
Fix the Network construct #21

Merged
merged 1 commit, Oct 8, 2024

Conversation

yutaro-sakamoto (Owner)

Overview

Fix the Network construct so that deployment succeeds

Changes

  • Removed the VPC subnet and NAT gateway settings so that the default values are used

Scope of impact

Deployment will now succeed

Testing

None

Related issues

None

Related pull requests

None

Other

None


github-actions bot commented Oct 8, 2024

cdk diff results

[Warning at /StartCDKStack/Network/Vpc/ECREndpoint/SecurityGroup/Resource] CdkNagValidationFailure: 'AwsSolutions-EC23' threw an error during validation. This is generally caused by a parameter referencing an intrinsic function. You can suppress the "CdkNagValidationFailure" to get rid of this error. For more details enable verbose logging.' The parameter resolved to to a non-primitive value "{"Fn::GetAtt":["NetworkVpc7FB7348F","CidrBlock"]}", therefore the rule could not be validated.

[Warning at /StartCDKStack/Network/Vpc/ECRDockerEndpoint/SecurityGroup/Resource] CdkNagValidationFailure: 'AwsSolutions-EC23' threw an error during validation. This is generally caused by a parameter referencing an intrinsic function. You can suppress the "CdkNagValidationFailure" to get rid of this error. For more details enable verbose logging.' The parameter resolved to to a non-primitive value "{"Fn::GetAtt":["NetworkVpc7FB7348F","CidrBlock"]}", therefore the rule could not be validated.

[Warning at /StartCDKStack/Network/Vpc/CloudWatchEndpoint/SecurityGroup/Resource] CdkNagValidationFailure: 'AwsSolutions-EC23' threw an error during validation. This is generally caused by a parameter referencing an intrinsic function. You can suppress the "CdkNagValidationFailure" to get rid of this error. For more details enable verbose logging.' The parameter resolved to to a non-primitive value "{"Fn::GetAtt":["NetworkVpc7FB7348F","CidrBlock"]}", therefore the rule could not be validated.

Stack StartCDKStack
IAM Statement Changes
┌───┬────────────────────────────────────────────────────────────────────────────────────────────────────────┬────────┬───────────────────────────────────┬────────────────────────────────────────────────────────────────┬───────────┐
│ │ Resource │ Effect │ Action │ Principal │ Condition │
├───┼────────────────────────────────────────────────────────────────────────────────────────────────────────┼────────┼───────────────────────────────────┼────────────────────────────────────────────────────────────────┼───────────┤
│ + │ ${Custom::VpcRestrictDefaultSGCustomResourceProvider/Role.Arn} │ Allow │ sts:AssumeRole │ Service:lambda.amazonaws.com │ │
├───┼────────────────────────────────────────────────────────────────────────────────────────────────────────┼────────┼───────────────────────────────────┼────────────────────────────────────────────────────────────────┼───────────┤
│ + │ ${FargateService/TaskDef/ExecutionRole.Arn} │ Allow │ sts:AssumeRole │ Service:ecs-tasks.amazonaws.com │ │
├───┼────────────────────────────────────────────────────────────────────────────────────────────────────────┼────────┼───────────────────────────────────┼────────────────────────────────────────────────────────────────┼───────────┤
│ + │ ${FargateService/TaskDef/TaskRole.Arn} │ Allow │ sts:AssumeRole │ Service:ecs-tasks.amazonaws.com │ │
├───┼────────────────────────────────────────────────────────────────────────────────────────────────────────┼────────┼───────────────────────────────────┼────────────────────────────────────────────────────────────────┼───────────┤
│ + │ ${FargateService/TaskDef/web/LogGroup.Arn} │ Allow │ logs:CreateLogStream │ AWS:${FargateService/TaskDef/ExecutionRole} │ │
│ │ │ │ logs:PutLogEvents │ │ │
├───┼────────────────────────────────────────────────────────────────────────────────────────────────────────┼────────┼───────────────────────────────────┼────────────────────────────────────────────────────────────────┼───────────┤
│ + │ ${Network/VpcFlowLogGroup.Arn} │ Allow │ logs:CreateLogStream │ AWS:${Network/VpcFlowLogGroupRole} │ │
│ │ │ │ logs:DescribeLogStreams │ │ │
│ │ │ │ logs:PutLogEvents │ │ │
├───┼────────────────────────────────────────────────────────────────────────────────────────────────────────┼────────┼───────────────────────────────────┼────────────────────────────────────────────────────────────────┼───────────┤
│ + │ ${Network/VpcFlowLogGroupRole.Arn} │ Allow │ sts:AssumeRole │ Service:vpc-flow-logs.amazonaws.com │ │
│ + │ ${Network/VpcFlowLogGroupRole.Arn} │ Allow │ iam:PassRole │ AWS:${Network/VpcFlowLogGroupRole} │ │
├───┼────────────────────────────────────────────────────────────────────────────────────────────────────────┼────────┼───────────────────────────────────┼────────────────────────────────────────────────────────────────┼───────────┤
│ + │ arn:aws:ec2:ap-northeast-1:${AWS::AccountId}:security-group/${NetworkVpc7FB7348F.DefaultSecurityGroup} │ Allow │ ec2:AuthorizeSecurityGroupEgress │ AWS:${Custom::VpcRestrictDefaultSGCustomResourceProvider/Role} │ │
│ │ │ │ ec2:AuthorizeSecurityGroupIngress │ │ │
│ │ │ │ ec2:RevokeSecurityGroupEgress │ │ │
│ │ │ │ ec2:RevokeSecurityGroupIngress │ │ │
└───┴────────────────────────────────────────────────────────────────────────────────────────────────────────┴────────┴───────────────────────────────────┴────────────────────────────────────────────────────────────────┴───────────┘
IAM Policy Changes
┌───┬────────────────────────────────────────────────────────────┬──────────────────────────────────────────────────────────────────────────────────────────────┐
│ │ Resource │ Managed Policy ARN │
├───┼────────────────────────────────────────────────────────────┼──────────────────────────────────────────────────────────────────────────────────────────────┤
│ + │ ${Custom::VpcRestrictDefaultSGCustomResourceProvider/Role} │ {"Fn::Sub":"arn:${AWS::Partition}:iam::aws:policy/service-role/AWSLambdaBasicExecutionRole"} │
└───┴────────────────────────────────────────────────────────────┴──────────────────────────────────────────────────────────────────────────────────────────────┘
Security Group Changes
┌───┬─────────────────────────────────────────────────────────┬─────┬────────────┬─────────────────────────────────────────────────┐
│ │ Group │ Dir │ Protocol │ Peer │
├───┼─────────────────────────────────────────────────────────┼─────┼────────────┼─────────────────────────────────────────────────┤
│ + │ ${FargateService/LB/SecurityGroup.GroupId} │ In │ TCP 80 │ Everyone (IPv4) │
│ + │ ${FargateService/LB/SecurityGroup.GroupId} │ Out │ TCP 80 │ ${FargateService/Service/SecurityGroup.GroupId} │
├───┼─────────────────────────────────────────────────────────┼─────┼────────────┼─────────────────────────────────────────────────┤
│ + │ ${FargateService/Service/SecurityGroup.GroupId} │ In │ TCP 80 │ ${FargateService/LB/SecurityGroup.GroupId} │
│ + │ ${FargateService/Service/SecurityGroup.GroupId} │ Out │ Everything │ Everyone (IPv4) │
├───┼─────────────────────────────────────────────────────────┼─────┼────────────┼─────────────────────────────────────────────────┤
│ + │ ${Network/Vpc/CloudWatchEndpoint/SecurityGroup.GroupId} │ In │ TCP 443 │ ${Network/Vpc.CidrBlock} │
│ + │ ${Network/Vpc/CloudWatchEndpoint/SecurityGroup.GroupId} │ Out │ Everything │ Everyone (IPv4) │
├───┼─────────────────────────────────────────────────────────┼─────┼────────────┼─────────────────────────────────────────────────┤
│ + │ ${Network/Vpc/ECRDockerEndpoint/SecurityGroup.GroupId} │ In │ TCP 443 │ ${Network/Vpc.CidrBlock} │
│ + │ ${Network/Vpc/ECRDockerEndpoint/SecurityGroup.GroupId} │ Out │ Everything │ Everyone (IPv4) │
├───┼─────────────────────────────────────────────────────────┼─────┼────────────┼─────────────────────────────────────────────────┤
│ + │ ${Network/Vpc/ECREndpoint/SecurityGroup.GroupId} │ In │ TCP 443 │ ${Network/Vpc.CidrBlock} │
│ + │ ${Network/Vpc/ECREndpoint/SecurityGroup.GroupId} │ Out │ Everything │ Everyone (IPv4) │
└───┴─────────────────────────────────────────────────────────┴─────┴────────────┴─────────────────────────────────────────────────┘
(NOTE: There may be security-related changes not in this list. See aws/aws-cdk#1299)

Parameters
[+] Parameter BootstrapVersion BootstrapVersion: {"Type":"AWS::SSM::Parameter::Value","Default":"/cdk-bootstrap/hnb659fds/version","Description":"Version of the CDK Bootstrap resources in this environment, automatically retrieved from SSM Parameter Store. [cdk:skip]"}

Resources
[+] AWS::EC2::VPC Network/Vpc NetworkVpc7FB7348F
[+] AWS::EC2::Subnet Network/Vpc/PublicSubnet1/Subnet NetworkVpcPublicSubnet1Subnet36933139
[+] AWS::EC2::RouteTable Network/Vpc/PublicSubnet1/RouteTable NetworkVpcPublicSubnet1RouteTable30235CE2
[+] AWS::EC2::SubnetRouteTableAssociation Network/Vpc/PublicSubnet1/RouteTableAssociation NetworkVpcPublicSubnet1RouteTableAssociation643926C7
[+] AWS::EC2::Route Network/Vpc/PublicSubnet1/DefaultRoute NetworkVpcPublicSubnet1DefaultRoute31EC04EC
[+] AWS::EC2::EIP Network/Vpc/PublicSubnet1/EIP NetworkVpcPublicSubnet1EIPE0D52090
[+] AWS::EC2::NatGateway Network/Vpc/PublicSubnet1/NATGateway NetworkVpcPublicSubnet1NATGateway64781A21
[+] AWS::EC2::Subnet Network/Vpc/PublicSubnet2/Subnet NetworkVpcPublicSubnet2SubnetC427CCE0
[+] AWS::EC2::RouteTable Network/Vpc/PublicSubnet2/RouteTable NetworkVpcPublicSubnet2RouteTable0FACEBB2
[+] AWS::EC2::SubnetRouteTableAssociation Network/Vpc/PublicSubnet2/RouteTableAssociation NetworkVpcPublicSubnet2RouteTableAssociationC662643B
[+] AWS::EC2::Route Network/Vpc/PublicSubnet2/DefaultRoute NetworkVpcPublicSubnet2DefaultRoute0CF082AB
[+] AWS::EC2::EIP Network/Vpc/PublicSubnet2/EIP NetworkVpcPublicSubnet2EIP24F41572
[+] AWS::EC2::NatGateway Network/Vpc/PublicSubnet2/NATGateway NetworkVpcPublicSubnet2NATGateway42CB86F5
[+] AWS::EC2::Subnet Network/Vpc/PrivateSubnet1/Subnet NetworkVpcPrivateSubnet1Subnet6DD86AE6
[+] AWS::EC2::RouteTable Network/Vpc/PrivateSubnet1/RouteTable NetworkVpcPrivateSubnet1RouteTable7D7AA3CD
[+] AWS::EC2::SubnetRouteTableAssociation Network/Vpc/PrivateSubnet1/RouteTableAssociation NetworkVpcPrivateSubnet1RouteTableAssociation327CA62F
[+] AWS::EC2::Route Network/Vpc/PrivateSubnet1/DefaultRoute NetworkVpcPrivateSubnet1DefaultRoute08635105
[+] AWS::EC2::Subnet Network/Vpc/PrivateSubnet2/Subnet NetworkVpcPrivateSubnet2Subnet1BDBE877
[+] AWS::EC2::RouteTable Network/Vpc/PrivateSubnet2/RouteTable NetworkVpcPrivateSubnet2RouteTableC48862D1
[+] AWS::EC2::SubnetRouteTableAssociation Network/Vpc/PrivateSubnet2/RouteTableAssociation NetworkVpcPrivateSubnet2RouteTableAssociation89A2F1E8
[+] AWS::EC2::Route Network/Vpc/PrivateSubnet2/DefaultRoute NetworkVpcPrivateSubnet2DefaultRouteA15DC6D5
[+] AWS::EC2::InternetGateway Network/Vpc/IGW NetworkVpcIGW6BEA7B02
[+] AWS::EC2::VPCGatewayAttachment Network/Vpc/VPCGW NetworkVpcVPCGW8F3799B5
[+] Custom::VpcRestrictDefaultSG Network/Vpc/RestrictDefaultSecurityGroupCustomResource NetworkVpcRestrictDefaultSecurityGroupCustomResource491E144D
[+] AWS::EC2::SecurityGroup Network/Vpc/ECREndpoint/SecurityGroup NetworkVpcECREndpointSecurityGroup020CC810
[+] AWS::EC2::VPCEndpoint Network/Vpc/ECREndpoint NetworkVpcECREndpointE8ED42C2
[+] AWS::EC2::SecurityGroup Network/Vpc/ECRDockerEndpoint/SecurityGroup NetworkVpcECRDockerEndpointSecurityGroupEC751EE8
[+] AWS::EC2::VPCEndpoint Network/Vpc/ECRDockerEndpoint NetworkVpcECRDockerEndpoint0D3D650F
[+] AWS::EC2::SecurityGroup Network/Vpc/CloudWatchEndpoint/SecurityGroup NetworkVpcCloudWatchEndpointSecurityGroup6E307338
[+] AWS::EC2::VPCEndpoint Network/Vpc/CloudWatchEndpoint NetworkVpcCloudWatchEndpointF625B932
[+] AWS::EC2::VPCEndpoint Network/S3Endpoint NetworkS3EndpointDED08CEB
[+] AWS::Logs::LogGroup Network/VpcFlowLogGroup NetworkVpcFlowLogGroup782DD453
[+] AWS::IAM::Role Network/VpcFlowLogGroupRole NetworkVpcFlowLogGroupRoleF6875B51
[+] AWS::IAM::Policy Network/VpcFlowLogGroupRole/DefaultPolicy NetworkVpcFlowLogGroupRoleDefaultPolicyDA3C2D9D
[+] AWS::EC2::FlowLog Network/FlowLog/FlowLog NetworkFlowLog0C7D188B
[+] AWS::IAM::Role Custom::VpcRestrictDefaultSGCustomResourceProvider/Role CustomVpcRestrictDefaultSGCustomResourceProviderRole26592FE0
[+] AWS::Lambda::Function Custom::VpcRestrictDefaultSGCustomResourceProvider/Handler CustomVpcRestrictDefaultSGCustomResourceProviderHandlerDC833E5E
[+] AWS::ECS::Cluster Cluster ClusterEB0386A7
[+] AWS::ElasticLoadBalancingV2::LoadBalancer FargateService/LB FargateServiceLBB353E155
[+] AWS::EC2::SecurityGroup FargateService/LB/SecurityGroup FargateServiceLBSecurityGroup5F444C78
[+] AWS::EC2::SecurityGroupEgress FargateService/LB/SecurityGroup/to StartCDKStackFargateServiceSecurityGroupBDD59CA1:80 FargateServiceLBSecurityGrouptoStartCDKStackFargateServiceSecurityGroupBDD59CA180DC7A1073
[+] AWS::ElasticLoadBalancingV2::Listener FargateService/LB/PublicListener FargateServiceLBPublicListener4B4929CA
[+] AWS::ElasticLoadBalancingV2::TargetGroup FargateService/LB/PublicListener/ECSGroup FargateServiceLBPublicListenerECSGroupBE57E081
[+] AWS::IAM::Role FargateService/TaskDef/TaskRole FargateServiceTaskDefTaskRole8CDCF85E
[+] AWS::ECS::TaskDefinition FargateService/TaskDef FargateServiceTaskDef940E3A80
[+] AWS::Logs::LogGroup FargateService/TaskDef/web/LogGroup FargateServiceTaskDefwebLogGroup71FAF541
[+] AWS::IAM::Role FargateService/TaskDef/ExecutionRole FargateServiceTaskDefExecutionRole9194820E
[+] AWS::IAM::Policy FargateService/TaskDef/ExecutionRole/DefaultPolicy FargateServiceTaskDefExecutionRoleDefaultPolicy827E7CA2
[+] AWS::ECS::Service FargateService/Service/Service FargateServiceECC8084D
[+] AWS::EC2::SecurityGroup FargateService/Service/SecurityGroup FargateServiceSecurityGroup262B61DD
[+] AWS::EC2::SecurityGroupIngress FargateService/Service/SecurityGroup/from StartCDKStackFargateServiceLBSecurityGroupFDFE6786:80 FargateServiceSecurityGroupfromStartCDKStackFargateServiceLBSecurityGroupFDFE6786803BA30FC6

Outputs
[+] Output FargateService/LoadBalancerDNS FargateServiceLoadBalancerDNS9433D5F6: {"Value":{"Fn::GetAtt":["FargateServiceLBB353E155","DNSName"]}}
[+] Output FargateService/ServiceURL FargateServiceServiceURL47701F45: {"Value":{"Fn::Join":["",["http://",{"Fn::GetAtt":["FargateServiceLBB353E155","DNSName"]}]]}}

✨ Number of stacks with differences: 1
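The Security Group Changes table above lists every rule the deployment will add, and the NOTE beneath it says the list may be incomplete, so a reviewer still has to read it. As an added example (not code from this repository or from the cdk diff action), the Python below parses that table and the cdk-nag warning lines out of cdk diff output and flags added rules whose peer is Everyone (IPv4) or Everyone (IPv6): ingress from anywhere (the load balancer's TCP 80 here, expected for a public ALB but worth confirming) and the allow-all egress that CDK attaches to security groups by default. The sample text is a constructed excerpt of this PR's output with shortened table borders; the function and finding names are my own.

```python
"""Flag wide-open rules in the 'Security Group Changes' table of `cdk diff` output.

Added review helper, not part of the project. Names below are assumptions.
"""
import re
from dataclasses import dataclass
from typing import List, Tuple

# Constructed excerpt of the cdk diff output posted on this PR (borders shortened).
SAMPLE_DIFF = """\
[Warning at /StartCDKStack/Network/Vpc/ECREndpoint/SecurityGroup/Resource] CdkNagValidationFailure: 'AwsSolutions-EC23' threw an error during validation.

Security Group Changes
┌───┬───┬─────┬────────────┬───┐
│   │ Group │ Dir │ Protocol │ Peer │
├───┼───┼─────┼────────────┼───┤
│ + │ ${FargateService/LB/SecurityGroup.GroupId} │ In │ TCP 80 │ Everyone (IPv4) │
│ + │ ${FargateService/LB/SecurityGroup.GroupId} │ Out │ TCP 80 │ ${FargateService/Service/SecurityGroup.GroupId} │
│ + │ ${FargateService/Service/SecurityGroup.GroupId} │ In │ TCP 80 │ ${FargateService/LB/SecurityGroup.GroupId} │
│ + │ ${FargateService/Service/SecurityGroup.GroupId} │ Out │ Everything │ Everyone (IPv4) │
│ + │ ${Network/Vpc/CloudWatchEndpoint/SecurityGroup.GroupId} │ In │ TCP 443 │ ${Network/Vpc.CidrBlock} │
│ + │ ${Network/Vpc/CloudWatchEndpoint/SecurityGroup.GroupId} │ Out │ Everything │ Everyone (IPv4) │
└───┴───┴─────┴────────────┴───┘
(NOTE: There may be security-related changes not in this list. See aws/aws-cdk#1299)
"""

# Peers that cdk diff prints for 0.0.0.0/0 and ::/0.
ANY_PEER = {"Everyone (IPv4)", "Everyone (IPv6)"}

# cdk-nag prints "[Warning at <construct path>] <failure>: '<rule id>' ..."
NAG_RE = re.compile(r"\[Warning at (?P<path>\S+)\] (?P<failure>\w+): '(?P<rule>[\w-]+)'")


@dataclass(frozen=True)
class SgFinding:
    group: str
    direction: str  # "In" or "Out"
    protocol: str   # e.g. "TCP 80" or "Everything"
    peer: str
    kind: str       # open-ingress, open-ingress-all-ports, open-egress, unrestricted-egress


def parse_sg_rows(diff_text: str) -> List[List[str]]:
    """Return the data rows of the Security Group Changes table as [change, group, dir, proto, peer]."""
    rows: List[List[str]] = []
    in_section = False
    for line in diff_text.splitlines():
        stripped = line.strip()
        if stripped == "Security Group Changes":
            in_section = True
            continue
        if in_section and stripped.startswith("└"):  # bottom border closes the table
            break
        if in_section and stripped.startswith("│"):
            cells = [c.strip() for c in stripped.split("│")][1:-1]
            if len(cells) == 5 and cells[1] != "Group":  # skip the header row
                rows.append(cells)
    return rows


def classify_rules(rows: List[List[str]]) -> List[SgFinding]:
    """Flag added ('+') rules whose peer is the whole internet; removed rules do not widen exposure."""
    findings: List[SgFinding] = []
    for change, group, direction, protocol, peer in rows:
        if change != "+" or peer not in ANY_PEER:
            continue
        if direction == "In":
            kind = "open-ingress-all-ports" if protocol == "Everything" else "open-ingress"
        else:
            kind = "unrestricted-egress" if protocol == "Everything" else "open-egress"
        findings.append(SgFinding(group, direction, protocol, peer, kind))
    return findings


def parse_nag_warnings(diff_text: str) -> List[Tuple[str, str]]:
    """Return (construct path, rule id) for each cdk-nag warning so unvalidated rules can be tracked."""
    return [(m.group("path"), m.group("rule")) for m in NAG_RE.finditer(diff_text)]


if __name__ == "__main__":
    for f in classify_rules(parse_sg_rows(SAMPLE_DIFF)):
        print(f"{f.kind:24} {f.direction:3} {f.protocol:11} {f.group}")
    for path, rule in parse_nag_warnings(SAMPLE_DIFF):
        print(f"unvalidated {rule} at {path}")
```

Run against the PR's full output it reports the public TCP 80 ingress on the load balancer and the two allow-all egress rules, and lists the three AwsSolutions-EC23 warnings as rules cdk-nag could not check because the peer resolves to an Fn::GetAtt on the VPC CIDR. In a pipeline the `open-ingress-all-ports` kind is the one that should fail the check outright; the others are review prompts.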

@yutaro-sakamoto yutaro-sakamoto merged commit 05891c0 into main Oct 8, 2024
5 checks passed