
CDK - 如何在用戶數據中使用 Opensearch Domain MasterUserPassword

[英]CDK - How to use Opensearch Domain MasterUserPassword within userdata

Opensearch L2 構造中,如果您添加細粒度的訪問控制,Secrets Manager 中將為您創建一個 Secret(可通過masterUserPassword訪問)。

我想稍后在CloudformationInit中使用這個生成的密碼,但不確定如何使用。

from aws_cdk import aws_ec2 as ec2
from aws_cdk import aws_iam as iam
from aws_cdk import aws_opensearchservice as opensearch
from aws_cdk import aws_s3 as s3


class OpensearchStack(Stack):
    """Stack from the question: an OpenSearch domain and an EC2 instance for Logstash.

    ``Stack`` and ``Construct`` are referenced here but are not imported in the
    snippet above (only the ``aws_cdk`` sub-modules are).
    """
    def __init__(
        self,
        scope: Construct,
        construct_id: str,
        **kwargs,
    ) -> None:
        """Create the VPC, bucket, OpenSearch domain and the Logstash instance.

        Args:
            scope: Parent construct.
            construct_id: Logical id of the stack within ``scope``.
            **kwargs: Forwarded unchanged to ``Stack``.
        """
        super().__init__(scope, construct_id, **kwargs)

        vpc = ec2.Vpc(self, "generatorVpc", max_azs=2)
        bucket = s3.Bucket(self, "My Bucket")
        # Enabling fine-grained access control makes the Domain construct
        # generate a master-user secret; the password is exposed to this code
        # only as the SecretValue ``domain.master_user_password``.
        domain = opensearch.Domain(self,"OpensearchDomain",
            version=opensearch.EngineVersion.OPENSEARCH_1_3,
            vpc=vpc,
            fine_grained_access_control=opensearch.AdvancedSecurityOptions(
                master_user_name="osadmin",
            ),
        )
        instance = ec2.Instance(self, "Instance",
            vpc=vpc,
            instance_type=ec2.InstanceType.of(
                instance_class=ec2.InstanceClass.M5,
                instance_size=ec2.InstanceSize.LARGE,
            ),
            machine_image=ec2.MachineImage.latest_amazon_linux(
                generation=ec2.AmazonLinuxGeneration.AMAZON_LINUX_2,
            ),
            init=ec2.CloudFormationInit.from_elements(
                ec2.InitFile.from_string(
                            file_name="/home/ec2-user/logstash-8.4.0/config/my_conf.conf",
                            owner="ec2-user",
                            # NOTE(review): this file is meant to hold the master
                            # password, yet 00755 leaves it readable by every user
                            # on the instance.
                            mode="00755",
                            # The two secrets_manager() calls below need a real
                            # secret id/ARN; the literal "What secret id do I put
                            # here?" is the open question and will not resolve.
                            content=f"""input {{
    s3 {{
        bucket => "{bucket.bucket_name}"
        region => "{self.region}"
    }}
}}
output {{
    opensearch {{
        hosts => ["{domain.domain_endpoint}:443"]
        user => "{domain.master_user_password.secrets_manager("What secret id do I put here?", json_field="username")}"
        password => "{domain.master_user_password.secrets_manager("What secret id do I put here?", json_field="password")}"
        ecs_compatibility => disabled
    }}
}}
""",
                )
            )
        )

由於SecretValue沒有secretId屬性,我不確定如何確定masterUserPassword的 Secret ID/Arn。

有沒有更好的方法在我的 logstash 配置中獲取生成的憑據?

username 值很簡單,因為您已明確將其設置為 osadmin。要獲取 password 的引用,請在域的 master_user_password 屬性(它是一個 SecretValue)上調用 to_string 方法:

domain.master_user_password.to_string()

在合成出的模板中,這會變成對該 Secret 中密碼的 CloudFormation 動態引用。模板本身並不知道實際密碼,它會在部署時於雲端解析。

SecretValue.secrets_manager 靜態方法也會合成同樣的動態引用,但您無法使用它:該方法需要 Secret ID,而當 Domain 構造為您生成 Secret 時,這個 ID 並不會被公開。

我最終在 CloudFormationInit 中添加了命令,從 Secrets Manager 拉取 OpenSearch 憑證並做查找替換:

from aws_cdk import aws_ec2 as ec2
from aws_cdk import aws_opensearchservice as opensearch
from aws_cdk import aws_s3 as s3
from aws_cdk import aws_secretsmanager as secretsmanager
from aws_cdk import Stack
from constructs import Construct


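class OpensearchStack(Stack):
    """OpenSearch domain plus an EC2 instance whose Logstash config is wired to it.

    With fine-grained access control enabled, the CDK ``Domain`` construct creates
    a Secrets Manager secret (child id ``MasterUser``) holding the master user's
    ``username``/``password``.  ``SecretValue`` exposes neither the secret id nor
    its ARN, so the secret is fetched through that child id and its ARN is handed
    to a cfn-init command that fills the credentials into the Logstash config on
    the instance itself at boot.
    """

    # Where cfn-init writes the Logstash pipeline config on the instance.
    _LOGSTASH_CONF = "/home/ec2-user/logstash-8.4.0/config/my_conf.conf"
    # Markers written into the config and replaced by the init command.
    _USER_PLACEHOLDER = "REPLACE_WITH_USERNAME"
    _PASS_PLACEHOLDER = "REPLACE_WITH_PASSWORD"

    def __init__(
        self,
        scope: Construct,
        construct_id: str,
        **kwargs,
    ) -> None:
        """Create the VPC, bucket, OpenSearch domain and the Logstash instance.

        Args:
            scope: Parent construct.
            construct_id: Logical id of the stack within ``scope``.
            **kwargs: Forwarded unchanged to ``Stack``.
        """
        super().__init__(scope, construct_id, **kwargs)

        vpc = ec2.Vpc(self, "generatorVpc", max_azs=2)
        bucket = s3.Bucket(self, "My Bucket")
        domain = opensearch.Domain(
            self,
            "OpensearchDomain",
            version=opensearch.EngineVersion.OPENSEARCH_1_3,
            vpc=vpc,
            fine_grained_access_control=opensearch.AdvancedSecurityOptions(
                master_user_name="osadmin",
            ),
        )
        # The Domain construct keeps the generated secret under the child id
        # "MasterUser"; find_child is the way to reach it, because
        # domain.master_user_password is a SecretValue without a secret id/ARN.
        domain_secret: secretsmanager.Secret = domain.node.find_child("MasterUser")

        conf_path = self._LOGSTASH_CONF
        instance = ec2.Instance(
            self,
            "Instance",
            vpc=vpc,
            instance_type=ec2.InstanceType.of(
                instance_class=ec2.InstanceClass.M5,
                instance_size=ec2.InstanceSize.LARGE,
            ),
            machine_image=ec2.MachineImage.latest_amazon_linux(
                generation=ec2.AmazonLinuxGeneration.AMAZON_LINUX_2,
            ),
            init=ec2.CloudFormationInit.from_elements(
                ec2.InitFile.from_string(
                    file_name=conf_path,
                    owner="ec2-user",
                    # The file holds the live master password once the command
                    # below has run, so only its owner may read it (the previous
                    # 00755 left it world-readable and executable).
                    mode="000600",
                    content=self._logstash_config(bucket, domain),
                ),
                ec2.InitPackage.yum("jq"),  # needed to parse the secret JSON
                ec2.InitCommand.shell_command(
                    shell_command=self._fill_credentials_command(domain_secret, conf_path),
                ),
            ),
        )
        # Without this grant, get-secret-value in the init command is denied
        # and cfn-init fails.
        domain_secret.grant_read(instance.role)

    def _logstash_config(self, bucket: s3.Bucket, domain: opensearch.Domain) -> str:
        """Return the Logstash pipeline config with credential placeholders.

        Bucket name, region and domain endpoint are CDK tokens resolved by
        CloudFormation; the user/password slots are filled on the instance.
        """
        return f"""input {{
    s3 {{
        bucket => "{bucket.bucket_name}"
        region => "{self.region}"
    }}
}}
output {{
    opensearch {{
        hosts => ["{domain.domain_endpoint}:443"]
        user => "{self._USER_PLACEHOLDER}"
        password => "{self._PASS_PLACEHOLDER}"
        ecs_compatibility => disabled
    }}
}}
"""

    def _fill_credentials_command(self, secret: secretsmanager.ISecret, conf_path: str) -> str:
        """Return the shell one-liner that swaps the placeholders for the real values.

        Args:
            secret: The master-user secret; its ARN is read at synth time.
            conf_path: Path of the config file written by the InitFile element.
        """
        # sed gives '/', '&' and '\' special meaning in the replacement text, so
        # the fetched values are escaped first; otherwise a generated password
        # containing one of them silently corrupts the config file.
        # NOTE(review): assumes the generated password contains no '"' — confirm
        # against the Domain construct's password generation settings.
        escape = r"sed -e 's/[\\/&]/\\&/g'"
        return (
            f"aws configure set region {self.region} && "
            # --output text yields the raw SecretString, so jq can read it directly.
            f"OS_SECRET=$(aws secretsmanager get-secret-value --secret-id {secret.secret_arn} "
            "--query SecretString --output text) && "
            # Quoted expansions: the secret must never be word-split by the shell.
            f"OS_USER=$(printf '%s' \"$OS_SECRET\" | jq -r .username | {escape}) && "
            f"OS_PASS=$(printf '%s' \"$OS_SECRET\" | jq -r .password | {escape}) && "
            f"sed -i \"s/{self._USER_PLACEHOLDER}/$OS_USER/g\" {conf_path} && "
            f"sed -i \"s/{self._PASS_PLACEHOLDER}/$OS_PASS/g\" {conf_path}"
        )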

