自己修復的なインフラ -Self-Healing Infrastructure-
- 11. • REST API
• 1 IAM [2]
• [1]
[1] https://docs.aws.amazon.com/ja_jp/general/latest/gr/aws-access-keys-best-practices.html
- 16. MFA Deny (Deny ec2:* when MFA is not present)
{
"Sid": "DenyEc2Full",
"Effect": "Deny",
"Action": "ec2:*",
"Resource": "*",
"Condition": {
"BoolIfExists": {
"aws:MultiFactorAuthPresent": false
}
}
}
Note the BoolIfExists operator [2]: a request made with a long-term access key carries no aws:MultiFactorAuthPresent key at all, and BoolIfExists treats the missing key as a match, so the Deny still applies. With plain Bool the missing key would make the condition false and access-key requests would slip through.
[2] https://docs.aws.amazon.com/ja_jp/IAM/latest/UserGuide/id_credentials_mfa_sample-policies.html#ExampleMFAforResource
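To make the Bool versus BoolIfExists difference concrete, here is an added Python example (not code from the deck) that evaluates the slide's Deny statement against three constructed request contexts: an MFA session, a non-MFA session, and a long-term access key whose context has no aws:MultiFactorAuthPresent key. The evaluator is deliberately minimal: it implements only the Bool and BoolIfExists operators, matches Action by service plus an exact name or `*`, and ignores Resource (the slide's statement uses `*`); those simplifications are assumptions of this example, not IAM's full evaluation logic.

```python
"""Added example (not from the slide deck): evaluate the slide's Deny
statement against a request context to show why BoolIfExists, not Bool,
is needed to block requests that carry no MFA claim at all."""

# The Deny statement from the slide.
DENY_EC2_WITHOUT_MFA = {
    "Sid": "DenyEc2Full",
    "Effect": "Deny",
    "Action": "ec2:*",
    "Resource": "*",
    "Condition": {"BoolIfExists": {"aws:MultiFactorAuthPresent": False}},
}


def _as_bool(value):
    """IAM compares Bool values by their string form; accept "true"/True."""
    return str(value).lower() == "true"


def condition_matches(condition, context):
    """Evaluate a Condition block against a request context dict.

    Only Bool and BoolIfExists are implemented (all the slide uses).
    Semantics per the IAM docs:
      Bool:         key missing from the request context -> condition false
      BoolIfExists: key missing from the request context -> condition true
    All operators and keys in a Condition block are ANDed together.
    """
    for operator, pairs in condition.items():
        if operator not in ("Bool", "BoolIfExists"):
            raise NotImplementedError(operator)
        for key, expected in pairs.items():
            if key not in context:
                if operator == "Bool":
                    return False
                continue  # BoolIfExists: a missing key counts as a match
            if _as_bool(context[key]) != _as_bool(expected):
                return False
    return True


def _action_matches(pattern, action):
    """Simplified Action matching: same service, exact name or '*' (assumption)."""
    service, _, name = pattern.partition(":")
    svc, _, act = action.partition(":")
    return service == svc and (name == "*" or name == act)


def statement_denies(statement, action, context):
    """True if this Deny statement applies to `action` under `context`.
    Resource is not checked (the slide's statement uses "*")."""
    if statement["Effect"] != "Deny":
        return False
    if not _action_matches(statement["Action"], action):
        return False
    return condition_matches(statement.get("Condition", {}), context)


def compare_operators(action="ec2:RunInstances"):
    """Run the same Deny with Bool and with BoolIfExists over three
    constructed request kinds. Returns {operator: {request_kind: denied}}."""
    requests = {
        "mfa_session": {"aws:MultiFactorAuthPresent": "true"},     # STS/console session that passed MFA
        "no_mfa_session": {"aws:MultiFactorAuthPresent": "false"}, # session without MFA
        "access_key": {},                                          # long-term key: key absent
    }
    results = {}
    for operator in ("Bool", "BoolIfExists"):
        stmt = dict(DENY_EC2_WITHOUT_MFA)
        stmt["Condition"] = {operator: {"aws:MultiFactorAuthPresent": False}}
        results[operator] = {
            kind: statement_denies(stmt, action, ctx) for kind, ctx in requests.items()
        }
    return results


if __name__ == "__main__":
    for op, outcome in compare_operators().items():
        print(op, outcome)
```

Running it shows that only BoolIfExists denies the `access_key` request; with Bool, an attacker holding a leaked long-term key would never hit the Deny at all.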
- 27. aws-cli AWS STS
$ aws sts get-caller-identity
{
"UserId": "ABCDEFGHIJKLMNOPQRSTU",
"Account": "123456789012",
"Arn": "arn:aws:iam::123456789012:user/sinsoku"
}
The Arn here is the IAM user's own ARN (arn:aws:iam::...:user/...).
- 28. aws-cli AWS STS
$ aws sts assume-role \
    --role-arn arn:aws:iam::123456789012:role/AssumeRoleTest \
    --role-session-name "foo"
{
"Credentials": {
"AccessKeyId": "ASIATNT2A6NHADIU4J6O",
"SecretAccessKey": "PaarCp7VtbstlKoO5wUh2wsNhD2AWofDjFqvL7+I",
"SessionToken": "FQoGZXIvYXdzEAQaDOnrQA7f7kXteOkVCFk...i1ttbkBQ==",
"Expiration": "2019-03-23T03:34:29Z"
},
"AssumedRoleUser": {
"AssumedRoleId": "AROAJRJLCZOBJHBW5S6FK:foo",
"Arn": "arn:aws:sts::123456789012:assumed-role/AssumeRoleTest/foo"
}
}
- 29. $ export AWS_ACCESS_KEY_ID=<AccessKeyId>
$ export AWS_SECRET_ACCESS_KEY=<SecretAccessKey>
$ export AWS_SESSION_TOKEN=<SessionToken>
$ aws sts get-caller-identity
{
"UserId": "AROAJRJLCZOBJHBW5S6FK:foo",
"Account": "123456789012",
"Arn": "arn:aws:sts::123456789012:assumed-role/AssumeRoleTest/foo"
}
The Arn has changed from the IAM user to the assumed-role session (arn:aws:sts::...:assumed-role/AssumeRoleTest/foo), which confirms the exported temporary credentials are in use.
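The three slides above are a manual procedure: assume the role, export the three credential variables, and confirm with `get-caller-identity` that the ARN is now the role session. The following Python example is added here and is not from the deck; it performs the same handoff and checks on constructed JSON (the key values are placeholders, not real credentials), so it runs offline. It also checks the Expiration field, since a script that exports stale temporary credentials fails in a confusing way.

```python
"""Added example (not from the slide deck): turn `aws sts assume-role`
output into the environment the CLI reads, check that the temporary
credentials have not expired, and verify from `get-caller-identity` that
the session really is the assumed role and not the original IAM user."""
import json
from datetime import datetime, timezone

# Constructed sample of `aws sts assume-role` output; the key values are
# placeholders, not real credentials.
ASSUME_ROLE_OUTPUT = json.loads("""
{
  "Credentials": {
    "AccessKeyId": "ASIAEXAMPLEEXAMPLE01",
    "SecretAccessKey": "EXAMPLEsecretEXAMPLEsecretEXAMPLEsecret0",
    "SessionToken": "EXAMPLEsessiontokenEXAMPLEsessiontoken==",
    "Expiration": "2019-03-23T03:34:29Z"
  },
  "AssumedRoleUser": {
    "AssumedRoleId": "AROAEXAMPLEEXAMPLE01:foo",
    "Arn": "arn:aws:sts::123456789012:assumed-role/AssumeRoleTest/foo"
  }
}
""")

# Constructed `aws sts get-caller-identity` output after exporting the keys.
CALLER_IDENTITY = {
    "UserId": "AROAEXAMPLEEXAMPLE01:foo",
    "Account": "123456789012",
    "Arn": "arn:aws:sts::123456789012:assumed-role/AssumeRoleTest/foo",
}


def credentials_to_env(assume_role_output):
    """Map the Credentials block onto the three AWS_* variables the CLI reads.
    The session token is mandatory: an ASIA... key without it is rejected."""
    creds = assume_role_output["Credentials"]
    return {
        "AWS_ACCESS_KEY_ID": creds["AccessKeyId"],
        "AWS_SECRET_ACCESS_KEY": creds["SecretAccessKey"],
        "AWS_SESSION_TOKEN": creds["SessionToken"],
    }


def _parse_utc(iso_z):
    """Parse the 'YYYY-MM-DDTHH:MM:SSZ' form STS returns into an aware datetime."""
    return datetime.strptime(iso_z, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def seconds_until_expiry(assume_role_output, now_iso_z):
    """Remaining lifetime of the temporary credentials in seconds (negative if expired)."""
    exp = _parse_utc(assume_role_output["Credentials"]["Expiration"])
    return (exp - _parse_utc(now_iso_z)).total_seconds()


def parse_arn(arn):
    """Split an ARN into (partition, service, account, resource)."""
    parts = arn.split(":", 5)
    if len(parts) != 6 or parts[0] != "arn":
        raise ValueError("not an ARN: %r" % arn)
    return parts[1], parts[2], parts[4], parts[5]


def is_assumed_role(caller_identity, role_name, session_name):
    """True only if the caller is an STS assumed-role session for role_name with
    the given session name; an IAM user ARN (arn:aws:iam::...:user/...) is False."""
    _, service, _, resource = parse_arn(caller_identity["Arn"])
    if service != "sts":
        return False
    kind, _, rest = resource.partition("/")
    return kind == "assumed-role" and rest == "%s/%s" % (role_name, session_name)


if __name__ == "__main__":
    for k, v in credentials_to_env(ASSUME_ROLE_OUTPUT).items():
        print("export %s=%s" % (k, v))
    print("expires in", seconds_until_expiry(ASSUME_ROLE_OUTPUT, "2019-03-23T03:00:00Z"), "s")
    print("assumed role:", is_assumed_role(CALLER_IDENTITY, "AssumeRoleTest", "foo"))
```

The ARN check is the automated form of the eyeball comparison on slide 29: `is_assumed_role` returns False for the IAM user ARN from slide 27 and for a session under a different role or session name.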
- 40. [ ] Terraform vs CloudFormation
IaC
AWS
Terraform [3]
[3] CloudFormation
- 45. Docker entrypoint.sh
# Post the comment.
PAYLOAD=$(echo '{}' | jq --arg body "$COMMENT" '.body = $body')
COMMENTS_URL=$(cat /github/workflow/event.json | jq -r .pull_request.comments_url)
curl -s -S -H "Authorization: token $GITHUB_TOKEN" --header "Content-Type: application/json" --data "$PAYLOAD" "$COMMENTS_URL" > /dev/null
The comment URL is read from /github/workflow/event.json, the GitHub Actions event payload, and the request is sent with GITHUB_TOKEN in the Authorization header.
- 46. bin/ci_simulate_github_actions
#!/bin/sh
set -e
# Turn the PR's HTML URL into the issue-comments API URL:
#   https://github.com/OWNER/REPO/pull/N
#   -> https://api.github.com/repos/OWNER/REPO/issues/N/comments
# sed keeps this POSIX sh; ${var/pat/rep} substitution would require bash.
# The /pull/N match is anchored so a repository name containing "pull" is left alone.
API_URL=$(printf '%s\n' "${CIRCLE_PULL_REQUEST}" \
  | sed -e 's#^https://github\.com/#https://api.github.com/repos/#' \
        -e 's#/pull/\([0-9]*\)$#/issues/\1#')
API_URL="${API_URL}/comments"
# Write a minimal GitHub Actions event payload so entrypoint.sh can read comments_url from it.
mkdir -p /github/workflow
echo '{}' | jq --arg comments_url "${API_URL}" '.pull_request.comments_url = $comments_url' > /github/workflow/event.json
- 47. bin/ci_build
#!/bin/sh
set -e
if [ -n "${CIRCLE_PULL_REQUEST}" ]; then
bin/ci_simulate_github_actions
else
export TF_ACTION_COMMENT=false
fi
bin/tf_fmt # fmt/entrypoint.sh
bin/tf_init # init/entrypoint.sh
bin/tf_plan # plan/entrypoint.sh
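Slides 45 to 47 describe one flow: on CircleCI, rewrite CIRCLE_PULL_REQUEST into the comments API URL, write a fake event.json, and let the unchanged entrypoint.sh post the plan output with GITHUB_TOKEN. The following Python example is added here and is not the deck's code; it reproduces that flow with the URL parsed rather than string-substituted, and it refuses to attach the token unless comments_url points at api.github.com, because entrypoint.sh otherwise trusts whatever event.json says. The repository name `pull-request-demo`, the PR number and the token value are constructed inputs.

```python
"""Added example (not from the slide deck): the CircleCI-side simulation of a
GitHub Actions event and the comment request that entrypoint.sh builds from
it, with the comments_url host checked before GITHUB_TOKEN is attached."""
import json
import re
from urllib.parse import urlsplit

# Path of a pull request page: /OWNER/REPO/pull/N
_PULL_PATH = re.compile(r"^/([^/]+)/([^/]+)/pull/(\d+)/?$")


def _is_host(url, host):
    """True if url is https and its host is exactly `host`."""
    parts = urlsplit(url)
    return parts.scheme == "https" and parts.netloc == host


def comments_url_from_pr(pr_html_url):
    """https://github.com/OWNER/REPO/pull/N -> issue-comments API URL.
    Raises ValueError for anything that is not a github.com PR URL."""
    if not _is_host(pr_html_url, "github.com"):
        raise ValueError("not a github.com URL: %r" % pr_html_url)
    m = _PULL_PATH.match(urlsplit(pr_html_url).path)
    if not m:
        raise ValueError("not a pull request URL: %r" % pr_html_url)
    owner, repo, number = m.groups()
    return "https://api.github.com/repos/%s/%s/issues/%s/comments" % (owner, repo, number)


def build_event(pr_html_url):
    """The minimal event.json that the deck's entrypoint.sh reads."""
    return {"pull_request": {"comments_url": comments_url_from_pr(pr_html_url)}}


def comment_request(event, comment, token):
    """Return (url, headers, body) for the POST that entrypoint.sh issues.
    The token is attached only when comments_url is on api.github.com, so a
    tampered event.json cannot redirect GITHUB_TOKEN to another host."""
    url = event["pull_request"]["comments_url"]
    if not _is_host(url, "api.github.com"):
        raise ValueError("refusing to send GITHUB_TOKEN to %r" % urlsplit(url).netloc)
    headers = {"Authorization": "token " + token, "Content-Type": "application/json"}
    body = json.dumps({"body": comment})
    return url, headers, body


if __name__ == "__main__":
    # Constructed input; on CircleCI this would be $CIRCLE_PULL_REQUEST.
    event = build_event("https://github.com/sinsoku/pull-request-demo/pull/42")
    print(json.dumps(event, indent=2))
    url, headers, body = comment_request(event, "terraform plan output", "hypothetical-token")
    print(url, body)
```

The constructed repository name contains "pull" on purpose: a substitution on the first occurrence of the word would corrupt the URL, whereas matching the `/pull/N` path segment leaves the name intact.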
- 52. [ ] [4]
CircleCI CodeBuild
GitHub Enterprise CodeBuild
CircleCI Enterprise
[4] https://circleci.com/docs/2.0/workflows/#holding-a-workflow-for-a-manual-approval
- 53. Terraform on AWS CodeBuild
CircleCI
• CodeCommit Push
• InfraReadOnly
CodeBuild terraform apply
- 56. Running Terraform in Automation [5]
[5] https://learn.hashicorp.com/terraform/development/running-terraform-in-automation