AWS CDK: How to access VPC in another account
I need access to resources in my staging/prod accounts' VPC from my "tools" account (I have an RDS instance sitting in each of both VPCs and want to automate schema upgrades as part of my CI/CD).

How can I import a VPC from the staging/prod account within a stack in the "tools" account?

Vpc.fromLookup() does not work since it searches for VPCs in the stack's region and account, but not in other regions/accounts.

EDIT:

I want to give a CodeBuild project (part of a CodePipeline) in the "tools" account access to the RDS instance in the VPC of the prod/staging accounts. To give it access, I use the vpc attribute on the CodeBuild project.

I'm not sure what the best way is to tackle schema upgrades using CodePipeline/CodeBuild. Ideally, the RDS instance should be sitting in a private/isolated subnet.
```typescript
import * as codebuild from '@aws-cdk/aws-codebuild';
import * as codepipeline_actions from '@aws-cdk/aws-codepipeline-actions';
import * as ec2 from '@aws-cdk/aws-ec2';

// sourceOutput (pipeline Artifact), dbEndpoint, dbSecretId and vpcId are
// defined elsewhere in the stack.
const dbMigrateBuild = new codebuild.PipelineProject(this, 'MigrateBuild', {
  buildSpec: codebuild.BuildSpec.fromSourceFilename('buildspec-migrate.yml'),
  environment: {
    buildImage: codebuild.LinuxBuildImage.STANDARD_4_0,
  },
  environmentVariables: {
    migrationBucketId: {
      type: codebuild.BuildEnvironmentVariableType.PLAINTEXT,
      value: sourceOutput.bucketName,
    },
    dbEndpoint: {
      type: codebuild.BuildEnvironmentVariableType.PLAINTEXT,
      value: dbEndpoint,
    },
    dbSecretId: {
      type: codebuild.BuildEnvironmentVariableType.PLAINTEXT,
      value: dbSecretId,
    },
  },
  vpc: ec2.Vpc.fromLookup(this, 'Vpc', { vpcId }), // <-- this is not working
});
// dbMigrateBuild.connections.allowToDefaultPort(db); // how to grant permission ??

const dbMigrateAction = new codepipeline_actions.CodeBuildAction({
  actionName: 'Db_Migrate',
  project: dbMigrateBuild,
  input: sourceOutput,
  runOrder: 130,
});
```
For this you would need to do one of the following:

This has to be performed before you run the cdk commands, using the sts assume-role command.
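The assume-role step described above, written out as an added shell example (not code from the question or the answer). It assumes the AWS CLI v2 and the CDK CLI are on PATH, that a role in the staging/prod account (placeholder `arn:aws:iam::<TARGET_ACCOUNT_ID>:role/CdkDeployRole`) trusts the tools-account principal for sts:AssumeRole, and that the stack being deployed sets `env: { account: <TARGET_ACCOUNT_ID>, region }`, since Vpc.fromLookup() searches the stack's own account. The parsing of the assume-role output is separated from the network call so it can be checked against constructed input.

```shell
#!/bin/sh
# Added example, not code from the original question or answer.
# Placeholders (not values from the page): <TARGET_ACCOUNT_ID>, CdkDeployRole, ProdStack.

# Parse the single tab-separated line that
#   aws sts assume-role ... --query 'Credentials.[AccessKeyId,SecretAccessKey,SessionToken]' --output text
# prints, and export the three variables the AWS SDK and the CDK CLI read.
# Fails if fewer than three fields are present, so a truncated or error
# response never leaves a half-populated credential set in the environment.
parse_credentials() {
    IFS="$(printf '\t')" read -r AWS_ACCESS_KEY_ID AWS_SECRET_ACCESS_KEY AWS_SESSION_TOKEN <<EOF
$1
EOF
    if [ -z "$AWS_ACCESS_KEY_ID" ] || [ -z "$AWS_SECRET_ACCESS_KEY" ] || [ -z "$AWS_SESSION_TOKEN" ]; then
        echo "assume-role output did not contain three credential fields" >&2
        return 1
    fi
    export AWS_ACCESS_KEY_ID AWS_SECRET_ACCESS_KEY AWS_SESSION_TOKEN
}

# Assume the cross-account role, then run the given cdk command with the
# resulting short-lived credentials. Everything happens in a subshell, so the
# temporary keys do not outlive the cdk invocation in the caller's environment.
cdk_as_role() {
    role_arn=$1
    shift
    (
        line=$(aws sts assume-role \
                   --role-arn "$role_arn" \
                   --role-session-name "cdk-deploy-$(date +%s)" \
                   --duration-seconds 3600 \
                   --query 'Credentials.[AccessKeyId,SecretAccessKey,SessionToken]' \
                   --output text) || exit 1
        parse_credentials "$line" || exit 1
        cdk "$@"
    )
}

# Usage (placeholders):
#   cdk_as_role arn:aws:iam::<TARGET_ACCOUNT_ID>:role/CdkDeployRole deploy ProdStack
```

The session duration of 3600 seconds is the default upper bound for a chained role session; the deploy runs entirely on credentials that expire on their own, and the tools account's long-lived credentials never need permissions in the target account beyond sts:AssumeRole.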