
Fix the Network construct #21

Merged
merged 1 commit into from
Oct 8, 2024

Conversation

yutaro-sakamoto
Owner

Overview

Fixed the Network construct so that the deployment goes through

Changes

  • Removed the VPC subnet and NAT gateway settings and changed the construct to use the default values

Scope of impact

Deployment now goes through

Tests

None

Related Issues

None

Related Pull Requests

None

Other

None


github-actions bot commented Oct 8, 2024

Result of cdk diff

[Warning at /StartCDKStack/Network/Vpc/ECREndpoint/SecurityGroup/Resource] CdkNagValidationFailure: 'AwsSolutions-EC23' threw an error during validation. This is generally caused by a parameter referencing an intrinsic function. You can suppress the "CdkNagValidationFailure" to get rid of this error. For more details enable verbose logging.' The parameter resolved to to a non-primitive value "{"Fn::GetAtt":["NetworkVpc7FB7348F","CidrBlock"]}", therefore the rule could not be validated.

[Warning at /StartCDKStack/Network/Vpc/ECRDockerEndpoint/SecurityGroup/Resource] CdkNagValidationFailure: 'AwsSolutions-EC23' threw an error during validation. This is generally caused by a parameter referencing an intrinsic function. You can suppress the "CdkNagValidationFailure" to get rid of this error. For more details enable verbose logging.' The parameter resolved to to a non-primitive value "{"Fn::GetAtt":["NetworkVpc7FB7348F","CidrBlock"]}", therefore the rule could not be validated.

[Warning at /StartCDKStack/Network/Vpc/CloudWatchEndpoint/SecurityGroup/Resource] CdkNagValidationFailure: 'AwsSolutions-EC23' threw an error during validation. This is generally caused by a parameter referencing an intrinsic function. You can suppress the "CdkNagValidationFailure" to get rid of this error. For more details enable verbose logging.' The parameter resolved to to a non-primitive value "{"Fn::GetAtt":["NetworkVpc7FB7348F","CidrBlock"]}", therefore the rule could not be validated.

Stack StartCDKStack
IAM Statement Changes
┌───┬────────────────────────────────────────────────────────────────────────────────────────────────────────┬────────┬───────────────────────────────────┬────────────────────────────────────────────────────────────────┬───────────┐
│ │ Resource │ Effect │ Action │ Principal │ Condition │
├───┼────────────────────────────────────────────────────────────────────────────────────────────────────────┼────────┼───────────────────────────────────┼────────────────────────────────────────────────────────────────┼───────────┤
│ + │ ${Custom::VpcRestrictDefaultSGCustomResourceProvider/Role.Arn} │ Allow │ sts:AssumeRole │ Service:lambda.amazonaws.com │ │
├───┼────────────────────────────────────────────────────────────────────────────────────────────────────────┼────────┼───────────────────────────────────┼────────────────────────────────────────────────────────────────┼───────────┤
│ + │ ${FargateService/TaskDef/ExecutionRole.Arn} │ Allow │ sts:AssumeRole │ Service:ecs-tasks.amazonaws.com │ │
├───┼────────────────────────────────────────────────────────────────────────────────────────────────────────┼────────┼───────────────────────────────────┼────────────────────────────────────────────────────────────────┼───────────┤
│ + │ ${FargateService/TaskDef/TaskRole.Arn} │ Allow │ sts:AssumeRole │ Service:ecs-tasks.amazonaws.com │ │
├───┼────────────────────────────────────────────────────────────────────────────────────────────────────────┼────────┼───────────────────────────────────┼────────────────────────────────────────────────────────────────┼───────────┤
│ + │ ${FargateService/TaskDef/web/LogGroup.Arn} │ Allow │ logs:CreateLogStream │ AWS:${FargateService/TaskDef/ExecutionRole} │ │
│ │ │ │ logs:PutLogEvents │ │ │
├───┼────────────────────────────────────────────────────────────────────────────────────────────────────────┼────────┼───────────────────────────────────┼────────────────────────────────────────────────────────────────┼───────────┤
│ + │ ${Network/VpcFlowLogGroup.Arn} │ Allow │ logs:CreateLogStream │ AWS:${Network/VpcFlowLogGroupRole} │ │
│ │ │ │ logs:DescribeLogStreams │ │ │
│ │ │ │ logs:PutLogEvents │ │ │
├───┼────────────────────────────────────────────────────────────────────────────────────────────────────────┼────────┼───────────────────────────────────┼────────────────────────────────────────────────────────────────┼───────────┤
│ + │ ${Network/VpcFlowLogGroupRole.Arn} │ Allow │ sts:AssumeRole │ Service:vpc-flow-logs.amazonaws.com │ │
│ + │ ${Network/VpcFlowLogGroupRole.Arn} │ Allow │ iam:PassRole │ AWS:${Network/VpcFlowLogGroupRole} │ │
├───┼────────────────────────────────────────────────────────────────────────────────────────────────────────┼────────┼───────────────────────────────────┼────────────────────────────────────────────────────────────────┼───────────┤
│ + │ arn:aws:ec2:ap-northeast-1:${AWS::AccountId}:security-group/${NetworkVpc7FB7348F.DefaultSecurityGroup} │ Allow │ ec2:AuthorizeSecurityGroupEgress │ AWS:${Custom::VpcRestrictDefaultSGCustomResourceProvider/Role} │ │
│ │ │ │ ec2:AuthorizeSecurityGroupIngress │ │ │
│ │ │ │ ec2:RevokeSecurityGroupEgress │ │ │
│ │ │ │ ec2:RevokeSecurityGroupIngress │ │ │
└───┴────────────────────────────────────────────────────────────────────────────────────────────────────────┴────────┴───────────────────────────────────┴────────────────────────────────────────────────────────────────┴───────────┘
IAM Policy Changes
┌───┬────────────────────────────────────────────────────────────┬──────────────────────────────────────────────────────────────────────────────────────────────┐
│ │ Resource │ Managed Policy ARN │
├───┼────────────────────────────────────────────────────────────┼──────────────────────────────────────────────────────────────────────────────────────────────┤
│ + │ ${Custom::VpcRestrictDefaultSGCustomResourceProvider/Role} │ {"Fn::Sub":"arn:${AWS::Partition}:iam::aws:policy/service-role/AWSLambdaBasicExecutionRole"} │
└───┴────────────────────────────────────────────────────────────┴──────────────────────────────────────────────────────────────────────────────────────────────┘
Security Group Changes
┌───┬─────────────────────────────────────────────────────────┬─────┬────────────┬─────────────────────────────────────────────────┐
│ │ Group │ Dir │ Protocol │ Peer │
├───┼─────────────────────────────────────────────────────────┼─────┼────────────┼─────────────────────────────────────────────────┤
│ + │ ${FargateService/LB/SecurityGroup.GroupId} │ In │ TCP 80 │ Everyone (IPv4) │
│ + │ ${FargateService/LB/SecurityGroup.GroupId} │ Out │ TCP 80 │ ${FargateService/Service/SecurityGroup.GroupId} │
├───┼─────────────────────────────────────────────────────────┼─────┼────────────┼─────────────────────────────────────────────────┤
│ + │ ${FargateService/Service/SecurityGroup.GroupId} │ In │ TCP 80 │ ${FargateService/LB/SecurityGroup.GroupId} │
│ + │ ${FargateService/Service/SecurityGroup.GroupId} │ Out │ Everything │ Everyone (IPv4) │
├───┼─────────────────────────────────────────────────────────┼─────┼────────────┼─────────────────────────────────────────────────┤
│ + │ ${Network/Vpc/CloudWatchEndpoint/SecurityGroup.GroupId} │ In │ TCP 443 │ ${Network/Vpc.CidrBlock} │
│ + │ ${Network/Vpc/CloudWatchEndpoint/SecurityGroup.GroupId} │ Out │ Everything │ Everyone (IPv4) │
├───┼─────────────────────────────────────────────────────────┼─────┼────────────┼─────────────────────────────────────────────────┤
│ + │ ${Network/Vpc/ECRDockerEndpoint/SecurityGroup.GroupId} │ In │ TCP 443 │ ${Network/Vpc.CidrBlock} │
│ + │ ${Network/Vpc/ECRDockerEndpoint/SecurityGroup.GroupId} │ Out │ Everything │ Everyone (IPv4) │
├───┼─────────────────────────────────────────────────────────┼─────┼────────────┼─────────────────────────────────────────────────┤
│ + │ ${Network/Vpc/ECREndpoint/SecurityGroup.GroupId} │ In │ TCP 443 │ ${Network/Vpc.CidrBlock} │
│ + │ ${Network/Vpc/ECREndpoint/SecurityGroup.GroupId} │ Out │ Everything │ Everyone (IPv4) │
└───┴─────────────────────────────────────────────────────────┴─────┴────────────┴─────────────────────────────────────────────────┘
(NOTE: There may be security-related changes not in this list. See aws/aws-cdk#1299)

Parameters
[+] Parameter BootstrapVersion BootstrapVersion: {"Type":"AWS::SSM::Parameter::Value","Default":"/cdk-bootstrap/hnb659fds/version","Description":"Version of the CDK Bootstrap resources in this environment, automatically retrieved from SSM Parameter Store. [cdk:skip]"}

Resources
[+] AWS::EC2::VPC Network/Vpc NetworkVpc7FB7348F
[+] AWS::EC2::Subnet Network/Vpc/PublicSubnet1/Subnet NetworkVpcPublicSubnet1Subnet36933139
[+] AWS::EC2::RouteTable Network/Vpc/PublicSubnet1/RouteTable NetworkVpcPublicSubnet1RouteTable30235CE2
[+] AWS::EC2::SubnetRouteTableAssociation Network/Vpc/PublicSubnet1/RouteTableAssociation NetworkVpcPublicSubnet1RouteTableAssociation643926C7
[+] AWS::EC2::Route Network/Vpc/PublicSubnet1/DefaultRoute NetworkVpcPublicSubnet1DefaultRoute31EC04EC
[+] AWS::EC2::EIP Network/Vpc/PublicSubnet1/EIP NetworkVpcPublicSubnet1EIPE0D52090
[+] AWS::EC2::NatGateway Network/Vpc/PublicSubnet1/NATGateway NetworkVpcPublicSubnet1NATGateway64781A21
[+] AWS::EC2::Subnet Network/Vpc/PublicSubnet2/Subnet NetworkVpcPublicSubnet2SubnetC427CCE0
[+] AWS::EC2::RouteTable Network/Vpc/PublicSubnet2/RouteTable NetworkVpcPublicSubnet2RouteTable0FACEBB2
[+] AWS::EC2::SubnetRouteTableAssociation Network/Vpc/PublicSubnet2/RouteTableAssociation NetworkVpcPublicSubnet2RouteTableAssociationC662643B
[+] AWS::EC2::Route Network/Vpc/PublicSubnet2/DefaultRoute NetworkVpcPublicSubnet2DefaultRoute0CF082AB
[+] AWS::EC2::EIP Network/Vpc/PublicSubnet2/EIP NetworkVpcPublicSubnet2EIP24F41572
[+] AWS::EC2::NatGateway Network/Vpc/PublicSubnet2/NATGateway NetworkVpcPublicSubnet2NATGateway42CB86F5
[+] AWS::EC2::Subnet Network/Vpc/PrivateSubnet1/Subnet NetworkVpcPrivateSubnet1Subnet6DD86AE6
[+] AWS::EC2::RouteTable Network/Vpc/PrivateSubnet1/RouteTable NetworkVpcPrivateSubnet1RouteTable7D7AA3CD
[+] AWS::EC2::SubnetRouteTableAssociation Network/Vpc/PrivateSubnet1/RouteTableAssociation NetworkVpcPrivateSubnet1RouteTableAssociation327CA62F
[+] AWS::EC2::Route Network/Vpc/PrivateSubnet1/DefaultRoute NetworkVpcPrivateSubnet1DefaultRoute08635105
[+] AWS::EC2::Subnet Network/Vpc/PrivateSubnet2/Subnet NetworkVpcPrivateSubnet2Subnet1BDBE877
[+] AWS::EC2::RouteTable Network/Vpc/PrivateSubnet2/RouteTable NetworkVpcPrivateSubnet2RouteTableC48862D1
[+] AWS::EC2::SubnetRouteTableAssociation Network/Vpc/PrivateSubnet2/RouteTableAssociation NetworkVpcPrivateSubnet2RouteTableAssociation89A2F1E8
[+] AWS::EC2::Route Network/Vpc/PrivateSubnet2/DefaultRoute NetworkVpcPrivateSubnet2DefaultRouteA15DC6D5
[+] AWS::EC2::InternetGateway Network/Vpc/IGW NetworkVpcIGW6BEA7B02
[+] AWS::EC2::VPCGatewayAttachment Network/Vpc/VPCGW NetworkVpcVPCGW8F3799B5
[+] Custom::VpcRestrictDefaultSG Network/Vpc/RestrictDefaultSecurityGroupCustomResource NetworkVpcRestrictDefaultSecurityGroupCustomResource491E144D
[+] AWS::EC2::SecurityGroup Network/Vpc/ECREndpoint/SecurityGroup NetworkVpcECREndpointSecurityGroup020CC810
[+] AWS::EC2::VPCEndpoint Network/Vpc/ECREndpoint NetworkVpcECREndpointE8ED42C2
[+] AWS::EC2::SecurityGroup Network/Vpc/ECRDockerEndpoint/SecurityGroup NetworkVpcECRDockerEndpointSecurityGroupEC751EE8
[+] AWS::EC2::VPCEndpoint Network/Vpc/ECRDockerEndpoint NetworkVpcECRDockerEndpoint0D3D650F
[+] AWS::EC2::SecurityGroup Network/Vpc/CloudWatchEndpoint/SecurityGroup NetworkVpcCloudWatchEndpointSecurityGroup6E307338
[+] AWS::EC2::VPCEndpoint Network/Vpc/CloudWatchEndpoint NetworkVpcCloudWatchEndpointF625B932
[+] AWS::EC2::VPCEndpoint Network/S3Endpoint NetworkS3EndpointDED08CEB
[+] AWS::Logs::LogGroup Network/VpcFlowLogGroup NetworkVpcFlowLogGroup782DD453
[+] AWS::IAM::Role Network/VpcFlowLogGroupRole NetworkVpcFlowLogGroupRoleF6875B51
[+] AWS::IAM::Policy Network/VpcFlowLogGroupRole/DefaultPolicy NetworkVpcFlowLogGroupRoleDefaultPolicyDA3C2D9D
[+] AWS::EC2::FlowLog Network/FlowLog/FlowLog NetworkFlowLog0C7D188B
[+] AWS::IAM::Role Custom::VpcRestrictDefaultSGCustomResourceProvider/Role CustomVpcRestrictDefaultSGCustomResourceProviderRole26592FE0
[+] AWS::Lambda::Function Custom::VpcRestrictDefaultSGCustomResourceProvider/Handler CustomVpcRestrictDefaultSGCustomResourceProviderHandlerDC833E5E
[+] AWS::ECS::Cluster Cluster ClusterEB0386A7
[+] AWS::ElasticLoadBalancingV2::LoadBalancer FargateService/LB FargateServiceLBB353E155
[+] AWS::EC2::SecurityGroup FargateService/LB/SecurityGroup FargateServiceLBSecurityGroup5F444C78
[+] AWS::EC2::SecurityGroupEgress FargateService/LB/SecurityGroup/to StartCDKStackFargateServiceSecurityGroupBDD59CA1:80 FargateServiceLBSecurityGrouptoStartCDKStackFargateServiceSecurityGroupBDD59CA180DC7A1073
[+] AWS::ElasticLoadBalancingV2::Listener FargateService/LB/PublicListener FargateServiceLBPublicListener4B4929CA
[+] AWS::ElasticLoadBalancingV2::TargetGroup FargateService/LB/PublicListener/ECSGroup FargateServiceLBPublicListenerECSGroupBE57E081
[+] AWS::IAM::Role FargateService/TaskDef/TaskRole FargateServiceTaskDefTaskRole8CDCF85E
[+] AWS::ECS::TaskDefinition FargateService/TaskDef FargateServiceTaskDef940E3A80
[+] AWS::Logs::LogGroup FargateService/TaskDef/web/LogGroup FargateServiceTaskDefwebLogGroup71FAF541
[+] AWS::IAM::Role FargateService/TaskDef/ExecutionRole FargateServiceTaskDefExecutionRole9194820E
[+] AWS::IAM::Policy FargateService/TaskDef/ExecutionRole/DefaultPolicy FargateServiceTaskDefExecutionRoleDefaultPolicy827E7CA2
[+] AWS::ECS::Service FargateService/Service/Service FargateServiceECC8084D
[+] AWS::EC2::SecurityGroup FargateService/Service/SecurityGroup FargateServiceSecurityGroup262B61DD
[+] AWS::EC2::SecurityGroupIngress FargateService/Service/SecurityGroup/from StartCDKStackFargateServiceLBSecurityGroupFDFE6786:80 FargateServiceSecurityGroupfromStartCDKStackFargateServiceLBSecurityGroupFDFE6786803BA30FC6

Outputs
[+] Output FargateService/LoadBalancerDNS FargateServiceLoadBalancerDNS9433D5F6: {"Value":{"Fn::GetAtt":["FargateServiceLBB353E155","DNSName"]}}
[+] Output FargateService/ServiceURL FargateServiceServiceURL47701F45: {"Value":{"Fn::Join":["",["http://",{"Fn::GetAtt":["FargateServiceLBB353E155","DNSName"]}]]}}

✨ Number of stacks with differences: 1
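The "Security Group Changes" table above is where a reviewer of this diff would look first: the load balancer is opened to Everyone on TCP 80, and several groups get CDK's default unrestricted egress. As an added example (not code from this PR or project), the Python below parses that table as `cdk diff` prints it and returns the rows worth a human look; the table text is a constructed sample that mirrors the shape of the bot's output, including one constructed removed rule.

```python
"""Flag reviewer-relevant rows in the 'Security Group Changes' table that
`cdk diff` prints. Sample input is constructed for this example."""
from dataclasses import dataclass

# Constructed sample in the format of the bot comment above
# (the "- ... TCP 22" row is invented to show removed rules are ignored).
SAMPLE_DIFF = """\
Security Group Changes
┌───┬──────┬─────┬──────┬──────┐
│   │ Group │ Dir │ Protocol │ Peer │
├───┼──────┼─────┼──────┼──────┤
│ + │ ${FargateService/LB/SecurityGroup.GroupId} │ In │ TCP 80 │ Everyone (IPv4) │
│ + │ ${FargateService/LB/SecurityGroup.GroupId} │ Out │ TCP 80 │ ${FargateService/Service/SecurityGroup.GroupId} │
├───┼──────┼─────┼──────┼──────┤
│ + │ ${FargateService/Service/SecurityGroup.GroupId} │ In │ TCP 80 │ ${FargateService/LB/SecurityGroup.GroupId} │
│ + │ ${FargateService/Service/SecurityGroup.GroupId} │ Out │ Everything │ Everyone (IPv4) │
├───┼──────┼─────┼──────┼──────┤
│ + │ ${Network/Vpc/ECREndpoint/SecurityGroup.GroupId} │ In │ TCP 443 │ ${Network/Vpc.CidrBlock} │
│ - │ ${Network/Vpc/ECREndpoint/SecurityGroup.GroupId} │ In │ TCP 22 │ Everyone (IPv4) │
└───┴──────┴─────┴──────┴──────┘
(NOTE: There may be security-related changes not in this list. See aws/aws-cdk#1299)
"""

WORLD_PEERS = {"Everyone (IPv4)", "Everyone (IPv6)"}


@dataclass(frozen=True)
class SgRule:
    change: str      # "+" added, "-" removed
    group: str
    direction: str   # "In" or "Out"
    protocol: str
    peer: str


def parse_sg_changes(diff_text: str) -> list[SgRule]:
    """Turn the box-drawing table into SgRule records; borders, the header
    row and any continuation rows (no +/- marker) are skipped."""
    rules = []
    for line in diff_text.splitlines():
        if not line.startswith("│"):
            continue
        cells = [c.strip() for c in line.strip("│").split("│")]
        if len(cells) != 5 or cells[0] not in ("+", "-"):
            continue
        rules.append(SgRule(*cells))
    return rules


def added_world_open_ingress(rules: list[SgRule]) -> list[SgRule]:
    """Newly added inbound rules reachable from any Internet host."""
    return [r for r in rules
            if r.change == "+" and r.direction == "In" and r.peer in WORLD_PEERS]


def added_unrestricted_egress(rules: list[SgRule]) -> list[SgRule]:
    """Newly added 'Out / Everything / Everyone' rules (CDK's allowAllOutbound default)."""
    return [r for r in rules
            if r.change == "+" and r.direction == "Out"
            and r.protocol == "Everything" and r.peer in WORLD_PEERS]
```

Run against the real bot output, the only world-open ingress is the load balancer on TCP 80, while every endpoint and the service security group carry unrestricted egress.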

@yutaro-sakamoto yutaro-sakamoto merged commit 05891c0 into main Oct 8, 2024
5 checks passed