AWS Codepipeline 将 cloudformation 部署到开发账户并使用输出堆栈在中央账户中创建参数存储。 可能吗?
[英]AWS Codepipeline deploy cloudformation to Dev account and use output stack to create Parameter store in Central account . Posible?
问题描述
I want to build a cross account Codepiepline the Codepipeline stay on Central Account so i assume role to DEV Account and create stack but at the same time i want to create parameter store in Central Account with output stack from Dev account
我想构建一个跨帐户 Codepiepline Codepipeline 留在中央帐户上,所以我承担开发帐户的角色并创建堆栈,但同时我想在中央帐户中使用开发帐户的输出堆栈创建参数存储
for example例如
- Codepipeline in Central account will assume role to Dev Account for deploy s3bucket Central 帐户中的 Codepipeline 将承担 Dev Account 的角色以部署 s3bucket
- and !GetAtt mydemo.DomainName to create parameter store in Central account和 !GetAtt mydemo.DomainName 在 Central 帐户中创建参数存储
** My all pipeline with stay on Central account and keep all parameter store from DEV Account so my codebuild, another codepipeline can read the value ** 我的所有管道都保留在 Central 帐户上,并保留来自 DEV 帐户的所有参数存储,以便我的代码构建,另一个代码管道可以读取该值
so any idea for me ?所以对我有什么想法吗?
#This s3 will be deploy to dev account
Resources:
DeployDevAccountBucket:
Type: AWS::S3::Bucket
Properties:
BucketName: "dev-bucket"
AccessControl: Private
BucketEncryption:
ServerSideEncryptionConfiguration:
- ServerSideEncryptionByDefault:
SSEAlgorithm: AES256
VersioningConfiguration:
Status: "Enabled"
#This parameter store will be deploy to Central account
BucketNameParameter:
Type: AWS::SSM::Parameter
Properties:
Name: !Sub "dev-account-s3-domainname"
Type: String
Value: !GetAtt DeployDevAccountBucket.DomainName
2 个解决方案
解决方案1
0 2021-11-05 00:36:49
You can't do this with CloudFormation (CFN) and a single stack.使用 CloudFormation (CFN) 和单个堆栈无法做到这一点。 CFN is region and account specific, and does not support cross-account deployments. CFN 是区域和账户特定的,不支持跨账户部署。
You would have to re-architect your pipeline to use CFN StackSets , which requires you to split your template to different ones, depending on the account or region.您必须重新构建管道以使用CFN StackSets ,这需要您根据帐户或区域将模板拆分为不同的模板。
But probably the easiest way is to use CodeBuild where you explicitly assume cross-account roles to deploy stacks in different accounts.但可能最简单的方法是使用 CodeBuild,您可以在其中明确承担跨账户角色以在不同账户中部署堆栈。
解决方案2
0 2021-11-05 00:51:46
#This parameter store will be deploy to Central account
there isn't any way to use the AWS::SSM::Parameter resource within your dev account to create a parameter in a different account.没有任何方法可以在您的开发账户中使用AWS::SSM::Parameter资源在不同的账户中创建参数。
My all pipeline with stay on Central account and keep all parameter store from DEV Account so my codebuild, another codepipeline can read the value
But, if the pipeline is in the central account, and you're using the cloudformation action type in code pipeline, you can still access stack outputs via Code Pipeline Cloudformation Action Output Variables .但是,如果管道在中央帐户中,并且您在代码管道中使用 cloudformation 操作类型,您仍然可以通过Code Pipeline Cloudformation Action Output Variables访问堆栈输出。 A downstream pipeline task could put those outputs into a parameter - in the Central account ,wehre the pipeline is already running, or really in any account, via role assumption.下游管道任务可以将这些输出放入一个参数中——在中央账户中,管道已经在运行,或者实际上在任何账户中,通过角色假设。
There is another method: you could define a custom cloudformation resource that would assume a role in a different account and manage the parameter there.还有另一种方法:您可以定义一个自定义 cloudformation 资源,该资源将承担不同帐户中的角色并在那里管理参数。 You'd have to manage the roles and the lambda (or whatever implementation) for that resource all separately, though.不过,您必须分别管理该资源的角色和 lambda(或任何实现)。 I think the stack outputs approach is better.我认为堆栈输出方法更好。
声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.