        // Intended as the target bucket for S3_BUCKET_LOGGING_ENABLED (parameter still commented out below)
        const s3ConfigLoggingEnabledBucket = new s3.Bucket(this, 's3ConfigLoggingEnabledBucket', {
          accessControl: s3.BucketAccessControl.LOG_DELIVERY_WRITE,
        });

        const s3BucketLoggingEnabledRule = new ManagedRule(this, 's3BucketLoggingEnabledRule', {
          identifier: 'S3_BUCKET_LOGGING_ENABLED',
          // inputParameters: {
          //   targetBucket: s3ConfigLoggingEnabledBucket.bucketName,
          // },
        });

        const s3BucketServerSideEncryptionRule = new ManagedRule(this, 's3BucketServerSideEncryptionRule', {
          identifier: 'S3_BUCKET_SERVER_SIDE_ENCRYPTION_ENABLED',
        });

        const vpcFlowLogsEnabledRule = new ManagedRule(this, 'vpcFlowLogsEnabledRule', {
          identifier: 'VPC_FLOW_LOGS_ENABLED',
          inputParameters: {
            trafficType: 'ALL', // VPCs must track all traffic (ACCEPT and REJECT) with this rule
          },
        });

        const vpcDefaultSecurityGroupRule = new ManagedRule(this, 'vpcDefaultSecurityGroupRule', {
          identifier: 'VPC_DEFAULT_SECURITY_GROUP_CLOSED',
        });

        const mfaEnabledForConsoleAccessRule = new ManagedRule(this, 'mfaEnabledForConsoleAccessRule', {
          identifier: 'MFA_ENABLED_FOR_IAM_CONSOLE_ACCESS',
        });

        const rdsMultiAvailZoneRule = new ManagedRule(this, 'rdsMultiAvailZoneRule', {
          identifier: 'RDS_MULTI_AZ_SUPPORT',
        });

        const iamUserUnusedCredentialsRule = new ManagedRule(this, 'iamUserUnusedCredentialsRule', {
          identifier: 'IAM_USER_UNUSED_CREDENTIALS_CHECK',
          inputParameters: {
            maxCredentialUsageAge: 90,
          },
        });
      }
    }


As you can see in the code, I'm creating a role, a config recorder, a config bucket, a delivery channel and about 14 managed rules. Now, if I split this code into 2 different stacks, one that is just the infrastructure and one that is the rules, the rules deploy fine on their own whether or not they have already been deployed. But if I try to deploy the whole thing, I get this error:

You must create a configuration recorder before you can create or update a Config rule. (Service: AmazonConfig; Status Code: 400; Error Code: NoAvailableConfigurationRecorderException; Request ID: a2951019-1d7b-44a9-8df2-83e6a4a0e229; Proxy: null)

I think the reason I get this is that the recorder takes longer to deploy, so the program tries to carry on with the rules and errors out. My question is: is there a way to make the program wait until the recorder and delivery channel are finished? Or could I do this in another stack and reference that stack with IF/ELSE logic or something similar? Thanks everyone!

According to the documentation:

Sometimes AWS resources depend on other resources, and the creation of one resource must be completed before the next one can be started.

If you need to add an ordering dependency that is not automatically inferred, you do so by adding a dependency relationship using constructA.node.addDependency(constructB).

You can add an extra dependency between resources like this:

    // Each rule waits for the recorder; repeat for every ManagedRule in the stack.
    // The edge has to point from rule to recorder: the recorder already references
    // globalConfigRole.roleArn, so making the role depend on the recorder would be circular.
    cloudTrailEnabledRule.node.addDependency(globalConfigRecorder)
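To see why the rules reach the Config API before the recorder exists, and why the direction of the added edge matters, here is an added example that models CloudFormation's creation ordering in plain TypeScript. It is not CDK or AWS code and is not part of the original question or answer; the resource ids are those of the stack in the question, and the edges between them (which resource references which) are assumptions read off that stack. `deploymentWaves` groups resources into creation waves: everything in a wave has all of its dependencies in earlier waves, so a whole wave can be created in parallel, which is how a rule with no reference to the recorder ends up in the same wave as the role.

```typescript
// Added example: a constructed model of CloudFormation resource ordering.
// Not CDK; resource ids come from the question's stack, edges are assumptions.

export interface Resource {
  id: string;
  refs?: string[];      // implicit edges: Ref / GetAtt to another resource
  dependsOn?: string[]; // explicit edges: what construct.node.addDependency() emits
}

// Group resources into creation waves. Wave 0 has no dependencies; wave N has all
// of its dependencies in waves < N. Throws when the graph has a cycle.
export function deploymentWaves(resources: Resource[]): string[][] {
  const ids = resources.map(r => r.id);
  const known = new Set(ids);
  const deps = new Map<string, string[]>();
  for (const r of resources) {
    const edges = (r.refs || []).concat(r.dependsOn || []);
    for (const e of edges) {
      if (!known.has(e)) throw new Error(`${r.id} depends on unknown resource ${e}`);
    }
    deps.set(r.id, edges);
  }

  const placed = new Set<string>();
  const waves: string[][] = [];
  while (placed.size < ids.length) {
    const wave = ids.filter(id => !placed.has(id) && (deps.get(id) || []).every(d => placed.has(d)));
    if (wave.length === 0) {
      const stuck = ids.filter(id => !placed.has(id)).join(', ');
      throw new Error(`circular dependency among: ${stuck}`);
    }
    wave.forEach(id => placed.add(id));
    waves.push(wave.slice().sort());
  }
  return waves;
}

// Index of the wave a resource lands in (-1 if absent).
export function waveOf(waves: string[][], id: string): number {
  return waves.findIndex(w => w.indexOf(id) >= 0);
}

// The stack as posted (two rules shown; the other twelve behave the same way):
// the rules reference nothing in the stack, so nothing orders them after the recorder.
export const asPosted: Resource[] = [
  { id: 'globalConfigRole' },
  { id: 'globalConfigRecorder', refs: ['globalConfigRole'] },        // roleArn
  { id: 'globalConfigBucket' },
  { id: 'cisConfigDeliveryChannel', refs: ['globalConfigBucket'] },  // bucketName
  { id: 'cloudTrailEnabledRule' },
  { id: 'rootAccountMfaEnabledRule' },
];

// The fix from the answer: every rule gets an explicit DependsOn on the recorder.
export const withRuleDependencies: Resource[] = asPosted.map(r =>
  r.id.endsWith('Rule') ? { ...r, dependsOn: ['globalConfigRecorder'] } : r);

// The reversed edge (role DependsOn recorder) while the recorder already
// references the role's ARN: CloudFormation rejects this as circular.
export const reversedEdge: Resource[] = asPosted.map(r =>
  r.id === 'globalConfigRole' ? { ...r, dependsOn: ['globalConfigRecorder'] } : r);

// Usage: deploymentWaves(asPosted) puts cloudTrailEnabledRule in wave 0 and the
// recorder in wave 1; deploymentWaves(withRuleDependencies) moves the rules to wave 2;
// deploymentWaves(reversedEdge) throws.
```

The model ignores the time each resource takes, which is the point: the rules are not "too fast", they simply have no edge to the recorder, so the template permits them in the first wave. Adding `node.addDependency(globalConfigRecorder)` on each rule is what moves them behind it.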