Rails Developers Meetup 2019 https://railsdm.github.io/

1. -Self-Healing Infrastructure-
Rails Developer Meetup 2019 Day2
1

2. 2

3. CI
3

4. CI
Rails ECS
4

5. 1. AWS IAM
2.
3. Rails
4.
5

6. :
GitHub: @sinsoku ( )
Twi2er: @sinsoku_listy ( )
Rails :
: Rails
6

7. 1. AWS IAM
7

8. Iden%ty Access Management IAM
• IAM
• IAM
• IAM
• IAM
• AssumeRole
8

9. IAM
• AWS
• AWS ID/
•
• IAM
9

10. IAM
• IAM
• IAM
•
10

11. • REST API
• 1 IAM 2
• 1
1
h$ps://docs.aws.amazon.com/ja_jp/general/latest/gr/aws-access-keys-best-prac=ces.html
11

12. IAM
• EC2 AWS
• AWS
•
• IAM
12

13. IAM
• JSON
• Deny
• Deny < Allow < Deny
• Deny
13

14. IAM JSON
Effect Allow Deny
Ac.on
Resource AWS
Condi.on
Principal
14

15. IAM
{
"Version": "2012-10-17",
"Statement": {
"Effect": "Allow",
"Action": "s3:ListBucket",
"Resource": "arn:aws:s3:::example_bucket",
"Condition": {
"IpAddress": {
"aws:SourceIp": "123.0.0.10"
}
}
}
}
IP example_bucket s3:ListBucket API
15

16. MFA Deny
{
"Sid": "DenyEc2Full",
"Effect": "Deny",
"Action": "ec2:*",
"Resource": "*",
"Condition": {
"BoolIfExists": {
"aws:MultiFactorAuthPresent": false
}
}
}
BoolIfExists 2
2
h$ps://docs.aws.amazon.com/jajp/IAM/latest/UserGuide/idcreden5alsmfasample-
policies.html#ExampleMFAforResource
16

17. MFA
{
"Sid": "DenyEc2Full",
"Effect": "Deny",
"Action": "ec2:*",
"Resource": "*",
"Condition": {
"Bool": {
"aws:MultiFactorAuthPresent": false
}
}
}
MFA
17

18. AssumeRole
18

19. 19

20. IMA IAM
• IAM
•
• 1 1 IAM
• AWS
•
20

21. IAM AssumeRole
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Action": "sts:AssumeRole",
"Resource": "arn:aws:iam::123456789012:role/AssumeRoleTest"
}
]
}
21

22. {
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Action": "sts:AssumeRole",
"Principal": { "AWS": "arn:aws:iam::123456789012:user/sinsoku" }
}
]
}
22

23. AWS
23

24. AWS
24

25. AWS
25

26. AssumeRole
AssumeRole AWS Security Token Service AWS
STS
API
26

27. aws-cli AWS STS
$ aws sts get-caller-identity
{
"UserId": "ABCDEFGHIJKLMNOPQRSTU",
"Account": "123456789012",
"Arn": "arn:aws:iam::123456789012:user/sinsoku"
}
IAM arn
27

28. aws-cli AWS STS
$ aws sts assume-role
--role-arn arn:aws:iam::123456789012:role/AssumeRoleTest
--role-session-name "foo"
{
"Credentials": {
"AccessKeyId": "ASIATNT2A6NHADIU4J6O",
"SecretAccessKey": "PaarCp7VtbstlKoO5wUh2wsNhD2AWofDjFqvL7+I",
"SessionToken": "FQoGZXIvYXdzEAQaDOnrQA7f7kXteOkVCFk...i1ttbkBQ==",
"Expiration": "2019-03-23T03:34:29Z"
},
"AssumedRoleUser": {
"AssumedRoleId": "AROAJRJLCZOBJHBW5S6FK:foo",
"Arn": "arn:aws:sts::123456789012:assumed-role/AssumeRoleTest/foo"
}
}
28

29. $ export AWS_ACCESS_KEY_ID=<AccessKeyId>
$ export AWS_SECRET_ACCESS_KEY=<SecretAccessKey>
$ export AWS_SESSION_TOKEN=<SessionToken>
$ aws sts get-caller-identity
{
"UserId": "AROAJRJLCZOBJHBW5S6FK:foo",
"Account": "123456789012",
"Arn": "arn:aws:sts::123456789012:assumed-role/AssumeRoleTest/foo"
}
arn
29

30. 30

31. • InfraReadOnly
• InfraPowerUser
• InfraFullAccess
31

32. 32

33. InfraReadOnly
•
• kms:Decrypt
• MFA
terraform plan
33

34. InfraPowerUser
•
• kms:Decrypt
• state S3
• MFA
terraform import
34

35. InfraFullAccess
• AdministratorAccess
• CodeBuild ( )
•
• MFA
terraform apply
35

36. [ ] aws-whoami
AssumeRole
alias
alias aws-whoami="aws sts get-caller-identity --output text --query Arn"
arn
$ aws-whoami
arn:aws:iam::123456789012:user/sinsoku
36

37. 2.
37

38. Infrastructure as Code IaC
!
Wikipedia
38

39. IaC
•
• grep
•
•
•
39

40. [ ] Terraform vs CloudForma2on
IaC
AWS
Terraform 3
3
CloudForma,on
40

41. 41

42. 1. dry-run
2. (stg)
3. (prod)
42

43. GitHub Ac*ons
43

44. GitHub Ac*ons Private Beta
44

45. Docker entrypoint.sh
# Post the comment.
PAYLOAD=$(echo '{}' | jq --arg body "$COMMENT" '.body = $body')
COMMENTS_URL=$(cat /github/workflow/event.json | jq -r .pull_request.comments_url)
curl -s -S -H "Authorization: token $GITHUB_TOKEN" --header "Content-Type: application/json" --data "$PAYLOAD" "$COMMENTS_URL" > /dev/null
URL /github/workflow/event.json
45

46. bin/ci_simulate_github_ac0ons
#!/bin/sh
set +e
# github.com => api.github.com/repos
API_URL_TEMP="${CIRCLE_PULL_REQUEST/github.com/api.github.com/repos}"
# pull => issues comments
API_URL="${API_URL_TEMP/pull/issues}/comments"
mkdir -p /github/workflow
echo '{}' | jq --arg comments_url "${API_URL}" '.pull_request.comments_url = $comments_url' > /github/workflow/event.json
46

47. bin/ci_build
#!/bin/sh
set -e
if [ -n "${CIRCLE_PULL_REQUEST}" ]; then
bin/ci_simulate_github_actions
else
export TF_ACTION_COMMENT=false
fi
bin/tf_fmt # fmt/entrypoint.sh
bin/tf_init # init/entrypoint.sh
bin/tf_plan # plan/entrypoint.sh
47

48. 48

49. 1.
✅
dry-run
2. (stg)
3. (prod)
49

50. Terraform
50

51. Terraform on AWS CodeBuild
51

52. [ ]
4
CircleCI CodeBuild
GitHub Enterprise CodeBuild
CircleCI Enterprise
4
h$ps://circleci.com/docs/2.0/workflows/#holding-a-workflow-for-a-manual-approval
52

53. Terraform on AWS CodeBuild
CircleCI
• CodeCommit Push
• InfraReadOnly
CodeBuild terraform apply
53

54. 1.
✅
dry-run
2.
✅
(stg)
3. (prod)
54

55. stg/prod
•
• Module
Terraform ...
55

56. Running Terraform in Automa0on5
5
h$ps://learn.hashicorp.com/terraform/development/running-terraform-in-automa:on
56

57. Doc Workspace
*.tf
├── iam_policy
│ ├── foo.json
│ └ ─ bar.json
├── aws_iam_user.tf
├── aws_instance.tf
├── variables.tf
├── ...
57

58. CodeBuild TF_WORKSPACE
58

59. stg prod
CircleCI Approval4
CodeBuild Push
4
h$ps://circleci.com/docs/2.0/workflows/#holding-a-workflow-for-a-manual-approval
59

60. 1.
✅
dry-run
2.
✅
(stg)
3.
✅
(prod)
60

61. 3. Rails
61

62. 62

63. CloudForma*on
ALB CloudFront
URL
/assets
/public
/landing-pages/*
63

64. ECS(Fargate)
• Ruby
•
•
64

65. ECS
• execution_role_arn:
• ECR
• task_role_arn:
• S3 SES
2
65

66. 4.
66

67. 67

68. •
•
• DB
•
68

69. stg
69

70. 1.
2. E2E
•
• Puppeteer E2E
3. Revert PR
70

71. 71

72. 72