Using the AWS CDK - Part 2
Adam D'Abbracci
Building Proteus, an agentic adversary simulator for deepfakes and social engineering · Tech Lead, SRE @ The New York Times · Previously IAM @ Disney · Experienced Incident Commander · Engaging Public Speaker
The same friend that recommended the CDK told me my LinkedIn blog post was "cringe" so I'm writing another one. Well... that and the fact that the CDK continues to amaze me. I'm just going to show you some of the things I've been able to deploy in the last couple of days.
First, the bad: deploying Route 53 Domains
The domain has to be verified through DNS, so it takes a while. That means your stack is stuck trying to deploy, and you can't do anything about it. If it fails or times out, it rolls back your changes, which means you can't work on other things either. It would be nice if CloudFormation marked resources that require manual steps as COMPLETE while they sit in a pending status.
Set up an S3 bucket for static website hosting. It even sets up CloudFront for you!
import subprocess

from aws_cdk import RemovalPolicy, aws_s3 as s3
import aws_prototyping_sdk.static_website

web_app_bucket = s3.Bucket(
    self,
    f"{id}-{environment}-bucket",
    bucket_name=f"{id}-{environment}-web-app",
    auto_delete_objects=True,
    removal_policy=RemovalPolicy.DESTROY,
    # Keep the bucket private; the CloudFront distribution that StaticWebsite
    # creates is the only public entry point
    block_public_access=s3.BlockPublicAccess.BLOCK_ALL,
)

# Hacky React build solution: build the front end at synth time so the output
# directory exists before the asset is packaged. check=True makes a failed
# build abort the synth instead of silently deploying a stale or empty build.
subprocess.run(["yarn", "--cwd", "../app", "build"], check=True)

web_app_site = aws_prototyping_sdk.static_website.StaticWebsite(
    self,
    f"{id}-{environment}-site",
    website_content_path="../app/build",
    website_bucket=web_app_bucket,
)
Create an EC2 bastion host for RDS
from aws_cdk import aws_ec2 as ec2

db_bastion_host_sg = ec2.SecurityGroup(
    scope=self,
    id=f"{id}-{environment}-db-bastion-sg",
    security_group_name=f"{id}-{environment}-db-bastion-sg",
    vpc=vpc,
)
# any_ipv4() exposes port 22 to the whole internet. Narrow the peer to a known
# CIDR (office or VPN egress) or skip SSH entirely and connect through SSM
# Session Manager, which BastionHostLinux supports out of the box.
db_bastion_host_sg.add_ingress_rule(
    peer=ec2.Peer.any_ipv4(),
    connection=ec2.Port.tcp(22),
    description="Allow 22 (SSH) to DB from public internet",
)
db_bastion_host = ec2.BastionHostLinux(
    scope=self,
    id=f"{id}-{environment}-db-bastion",
    vpc=vpc,
    instance_name=f"{id}-{environment}-db-bastion",
    security_group=db_bastion_host_sg,
    instance_type=ec2.InstanceType("t3.nano"),
    subnet_selection=ec2.SubnetSelection(subnet_type=ec2.SubnetType.PUBLIC),
)
# Adds the same world-open port-22 rule to the bastion's security group, so it
# is redundant with the add_ingress_rule call above; kept as in the original
db_bastion_host.allow_ssh_access_from(ec2.Peer.any_ipv4())
Build and deploy a Docker image to an ECS cluster
from aws_cdk import aws_ecr_assets, aws_ecs as ecs, aws_ecs_patterns as ecs_patterns

# Builds ../api/Dockerfile locally at synth time and pushes the image to the
# CDK-managed ECR repository
docker_image = aws_ecr_assets.DockerImageAsset(
    scope=self,
    id=f"{id}-{environment}-docker-image",
    directory="../api",
)
ecs_cluster = ecs.Cluster(
    scope=self,
    id=f"{id}-{environment}-cluster",
    vpc=vpc,
)
fargate_service = ecs_patterns.ApplicationLoadBalancedFargateService(
    scope=self,
    id=f"{id}-{environment}-service",
    load_balancer_name=f"{id}-{environment}-lb",
    service_name=f"{id}-{environment}-service",
    desired_count=1,
    public_load_balancer=True,
    enable_ecs_managed_tags=True,
    cluster=ecs_cluster,
    task_image_options=ecs_patterns.ApplicationLoadBalancedTaskImageOptions(
        image=ecs.ContainerImage.from_ecr_repository(
            repository=docker_image.repository,
            tag=docker_image.image_tag,
        ),
        container_port=8080,
        # app_role is an IAM role defined elsewhere in the stack (not shown here)
        execution_role=app_role,
        task_role=app_role,
        environment={"KEY": "VALUE"},
    ),
)
Allow traffic from a VPC
fargate_service.service.connections.security_groups[0].add_ingress_rule(
    peer=ec2.Peer.ipv4(vpc.vpc_cidr_block),
    connection=ec2.Port.tcp(8080),
    description="Allow 8080 inbound from VPC",
)
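One check worth running over the two security-group snippets above (the bastion's port-22 rule and the VPC-scoped 8080 rule): after `cdk synth` has written the stack template to cdk.out, scan it for ingress rules reachable from 0.0.0.0/0 or ::/0 on anything other than the load balancer's HTTP/HTTPS ports. This is an added example, not code from the post; it uses only the standard library, the embedded template and its logical ids are constructed to mirror the resources above, and the allowed-port set is an assumption.

```python
"""Scan a synthesized CDK/CloudFormation template for security-group ingress
rules that open ports to the whole internet (0.0.0.0/0 or ::/0)."""
import json
import sys

# Constructed sample in the shape `cdk synth` emits. Logical ids and
# descriptions are assumptions, not the post's real template.
SAMPLE_TEMPLATE = json.dumps({
    "Resources": {
        "dbbastionsg": {
            "Type": "AWS::EC2::SecurityGroup",
            "Properties": {
                "GroupDescription": "db bastion sg",
                "SecurityGroupIngress": [
                    {"CidrIp": "0.0.0.0/0", "IpProtocol": "tcp",
                     "FromPort": 22, "ToPort": 22,
                     "Description": "Allow 22 (SSH) to DB from public internet"}
                ],
            },
        },
        "servicesg": {
            "Type": "AWS::EC2::SecurityGroup",
            "Properties": {
                "GroupDescription": "service sg",
                "SecurityGroupIngress": [
                    {"CidrIp": "10.0.0.0/16", "IpProtocol": "tcp",
                     "FromPort": 8080, "ToPort": 8080,
                     "Description": "Allow 8080 inbound from VPC"}
                ],
            },
        },
        # Stand-alone ingress resource, as the ALB pattern emits for port 80
        "lbingress": {
            "Type": "AWS::EC2::SecurityGroupIngress",
            "Properties": {
                "GroupId": {"Fn::GetAtt": ["lbsg", "GroupId"]},
                "CidrIp": "0.0.0.0/0", "IpProtocol": "tcp",
                "FromPort": 80, "ToPort": 80,
                "Description": "Allow from anyone on port 80",
            },
        },
    }
})

WORLD = {"0.0.0.0/0", "::/0"}


def _is_world_open(rule):
    return rule.get("CidrIp") in WORLD or rule.get("CidrIpv6") in WORLD


def _port_range(rule):
    # IpProtocol "-1" means every protocol and every port
    if str(rule.get("IpProtocol")) == "-1":
        return (0, 65535)
    return (rule.get("FromPort"), rule.get("ToPort"))


def world_open_ingress(template_text, allowed_ports=frozenset({80, 443})):
    """Return (logical_id, from_port, to_port) for every ingress rule that is
    reachable from 0.0.0.0/0 or ::/0 on a port outside `allowed_ports`.
    Inline SecurityGroupIngress lists and stand-alone SecurityGroupIngress
    resources are both covered."""
    template = json.loads(template_text)
    findings = []
    for logical_id, res in template.get("Resources", {}).items():
        props = res.get("Properties", {})
        if res.get("Type") == "AWS::EC2::SecurityGroup":
            rules = props.get("SecurityGroupIngress", [])
        elif res.get("Type") == "AWS::EC2::SecurityGroupIngress":
            rules = [props]
        else:
            continue
        for rule in rules:
            if not _is_world_open(rule):
                continue
            lo, hi = _port_range(rule)
            # A world-open rule passes only if every port it opens is allowed
            if (lo is not None and hi is not None
                    and all(p in allowed_ports for p in range(lo, hi + 1))):
                continue
            findings.append((logical_id, lo, hi))
    return findings


if __name__ == "__main__":
    # Usage: python sg_check.py cdk.out/MyStack.template.json
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_TEMPLATE
    hits = world_open_ingress(text)
    for logical_id, lo, hi in hits:
        print(f"{logical_id}: ports {lo}-{hi} open to the internet")
    sys.exit(1 if hits else 0)
```

Run against the sample, only the bastion's port-22 rule is reported; the 8080 rule is scoped to the VPC CIDR and the load balancer's port 80 is in the allowed set. Exiting non-zero on findings lets the script sit in the pipeline between `cdk synth` and `cdk deploy`.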
When something gets stuck, it's usually easy to fix
Since everything is running in CloudFormation, there's no "state" to manage in the sense that it lives in a local file. I have no idea how CloudFormation works under the hood, but you can do crazy stuff like delete a stack that's in CREATING state. I manually deleted a stack that was a dependency for another stack and just... redeployed it. No tfstate surgery needed.
Capital Markets and Software · 1 year
Keep going - you'll love it!